On 06/09/13 22:38, Vivek Goyal wrote:
Hi,
This is an RFC patch series to get early feedback on stuff I am working on.
This series does few things.
Adds an extra structure to ima signature (security.ima) which will signal the elf loader that this executable needs to be locked. This will be useful for secureboot where signed /sbin/kexec needs to run memory locked.
I have posted RFC kernel patches on Fedora kernel mailing list.
https://lists.fedoraproject.org/pipermail/kernel/2013-September/004432.html
kexec-tools patches are posted here.
https://lists.fedoraproject.org/pipermail/kernel/2013-September/004469.html
Add a functionality to import signatures signed externally. (Patch 2)
Add functionality to allow signing using external crypto card. (Patch 3)
Add a functionality to create a daemon which clients can connect to and request file signing (Patch 4 and Patch 5).
All the signing enhancements I need so that various build servers can make use of it to sign /sbin/kexec and bzImage using appropriate keys.
This is still a work in progress and code is very raw. I wanted to get the code out to get early feedback.
Thanks
Vivek

Vivek Goyal (5):
  evmctl: Allow adding a memlock information in security.ima
  evmctl: Allow importing external signature
  evmctl: Allow signing using external crypto engine
  evmctl-allow-launching-daemon
  evmctl-client: A simple client to request signing from evmctl daemon

 configure.ac    |    1 +
 src/Makefile.am |    9 +-
 src/client.c    |  697 +++++++++++++++++++++++++++++++++
 src/daemon.h    |   83 ++++
 src/evmctl.c    | 1166 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 5 files changed, 1934 insertions(+), 22 deletions(-)
 create mode 100644 src/client.c
 create mode 100644 src/daemon.h

Hi Vivek,
I am looking into patches..
It would be great if you could share your tree somewhere so that it would simplify pulling your code.
- Dmitry