On Thu, Oct 19, 2017 at 11:02 AM, Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx> wrote:
> On Thu, Oct 19, 2017 at 8:11 PM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
>> New files won't have EVM signatures. Appraisal will only be performed
>> on executables that are running in a privileged security context.
>
> This patch was there for 3 years to enable policy to require evm
> digital signatures.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git/commit/?h=evm-next&id=580e1ad19dd9917ce8ca5edbdf823c30397ccd47
>
> I was running a system where certain (privileged) components were
> required to use evm signatures.
>
> Before initramfs supported xattrs, we were running from rootfs /init
> and some binaries with EVM signature required. HMAC key was unsealed
> and initialized during this process.
> Now it is also possible to use external initramfs with xattrs and
> require evm digsigs.
>
> You are basically doing the same.

Broadly, but for our case we can't permit the local system to possess a key that can create valid signatures, which means enhancing support for portable asymmetric signatures.