From 9fc35f2627a194caa45bd7cf217aaf9437d1f5c4 Mon Sep 17 00:00:00 2001
From: Lans Zhang
Date: Wed, 16 Aug 2017 10:47:33 +0800
Subject: meta-integrity/README.md: update

Signed-off-by: Lans Zhang
---
 meta-integrity/README.md | 37 +++++++++++++++++++++++++------------
 1 file changed, 25 insertions(+), 12 deletions(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 4d73c38..ee22850 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -78,24 +78,21 @@ switch_root from the real rootfs is launched and it must be already signed properly. Otherwise, switch_root will fail to mount the real rootfs and kernel panic will happen due to this failure. -The default external IMA policy is located at `/etc/ima_policy.default` in -initramfs. If a custom external IMA policy file exists at `/etc/ima_policy`, -the default external IMA policy file won't be used. In addition, the IMA -policies signed by the trusted IMA certificate in the real rootfs is also -attempted to be loaded if any. +The default external IMA policy is located at `/etc/ima/ima_policy.default` in +initramfs. ###### The custom external IMA policy If the default external IMA policy cannot meet the protection requirement, it -is allowed to define the custom external IMA policy. +is allowed to define the custom external IMA policy, which will be used instead +of the default external IMA policy. -- Deploy the custom policy file to installer image - -- Create `/opt/installer/sbin/config-installer.sh` in installer image - Define the IMA_POLICY variable, pointing to the path of policy file. - -The custom external IMA policy file is eventually installed to `/etc/ima_policy` +The custom external IMA policy file is eventually installed to `/etc/ima/ima_policy` in initramfs. +In addition, the IMA policies signed by the trusted IMA certificate in the real +rootfs are also attempted to be loaded if any, in the pattern of file name as +`/etc/ima/ima_policy*`. + ##### IMA certificate & private Key The private key come in two flavors; one used to sign all regular files in rootfs and one used by RPM to re-sign the executable, shared library, kernel 
@@ -113,6 +110,22 @@ default, the sample keys are used for the purpose of development and demonstration. Please ensure you know what your risk is to use the sample keys in your product, because they are completely public. +### RPM File Signing +The payloads in a RPM are signed by the private key during the build, and each +IMA signatures for the corresponding payload file will be eventually written +to the filesystem during RPM installation. + +In order to check whether a RPM is signed, run the command +`rpm -qp --queryformat "%{FILESIGNATURES:arraysize}\n" ` + +If the result is not none or zero, the specified RPM contains the signed +payloads. + +### Tarball Signing +Packing the IMA signatures into a tarball is another method to preserve the +IMA signatures. Be aware of using `--xattrs --xattrs-include=security\\.ima` +with both extraction and creation operations. + ### Best practice The following best practices should be applied with using IMA. -- cgit v1.2.3-54-g00ecf
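Review bot: in the first hunk (`@@ -78,24 +78,21 @@`), the three removed lines that told the reader how to supply a custom policy (deploy the policy file to the installer image, create `/opt/installer/sbin/config-installer.sh`, set the `IMA_POLICY` variable to the policy path) are dropped without a replacement, so the section now says the custom policy "is eventually installed to `/etc/ima/ima_policy`" but no longer explains how it gets there; either keep those steps or point to where that procedure now lives. The added paragraph should also state explicitly that the `/etc/ima/ima_policy*` pattern is matched in the real rootfs rather than in initramfs, because `/etc/ima/ima_policy.default` and `/etc/ima/ima_policy` in initramfs match the same glob, and it should say what happens to a matching file whose signature does not verify against the trusted IMA certificate (rejected and logged, or silently skipped). Minor wording: "are also attempted to be loaded if any" reads better as "are also loaded, if present".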
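Review bot: in the second hunk (`@@ -113,6 +110,22 @@`), the example command `rpm -qp --queryformat "%{FILESIGNATURES:arraysize}\n" ` ends without the package file argument, most likely a `<package.rpm>` placeholder eaten by the markup; restore it, e.g. `rpm -qp --queryformat "%{FILESIGNATURES:arraysize}\n" <package.rpm>`. "If the result is not none or zero" should name the literal output so the reader can compare against it (for example, "if the output is `(none)` or `0`, the payloads are not signed"). Grammar: "a RPM" should be "an RPM", and "each IMA signatures for the corresponding payload file" should be "the IMA signature of each payload file". In the tarball paragraph, the doubled backslash in `--xattrs-include=security\\.ima` only works as intended when the argument is typed unquoted in the shell, which collapses it to `security\.ima` before tar sees it; inside single quotes a single backslash is wanted, so the README should show the exact quoting it expects, and since extraction has to write the `security.ima` xattr, it should also mention which privileges the extracting user needs for that to succeed.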