Re: [RFC] [ima-evm-utils 0/5] evmctl: Sign using daemon and secureboot related enhancement

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 06/09/13 22:38, Vivek Goyal wrote:
> Hi,
>
> This is an RFC patch series to get early feedback on stuff I am working
> on.
>
> This series does few things.
>
> - Adds an extra structure to ima signature (security.ima) which will signal
>   the elf loader that this executable needs to be locked. This will be
>   useful for secureboot where signed /sbin/kexec needs to run memory 
>   locked. 
>
>   I have posted RFC kernel patches on Fedora kernel mailing list.
>
>   https://lists.fedoraproject.org/pipermail/kernel/2013-September/004432.html 
>
>   kexec-tools patches are posted here.
>
>   https://lists.fedoraproject.org/pipermail/kernel/2013-September/004469.html 
>
> - Add a functionality to import signatures signed externally. (Patch 2)
> - Add functionality to allow signing using external crypto card. (Patch 3)
> - Add a functionality to create a daemon which cilents can connect to
>   and request file signing (Patch 4 and Patch 5).
>
> All the signing enhancements I need so that various build servers can
> make use of it to sign /sbin/kexec and bzImage using appropriate keys.
>
> This is still a work in progress and code is very raw. I wanted to get
> the code out to get early feedback.
>
> Thanks
> Vivek
>
> Vivek Goyal (5):
>   evmctl: Allow adding a memlock information in security.ima
>   evmctl: Allow importing external signature
>   evmctl: Allow signing using external crypto engine
>   evmctl-allow-launching-daemon
>   evmctl-client: A simple client to request signing from evmctl daemon
>
>  configure.ac    |    1 +
>  src/Makefile.am |    9 +-
>  src/client.c    |  697 +++++++++++++++++++++++++++++++++
>  src/daemon.h    |   83 ++++
>  src/evmctl.c    | 1166 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
>  5 files changed, 1934 insertions(+), 22 deletions(-)
>  create mode 100644 src/client.c
>  create mode 100644 src/daemon.h
>
Hi Vivek,

I am looking into patches..

It would be great if you could share your tree somewhere so that it
would simplify pulling your code.

- Dmitry


_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux