[PATCH v7 7/8] ima: check against blacklisted hashes for files with modsig
Nayna
nayna at linux.vnet.ibm.com
Sun Oct 20 05:30:33 AEDT 2019
Hi Mimi,
On 10/11/2019 09:19 AM, Mimi Zohar wrote:
> On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote:
>> Asymmetric private keys are used to sign multiple files. The kernel
>> currently support checking against the blacklisted keys. However, if the
>> public key is blacklisted, any file signed by the blacklisted key will
>> automatically fail signature verification. We might not want to blacklist
>> all the files signed by a particular key, but just a single file.
>> Blacklisting the public key is not fine enough granularity.
>>
>> This patch adds support for blacklisting binaries with appended signatures,
>> based on the IMA policy. Defined is a new policy option
>> "appraise_flag=check_blacklist".
> The blacklisted hash is not the same as the file hash, but is the file
> hash without the appended signature. Are there tools for calculating
> the blacklisted hash? Can you provide an example?
I have updated the patch description to specify that the blacklisted
hash is the file hash without the appended signature. I hope that makes
it clear now.
Thanks & Regards,
- Nayna
More information about the Linuxppc-dev
mailing list