Re: Spec needed for ima-modsig template

On 1/2/2020 3:25 PM, Mimi Zohar wrote:
> On Thu, 2020-01-02 at 15:10 -0500, Ken Goldman wrote:
>> I'm trying to document the ima-modsig template and then write a parser.
>> Can anyone help me complete it?
>>
>> 1 - What the implementation does today is interesting.  Even better would
>> be what the implementation is permitted to do so that the parser will
>> handle future changes.
>>
>> 2 - My understanding so far:
>>
>>       ima-modsig    is    d-ng | n-ng | sig | d-modsig | modsig
>>
>>       where (both have a prepended uint32_t length)
>>
>>       d-modsig      is    d-ng, filedata hash, omitting the
>>                           appended modsig signature
>>       modsig        is    pkcs7DER, appended signature
>>
>> My immediate issue is that the d-modsig should be a length +
>> hash algorithm + file data hash.  However, the length in my sample log
>> is sometimes zero, which I did not expect.
>>
>> I.e., is it legal for an ima-modsig template to contain an empty d-modsig
>> item?
>>
>> Can the modsig item also be empty?
>
> Like the "sig" field in the "ima-sig" template, both the "d-modsig"
> and "modsig" fields in the "ima-modsig" template may be empty.

I understand sig being empty if the file isn't signed.  Same with modsig.  The verifier could flag that.

However, d-modsig is a hash.  How should a parser interpret a missing [file data] hash?  Under what conditions would that be legal / illegal / something to flag to an admin UI?
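The parser Ken is describing, written out as an added example (this is not code from the thread, from Ken's tooling, or from the kernel). It reads records in the layout of the binary measurement log (uint32 PCR, template digest, uint32 name length, name, uint32 data length, data), splits the template data into the uint32-length-prefixed fields the thread describes, decodes d-ng/d-modsig as `algo:\0` followed by the raw digest, and tolerates empty d-modsig and modsig fields as Mimi says is legal. Assumptions: little-endian host order, a 20-byte SHA1 template digest computed over the template data as logged, and the `classify` policy for the empty-field combinations, which is the parser author's choice (the kernel mandates nothing here). The sample log is constructed inline; the DER bytes in it are placeholders, not a real PKCS#7 blob.

```python
"""Parse ima-modsig records from an IMA binary measurement log (example)."""
import hashlib
import struct

# Field order of the ima-modsig template, as given in the thread.
IMA_MODSIG_FIELDS = ("d-ng", "n-ng", "sig", "d-modsig", "modsig")


def split_fields(data):
    """Split template data into its uint32-length-prefixed fields.
    A zero length yields an empty field rather than an error."""
    fields, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated field length at offset %d" % off)
        (n,) = struct.unpack_from("<I", data, off)  # assumed LE host order
        off += 4
        if off + n > len(data):
            raise ValueError("field length %d overruns template data" % n)
        fields.append(data[off:off + n])
        off += n
    return fields


def parse_digest_field(raw):
    """Decode a d-ng / d-modsig field: b'<algo>:\\0' + raw digest.
    Returns None for an empty field (legal for d-modsig per the thread)."""
    if not raw:
        return None
    sep = raw.find(b":\x00")
    if sep < 0:
        raise ValueError("digest field lacks 'algo:\\0' prefix")
    algo = raw[:sep].decode("ascii")
    digest = raw[sep + 2:]
    expected = hashlib.new(algo).digest_size  # raises on unknown algo
    if len(digest) != expected:
        raise ValueError("%s digest is %d bytes, expected %d" % (algo, len(digest), expected))
    return algo, digest.hex()


def parse_ima_modsig(data):
    fields = split_fields(data)
    if len(fields) != len(IMA_MODSIG_FIELDS):
        raise ValueError("ima-modsig expects 5 fields, got %d" % len(fields))
    d_ng, n_ng, sig, d_modsig, modsig = fields
    if not d_ng:
        raise ValueError("d-ng (file hash) must not be empty")
    return {
        "d-ng": parse_digest_field(d_ng),
        "n-ng": n_ng.rstrip(b"\x00").decode("utf-8", "replace"),
        "sig": sig,            # xattr-style IMA signature; may be empty
        "d-modsig": parse_digest_field(d_modsig),
        "modsig": modsig,      # appended PKCS#7 DER; may be empty
    }


def classify(entry):
    """Assumed verifier policy for the empty-field combinations the
    thread asks about; a real verifier would decide these per site."""
    has_sig, has_modsig = bool(entry["sig"]), bool(entry["modsig"])
    has_dmodsig = entry["d-modsig"] is not None
    if has_modsig and not has_dmodsig:
        return "FLAG: modsig present but d-modsig empty"
    if has_dmodsig and not has_modsig:
        return "FLAG: d-modsig present but modsig empty"
    if has_modsig:
        return "appended-signature"
    if has_sig:
        return "xattr-signature"
    return "unsigned"


def parse_entry(log, off=0):
    """One record: pcr, 20-byte template digest (SHA1 assumed), name, data.
    Returns (record, next_offset)."""
    (pcr,) = struct.unpack_from("<I", log, off); off += 4
    tdigest = log[off:off + 20]; off += 20
    (nlen,) = struct.unpack_from("<I", log, off); off += 4
    name = log[off:off + nlen].decode("ascii"); off += nlen
    (dlen,) = struct.unpack_from("<I", log, off); off += 4
    data = log[off:off + dlen]; off += dlen
    # Assumption: for -ng style templates the template digest covers the
    # template data exactly as logged (each field's uint32 length + bytes).
    digest_ok = hashlib.sha1(data).digest() == tdigest
    return {"pcr": pcr, "name": name, "digest_ok": digest_ok, "data": data}, off


def parse_log(log):
    out, off = [], 0
    while off < len(log):
        rec, off = parse_entry(log, off)
        if rec["name"] == "ima-modsig":
            fields = parse_ima_modsig(rec["data"])
            rec.update(fields=fields, verdict=classify(fields))
        out.append(rec)
    return out


# --- constructed sample log (not captured from a real system) -------------
def _field(raw):
    return struct.pack("<I", len(raw)) + raw

def _entry(pcr, name, fields):
    data = b"".join(_field(f) for f in fields)
    return (struct.pack("<I", pcr) + hashlib.sha1(data).digest()
            + struct.pack("<I", len(name)) + name
            + struct.pack("<I", len(data)) + data)

D_NG = b"sha256:\x00" + hashlib.sha256(b"file plus appended sig (constructed)").digest()
D_MODSIG = b"sha256:\x00" + hashlib.sha256(b"file without appended sig (constructed)").digest()
FAKE_DER = b"\x30\x82\x01\x00"  # placeholder, not a real PKCS#7 blob
SAMPLE_LOG = (
    _entry(10, b"ima-modsig", [D_NG, b"/lib/modules/foo.ko\x00", b"", D_MODSIG, FAKE_DER])
    + _entry(10, b"ima-modsig", [D_NG, b"/usr/bin/ls\x00", b"", b"", b""])      # both empty
    + _entry(10, b"ima-modsig", [D_NG, b"/opt/odd.ko\x00", b"", b"", FAKE_DER])  # the odd case
)

if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(r["fields"]["n-ng"], "digest_ok=%s" % r["digest_ok"], r["verdict"])
```

Running it prints one line per record; the third record is the case Ken raises (a modsig with no d-modsig to check it against) and comes out flagged rather than rejected, leaving the legal/illegal decision to the caller.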