meta-integrity/README.md: update

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
Lans Zhang
2017-08-15 13:19:02 +08:00
parent c912483e87
commit c8fff6a0ff
+14 -15
View File
@@ -97,14 +97,16 @@ The custom external IMA policy file is eventually installed to `/etc/ima_policy`
in initramfs.
##### IMA certificate & private Key
The private key come in two flavors; one used by an installer to sign all
regular files in rootfs and one used by RPM to re-sign the executable, shared
library, kernel module and firmware during RPM installation. Correspondingly,
the IMA certificate is used to verify the IMA signature signed by the private
key.
The private key come in two flavors; one used to sign all regular files in
rootfs and one used by RPM to re-sign the executable, shared library, kernel
module and firmware during RPM installation. Correspondingly, the IMA
certificate is used to verify the IMA signature signed by the private key.
In addition, initramfs is a good place to import the IMA certificate likewise.
Note that the IMA certificate must be signed by the system trusted key by
design. This guarantees the imported IMA certificate is always trustworthy.
###### The default IMA certificate & private key
The default IMA certificate & private key are generated by the build system. By
default, the sample keys are used for the purpose of development and
@@ -150,25 +152,22 @@ The following best practices should be applied with using IMA.
To fix the failure, manually re-sign the affected file.
Note: RPM installation violates the IMA appraisal but its post_install
operation will always re-sign the affected files.
- Overwriting an existing file with the same content is deemed as tampering of
the file.
- The default IMA rules provides the ability of measuring the boot components
and calculating the aggregate integrity value for attesting. However, this
function conflicts with encrypted-storage feature which employs PCR policy
session to retrieve the passphrase in a safe way. If the installer enables
both of them, the default IMA rules will be not used.
session to retrieve the passphrase in a safe way. If both of them are
enabled, the default IMA rules will be not used.
### Reference
[IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/)
[Official IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/)
[OpenEmbedded layer for EFI Secure Boot](https://github.com/jiazhang0/meta-efi-secure-boot)
[OpenEmbedded layer for EFI Secure Boot](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-efi-secure-boot)
[OpenEmbedded layer for signing key management](https://github.com/jiazhang0/meta-signing-key)
[OpenEmbedded layer for signing key management](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-signing-key)
[OpenEmbedded layer for TPM 1.x](https://github.com/jiazhang0/meta-tpm)
[OpenEmbedded layer for TPM 1.x](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-tpm)
[OpenEmbedded layer for TPM 2.0](https://github.com/jiazhang0/meta-tpm2)
[OpenEmbedded layer for TPM 2.0](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-tpm2)