On May 12, 2019 5:02:30 PM PDT, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>On Sun, 2019-05-12 at 17:31 +0200, Dominik Brodowski wrote:
>> On Sun, May 12, 2019 at 08:52:47AM -0400, Mimi Zohar wrote:
>
>> > It's too late. The /init itself should be signed and verified.
>>
>> Could you elaborate a bit more about the threat model, and why deferring
>> this to the initramfs is too late?
>
>The IMA policy defines a number of different methods of identifying
>which files to measure, appraise, audit.[1] Without xattrs, the
>granularity of the policy rules is severely limited. Without xattrs,
>a filesystem is either in policy, or not.
>
>With an IMA policy rule requiring rootfs (tmpfs) files to be verified,
>then /init needs to be properly labeled, otherwise /init will fail to
>execute.
>
>Mimi
>
>[1] Documentation/ABI/testing/ima_policy

And the question is what is the sense in that, especially if /init is provided as part of the kernel itself.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
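As an added illustration of the policy mechanism discussed above (this is not code from the thread or from the kernel tree), the script below writes an IMA policy in the rule syntax of Documentation/ABI/testing/ima_policy that puts the whole initial rootfs "in policy" by filesystem magic, and then shows the labelling step /init needs once such a rule is active. TMPFS_MAGIC is 0x01021994 from include/uapi/linux/magic.h; the key path in the usage comment is a hypothetical placeholder, and the securityfs path assumes the usual mount point.

```shell
#!/bin/sh
# Added example: an IMA policy that puts the initial rootfs (tmpfs) "in policy",
# plus the labelling step /init then needs. Not from the thread or the kernel
# tree; the key path and file names in the usage comment are assumptions.

# TMPFS_MAGIC from include/uapi/linux/magic.h. A rule keyed on fsmagic applies
# to every file on that filesystem type, so without per-file xattrs this is the
# only granularity the rule has: the whole rootfs is either in policy or not.
TMPFS_MAGIC=0x01021994

# Emit the policy rules. BPRM_CHECK covers execve(); appraise_type=imasig makes
# appraisal require a signature in security.ima rather than a bare hash.
ima_rootfs_policy() {
    cat <<EOF
measure func=BPRM_CHECK fsmagic=${TMPFS_MAGIC}
appraise func=BPRM_CHECK fsmagic=${TMPFS_MAGIC} appraise_type=imasig
EOF
}

# Load the rules into the running kernel through securityfs (needs root and a
# kernel built with CONFIG_IMA; this is where the IMA policy interface lives).
ima_load_policy() {
    ima_rootfs_policy > /sys/kernel/security/ima/policy
}

# Label a file so an imasig appraise rule can pass: evmctl (ima-evm-utils)
# signs the file hash with the given private key and stores the signature in
# the security.ima xattr. The matching public key must already be on the
# .ima keyring for the kernel to verify it.
ima_sign_file() {
    key=$1 file=$2
    evmctl ima_sign --key "$key" "$file"
}

# Report whether a file carries a security.ima xattr at all. A file unpacked
# into rootfs by a path that drops xattrs comes out unlabeled here, which is
# exactly the case in which /init fails to execute under the rule above.
ima_has_label() {
    getfattr -n security.ima --only-values "$1" >/dev/null 2>&1
}

# Usage (as root, with /init still present on the rootfs):
#   ima_load_policy
#   ima_sign_file /etc/keys/privkey_ima.pem /init   # hypothetical key path
#   ima_has_label /init && echo "/init is labeled"
```

The point the functions make explicit: `ima_rootfs_policy` selects files by filesystem type only, so it can say nothing about /init in particular; whether /init executes then depends entirely on whether the `security.ima` xattr written by `ima_sign_file` survives into the rootfs, which `ima_has_label` checks.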