On Thu, Nov 9, 2017 at 11:13 AM, Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote:
> On 11/9/2017 3:47 PM, Matthew Garrett wrote:
>> There's no need to have a policy that measures those files, because
>> they're part of the already-measured initramfs. Just set the IMA
>> policy after you've loaded the digest list.
>
> The default IMA policy measures files accessed from the initial ram
> disk. It is easier to verify individual files, rather than the whole
> image.

That's a matter of implementation. You're not forced to use the default policy.

>> This seems very over-complicated, and it's unclear why the kernel
>> needs to open the file itself. You *know* that all of userland is
>
> You can have a look at ima_fs.c. If appraisal is in enforcing mode,
> direct upload of a policy is not permitted. The kernel reads the policy,
> calculates the digest, and verifies the signature.

Is there an expectation that you'll load additional digest lists at runtime?

>> trustworthy at this point even in the absence of signatures. It seems
>> reasonable to provide an interface that allows userland to pass a
>> digest list to the kernel, in the same way that userland can pass an
>> IMA policy to the kernel. You can then restrict access to that
>> interface via an LSM.
>
> Then digest lists cannot be used alone, without an LSM. Also, verifiers
> have to check the LSM policy to ensure that only the parser was able to
> upload the digest lists.

Only if you want to add additional digest lists at runtime, but yes, you really want to be verifying the LSM policy in any case.
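The thread turns on what a remote verifier has to do with the IMA measurement log: with the default policy, every file touched from the initramfs shows up as its own log entry, and a verifier checks each one against a known set of good digests (a digest list). The following is an added example, not code from the thread, from Roberto's patch set, or from the kernel; it is a minimal attestation-side verifier written in Python. It assumes the ima-ng line format that the kernel exposes in /sys/kernel/security/ima/ascii_runtime_measurements (`<pcr> <template-hash> <template-name> <algo>:<digest> <path>`), uses constructed log lines and a constructed digest list, and replays PCR 10 by SHA-1-extending only the template-hash column, which is a simplification: a production verifier recomputes each template hash from the binary log before trusting the column.

```python
"""Added example: check an IMA ascii measurement log against a digest list.

Not code from the mailing-list thread or from the kernel. The log lines and
the digest list below are constructed samples.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Entry:
    pcr: int
    template_hash: str   # hex SHA-1 of the template data (as logged)
    template: str        # e.g. "ima-ng"
    algo: str            # e.g. "sha256"
    digest: str          # hex file digest
    path: str            # path hint recorded by the kernel


# Constructed ascii_runtime_measurements content (ima-ng template).
# Template hashes and file digests are obviously synthetic values.
SAMPLE_LOG = "\n".join([
    "10 " + "1d" * 20 + " ima-ng sha256:" + "11" * 32 + " boot_aggregate",
    "10 " + "0b" * 20 + " ima-ng sha256:" + "aa" * 32 + " /init",
    "10 " + "9f" * 20 + " ima-ng sha256:" + "bb" * 32 + " /bin/busybox",
    "10 " + "12" * 20 + " ima-ng sha256:" + "cc" * 32 + " /tmp/dropped_binary",
]) + "\n"

# Constructed digest list: the digests a verifier expects for the files that
# ship in the already-measured initramfs (plus the expected boot_aggregate).
DIGEST_LIST = {
    "sha256:" + "11" * 32,
    "sha256:" + "aa" * 32,
    "sha256:" + "bb" * 32,
}


def parse_log(text: str) -> list[Entry]:
    """Parse ima-ng lines. maxsplit=4 keeps paths containing spaces intact."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, thash, template, algo_digest, path = line.split(maxsplit=4)
        algo, digest = algo_digest.split(":", 1)
        entries.append(Entry(int(pcr), thash, template, algo, digest, path))
    return entries


def find_unknown(entries: list[Entry], digest_list: set[str]) -> list[Entry]:
    """Entries whose file digest is not in the digest list (needs a closer look)."""
    return [e for e in entries if f"{e.algo}:{e.digest}" not in digest_list]


def replay_pcr(entries: list[Entry], pcr: int = 10) -> str:
    """Replay the PCR by extending each template hash in log order.

    Simplification: trusts the logged template-hash column. A real verifier
    recomputes it from the binary log before comparing with the TPM quote.
    """
    value = bytes(20)  # PCR starts at all zeroes
    for e in entries:
        if e.pcr != pcr:
            continue
        value = hashlib.sha1(value + bytes.fromhex(e.template_hash)).digest()
    return value.hex()


def main() -> None:
    entries = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} entries, replayed PCR10 = {replay_pcr(entries)}")
    for e in find_unknown(entries, DIGEST_LIST):
        print(f"not in digest list: {e.path} ({e.algo}:{e.digest})")


if __name__ == "__main__":
    main()
```

Replaying the PCR and comparing it with a TPM quote is what makes the log trustworthy; checking digests against the list is what makes it useful. Both checks are independent of how the digest list reached the kernel, which is why the LSM policy that guards that path (the point Matthew makes above) also has to be part of what the verifier inspects.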