Hi, Mimi

On 12/28/15 at 07:51am, Mimi Zohar wrote:
> On Mon, 2015-12-28 at 10:08 +0800, Dave Young wrote:
> > On 12/25/15 at 09:45am, Mimi Zohar wrote:
> > > IMA calculates the file hash, in this case, based on the buffer
> > > contents. The hash is calculated once and used for both measurement
> > > and appraisal. If the file integrity appraisal fails (eg. hash
> > > comparison or signature failure), IMA prevents the kexec files from
> > > being used.
> > >
> >
> > Ok, thanks for the explanation. But I have another question, why do we
> > need a special hook for KEXEC? Shouldn't all files use the same way to do the
> > measurement and appraisal?
>
> "By all files" are you referring to all files read by the kernel or all
> files opened, executed or mmapped by the system?

Hmm, I mean any kind of files read by the kernel.

>
> Currently IMA allocates a page sized buffer, reads a file a page chunk
> at a time calculating the file hash as it does so, and then frees the
> buffer before returning to the caller. This method of calculating the
> file hash is used for measuring and appraising files opened
> (FILE_CHECK), executed (BPRM_CHECK) or mmapped (MMAP_CHECK) by the
> system.
>
> This patch set addresses files being read by the kernel. A single new
> generic hook named ima_hash_and_process_file() is defined to not only
> measure and appraise the kexec image and initramfs, but firmware and the
> IMA policy. As we identify other places that the kernel is reading
> files, this hook would be called in those places as well.

What I cannot understand is why IMA needs to know the caller information and why we can't introduce a generic interface. kexec, firmware and the other callers all read files, so a common file based interface should be better?

Thanks
Dave