[PATCH v8 7/8] ima: check against blacklisted hashes for files with modsig
Mimi Zohar
zohar at linux.ibm.com
Mon Oct 21 03:06:42 AEDT 2019
On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote:
> Asymmetric private keys are used to sign multiple files. The kernel
> currently support checking against blacklisted keys. However, if the
> public key is blacklisted, any file signed by the blacklisted key will
> automatically fail signature verification. We might not want to blacklist
> all the files signed by a particular key, but just a single file.
> Blacklisting the public key is not fine enough granularity.
>
> This patch adds support for checking against the blacklisted hash of the
> file based on the IMA policy. The blacklisted hash is the file hash
> without the appended signature. Defined is a new policy option
> "appraise_flag=check_blacklist".
Please add an example of how to blacklist a file with an appended
signature. The simplest example that works on x86 as well as Power
would be blacklisting a kernel module. The example should include
calculating the kernel module hash without the appended signature,
enabling the Kconfig option (CONFIG_SYSTEM_BLACKLIST_HASH_LIST), and
the blacklist hash format (eg. "bin:<file hash>").
thanks,
Mimi
More information about the Linuxppc-dev
mailing list