On Fri, 2017-11-17 at 09:55 +0100, Roberto Sassu wrote:
> On 11/17/2017 2:08 AM, Kees Cook wrote:
> > On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu
> > wrote:
> >> On 11/7/2017 2:37 PM, Mimi Zohar wrote:
> >>> Normally, the protection of kernel memory is out of scope
On Fri, 2017-11-17 at 09:55 +0100, Roberto Sassu wrote:
> On 11/17/2017 2:08 AM, Kees Cook wrote:
> > On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu
> > wrote:
> >> On 11/7/2017 2:37 PM, Mimi Zohar wrote:
> >>> Normally, the protection of kernel memory is out of scope for IMA.
> >>> This patch
On 11/17/2017 2:08 AM, Kees Cook wrote:
On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu wrote:
On 11/7/2017 2:37 PM, Mimi Zohar wrote:
Normally, the protection of kernel memory is out of scope for IMA.
This patch set introduces an in kernel white list, which would be a
On 11/17/2017 2:08 AM, Kees Cook wrote:
On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu wrote:
On 11/7/2017 2:37 PM, Mimi Zohar wrote:
Normally, the protection of kernel memory is out of scope for IMA.
This patch set introduces an in kernel white list, which would be a
prime target for
On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu wrote:
> On 11/7/2017 2:37 PM, Mimi Zohar wrote:
>> Normally, the protection of kernel memory is out of scope for IMA.
>> This patch set introduces an in kernel white list, which would be a
>> prime target for attackers
On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu wrote:
> On 11/7/2017 2:37 PM, Mimi Zohar wrote:
>> Normally, the protection of kernel memory is out of scope for IMA.
>> This patch set introduces an in kernel white list, which would be a
>> prime target for attackers looking for ways of by-passing
On 11/9/2017 5:46 PM, Matthew Garrett wrote:
On Thu, Nov 9, 2017 at 11:13 AM, Roberto Sassu wrote:
On 11/9/2017 3:47 PM, Matthew Garrett wrote:
There's no need to have a policy that measures those files, because
they're part of the already-measured initramfs. Just
On 11/9/2017 5:46 PM, Matthew Garrett wrote:
On Thu, Nov 9, 2017 at 11:13 AM, Roberto Sassu wrote:
On 11/9/2017 3:47 PM, Matthew Garrett wrote:
There's no need to have a policy that measures those files, because
they're part of the already-measured initramfs. Just set the IMA
policy after
On Thu, Nov 9, 2017 at 11:13 AM, Roberto Sassu wrote:
> On 11/9/2017 3:47 PM, Matthew Garrett wrote:
>> There's no need to have a policy that measures those files, because
>> they're part of the already-measured initramfs. Just set the IMA
>> policy after you've loaded
On Thu, Nov 9, 2017 at 11:13 AM, Roberto Sassu wrote:
> On 11/9/2017 3:47 PM, Matthew Garrett wrote:
>> There's no need to have a policy that measures those files, because
>> they're part of the already-measured initramfs. Just set the IMA
>> policy after you've loaded the digest list.
>
>
> The
On Thu, 2017-11-09 at 09:47 -0500, Matthew Garrett wrote:
> This seems very over-complicated, and it's unclear why the kernel
> needs to open the file itself. You *know* that all of userland is
> trustworthy at this point even in the absence of signatures.
Assuming the initramfs is signed, then
On Thu, 2017-11-09 at 09:47 -0500, Matthew Garrett wrote:
> This seems very over-complicated, and it's unclear why the kernel
> needs to open the file itself. You *know* that all of userland is
> trustworthy at this point even in the absence of signatures.
Assuming the initramfs is signed, then
On 11/9/2017 3:47 PM, Matthew Garrett wrote:
On Thu, Nov 9, 2017 at 4:51 AM, Roberto Sassu wrote:
On 11/8/2017 4:48 PM, Matthew Garrett wrote:
The code doing the parsing is in the initramfs, which has already been
measured at boot time. You can guarantee that it's
On 11/9/2017 3:47 PM, Matthew Garrett wrote:
On Thu, Nov 9, 2017 at 4:51 AM, Roberto Sassu wrote:
On 11/8/2017 4:48 PM, Matthew Garrett wrote:
The code doing the parsing is in the initramfs, which has already been
measured at boot time. You can guarantee that it's being done by
trusted code.
