meta-integrity/README.md: update

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

1 files changed, 38 insertions, 30 deletions

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 2efb494..9525227 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -22,22 +22,49 @@ files and applications to be loaded if the hashes match (and will save the
 updated hash if the file is modified) but refuse to load it if it doesn't. This
 provides some protection against offline tampering of the files.
 
-NOTE: Extended file system attribute is required for IMA appraisal, but not
+By default, the following constraint conditions are applied by design of this
+layer:
+
+- Appraise the files for exec'd (the executables), files mmap'd for exec
+  (shared libraries), kernel modules and firmwares in effective root identity
+  (euid=0).
+- Enforce verifying the IMA signature when running the executables, shared
+  libraries, kernel modules and firmwares.
+- Deny to run the newly created executables, shared libraries, kernel modules
+  and firmwares.
+- Deny to run the tampered executables, shared libraries, kernel modules and
+  firmwares.
+- Deny to run any executables, shared libraries, kernel modules and firmwares
+  in the filesystems without file extended attribute supported.
+- Allow to run the manually signed executables, shared libraries, kernel
+  modules and firmwares.
+- Allow to run the updated executables, shared libraries, kernel modules and
+  firmwares during RPM installation.
+- Enforce the subsequent policy file write to be verified by a trusted IMA
+  certificate.
+
+NOTE:
+- The different behaviors when executing a script, e.g, launching a python
+script with "./test.py" is allowed only when test.py is signed, and launching
+a python script with "python test.py" is always allowed as long as the python
+interpreter is signed.
+- Extended file system attribute is required for IMA appraisal, but not
 all file systems can support it. Typically, the pseudo file systems, such as
 sysfs, proc, tmpfs and ramfs, certain disk-based file systems, such as FAT,
 and network file systems, such as NFS, don't support extended attribute,
 meaning IMA appraisal is not available with them.
 
 ##### Dependency
-- meta-tpm
-  This layer provides the kernel configurations for TPM 1.x enablement.
+- meta-tpm  
+  This layer provides the kernel configurations and TSS for TPM 1.x enablement.
 
-- meta-tpm2
-  This layer provides the kernel configurations for TPM 2.0 enablement.
+- meta-tpm2  
+  This layer provides the kernel configurations and TSS for TPM 2.0 enablement.
 
 ##### Use The External IMA Policy
 initramfs is a good place to run some IMA initializations, such as loading
-the IMA policy, as well as the public keys used to verify IMA signatures.
+the IMA policy, as well as the trusted IMA certificate used to verify IMA
+signatures.
 
 ###### The default external IMA policy
 The default external IMA policy enforces appraising all the executable, shared
@@ -47,34 +74,15 @@ external IMA policy occurs at the end of initramfs initializations, just before
 switch_root.
 
 Instead of running switch_root directly from initramfs, a statically linked
-switch_root from the real rootfs is called and it must be already signed
+switch_root from the real rootfs is launched and it must be already signed
 properly. Otherwise, switch_root will fail to mount the real rootfs and kernel
 panic will happen due to this failure.
 
 The default external IMA policy is located at `/etc/ima_policy.default` in
-initramfs. If a custom external IMA policy file exists, the default external
-IMA policy file won't be used any more.
-
-The default external IMA policy enables the following constraint conditions:
-- Appraise the files for exec'd (the executables), files mmap'd for exec
-  (shared libraries), kernel modules and firmwares in effective root identity
-  (euid=0).
-- Enforce verifying the IMA signature when running the executables, shared
-  libraries, kernel modules and firmwares.
-- Deny to run the newly created executables, shared libraries, kernel modules
-  and firmwares.
-- Deny to run the tampered executables, shared libraries, kernel modules and
-  firmwares.
-- Deny to run any executables, shared libraries, kernel modules and firmwares
-  in the filesystems without file extended attribute supported.
-- Allow to run the manually signed executables, shared libraries, kernel
-  modules and firmwares.
-- Allow to run the updated executables, shared libraries, kernel modules and
-  firmwares during RPM installation.
-- Note the different behaviors when executing a script.
-  e.g, launching a python script with "./test.py" is allowed only when test.py
-  is signed, and launching a python script with "python test.py" is always
-  allowed as long as the python interpreter is signed.
+initramfs. If a custom external IMA policy file exists at `/etc/ima_policy`,
+the default external IMA policy file won't be used. In addition, the IMA
+policies signed by the trusted IMA certificate in the real rootfs is also
+attempted to be loaded if any.
 
 ###### The custom external IMA policy
 If the default external IMA policy cannot meet the protection requirement, it