Hi Mimi,
On 10/11/2019 09:19 AM, Mimi Zohar wrote:
On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote:
Asymmetric private keys are used to sign multiple files. The kernel
currently support checking against the blacklisted keys. However, if the
public key is blacklisted, any file signed by the blacklisted key will
automatically fail signature verification. We might not want to blacklist
all the files signed by a particular key, but just a single file.
Blacklisting the public key is not fine enough granularity.
This patch adds support for blacklisting binaries with appended signatures,
based on the IMA policy. Defined is a new policy option
"appraise_flag=check_blacklist".
The blacklisted hash is not the same as the file hash, but is the file
hash without the appended signature. Are there tools for calculating
the blacklisted hash? Can you provide an example?
I have updated the patch description to specify that the blacklisted
hash is the file hash without the appended signature. I hope that makes
it clear now.
Thanks & Regards,
- Nayna