Hello James, Thanks for you interest in these patches. James Morris <jmorris@xxxxxxxxx> writes: > On Fri, 16 Nov 2018, Thiago Jung Bauermann wrote: > >> On the OpenPOWER platform, secure boot and trusted boot are being >> implemented using IMA for taking measurements and verifying signatures. >> Since the kernel image on Power servers is an ELF binary, kernels are >> signed using the scripts/sign-file tool and thus use the same signature >> format as signed kernel modules. >> >> This patch series adds support in IMA for verifying those signatures. > > Are you saying you use IMA to verify kernels during boot? From a Linux > bootloader? Yes to both. OpenPOWER machines have embedded in their firmware a Linux kernel and initramfs to use as bootloader, using Petitboot. kexec is used to load the OS and boot it. >> It adds flexibility to OpenPOWER secure boot, because it allows it to boot >> kernels with the signature appended to them as well as kernels where the >> signature is stored in the IMA extended attribute. > > Just to clarify, with these patches, IMA will be able to verify the > native form of signed kernel modules? That wasn't my use case to develop the patches, but I just tested and it works. I just had to make a slight modification: there's a whitelist of IMA hooks that are allowed to use the module signature format (in the ima_hook_supports_modsig function), and I had to add MODULE_CHECK to it. The next version of the patches will have this change. The only difference is that IMA looks for a valid key in the IMA keyring, while the CONFIG_MODULE_SIG code looks for the module signing key in the builtin and secondary trusted keyrings. > i.e. without xattrs at all, and > this will work with existing signed modules? No xattrs at all, and yes. -- Thiago Jung Bauermann IBM Linux Technology Center
