On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote:
> Asymmetric private keys are used to sign multiple files. The kernel
> currently supports checking against blacklisted keys. However, if the
> public key is blacklisted, any file signed by the blacklisted key will
> automatically fail signature verification. We might not want to blacklist
> all the files signed by a particular key, but just a single file.
> Blacklisting the public key is not fine enough granularity.
>
> This patch adds support for checking against the blacklisted hash of the
> file based on the IMA policy. The blacklisted hash is the file hash
> without the appended signature. Defined is a new policy option
> "appraise_flag=check_blacklist".

Please add an example of how to blacklist a file with an appended
signature. The simplest example that works on x86 as well as Power would
be blacklisting a kernel module. The example should include calculating
the kernel module hash without the appended signature, enabling the
Kconfig option (CONFIG_SYSTEM_BLACKLIST_HASH_LIST), and the blacklist
hash format (e.g. "bin:<file hash>").

thanks,

Mimi
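The module example requested above, as an added illustration that is not part of this thread or of the patch. It strips the appended signature the way the kernel's module loader locates it (the "~Module signature appended~\n" magic preceded by the 12-byte struct module_signature, whose big-endian sig_len gives the PKCS#7 blob size), hashes only the remaining module image, and prints the "bin:<hash>" entry. Assumptions: sha256 is the algorithm IMA uses for the file hash on the target system (pass another name if not), and build_signed_sample plus the bytes it is fed are constructed test input, not a real module or signature.

```python
#!/usr/bin/env python3
"""Compute the "bin:<hash>" blacklist entry for a kernel module that carries
an appended signature, hashing only the module image (added example, not
kernel code). Trailer layout, as the kernel's module loader expects it:
    [module image][PKCS#7 signature][struct module_signature, 12 bytes][magic]
"""
import hashlib
import struct
import sys

MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# __pad[3], sig_len (big-endian u32)
MODULE_SIGNATURE = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def strip_appended_signature(data: bytes) -> bytes:
    """Return the module image without its appended signature.

    An unsigned module (no trailing magic) is returned unchanged, so the
    same function yields the bytes to hash in either case.
    """
    if not data.endswith(MODULE_SIG_STRING):
        return data
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < MODULE_SIGNATURE.size:
        raise ValueError("module_signature trailer is truncated")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = \
        MODULE_SIGNATURE.unpack(body[-MODULE_SIGNATURE.size:])
    body = body[:-MODULE_SIGNATURE.size]
    # The kernel only accepts PKCS#7 appended signatures, and for those the
    # other header fields must be zero; reject anything else instead of
    # silently hashing the wrong span.
    if id_type != PKEY_ID_PKCS7 or algo or hash_id or signer_len or key_id_len:
        raise ValueError("unsupported module_signature header")
    if sig_len > len(body):
        raise ValueError("sig_len exceeds file size")
    return body[:len(body) - sig_len]


def blacklist_entry(module_data: bytes, hash_name: str = "sha256") -> str:
    """Build the line for the CONFIG_SYSTEM_BLACKLIST_HASH_LIST file.

    hash_name is assumed to match the algorithm IMA uses for the file hash.
    """
    image = strip_appended_signature(module_data)
    return "bin:" + hashlib.new(hash_name, image).hexdigest()


def build_signed_sample(body: bytes, sig: bytes) -> bytes:
    """Constructed test input: a fake module body with a fake signature blob
    wrapped in the real trailer layout. Neither is a valid ELF or PKCS#7
    object; it only exercises the parsing."""
    trailer = MODULE_SIGNATURE.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return body + sig + trailer + MODULE_SIG_STRING


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python3 blacklist_module.py /lib/modules/$(uname -r)/.../foo.ko
        with open(sys.argv[1], "rb") as f:
            print(blacklist_entry(f.read()))
    else:
        body = b"\x7fELF fake module body"
        signed = build_signed_sample(body, b"0\x82fake pkcs7")
        # Same entry whether or not the signature is appended: the hash
        # covers only the module image.
        print(blacklist_entry(signed))
        print(blacklist_entry(signed) == blacklist_entry(body))
```

The kernel tree's own scripts/extract-module-sig.pl can produce the unsigned image too (its -0 option writes the module without the signature), which can then be fed to sha256sum; the script above just makes the trailer parsing explicit. Once the entry is computed, place it in the file named by CONFIG_SYSTEM_BLACKLIST_HASH_LIST (with CONFIG_SYSTEM_BLACKLIST_KEYRING=y); as I read certs/blacklist_hashes.c, that file is #included into a C string array, so each entry should be written as a quoted, comma-terminated string such as "bin:<hash>", and the kernel rebuilt. An IMA rule for modules would then carry the new option from the patch, e.g. appraise func=MODULE_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist (illustrative rule syntax). Because the hash excludes the signature, re-signing the same module with a different key does not evade the entry, which is the point of blacklisting the file rather than the key.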