[PATCH v7 7/8] ima: check against blacklisted hashes for files with modsig

Nayna nayna at linux.vnet.ibm.com
Sun Oct 20 05:30:33 AEDT 2019


Hi Mimi,


On 10/11/2019 09:19 AM, Mimi Zohar wrote:
> On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote:
>> Asymmetric private keys are used to sign multiple files. The kernel
>> currently support checking against the blacklisted keys. However, if the
>> public key is blacklisted, any file signed by the blacklisted key will
>> automatically fail signature verification. We might not want to blacklist
>> all the files signed by a particular key, but just a single file.
>> Blacklisting the public key is not fine enough granularity.
>>
>> This patch adds support for blacklisting binaries with appended signatures,
>> based on the IMA policy.  Defined is a new policy option
>> "appraise_flag=check_blacklist".
> The blacklisted hash is not the same as the file hash, but is the file
> hash without the appended signature.  Are there tools for calculating
> the blacklisted hash?  Can you provide an example?

I have updated the patch description to specify that the blacklisted 
hash is the file hash without the appended signature. I hope that makes 
it clear now.

Thanks & Regards,
     - Nayna


More information about the Linuxppc-dev mailing list