On Sun, 2019-10-20 at 12:06 -0400, Mimi Zohar wrote: > On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote: > > Asymmetric private keys are used to sign multiple files. The kernel > > currently support checking against blacklisted keys. However, if the > > public key is blacklisted, any file signed by the blacklisted key will > > automatically fail signature verification. We might not want to blacklist > > all the files signed by a particular key, but just a single file. > > Blacklisting the public key is not fine enough granularity. > > > > This patch adds support for checking against the blacklisted hash of the > > file based on the IMA policy. The blacklisted hash is the file hash > > without the appended signature. Defined is a new policy option > > "appraise_flag=check_blacklist". > > Please add an example of how to blacklist a file with an appended > signature. The simplest example that works on x86 as well as Power > would be blacklisting a kernel module. The example should include > calculating the kernel module hash without the appended signature, > enabling the Kconfig option (CONFIG_SYSTEM_BLACKLIST_HASH_LIST), and > the blacklist hash format (eg. "bin:<file hash>"). And of course, the IMA appraise kernel module policy rule containing "appraise_flag=check_blacklist". thanks, Mimi
