On Wed, 2015-05-13 at 11:42 +0200, Janusz Kozerski wrote: > Hi Patrick, > > Zbigniew is out of office today. > You should notice, that EVM uses filesystem-specific values (like > inode number), so creating valid filesystem on build host machine have > to be done little bit more carefully when working with EVM (compared > to IMA) when using asymmetric keys.
Yes, I'm aware. That poses some practical issues in the image creation (signing must be done on the final image), but it should be doable. > And of course as you said it's not possible to sign image of > filesystem on host using EVM HMAC with TPM (trusted) keys. But if you > don't have TPM on your platform I think it would be possible to > generate EVM HMAC using userspace encrypted keys on host machine, but > there's no tools for that. > > Have you tried to use EVM with encrypted keys? > http://linux-ima.sourceforge.net/evmctl.1.html I tried very briefly, but it failed already when trying to create the keys. I did not investigate at the time (some permission issue). If I understand it correctly, it wouldn't be a suitable solution anyway: unlocking the encrypted key requires manually entering the passphrase during booting, doesn't it? That won't be possible for unattended devices. -- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. _______________________________________________ Dev mailing list [email protected] https://lists.tizen.org/listinfo/dev
