RE: F36 Change: DIGLIM (System-Wide Change proposal)

> From: Nico Kadel-Garcia [mailto:nkadel@xxxxxxxxx]
> Sent: Wednesday, December 29, 2021 10:29 AM

[...]

> From one of the patches:
> 
>      It accomplishes this task by storing reference values coming from
> software vendors and by reporting whether or not the
> digest of file content or metadata calculated by IMA (or EVM) is found
> among those values.
> 
> That has no use but digital rights management.

Hi Nico

I give some clarifications.

The kernel won't enforce any policy unless you define it.
Without loading a policy, there will be no change in
your user experience.

I mentioned in the patches software vendors, as they would
be the primary source of digest lists, easy to obtain. However,
as an advanced user, you would be able to effectively use
DIGLIM, even if you build your OS from scratch, by creating
a digest list of the binaries you built.

This will be possible because you will have the ability to load
your own GPG (or RSA) keys to the kernel to verify data source
authenticity of the digest lists.

This applies if you want to enforce an IMA appraisal policy,
which denies access to the files if file verification fails. If you
want to enforce an IMA measurement policy instead, access
to the files will always be granted, regardless of whether
the digest lists are signed or not. IMA, in this case, will simply
record the execution of unknown files, in addition to the
digest lists you generated.

The IMA measurement list remains in your system, unless
you decide that your system should be remotely attested
by a remote verifier.
 
Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
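The appraisal-versus-measurement distinction Roberto describes, modelled as a small added example (not code from the DIGLIM patches or the kernel): a digest list is built from constructed sample files, authenticated with a key, and then consulted for each file access. HMAC with a constructed key stands in for the GPG/RSA signature verification the kernel would do; the file contents, paths and key are all made up for the example.

```python
import hashlib
import hmac

# Constructed sample "binaries", standing in for files you built yourself.
FILES = {
    "/usr/bin/hello": b"\x7fELF-hello-binary",
    "/usr/bin/tool": b"\x7fELF-tool-binary",
}
# Constructed key: stand-in for the GPG/RSA key you would load into the kernel.
SIGNING_KEY = b"constructed-demo-key"


def build_digest_list(files):
    """Reference values: the SHA-256 digests of the files you trust."""
    return frozenset(hashlib.sha256(data).hexdigest() for data in files.values())


def sign_digest_list(digests, key):
    """Authenticate the list; HMAC is a placeholder for a real signature."""
    payload = "\n".join(sorted(digests)).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_digest_list(digests, signature, key):
    return hmac.compare_digest(sign_digest_list(digests, key), signature)


def ima_check(content, digests, signature, key, mode):
    """Model one file access under IMA with DIGLIM reference values.

    "appraise": access is denied unless the content digest is found in a
                digest list whose authenticity could be verified.
    "measure":  access is always granted; a digest not found in the list is
                recorded so a verifier can see an unknown file ran.
    Returns (allowed, measurement_entry_or_None).
    """
    digest = hashlib.sha256(content).hexdigest()
    if mode == "appraise":
        trusted = verify_digest_list(digests, signature, key)
        return (trusted and digest in digests), None
    if mode == "measure":
        return True, (None if digest in digests else digest)
    raise ValueError(f"unknown IMA mode: {mode}")


DIGESTS = build_digest_list(FILES)
SIGNATURE = sign_digest_list(DIGESTS, SIGNING_KEY)
```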