On Thu, 2012-10-25 at 10:10 -0400, Vivek Goyal wrote: > On Thu, Oct 25, 2012 at 02:10:01AM -0400, Mimi Zohar wrote: > > [..] > > IMA-appraisal verifies the integrity of file data, while EVM verifies > > the integrity of the file metadata, such as LSM and IMA-appraisal > > labels. Both 'security.ima' and 'security.evm' can contain digital > > signatures. > > But the private key for creating these digital signature needs to be > on the target system? > > Thanks > Vivek Absolutely not. The public key needs to be added to the _ima or _evm keyrings. Roberto Sassu modified dracut and later made equivalent changes to systemd. Both have been upstreamed. Dmitry has a package that labels the filesystem called ima-evm-utils, which supports hash (IMA), hmac(EVM) and digital signatures(both). We're hoping that distro's would label all immutable files, not only elf executables, with digital signatures and mutable files with a hash. thanks, Mimi
