On Tue, 2018-05-15 at 08:32 -0400, Josh Boyer wrote:
> One aspect that was always a concern to some is whether the firmware files
> were modified directly to have the signature attached to them. That may
> run afoul of the "no modification" license that most blobs are shipped
> under. Does IMA
On Mon, May 14, 2018 at 11:27 PM Luis R. Rodriguez
wrote:
> On Mon, May 14, 2018 at 10:02:31PM -0400, Mimi Zohar wrote:
> > On Mon, 2018-05-14 at 19:28 +, Luis R. Rodriguez wrote:
> > > > - CONFIG_IMA_APPRAISE is not fine enough grained.
> > > >
> > > > The CONFIG_IMA_APPRAISE_FIRMWARE will
On Mon, May 14, 2018 at 10:02:31PM -0400, Mimi Zohar wrote:
> On Mon, 2018-05-14 at 19:28 +, Luis R. Rodriguez wrote:
> > > - CONFIG_IMA_APPRAISE is not fine enough grained.
> > >
> > > The CONFIG_IMA_APPRAISE_FIRMWARE will be a Kconfig option. Similar
> > > Kconfig options will require
On Mon, 2018-05-14 at 19:28 +, Luis R. Rodriguez wrote:
[...]
> > At runtime, in the case
> > that regdb is enabled and a custom policy requires IMA-appraisal
> > firmware signature verification, then both signature verification
> > methods will verify the signatures. If either fails, then
On Mon, May 14, 2018 at 08:58:12AM -0400, Mimi Zohar wrote:
> On Fri, 2018-05-11 at 21:52 +, Luis R. Rodriguez wrote:
> > diff --git a/drivers/base/firmware_loader/main.c
> > b/drivers/base/firmware_loader/main.c
> > index eb34089e4299..d7cdf04a8681 100644
> > ---
On Fri, 2018-05-11 at 21:52 +, Luis R. Rodriguez wrote:
> On Fri, May 11, 2018 at 01:00:26AM -0400, Mimi Zohar wrote:
> > On Thu, 2018-05-10 at 23:26 +, Luis R. Rodriguez wrote:
> > > On Wed, May 09, 2018 at 10:00:58PM -0400, Mimi Zohar wrote:
> > > > On Wed, 2018-05-09 at 23:48 +,
On Fri, May 11, 2018 at 01:00:26AM -0400, Mimi Zohar wrote:
> On Thu, 2018-05-10 at 23:26 +, Luis R. Rodriguez wrote:
> > On Wed, May 09, 2018 at 10:00:58PM -0400, Mimi Zohar wrote:
> > > On Wed, 2018-05-09 at 23:48 +, Luis R. Rodriguez wrote:
> > > > On Wed, May 09, 2018 at 06:06:57PM
On Thu, 2018-05-10 at 23:26 +, Luis R. Rodriguez wrote:
> On Wed, May 09, 2018 at 10:00:58PM -0400, Mimi Zohar wrote:
> > On Wed, 2018-05-09 at 23:48 +, Luis R. Rodriguez wrote:
> > > On Wed, May 09, 2018 at 06:06:57PM -0400, Mimi Zohar wrote:
> >
> > > > > > Yes, writing regdb as a
On Wed, May 09, 2018 at 10:00:58PM -0400, Mimi Zohar wrote:
> On Wed, 2018-05-09 at 23:48 +, Luis R. Rodriguez wrote:
> > On Wed, May 09, 2018 at 06:06:57PM -0400, Mimi Zohar wrote:
>
> > > > > Yes, writing regdb as a micro/mini LSM sounds reasonable. The LSM
> > > > > would differentiate
On Wed, 2018-05-09 at 23:48 +, Luis R. Rodriguez wrote:
> On Wed, May 09, 2018 at 06:06:57PM -0400, Mimi Zohar wrote:
> > On Wed, 2018-05-09 at 21:22 +, Luis R. Rodriguez wrote:
> > >
> > > OK, it's still not clear to what it will do. If it does not touch the
> > > firmware
> > > loader
On Wed, May 09, 2018 at 06:06:57PM -0400, Mimi Zohar wrote:
> On Wed, 2018-05-09 at 21:22 +, Luis R. Rodriguez wrote:
> >
> > OK, it's still not clear to what it will do. If it does not touch the
> > firmware
> > loader code, and it just sets and configures IMA to do file signature
> >
On Wed, 2018-05-09 at 21:22 +, Luis R. Rodriguez wrote:
> On Wed, May 09, 2018 at 03:57:18PM -0400, Mimi Zohar wrote:
> > On Wed, 2018-05-09 at 19:15 +, Luis R. Rodriguez wrote:
> >
> > > > > > If both are enabled, do we require both signatures or is one enough.
> > > > >
> > > > > Good
On Wed, May 09, 2018 at 03:57:18PM -0400, Mimi Zohar wrote:
> On Wed, 2018-05-09 at 19:15 +, Luis R. Rodriguez wrote:
>
> > > > > If both are enabled, do we require both signatures or is one enough.
> > > >
> > > > Good question. Considering it as a stacked LSM (although not implemented
> >
On Wed, 2018-05-09 at 19:15 +, Luis R. Rodriguez wrote:
> > > > If both are enabled, do we require both signatures or is one enough.
> > >
> > > Good question. Considering it as a stacked LSM (although not implemented
> > > as one), I'd say it's up to who enabled the Kconfig entries. If IMA
On Wed, May 09, 2018 at 07:30:28AM -0400, Mimi Zohar wrote:
> On Tue, 2018-05-08 at 17:34 +, Luis R. Rodriguez wrote:
> > On Thu, May 03, 2018 at 08:24:26PM -0400, Mimi Zohar wrote:
> > > On Fri, 2018-05-04 at 00:07 +, Luis R. Rodriguez wrote:
> > > > On Tue, May 01, 2018 at 09:48:20AM
On Tue, 2018-05-08 at 17:34 +, Luis R. Rodriguez wrote:
> On Thu, May 03, 2018 at 08:24:26PM -0400, Mimi Zohar wrote:
> > On Fri, 2018-05-04 at 00:07 +, Luis R. Rodriguez wrote:
> > > On Tue, May 01, 2018 at 09:48:20AM -0400, Mimi Zohar wrote:
> > > > Allow LSMs and IMA to differentiate
On Thu, May 03, 2018 at 08:24:26PM -0400, Mimi Zohar wrote:
> On Fri, 2018-05-04 at 00:07 +, Luis R. Rodriguez wrote:
> > On Tue, May 01, 2018 at 09:48:20AM -0400, Mimi Zohar wrote:
> > > Allow LSMs and IMA to differentiate between signed regulatory.db and
> > > other firmware.
> > >
> > >
On Fri, 2018-05-04 at 00:07 +, Luis R. Rodriguez wrote:
> On Tue, May 01, 2018 at 09:48:20AM -0400, Mimi Zohar wrote:
> > Allow LSMs and IMA to differentiate between signed regulatory.db and
> > other firmware.
> >
> > Signed-off-by: Mimi Zohar
> > Cc: Luis R. Rodriguez
> > Cc: David
On Tue, May 01, 2018 at 09:48:20AM -0400, Mimi Zohar wrote:
> Allow LSMs and IMA to differentiate between signed regulatory.db and
> other firmware.
>
> Signed-off-by: Mimi Zohar
> Cc: Luis R. Rodriguez
> Cc: David Howells
> Cc: Kees Cook
> Cc: Seth Forshee
> Cc: Johannes Berg
> ---
>
38 matches