From: Rusty Russell
To: "Kasatkin, Dmitry"
Cc: James Morris, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com, David Howells, Lucas De Marchi, Jon Masters
Subject: Re: [RFC][PATCH v1 0/2] integrity: module integrity verification
Date: Wed, 08 Feb 2012 10:09:11 +1030
Message-ID: <87bopagqn4.fsf@rustcorp.com.au>

On Tue, 7 Feb 2012 23:18:38 +0200, "Kasatkin, Dmitry" wrote:
> On Tue, Feb 7, 2012 at 7:13 PM, Rusty Russell wrote:
> > On Mon, 6 Feb 2012 08:59:00 +0200, "Kasatkin, Dmitry" wrote:
> >> On Mon, Feb 6, 2012 at 3:51 AM, James Morris wrote:
> >> > On Wed, 1 Feb 2012, Dmitry Kasatkin wrote:
> >> >
> >> >> Hi,
> >> >>
> >> >> Here is another module verification patchset, which is based on the recently
> >> >> upstreamed digital signature support used by EVM and IMA-appraisal.
> >> >
> >> > You should cc: Rusty on any changes to the module code.
> >> >
> >>
> >> Hello,
> >>
> >> Mimi already has pointed that out.
> >> I have sent him an email with the link..
> >
> > Thanks.
> >
> > Using an external signature (via cmdline arguments) is simple, at
> > least. Not sure what the userspace side of this looks like?
> >
>
> Hello,
>
> There are couple of patches for modprobe and insmod...
>
> You could see them on the top at:
> http://linux-ima.git.sourceforge.net/git/gitweb.cgi?p=linux-ima/module-init-tools.git;a=summary
>
> It first tries to read signature from xattr, then from file...
> "modprobe -v" will show 'ima=' parameter with signature.
>
> - Dmitry

The problem is that distributions tend to have two variants of modules:
stripped and unstripped. Thus you may want to support multiple
signatures, any *one* of which may match.

I've cc'd the module-init-tools and libkmod maintainers for their
comments, too.

Cheers,
Rusty.