On Mon, 21 Dec 2015, Mimi Zohar wrote:

> Hi James,
>
> Lots of changes this time.  This pull request adds support, by Dmitry
> Kasatkin, for: making the EVM keyring a trusted keyring, such that only
> keys signed by a key on the system keyring can be loaded onto the EVM
> keyring, loading the EVM keys onto the EVM trusted keyring by the
> kernel, enabling EVM when either the x509 or symmetric keys are
> available and loading the EVM symmetric key from hardware.
>
> As described by Mark Baushke and Petko Manolov at LSS 2015 in their talk
> "IMA/EVM: Real Applications for Embedded Networking Systems", this pull
> request includes support for two new IMA trusted keyrings named .ima_mok
> and .ima_blacklist.  Keys being loaded on either the EVM or IMA trusted
> keyrings can be validated against either the system trusted keyring or
> the intermediary .ima_mok keyring and prevented from being loaded if on
> the .ima_blacklist keyring.
>
> Lastly, support for extending and displaying the IMA policy.


James Morris
