On Thu, Oct 19, 2017 at 9:02 PM, Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx> wrote:
> On Thu, Oct 19, 2017 at 8:11 PM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
>> On Thu, Oct 19, 2017 at 8:11 AM, Dmitry Kasatkin
>> <dmitry.kasatkin@xxxxxxxxxx> wrote:
>>> Hi,
>>>
>>> 1. I do not get the idea...
>>>
>>>> ship EVM signatures in packages
>>>
>>> System up and running EVM without hmac?
>>
>> Correct.
>>
>>> How it creates new files without hmac?
>>
>> New files won't have EVM signatures. Appraisal will only be performed
>> on executables that are running in a privileged security context.
>
> This patch was there for 3 years to enable policy to require evm
> digital signatures.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git/commit/?h=evm-next&id=580e1ad19dd9917ce8ca5edbdf823c30397ccd47
>
> I was running a system where certain (privileged) components were
> required to use evm signatures.
>
> Before initramfs supported xattrs, we were running from rootfs /init
> and some binaries with EVM signature required. HMAC key was unsealed
> and initialized during this process.
> Now it is also possible to use external initramfs with xattrs and
> require evm digsigs.
>
> You are basically doing the same.
>

OK. I got the use case. No hmac at all.

Currently EVM is enabled if any of the keys (symmetric or public) is loaded.
Currently with only public key, it works fine when rootfs is mounted
read-only, because no need to generate hmac.
But when fully running and remounted rw, then it would require HMAC.

So we need a way to have only evm signatures.

--
Thanks,
Dmitry