mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 12:47:00 +00:00
meta-integrity/README.md: update
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
+14
-15
@@ -97,14 +97,16 @@ The custom external IMA policy file is eventually installed to `/etc/ima_policy`
|
||||
in initramfs.
|
||||
|
||||
##### IMA certificate & private Key
|
||||
The private key come in two flavors; one used by an installer to sign all
|
||||
regular files in rootfs and one used by RPM to re-sign the executable, shared
|
||||
library, kernel module and firmware during RPM installation. Correspondingly,
|
||||
the IMA certificate is used to verify the IMA signature signed by the private
|
||||
key.
|
||||
The private key come in two flavors; one used to sign all regular files in
|
||||
rootfs and one used by RPM to re-sign the executable, shared library, kernel
|
||||
module and firmware during RPM installation. Correspondingly, the IMA
|
||||
certificate is used to verify the IMA signature signed by the private key.
|
||||
|
||||
In addition, initramfs is a good place to import the IMA certificate likewise.
|
||||
|
||||
Note that the IMA certificate must be signed by the system trusted key by
|
||||
design. This guarantees the imported IMA certificate is always trustworthy.
|
||||
|
||||
###### The default IMA certificate & private key
|
||||
The default IMA certificate & private key are generated by the build system. By
|
||||
default, the sample keys are used for the purpose of development and
|
||||
@@ -150,25 +152,22 @@ The following best practices should be applied with using IMA.
|
||||
|
||||
To fix the failure, manually re-sign the affected file.
|
||||
|
||||
Note: RPM installation violates the IMA appraisal but its post_install
|
||||
operation will always re-sign the affected files.
|
||||
|
||||
- Overwriting an existing file with the same content is deemed as tampering of
|
||||
the file.
|
||||
|
||||
- The default IMA rules provides the ability of measuring the boot components
|
||||
and calculating the aggregate integrity value for attesting. However, this
|
||||
function conflicts with encrypted-storage feature which employs PCR policy
|
||||
session to retrieve the passphrase in a safe way. If the installer enables
|
||||
both of them, the default IMA rules will be not used.
|
||||
session to retrieve the passphrase in a safe way. If both of them are
|
||||
enabled, the default IMA rules will be not used.
|
||||
|
||||
### Reference
|
||||
[IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/)
|
||||
[Official IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/)
|
||||
|
||||
[OpenEmbedded layer for EFI Secure Boot](https://github.com/jiazhang0/meta-efi-secure-boot)
|
||||
[OpenEmbedded layer for EFI Secure Boot](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-efi-secure-boot)
|
||||
|
||||
[OpenEmbedded layer for signing key management](https://github.com/jiazhang0/meta-signing-key)
|
||||
[OpenEmbedded layer for signing key management](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-signing-key)
|
||||
|
||||
[OpenEmbedded layer for TPM 1.x](https://github.com/jiazhang0/meta-tpm)
|
||||
[OpenEmbedded layer for TPM 1.x](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-tpm)
|
||||
|
||||
[OpenEmbedded layer for TPM 2.0](https://github.com/jiazhang0/meta-tpm2)
|
||||
[OpenEmbedded layer for TPM 2.0](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-tpm2)
|
||||
|
||||
Reference in New Issue
Block a user