git.baikalelectronics.ru Git - kernel.git/commit

author	Dmitry Kasatkin <d.kasatkin@samsung.com>
	Wed, 5 Nov 2014 15:01:16 +0000 (17:01 +0200)
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>
	Tue, 18 Nov 2014 04:12:01 +0000 (23:12 -0500)
commit	19297f0d8156c55c9f056bf54f00402ba912f9f5
tree	4addf9930efefacc0394ffca22b56cb4e9083fe4	tree \| snapshot
parent	20d597e7611bf1038d650645077462959b039ee0	commit \| diff

ima: require signature based appraisal

This patch provides CONFIG_IMA_APPRAISE_SIGNED_INIT kernel configuration
option to force IMA appraisal using signatures. This is useful, when EVM
key is not initialized yet and we want securely initialize integrity or
any other functionality.

It forces embedded policy to require signature. Signed initialization
script can initialize EVM key, update the IMA policy and change further
requirement of everything to be signed.

Changes in v3:
* kernel parameter fixed to configuration option in the patch description

Changes in v2:
* policy change of this patch separated from the key loading patch

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

security/integrity/ima/Kconfig		diff \| blob \| history
security/integrity/ima/ima_policy.c		diff \| blob \| history