On Thu, Oct 19, 2017 at 8:11 PM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
> On Thu, Oct 19, 2017 at 8:11 AM, Dmitry Kasatkin
> <dmitry.kasatkin@xxxxxxxxxx> wrote:
>> Hi,
>>
>> 1. I do not get the idea...
>>
>>> ship EVM signatures in packages
>>
>> System up and running EVM without hmac?
>
> Correct.
>
>> How does it create new files without hmac?
>
> New files won't have EVM signatures. Appraisal will only be performed
> on executables that are running in a privileged security context.

This patch was there for 3 years to enable policy to require evm digital signatures.

https://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git/commit/?h=evm-next&id=580e1ad19dd9917ce8ca5edbdf823c30397ccd47

I was running a system where certain (privileged) components were required to use evm signatures.

Before initramfs supported xattrs, we were running from rootfs /init and some binaries with EVM signature required.
HMAC key was unsealed and initialized during this process.

Now it is also possible to use external initramfs with xattrs and require evm digsigs.
You are basically doing the same.

Dmitry

--
Thanks,
Dmitry
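The distinction the thread turns on (an EVM HMAC, which only the box holding the unsealed HMAC key can produce, versus an EVM digital signature, which a packager can create off-box and ship in a package) is visible in the first byte of the security.evm xattr. The script below is an added example, not code from this thread, the kernel or ima-evm-utils: it decodes raw security.evm values using the xattr type ids from the kernel's security/integrity/integrity.h and the signature_v2_hdr layout, then audits a set of files against a "digital signature required" rule of the kind Dmitry describes. The file paths and xattr blobs are constructed test data, not real signatures; the 20-byte HMAC length assumes EVM's default sha1 HMAC. The actual enforcement in the kernel is IMA appraisal; this is an offline check of what is on disk or in a package.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# First byte of a security.evm value selects the xattr flavour.
# Values follow enum evm_ima_xattr_type in the kernel's
# security/integrity/integrity.h.
IMA_XATTR_DIGEST = 0x01
EVM_XATTR_HMAC = 0x02              # machine-local HMAC over metadata (sha1 by default)
EVM_IMA_XATTR_DIGSIG = 0x03        # asymmetric signature, signature_v2_hdr layout
IMA_XATTR_DIGEST_NG = 0x04
EVM_XATTR_PORTABLE_DIGSIG = 0x05   # signature that survives copying between hosts

# Digest ids from include/uapi/linux/hash_info.h (common ones only).
HASH_ALGO_NAMES = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}

SHA1_HMAC_LEN = 20  # assumes the default sha1 EVM HMAC
# struct signature_v2_hdr: type, version, hash_algo, be32 keyid, be16 sig_size
SIG_V2_HDR = struct.Struct(">BBBIH")


@dataclass
class EvmXattr:
    kind: str                    # "hmac", "digsig", "portable-digsig", "other"
    shippable: bool              # produced off-box with a private key?
    hash_algo: Optional[str] = None
    keyid: Optional[str] = None  # hex, low 32 bits of the signing key's SKID
    sig_len: int = 0


def classify_evm_xattr(blob: bytes) -> EvmXattr:
    """Decode a raw security.evm value and report which flavour it is."""
    if not blob:
        raise ValueError("empty security.evm value")
    xtype = blob[0]
    if xtype == EVM_XATTR_HMAC:
        if len(blob) != 1 + SHA1_HMAC_LEN:
            raise ValueError(f"HMAC xattr has unexpected length {len(blob)}")
        return EvmXattr("hmac", shippable=False, hash_algo="sha1",
                        sig_len=SHA1_HMAC_LEN)
    if xtype in (EVM_IMA_XATTR_DIGSIG, EVM_XATTR_PORTABLE_DIGSIG):
        if len(blob) < SIG_V2_HDR.size:
            raise ValueError("signature header truncated")
        _, version, algo, keyid, sig_size = SIG_V2_HDR.unpack_from(blob)
        if version != 2:
            raise ValueError(f"unsupported signature version {version}")
        if len(blob) != SIG_V2_HDR.size + sig_size:
            raise ValueError("xattr length does not match sig_size")
        kind = "digsig" if xtype == EVM_IMA_XATTR_DIGSIG else "portable-digsig"
        return EvmXattr(kind, shippable=True,
                        hash_algo=HASH_ALGO_NAMES.get(algo, f"algo-{algo}"),
                        keyid=f"{keyid:08x}", sig_len=sig_size)
    return EvmXattr("other", shippable=False)


def audit_require_digsig(files: Dict[str, bytes]) -> List[str]:
    """Return the paths whose security.evm is not a digital signature.

    Offline stand-in for a policy requiring EVM digital signatures on
    privileged binaries: malformed values fail too, since the kernel
    would refuse to appraise them.
    """
    failing = []
    for path, blob in sorted(files.items()):
        try:
            info = classify_evm_xattr(blob)
        except ValueError:
            failing.append(path)
            continue
        if not info.shippable:
            failing.append(path)
    return failing


# Constructed sample xattr values (not real signatures or HMACs).
SAMPLE_HMAC = bytes([EVM_XATTR_HMAC]) + bytes(range(SHA1_HMAC_LEN))
SAMPLE_DIGSIG = SIG_V2_HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, 4, 0x11223344, 256) + b"\xaa" * 256
SAMPLE_PORTABLE = SIG_V2_HDR.pack(EVM_XATTR_PORTABLE_DIGSIG, 2, 6, 0x0BADCAFE, 512) + b"\xbb" * 512
SAMPLE_TRUNCATED = SAMPLE_DIGSIG[:40]

SAMPLE_FILES = {  # constructed paths
    "/usr/bin/signed-daemon": SAMPLE_DIGSIG,   # shipped in a package
    "/usr/lib/portable.so": SAMPLE_PORTABLE,
    "/usr/bin/hmac-only": SAMPLE_HMAC,         # sealed on this box only
    "/usr/bin/damaged": SAMPLE_TRUNCATED,
}

if __name__ == "__main__":
    for path, blob in SAMPLE_FILES.items():
        try:
            print(path, classify_evm_xattr(blob))
        except ValueError as exc:
            print(path, "invalid:", exc)
    print("not shippable or invalid:", audit_require_digsig(SAMPLE_FILES))
```

On a live system the blobs would come from `os.getxattr(path, "security.evm")`; the point of the split is that `hmac` entries can only exist on a machine whose HMAC key has already been unsealed, while `digsig` and `portable-digsig` entries can be verified against a public key in the kernel keyring before any HMAC key is available, which is what lets the privileged binaries in an initramfs be appraised.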