git.baikalelectronics.ru Git - kernel.git/commit

author	Dmitry Kasatkin <d.kasatkin@samsung.com>
	Wed, 5 Nov 2014 15:01:16 +0000 (17:01 +0200)
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>
	Tue, 18 Nov 2014 04:12:01 +0000 (23:12 -0500)
commit	1c9094d275b6ce1948fc1e028e8a168bfdea3fc1
tree	4addf9930efefacc0394ffca22b56cb4e9083fe4	tree \| snapshot
parent	0909c23a45da96957460ea99bd31713be61fb7d9	commit \| diff

ima: require signature based appraisal

This patch provides CONFIG_IMA_APPRAISE_SIGNED_INIT kernel configuration
option to force IMA appraisal using signatures. This is useful, when EVM
key is not initialized yet and we want securely initialize integrity or
any other functionality.

It forces embedded policy to require signature. Signed initialization
script can initialize EVM key, update the IMA policy and change further
requirement of everything to be signed.

Changes in v3:
* kernel parameter fixed to configuration option in the patch description

Changes in v2:
* policy change of this patch separated from the key loading patch

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

security/integrity/ima/Kconfig		diff \| blob \| history
security/integrity/ima/ima_policy.c		diff \| blob \| history