mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 04:36:58 +00:00
README.md: update to claim the support of modsign
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
This commit is contained in:
@@ -44,7 +44,7 @@ which provides transparent encryption of block devices using the kernel crypto
|
||||
API. Additionally, the utility cryptsetup is used to conveniently setup disk
|
||||
encryption based on device-mapper crypt target.
|
||||
|
||||
#### Integrity
|
||||
#### IMA
|
||||
The Linux IMA subsystem introduces hooks within the Linux kernel to support
|
||||
measuring the integrity of files that are loaded (including application code)
|
||||
before it is executed or mmap()ed to memory. The measured value (hash) is then
|
||||
@@ -65,6 +65,15 @@ files and applications to be loaded if the hashes match (and will save the
|
||||
updated hash if the file is modified) but refuse to load it if it doesn't. This
|
||||
provides some protection against offline tampering of the files.
|
||||
|
||||
#### MODSIGN
|
||||
This feature provides the signature check for loading a kernel module. The
|
||||
signing key must be authenticated by a system trusted key already imported
|
||||
to the system trusted keyring.
|
||||
|
||||
If the kernel module is not signed, or signed by a signing key not matching
|
||||
up an imported system trusted key, kernel would refuse to load such a kernel
|
||||
module.
|
||||
|
||||
#### RPM signing
|
||||
This feature provides the integrity verification for the RPM package.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user