From c8fff6a0ff25dec955644e3f72045b05dd0f22bb Mon Sep 17 00:00:00 2001 From: Lans Zhang Date: Tue, 15 Aug 2017 13:19:02 +0800 Subject: meta-integrity/README.md: update Signed-off-by: Lans Zhang --- meta-integrity/README.md | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) (limited to 'meta-integrity') diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 9525227..4d73c38 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md @@ -97,14 +97,16 @@ The custom external IMA policy file is eventually installed to `/etc/ima_policy` in initramfs. ##### IMA certificate & private Key -The private key come in two flavors; one used by an installer to sign all -regular files in rootfs and one used by RPM to re-sign the executable, shared -library, kernel module and firmware during RPM installation. Correspondingly, -the IMA certificate is used to verify the IMA signature signed by the private -key. +The private key come in two flavors; one used to sign all regular files in +rootfs and one used by RPM to re-sign the executable, shared library, kernel +module and firmware during RPM installation. Correspondingly, the IMA +certificate is used to verify the IMA signature signed by the private key. In addition, initramfs is a good place to import the IMA certificate likewise. +Note that the IMA certificate must be signed by the system trusted key by +design. This guarantees the imported IMA certificate is always trustworthy. + ###### The default IMA certificate & private key The default IMA certificate & private key are generated by the build system. By default, the sample keys are used for the purpose of development and 
@@ -150,25 +152,22 @@ The following best practices should be applied with using IMA. To fix the failure, manually re-sign the affected file. - Note: RPM installation violates the IMA appraisal but its post_install - operation will always re-sign the affected files. - - Overwriting an existing file with the same content is deemed as tampering of the file. - The default IMA rules provides the ability of measuring the boot components and calculating the aggregate integrity value for attesting. However, this function conflicts with encrypted-storage feature which employs PCR policy - session to retrieve the passphrase in a safe way. If the installer enables - both of them, the default IMA rules will be not used. + session to retrieve the passphrase in a safe way. If both of them are + enabled, the default IMA rules will be not used. ### Reference -[IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/) +[Official IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/) -[OpenEmbedded layer for EFI Secure Boot](https://github.com/jiazhang0/meta-efi-secure-boot) +[OpenEmbedded layer for EFI Secure Boot](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-efi-secure-boot) -[OpenEmbedded layer for signing key management](https://github.com/jiazhang0/meta-signing-key) +[OpenEmbedded layer for signing key management](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-signing-key) -[OpenEmbedded layer for TPM 1.x](https://github.com/jiazhang0/meta-tpm) +[OpenEmbedded layer for TPM 1.x](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-tpm) -[OpenEmbedded layer for TPM 2.0](https://github.com/jiazhang0/meta-tpm2) +[OpenEmbedded layer for TPM 2.0](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-tpm2) -- cgit v1.2.3-54-g00ecf
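Review bot: the paragraph added at the end of the first hunk (`@@ -97,14 +97,16 @@`, "Note that the IMA certificate must be signed by the system trusted key by design") does not say which key "the system trusted key" is, where a user replacing the sample keys obtains or configures it, or what happens at import time when a certificate is not signed by it. Please name the key and state the failure behaviour, and consider softening "This guarantees the imported IMA certificate is always trustworthy" to what the check actually establishes, namely that the certificate chains to that key. In the same hunk, the reworded sentence drops "by an installer", so it no longer says who signs the regular files in rootfs or when; if the signer is now the build system, say so explicitly. "The private key come in two flavors" is carried over unchanged and should read "comes" (or "The private keys come").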
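Review bot: the second hunk (`@@ -150,25 +152,22 @@`) deletes the note "RPM installation violates the IMA appraisal but its post_install operation will always re-sign the affected files", while the first hunk still documents a private key "used by RPM to re-sign the executable, shared library, kernel module and firmware during RPM installation". If the re-signing behaviour is unchanged, the note should stay, because it is the only place under the best practices that tells the reader an appraisal failure after an RPM install is expected to be repaired automatically; if the behaviour changed, the key description needs updating too, and the commit message ("update") should say why. The replacement line "If both of them are enabled, the default IMA rules will be not used" should read "will not be used", and it would help to state what policy is in effect instead, so that nobody enabling encrypted storage assumes the boot components are still being measured.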