On Thu, Feb 16, 2012 at 12:30:31PM -0200, Gustavo Sverzut Barbieri wrote:
> On Thu, Feb 16, 2012 at 11:38 AM, Roberto Sassu <roberto.sa...@polito.it> 
> wrote:
> > the reason for which the loading of IMA policies has been placed in
> > the main Systemd executable is that the measurement process performed
> > by IMA should start as early as possible. Otherwise, in order to build
> > the 'chain of trust' during the boot process from the BIOS to software
> > applications, it is required to measure those components loaded before
> > IMA is initialized with other means (for example from the boot loader).
> 
> Then I wonder: why not make an ima-init binary that:
>   - does ima_setup()
>   - exec systemd || upstart || ...
> 
> this way you only have to audit this very small file and not systemd
> itself, it's very early and so on.

  Isn't that a job for initramfs?

-- 
Tomasz Torcz               "Never underestimate the bandwidth of a station
xmpp: zdzich...@chrome.pl    wagon filled with backup tapes." -- Jim Gray
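A sketch of the "ima-init" wrapper suggested in the quoted reply, added here as an example; it is not code from the thread and not systemd's own ima-setup.c. It assumes the policy file lives at /etc/ima/ima-policy, that the kernel exposes the IMA policy node at /sys/kernel/security/ima/policy, and that the real init is /lib/systemd/systemd; the two policy rules used in the self-check are constructed sample input. The one detail worth knowing when writing such a tool is that the kernel parses exactly one rule per write() on the policy node, so the file has to be fed line by line rather than in a single write.

```c
/* ima-init (added example, not systemd code): load the IMA policy as early
 * as possible, then exec the real init so that everything it starts is
 * measured. Paths below are assumptions for this example. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define IMA_POLICY_FILE "/etc/ima/ima-policy"              /* assumed location */
#define IMA_POLICY_NODE "/sys/kernel/security/ima/policy"  /* kernel securityfs node */
#define REAL_INIT       "/lib/systemd/systemd"             /* assumed init path */

/* Copy policy rules from src to dst, one line per write(). The kernel parses
 * a single rule per write, so writing the whole file at once would only load
 * the first rule. Blank lines and '#' comments are skipped. Returns the number
 * of rules written, or -errno on failure (e.g. -ENOENT when src is missing). */
static int load_ima_policy(const char *src, const char *dst)
{
    FILE *in = fopen(src, "r");
    if (!in)
        return -errno;
    int out = open(dst, O_WRONLY | O_CLOEXEC);
    if (out < 0) {
        int e = errno;
        fclose(in);
        return -e;
    }
    char line[512];
    int rules = 0, rc = 0;
    while (fgets(line, sizeof line, in)) {
        size_t n = strlen(line);
        /* no newline and not at EOF: the rule is longer than our buffer */
        if (line[n - 1] != '\n' && !feof(in)) { rc = -E2BIG; break; }
        if (line[0] == '\n' || line[0] == '#')
            continue;
        ssize_t w = write(out, line, n);
        if (w < 0)           { rc = -errno; break; }
        if ((size_t)w != n)  { rc = -EIO;   break; }
        rules++;
    }
    if (rc == 0 && ferror(in))
        rc = -EIO;
    fclose(in);
    close(out);
    return rc < 0 ? rc : rules;
}

/* Self-check on constructed input: a comment, a blank line and two rules are
 * written to a temp file, and a second temp file stands in for the kernel
 * node. Returns 1 when exactly the two rules, in order, reach the sink. */
static int self_check(void)
{
    const char *policy =
        "# constructed sample policy\n"
        "measure func=BPRM_CHECK mask=MAY_EXEC\n"
        "\n"
        "measure func=FILE_MMAP mask=MAY_EXEC\n";
    const char *expect =
        "measure func=BPRM_CHECK mask=MAY_EXEC\n"
        "measure func=FILE_MMAP mask=MAY_EXEC\n";
    char src[] = "/tmp/ima-policy-XXXXXX", dst[] = "/tmp/ima-node-XXXXXX";
    int fs = mkstemp(src);
    if (fs < 0)
        return 0;
    int fd = mkstemp(dst);
    if (fd < 0) { close(fs); unlink(src); return 0; }
    int ok = write(fs, policy, strlen(policy)) == (ssize_t)strlen(policy);
    close(fs);
    close(fd);
    int rules = ok ? load_ima_policy(src, dst) : -1;
    char got[256] = {0};
    int rd = open(dst, O_RDONLY);
    ssize_t n = rd < 0 ? -1 : read(rd, got, sizeof got - 1);
    if (rd >= 0)
        close(rd);
    unlink(src);
    unlink(dst);
    return rules == 2 && n >= 0 && strcmp(got, expect) == 0;
}

int main(int argc, char **argv)
{
    (void)argc;
    int rc = load_ima_policy(IMA_POLICY_FILE, IMA_POLICY_NODE);
    if (rc < 0)
        fprintf(stderr, "ima-init: policy not loaded: %s\n", strerror(-rc));
    /* Log and continue rather than refuse to boot: a missing policy then shows
     * up as an empty measurement list instead of an unbootable machine. */
    execv(REAL_INIT, argv);
    fprintf(stderr, "ima-init: execv %s: %s\n", REAL_INIT, strerror(errno));
    return 1;
}
```

Run as PID 1 (from the kernel command line or from an initramfs, which is the alternative raised in the reply), the program has nothing to audit beyond the copy loop and the exec, which is the point of the suggestion.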

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
