README.md: update to claim the support of modsign

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
This commit is contained in:
Jia Zhang
2017-11-21 09:33:01 -05:00
parent 59ca43808c
commit 5758c189a3
+10 -1
View File
@@ -44,7 +44,7 @@ which provides transparent encryption of block devices using the kernel crypto
API. Additionally, the utility cryptsetup is used to conveniently setup disk API. Additionally, the utility cryptsetup is used to conveniently setup disk
encryption based on device-mapper crypt target. encryption based on device-mapper crypt target.
#### Integrity #### IMA
The Linux IMA subsystem introduces hooks within the Linux kernel to support The Linux IMA subsystem introduces hooks within the Linux kernel to support
measuring the integrity of files that are loaded (including application code) measuring the integrity of files that are loaded (including application code)
before it is executed or mmap()ed to memory. The measured value (hash) is then before it is executed or mmap()ed to memory. The measured value (hash) is then
@@ -65,6 +65,15 @@ files and applications to be loaded if the hashes match (and will save the
updated hash if the file is modified) but refuse to load it if it doesn't. This updated hash if the file is modified) but refuse to load it if it doesn't. This
provides some protection against offline tampering of the files. provides some protection against offline tampering of the files.
#### MODSIGN
This feature provides the signature check for loading a kernel module. The
signing key must be authenticated by a system trusted key already imported
to the system trusted keyring.
If the kernel module is not signed, or signed by a signing key not matching
up an imported system trusted key, kernel would refuse to load such a kernel
module.
#### RPM signing #### RPM signing
This feature provides the integrity verification for the RPM package. This feature provides the integrity verification for the RPM package.