On Thu, Nov 9, 2017 at 4:51 AM, Roberto Sassu wrote:
> On 11/8/2017 4:48 PM, Matthew Garrett wrote:
>> The code doing the parsing is in the initramfs, which has already been
>> measured at boot time. You can guarantee that it's being done by
>> trusted code.
>
>
> The
On Thu, Nov 9, 2017 at 4:51 AM, Roberto Sassu wrote:
> On 11/8/2017 4:48 PM, Matthew Garrett wrote:
>> The code doing the parsing is in the initramfs, which has already been
>> measured at boot time. You can guarantee that it's being done by
>> trusted code.
>
>
> The parser can be executed in
On 11/8/2017 4:48 PM, Matthew Garrett wrote:
On Wed, Nov 8, 2017 at 7:00 AM, Roberto Sassu wrote:
On 11/7/2017 7:06 PM, Matthew Garrett wrote:
But we're still left in a state where the kernel has to end up
supporting a number of very niche formats, and userland
On 11/8/2017 4:48 PM, Matthew Garrett wrote:
On Wed, Nov 8, 2017 at 7:00 AM, Roberto Sassu wrote:
On 11/7/2017 7:06 PM, Matthew Garrett wrote:
But we're still left in a state where the kernel has to end up
supporting a number of very niche formats, and userland agility is
tied to the kernel.
On Wed, Nov 8, 2017 at 7:00 AM, Roberto Sassu wrote:
> On 11/7/2017 7:06 PM, Matthew Garrett wrote:
>> But we're still left in a state where the kernel has to end up
>> supporting a number of very niche formats, and userland agility is
>> tied to the kernel. I think it
On Wed, Nov 8, 2017 at 7:00 AM, Roberto Sassu wrote:
> On 11/7/2017 7:06 PM, Matthew Garrett wrote:
>> But we're still left in a state where the kernel has to end up
>> supporting a number of very niche formats, and userland agility is
>> tied to the kernel. I think it makes significantly more
On 11/7/2017 7:06 PM, Matthew Garrett wrote:
On Tue, Nov 7, 2017 at 12:53 PM, Roberto Sassu wrote:
On 11/7/2017 3:49 PM, Matthew Garrett wrote:
RPM's hardly universal, and distributions are in the process of moving
away from using it for distributing non-core
On 11/7/2017 7:06 PM, Matthew Garrett wrote:
On Tue, Nov 7, 2017 at 12:53 PM, Roberto Sassu wrote:
On 11/7/2017 3:49 PM, Matthew Garrett wrote:
RPM's hardly universal, and distributions are in the process of moving
away from using it for distributing non-core applications (Flatpak and
Snap
: linux-security-mod...@vger.kernel.org; linux-fsde...@vger.kernel.org;
linux-...@vger.kernel.org; linux-kernel@vger.kernel.org;
silviu.vlasce...@huawei.com; Roberto Sassu <roberto.sa...@huawei.com>
Subject: EXT: [PATCH v2 00/15] ima: digest list feature
IMA is a security module with the obj
: linux-security-mod...@vger.kernel.org; linux-fsde...@vger.kernel.org;
linux-...@vger.kernel.org; linux-kernel@vger.kernel.org;
silviu.vlasce...@huawei.com; Roberto Sassu
Subject: EXT: [PATCH v2 00/15] ima: digest list feature
IMA is a security module with the objective of reporting or enforcing
el.org; linux-fsde...@vger.kernel.org;
> linux-...@vger.kernel.org; linux-kernel@vger.kernel.org;
> silviu.vlasce...@huawei.com; Roberto Sassu <roberto.sa...@huawei.com>
> Subject: EXT: [PATCH v2 00/15] ima: digest list feature
>
> IMA is a security module with the objective of
el.org; linux-fsde...@vger.kernel.org;
> linux-...@vger.kernel.org; linux-kernel@vger.kernel.org;
> silviu.vlasce...@huawei.com; Roberto Sassu
> Subject: EXT: [PATCH v2 00/15] ima: digest list feature
>
> IMA is a security module with the objective of reporting or enforcing the
> integ
On Tue, Nov 7, 2017 at 12:53 PM, Roberto Sassu wrote:
> On 11/7/2017 3:49 PM, Matthew Garrett wrote:
>> RPM's hardly universal, and distributions are in the process of moving
>> away from using it for distributing non-core applications (Flatpak and
>> Snap are becoming
On Tue, Nov 7, 2017 at 12:53 PM, Roberto Sassu wrote:
> On 11/7/2017 3:49 PM, Matthew Garrett wrote:
>> RPM's hardly universal, and distributions are in the process of moving
>> away from using it for distributing non-core applications (Flatpak and
>> Snap are becoming increasingly popular here).
