mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 12:47:00 +00:00
meta-integrity/README.md: update
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
+25
-12
@@ -78,24 +78,21 @@ switch_root from the real rootfs is launched and it must be already signed
|
||||
properly. Otherwise, switch_root will fail to mount the real rootfs and kernel
|
||||
panic will happen due to this failure.
|
||||
|
||||
The default external IMA policy is located at `/etc/ima_policy.default` in
|
||||
initramfs. If a custom external IMA policy file exists at `/etc/ima_policy`,
|
||||
the default external IMA policy file won't be used. In addition, the IMA
|
||||
policies signed by the trusted IMA certificate in the real rootfs is also
|
||||
attempted to be loaded if any.
|
||||
The default external IMA policy is located at `/etc/ima/ima_policy.default` in
|
||||
initramfs.
|
||||
|
||||
###### The custom external IMA policy
|
||||
If the default external IMA policy cannot meet the protection requirement, it
|
||||
is allowed to define the custom external IMA policy.
|
||||
is allowed to define the custom external IMA policy, which will be used instead
|
||||
of the default external IMA policy.
|
||||
|
||||
- Deploy the custom policy file to installer image
|
||||
|
||||
- Create `/opt/installer/sbin/config-installer.sh` in installer image
|
||||
Define the IMA_POLICY variable, pointing to the path of policy file.
|
||||
|
||||
The custom external IMA policy file is eventually installed to `/etc/ima_policy`
|
||||
The custom external IMA policy file is eventually installed to `/etc/ima/ima_policy`
|
||||
in initramfs.
|
||||
|
||||
In addition, the IMA policies signed by the trusted IMA certificate in the real
|
||||
rootfs are also attempted to be loaded if any, in the pattern of file name as
|
||||
`/etc/ima/ima_policy*`.
|
||||
|
||||
##### IMA certificate & private Key
|
||||
The private key come in two flavors; one used to sign all regular files in
|
||||
rootfs and one used by RPM to re-sign the executable, shared library, kernel
|
||||
@@ -113,6 +110,22 @@ default, the sample keys are used for the purpose of development and
|
||||
demonstration. Please ensure you know what your risk is to use the sample keys
|
||||
in your product, because they are completely public.
|
||||
|
||||
### RPM File Signing
|
||||
The payloads in a RPM are signed by the private key during the build, and each
|
||||
IMA signatures for the corresponding payload file will be eventually written
|
||||
to the filesystem during RPM installation.
|
||||
|
||||
In order to check whether a RPM is signed, run the command
|
||||
`rpm -qp --queryformat "%{FILESIGNATURES:arraysize}\n" <rpm>`
|
||||
|
||||
If the result is not none or zero, the specified RPM contains the signed
|
||||
payloads.
|
||||
|
||||
### Tarball Signing
|
||||
Packing the IMA signatures into a tarball is another method to preserve the
|
||||
IMA signatures. Be aware of using `--xattrs --xattrs-include=security\\.ima`
|
||||
with both extraction and creation operations.
|
||||
|
||||
### Best practice
|
||||
The following best practices should be applied with using IMA.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user