Hi David, On Mon, 2017-04-10 at 14:19 +0100, David Howells wrote: > Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote: > > > From an IMA perspective, either a file hash or signature are valid, > > but for this usage it must be a signature. > > Not necessarily. If IMA can guarantee that a module is the same based on its > hash rather than on a key, I would've thought that should be fine. File hashes can be modified on the running system, so they're normally used, in conjunction with EVM, to detect off line modification of mutable files and prevent their usage. These patches https://lkml.org/lkml/2017/5/2/465 should provide some of the missing functionality. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html