Kdump with signed images
zohar at linux.vnet.ibm.com
Thu Oct 25 14:40:21 EDT 2012
On Thu, 2012-10-25 at 10:10 -0400, Vivek Goyal wrote:
> On Thu, Oct 25, 2012 at 02:10:01AM -0400, Mimi Zohar wrote:
> > IMA-appraisal verifies the integrity of file data, while EVM verifies
> > the integrity of the file metadata, such as LSM and IMA-appraisal
> > labels. Both 'security.ima' and 'security.evm' can contain digital
> > signatures.
> But the private key for creating these digital signature needs to be
> on the target system?
Absolutely not. The public key needs to be added to the _ima or _evm
keyrings. Roberto Sassu modified dracut and later made equivalent
changes to systemd. Both have been upstreamed. Dmitry has a package
that labels the filesystem called ima-evm-utils, which supports hash
(IMA), hmac(EVM) and digital signatures(both).
We're hoping that distro's would label all immutable files, not only elf
executables, with digital signatures and mutable files with a hash.
More information about the kexec