• Dmitry Kasatkin's avatar
    ima: require signature based appraisal · c57782c1
    Dmitry Kasatkin authored
    This patch provides CONFIG_IMA_APPRAISE_SIGNED_INIT kernel configuration
    option to force IMA appraisal using signatures. This is useful, when EVM
    key is not initialized yet and we want securely initialize integrity or
    any other functionality.
    
    It forces embedded policy to require signature. Signed initialization
    script can initialize EVM key, update the IMA policy and change further
    requirement of everything to be signed.
    
    Changes in v3:
    * kernel parameter fixed to configuration option in the patch description
    
    Changes in v2:
    * policy change of this patch separated from the key loading patch
    Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
    Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
    c57782c1
ima_policy.c 19.2 KB