[PATCH 2/4] ima: define a set of appraisal rules requiring file signatures

2017-05-02 Thread Mimi Zohar
The builtin "ima_appraise_tcb" policy should require file signatures for at least a few of the hooks (eg. kernel modules, firmware, and the kexec kernel image), but changing it would break the existing userspace/kernel ABI. This patch defines a new builtin policy named "secure_boot", which can be

[PATCH 2/4] ima: define a set of appraisal rules requiring file signatures

2017-05-02 Thread Mimi Zohar
The builtin "ima_appraise_tcb" policy should require file signatures for at least a few of the hooks (eg. kernel modules, firmware, and the kexec kernel image), but changing it would break the existing userspace/kernel ABI. This patch defines a new builtin policy named "secure_boot", which can be