meta-integrity/README.md: update

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
author: Lans Zhang <jia.zhang@windriver.com> 2017-08-16 10:47:33 +0800
committer: Lans Zhang <jia.zhang@windriver.com> 2017-08-16 10:47:33 +0800
commit: 9fc35f2627a194caa45bd7cf217aaf9437d1f5c4 (patch)
tree: f455f7e7d23f23e34f32d0672b2b8d236c47328e
parent: 4b41056970264494a9b5b45eaa4b99b99aa72845 (diff)
download: meta-secure-core-9fc35f2627a194caa45bd7cf217aaf9437d1f5c4.tar.gz
1 files changed, 25 insertions, 12 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 4d73c38..ee22850 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -78,24 +78,21 @@ switch_root from the real rootfs is launched and it must be already signed
 properly. Otherwise, switch_root will fail to mount the real rootfs and kernel
 panic will happen due to this failure.
-The default external IMA policy is located at `/etc/ima_policy.default` in
+The default external IMA policy is located at `/etc/ima/ima_policy.default` in
-initramfs. If a custom external IMA policy file exists at `/etc/ima_policy`,
+initramfs.
-the default external IMA policy file won't be used. In addition, the IMA
-policies signed by the trusted IMA certificate in the real rootfs is also
-attempted to be loaded if any.
 ###### The custom external IMA policy
 If the default external IMA policy cannot meet the protection requirement, it
-is allowed to define the custom external IMA policy.
+is allowed to define the custom external IMA policy, which will be used instead
+of the default external IMA policy.
- Deploy the custom policy file to installer image
+The custom external IMA policy file is eventually installed to `/etc/ima/ima_policy`
- Create `/opt/installer/sbin/config-installer.sh` in installer image
-  Define the IMA_POLICY variable, pointing to the path of policy file.
-The custom external IMA policy file is eventually installed to `/etc/ima_policy`
 in initramfs.
+In addition, the IMA policies signed by the trusted IMA certificate in the real
+rootfs are also attempted to be loaded if any, in the pattern of file name as
+`/etc/ima/ima_policy*`.
 ##### IMA certificate & private Key
 The private key come in two flavors; one used to sign all regular files in
 rootfs and one used by RPM to re-sign the executable, shared library, kernel
@@ -113,6 +110,22 @@ default, the sample keys are used for the purpose of development and
 demonstration. Please ensure you know what your risk is to use the sample keys
 in your product, because they are completely public.
+### RPM File Signing
+The payloads in a RPM are signed by the private key during the build, and each
+IMA signatures for the corresponding  payload file will be eventually written
+to the filesystem during RPM installation.
+In order to check whether a RPM is signed, run the command
+`rpm -qp --queryformat "%{FILESIGNATURES:arraysize}\n" <rpm>`
+If the result is not none or zero, the specified RPM contains the signed
+payloads.
+### Tarball Signing
+Packing the IMA signatures into a tarball is another method to preserve the
+IMA signatures. Be aware of using `--xattrs --xattrs-include=security\\.ima`
+with both extraction and creation operations.
 ### Best practice
 The following best practices should be applied with using IMA.
author	Lans Zhang <jia.zhang@windriver.com>	2017-08-16 10:47:33 +0800
committer	Lans Zhang <jia.zhang@windriver.com>	2017-08-16 10:47:33 +0800
commit	9fc35f2627a194caa45bd7cf217aaf9437d1f5c4 (patch)
tree	f455f7e7d23f23e34f32d0672b2b8d236c47328e
parent	4b41056970264494a9b5b45eaa4b99b99aa72845 (diff)
download	meta-secure-core-9fc35f2627a194caa45bd7cf217aaf9437d1f5c4.tar.gz