On 11/7/2017 3:49 PM, Matthew Garrett wrote:
On Tue, Nov 7, 2017 at 2:36 AM, Roberto Sassu wrote:
Finally, digest lists address also the third issue because Linux
distribution vendors already provide the digests of files included in each
RPM package. The digest list
On 11/7/2017 3:49 PM, Matthew Garrett wrote:
On Tue, Nov 7, 2017 at 2:36 AM, Roberto Sassu wrote:
Finally, digest lists address also the third issue because Linux
distribution vendors already provide the digests of files included in each
RPM package. The digest list is stored in the RPM
On 11/7/2017 2:37 PM, Mimi Zohar wrote:
Hi Roberto,
On Tue, 2017-11-07 at 11:36 +0100, Roberto Sassu wrote:
IMA is a security module with the objective of reporting or enforcing the
integrity of a system, by measuring files accessed with the execve(),
mmap() and open() system calls. For
On 11/7/2017 2:37 PM, Mimi Zohar wrote:
Hi Roberto,
On Tue, 2017-11-07 at 11:36 +0100, Roberto Sassu wrote:
IMA is a security module with the objective of reporting or enforcing the
integrity of a system, by measuring files accessed with the execve(),
mmap() and open() system calls. For
On Tue, Nov 7, 2017 at 2:36 AM, Roberto Sassu wrote:
> Finally, digest lists address also the third issue because Linux
> distribution vendors already provide the digests of files included in each
> RPM package. The digest list is stored in the RPM header, signed by the
On Tue, Nov 7, 2017 at 2:36 AM, Roberto Sassu wrote:
> Finally, digest lists address also the third issue because Linux
> distribution vendors already provide the digests of files included in each
> RPM package. The digest list is stored in the RPM header, signed by the
> vendor.
RPM's hardly
Hi Roberto,
On Tue, 2017-11-07 at 11:36 +0100, Roberto Sassu wrote:
> IMA is a security module with the objective of reporting or enforcing the
> integrity of a system, by measuring files accessed with the execve(),
> mmap() and open() system calls. For reporting, it takes advantage of the
> TPM
Hi Roberto,
On Tue, 2017-11-07 at 11:36 +0100, Roberto Sassu wrote:
> IMA is a security module with the objective of reporting or enforcing the
> integrity of a system, by measuring files accessed with the execve(),
> mmap() and open() system calls. For reporting, it takes advantage of the
> TPM
IMA is a security module with the objective of reporting or enforcing the
integrity of a system, by measuring files accessed with the execve(),
mmap() and open() system calls. For reporting, it takes advantage of the
TPM and extends a PCR with the digest of an evaluated event. For enforcing,
it
IMA is a security module with the objective of reporting or enforcing the
integrity of a system, by measuring files accessed with the execve(),
mmap() and open() system calls. For reporting, it takes advantage of the
TPM and extends a PCR with the digest of an evaluated event. For enforcing,
it
38 matches
Mail list logo