On Mon, Jan 28, 2013 at 5:15 PM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote: > On Mon, Jan 28, 2013 at 04:54:06PM +0200, Kasatkin, Dmitry wrote: >> On Fri, Jan 25, 2013 at 11:01 PM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote: >> > Hi, >> > >> > I am trying to read and understand IMA code. How does digital signature >> > mechanism work. >> > >> > IIUC, evmctl will install a file's signature in security.ima. And later >> > process_measurement() will do following. >> > >> > Calculate digest of file in ima_collect_measurement() and then >> > ima_appraise_measurement() actually compares signatuer against the >> > digest. >> > >> > If yes, ima_collect_measurement() always calculates digest either using >> > md5/sha1 but signatures might have used sha256 or something else. So >> > how does it work. What am I missing. >> >> Hi, >> >> Yes, currently it is possible to use only single configured algorithm, which is >> in generally enough. Consider it like a policy. >> Soon it will be a patch which allows to use any hash algorithms, supported by >> asymmetric key verification API. > > Ok. I am hoping that it will be more than the kernel command line we > support. In the sense that for digital signatures one needs to parse > the signature, look at what hash algorithm has been used and then > collect the hash accordingly. It is little different then IMA requirement > of calculating one pre-determine hash for all files. Yes... It is obvious. It's coming. But in general, signer should be aware of requirements and limitation of the platform. It is not really a problem... - Dmitry > > Thanks > Vivek -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
