On Thu, Oct 19, 2017 at 9:15 PM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
> On Thu, Oct 19, 2017 at 11:02 AM, Dmitry Kasatkin
> <dmitry.kasatkin@xxxxxxxxx> wrote:
>> On Thu, Oct 19, 2017 at 8:11 PM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
>>> New files won't have EVM signatures. Appraisal will only be performed
>>> on executables that are running in a privileged security context.
>>
>> This patch was there for 3 years to enable policy to require evm
>> digital signatures.
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git/commit/?h=evm-next&id=580e1ad19dd9917ce8ca5edbdf823c30397ccd47
>>
>> I was running a system where certain (privileged) components were
>> required to use evm signatures.
>>
>> Before initramfs supported xattrs, we were running from rootfs /init
>> and some binaries with EVM signature required. HMAC key was unsealed
>> and initialized during this process.
>> Now it is also possible to use external initramfs with xattrs and
>> require evm digsigs.
>>
>> you are basically doing the same.
>
> Broadly, but for our case we can't permit the local system to possess
> a key that can create valid signatures, which means enhancing support
> for portable asymmetric signatures.

I was not there as well. Binaries were EVM signed on the build system.
Runtime did not have private key.