06 Aug, 2019

1 commit

  • Define a new "d-modsig" template field which holds the digest that is
    expected to match the one contained in the modsig, and also a new "modsig"
    template field which holds the appended file signature.

    Add a new "ima-modsig" defined template descriptor with the new fields as
    well as the ones from the "ima-sig" descriptor.

    Change ima_store_measurement() to accept a struct modsig * argument so that
    it can be passed along to the templates via struct ima_event_data.

    Suggested-by: Mimi Zohar
    Signed-off-by: Thiago Jung Bauermann
    Signed-off-by: Mimi Zohar

    Thiago Jung Bauermann

01 Jul, 2019

1 commit

  • A buffer (kexec boot command line arguments) measured into the IMA
    measurement list cannot be appraised without already being
    aware of the buffer contents. Since hashes are non-reversible,
    the raw buffer is needed for validation or regenerating the hash for
    appraisal/attestation.

    Add support to store/read the buffer contents in HEX.
    The kexec cmdline hash is stored in the "d-ng" field of the
    template data. It can be verified using
    sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements |
    grep kexec-cmdline | cut -d' ' -f 6 | xxd -r -p | sha256sum

    - Add two new fields to ima_event_data to hold the buf and
    buf_len
    - Add a new template field 'buf' to be used to store/read
    the buffer data.
    - Update process_buffer_measurement to add the buffer to
    ima_event_data. process_buffer_measurement was added in
    "Define a new IMA hook to measure the boot command line
    arguments"
    - Add a new template policy name ima-buf to represent
    'd-ng|n-ng|buf'

    Signed-off-by: Prakhar Srivastava
    Reviewed-by: Roberto Sassu
    Reviewed-by: James Morris
    Signed-off-by: Mimi Zohar

    Prakhar Srivastava
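The shell pipeline in the commit message above checks one column of one entry by hand. The script below is an added example (not kernel code and not part of the patch) that does the same verification programmatically for every ima-buf entry in an ascii_runtime_measurements dump: it parses the 'd-ng|n-ng|buf' layout the commit defines (pcr, template hash, template name, algo:digest, event name, hex buffer), hex-decodes the buf column, recomputes the digest with the algorithm named in d-ng, and reports whether it matches. It also shows the appraisal step the commit motivates: once the raw buffer is available, the decoded cmdline can be compared with the cmdline the verifier expects. The sample lines are constructed inline; the template-hash column in them is a placeholder of zeros, since recomputing the template hash is outside what this example demonstrates.

```python
"""Verify 'ima-buf' entries (d-ng|n-ng|buf) from ascii_runtime_measurements.

Added example, not kernel code.  Column layout assumed from the commit text:
  <pcr> <template-hash> ima-buf <algo>:<hex digest> <event-name> <hex buf>
"""
import hashlib


def parse_ima_buf_line(line):
    """Split one ima-buf measurement line into its fields (hex columns decoded)."""
    fields = line.split()
    if len(fields) != 6 or fields[2] != "ima-buf":
        raise ValueError("not an ima-buf entry: %r" % line)
    pcr, template_hash, _template, d_ng, n_ng, buf_hex = fields
    algo, sep, digest_hex = d_ng.partition(":")
    if not sep or not digest_hex:
        raise ValueError("malformed d-ng field: %r" % d_ng)
    return {
        "pcr": int(pcr),
        "template_hash": template_hash,
        "algo": algo,                      # e.g. "sha256", as IMA names it
        "digest": bytes.fromhex(digest_hex),
        "name": n_ng,                      # e.g. "kexec-cmdline"
        "buf": bytes.fromhex(buf_hex),     # the raw measured buffer
    }


def verify_buf_digest(entry):
    """Recompute the digest over the raw buffer and compare with d-ng."""
    h = hashlib.new(entry["algo"])
    h.update(entry["buf"])
    return h.digest() == entry["digest"]


def kexec_cmdlines(lines):
    """Return (cmdline, digest_ok) for every kexec-cmdline entry in the list."""
    out = []
    for line in lines:
        if " ima-buf " not in line:        # skip ima-ng / ima-sig entries
            continue
        entry = parse_ima_buf_line(line)
        if entry["name"] != "kexec-cmdline":
            continue
        cmdline = entry["buf"].decode("ascii", "replace")
        out.append((cmdline, verify_buf_digest(entry)))
    return out


def appraise_cmdline(entry, expected_cmdline):
    """Appraisal: the digest must be consistent AND the buffer must equal what we expect."""
    return verify_buf_digest(entry) and entry["buf"] == expected_cmdline.encode()


# --- constructed sample input (not captured from a real system) ---------------
def _make_line(name, buf, pcr=10, algo="sha256"):
    digest_hex = hashlib.new(algo, buf).hexdigest()
    # template-hash column is a placeholder; it is not recomputed in this example
    return "%d %s ima-buf %s:%s %s %s" % (pcr, "0" * 40, algo, digest_hex, name, buf.hex())


EXPECTED_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_GOOD = _make_line("kexec-cmdline", EXPECTED_CMDLINE.encode())
# tampered log: buf column rewritten after measurement, digest left untouched
SAMPLE_TAMPERED = SAMPLE_GOOD.rsplit(" ", 1)[0] + " " + \
    b"BOOT_IMAGE=/vmlinuz root=/dev/sda1 rw init=/bin/sh".hex()
SAMPLE_OTHER_TEMPLATE = "10 %s ima-ng sha256:%s /usr/bin/ls" % ("0" * 40, "00" * 32)

if __name__ == "__main__":
    for cmdline, ok in kexec_cmdlines([SAMPLE_GOOD, SAMPLE_TAMPERED, SAMPLE_OTHER_TEMPLATE]):
        print("digest %s: %s" % ("ok " if ok else "BAD", cmdline))
    good = parse_ima_buf_line(SAMPLE_GOOD)
    print("appraisal:", appraise_cmdline(good, EXPECTED_CMDLINE))
```

To run it against a live system, replace the sample list with the lines of /sys/kernel/security/integrity/ima/ascii_runtime_measurements (read as root). Note that the digest check only proves the buf column is consistent with d-ng; it says nothing about whether the measurement itself is trustworthy, which is what the template hash and the PCR quote are for.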

19 May, 2017

1 commit