Commit a44c2ae6 authored by Roberto Sassu, committed by Zheng Zengkai

ima: Add support for appraisal with digest lists
hulk inclusion
category: feature
feature: IMA Digest Lists extension
bugzilla: 46797

-------------------------------------------------

IMA-Appraise grants access to files with a valid signature or with the actual
file digest equal to the digest included in security.ima.

This patch adds support for appraisal based on digest lists. Instead of
using the reference value from security.ima, this patch checks if the
calculated file digest is included in the uploaded digest lists.

This functionality must be explicitly enabled by providing one of the
following values for the ima_appraise_digest_list= kernel option:

- digest: this mode enables appraisal verification with digest lists until
  EVM is initialized; after that, EVM verification must be successful even
  if the file digest is found in a digest list;

- digest-nometadata: this mode enables appraisal verification with digest
  lists even after EVM has been initialized; files without security.evm are
  allowed if the digest of the content is found in the digest list, and
  security.evm is created with current values of xattrs (trust at first
  use); all files created in this way will have the new security.ima type
  EVM_IMA_XATTR_DIGEST_LIST; they can be accessed later only if this mode
  has been selected.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Tianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
parent 31604143