meta-integrity/README.md: update

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
Lans Zhang
2017-08-15 13:19:02 +08:00
parent c912483e87
commit c8fff6a0ff
+14 -15
View File
@@ -97,14 +97,16 @@ The custom external IMA policy file is eventually installed to `/etc/ima_policy`
in initramfs. in initramfs.
##### IMA certificate & private Key ##### IMA certificate & private Key
The private key come in two flavors; one used by an installer to sign all The private key come in two flavors; one used to sign all regular files in
regular files in rootfs and one used by RPM to re-sign the executable, shared rootfs and one used by RPM to re-sign the executable, shared library, kernel
library, kernel module and firmware during RPM installation. Correspondingly, module and firmware during RPM installation. Correspondingly, the IMA
the IMA certificate is used to verify the IMA signature signed by the private certificate is used to verify the IMA signature signed by the private key.
key.
In addition, initramfs is a good place to import the IMA certificate likewise. In addition, initramfs is a good place to import the IMA certificate likewise.
Note that the IMA certificate must be signed by the system trusted key by
design. This guarantees the imported IMA certificate is always trustworthy.
###### The default IMA certificate & private key ###### The default IMA certificate & private key
The default IMA certificate & private key are generated by the build system. By The default IMA certificate & private key are generated by the build system. By
default, the sample keys are used for the purpose of development and default, the sample keys are used for the purpose of development and
@@ -150,25 +152,22 @@ The following best practices should be applied with using IMA.
To fix the failure, manually re-sign the affected file. To fix the failure, manually re-sign the affected file.
Note: RPM installation violates the IMA appraisal but its post_install
operation will always re-sign the affected files.
- Overwriting an existing file with the same content is deemed as tampering of - Overwriting an existing file with the same content is deemed as tampering of
the file. the file.
- The default IMA rules provides the ability of measuring the boot components - The default IMA rules provides the ability of measuring the boot components
and calculating the aggregate integrity value for attesting. However, this and calculating the aggregate integrity value for attesting. However, this
function conflicts with encrypted-storage feature which employs PCR policy function conflicts with encrypted-storage feature which employs PCR policy
session to retrieve the passphrase in a safe way. If the installer enables session to retrieve the passphrase in a safe way. If both of them are
both of them, the default IMA rules will be not used. enabled, the default IMA rules will be not used.
### Reference ### Reference
[IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/) [Official IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/)
[OpenEmbedded layer for EFI Secure Boot](https://github.com/jiazhang0/meta-efi-secure-boot) [OpenEmbedded layer for EFI Secure Boot](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-efi-secure-boot)
[OpenEmbedded layer for signing key management](https://github.com/jiazhang0/meta-signing-key) [OpenEmbedded layer for signing key management](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-signing-key)
[OpenEmbedded layer for TPM 1.x](https://github.com/jiazhang0/meta-tpm) [OpenEmbedded layer for TPM 1.x](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-tpm)
[OpenEmbedded layer for TPM 2.0](https://github.com/jiazhang0/meta-tpm2) [OpenEmbedded layer for TPM 2.0](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-tpm2)