meta-integrity/README.md: update

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
Lans Zhang
2017-08-16 10:47:33 +08:00
parent 4b41056970
commit 9fc35f2627
+25 -12
View File
@@ -78,24 +78,21 @@ switch_root from the real rootfs is launched and it must be already signed
properly. Otherwise, switch_root will fail to mount the real rootfs and kernel
panic will happen due to this failure.
The default external IMA policy is located at `/etc/ima_policy.default` in
initramfs. If a custom external IMA policy file exists at `/etc/ima_policy`,
the default external IMA policy file won't be used. In addition, the IMA
policies signed by the trusted IMA certificate in the real rootfs is also
attempted to be loaded if any.
The default external IMA policy is located at `/etc/ima/ima_policy.default` in
initramfs.
###### The custom external IMA policy
If the default external IMA policy cannot meet the protection requirement, it
is allowed to define the custom external IMA policy.
is allowed to define the custom external IMA policy, which will be used instead
of the default external IMA policy.
- Deploy the custom policy file to installer image
- Create `/opt/installer/sbin/config-installer.sh` in installer image
Define the IMA_POLICY variable, pointing to the path of policy file.
The custom external IMA policy file is eventually installed to `/etc/ima_policy`
The custom external IMA policy file is eventually installed to `/etc/ima/ima_policy`
in initramfs.
In addition, the IMA policies signed by the trusted IMA certificate in the real
rootfs are also attempted to be loaded if any, in the pattern of file name as
`/etc/ima/ima_policy*`.
##### IMA certificate & private Key
The private key come in two flavors; one used to sign all regular files in
rootfs and one used by RPM to re-sign the executable, shared library, kernel
@@ -113,6 +110,22 @@ default, the sample keys are used for the purpose of development and
demonstration. Please ensure you know what your risk is to use the sample keys
in your product, because they are completely public.
### RPM File Signing
The payloads in a RPM are signed by the private key during the build, and each
IMA signatures for the corresponding payload file will be eventually written
to the filesystem during RPM installation.
In order to check whether a RPM is signed, run the command
`rpm -qp --queryformat "%{FILESIGNATURES:arraysize}\n" <rpm>`
If the result is not none or zero, the specified RPM contains the signed
payloads.
### Tarball Signing
Packing the IMA signatures into a tarball is another method to preserve the
IMA signatures. Be aware of using `--xattrs --xattrs-include=security\\.ima`
with both extraction and creation operations.
### Best practice
The following best practices should be applied with using IMA.