[Dev] IMA/EVM

Patrick Ohly patrick.ohly at intel.com
Tue May 12 09:23:02 GMT 2015


On Mon, 2015-05-11 at 15:42 +0200, Patrick Ohly wrote:
> Note that there is no kernel output at all when loading the policy
> (neither on success nor when it fails the signature check). Some more
> verbosity would have been useful. At least I couldn't figure out whether
> the kernel even tried to load the policy. Even with the .sig file in
> place and ima_load as boot parameter, the policy still doesn't get
> loaded.

After adding some more output to the kernel I figured out why it didn't
work: the IMA_LOAD_POLICY kernel feature depends on a
"IMA_POLICY_LOADER" config option which does not exist (and never has,
at least not in the public kernel tree). Therefore IMA_LOAD_POLICY
cannot be enabled and the kernel code isn't actually active. The
attached patch fixes that, and now it works for me.

However, I'm really scratching my head. How did policy loading work for
you when you wrote the Tizen Wiki instructions?

How could it happen that unusable code went into both systemd and the
Linux kernel? And finally, why has no-one noticed before? Am I really
the first one who actually tries to use the official upstream code?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ima-fix-configuration-of-policy-loading.patch
Type: text/x-patch
Size: 1144 bytes
Desc: not available
URL: <http://lists.tizen.org/pipermail/dev/attachments/20150512/af760b6d/attachment.patch>
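As an added illustration, not part of Patrick's mail or the attached patch: a small Python check for the failure mode he describes, a Kconfig option whose `depends on` names a symbol that is defined nowhere, so the option can never be switched on. The Kconfig fragment is constructed for this example (not copied from the kernel tree) and the `external` set stands in for symbols defined in other Kconfig files.

```python
import re
from typing import Dict, Iterable, Set

# Constructed Kconfig fragment (not the real security/integrity/ima/Kconfig)
# mirroring the situation in the mail: IMA_LOAD_POLICY depends on
# IMA_POLICY_LOADER, which no "config" stanza ever defines.
SAMPLE_KCONFIG = """\
config IMA
\tbool "Integrity Measurement Architecture(IMA)"
\tdepends on SECURITY

config IMA_LOAD_POLICY
\tbool "Load the IMA policy from a signed file at boot"
\tdepends on IMA && IMA_POLICY_LOADER

config EVM
\tbool "EVM support"
\tdepends on IMA
"""

DEFINE_RE = re.compile(r"^\s*(?:menu)?config\s+(\w+)\s*$")
DEPENDS_RE = re.compile(r"^\s*depends on\s+(.+?)\s*$")
SYMBOL_RE = re.compile(r"\b[A-Z][A-Z0-9_]*\b")  # Kconfig symbols, not y/n/m


def unsatisfiable_options(text: str, external: Iterable[str] = ()) -> Dict[str, Set[str]]:
    """Map each option to the dependency symbols defined neither in 'text'
    nor in 'external' (symbols assumed to live in other Kconfig files).
    An option listed here can never be enabled by any .config."""
    defined: Set[str] = set()
    refs: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            current = m.group(1)
            defined.add(current)
            refs.setdefault(current, set())
            continue
        m = DEPENDS_RE.match(line)
        if m and current is not None:
            refs[current].update(SYMBOL_RE.findall(m.group(1)))
    known = defined | set(external)
    return {opt: syms - known for opt, syms in refs.items() if syms - known}


if __name__ == "__main__":
    for opt, missing in unsatisfiable_options(SAMPLE_KCONFIG, {"SECURITY"}).items():
        print(f"{opt}: depends on undefined symbol(s) {sorted(missing)}")
```

Running the check over a real tree means feeding it every Kconfig file (or `make menuconfig`'s symbol list) as `external`; the point is that a dangling dependency makes a security feature silently unselectable rather than failing the build.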
