Kdump with signed images
zohar at linux.vnet.ibm.com
Fri Oct 26 13:59:34 EDT 2012
On Fri, 2012-10-26 at 03:39 +0100, Matthew Garrett wrote:
> On Thu, Oct 25, 2012 at 09:15:58PM -0400, Mimi Zohar wrote:
> > On a running system, the package installer, after verifying the package
> > integrity, would install each file with the associated 'security.ima'
> > extended attribute. The 'security.evm' digital signature would be
> > installed with an HMAC, calculated using a system unique key.
> The idea isn't to prevent /sbin/kexec from being modified after
> installation - it's to prevent it from being possible to install a
> system that has a modified /sbin/kexec.
> Leaving any part of this up to
> the package installer means that it doesn't solve the problem we're
> trying to solve here. It must be impossible for the kernel to launch any
> /sbin/kexec that hasn't been signed by a trusted key that's been built
> into the kernel,
With Dmitry's patch "5e0d1a4 ima: added policy support for security.ima
type", or something similar, we can force 'security.ima' to a specific
type, in this case, a digital signature. With that patch, this
shouldn't be a problem.
> and it must be impossible for anything other than
> /sbin/kexec to make the kexec system call.
Permission is a MAC issue. :)
More information about the kexec