New Linux IMA patchset closes multiple measurement/appraisal gaps

Mimi Zohar and Dmitry Kasatkin have created a new patchset for Linux IMA which:

“closes a number of measurement/appraisal gaps by defining a generic function named ima_read_and_process_file() for measuring and appraising files read by the kernel (e.g. kexec image and initramfs, firmware, IMA policy). To differentiate between callers of ima_read_and_process_file() in the IMA policy, a new enumeration is defined named ima_read_hooks, which initially includes KEXEC_CHECK, INITRAMFS_CHECK, FIRMWARE_CHECK, and POLICY_CHECK.

separate ‘security.ima’ reading functionality from collect
load policy using path
update appraise flags after policy update completes
measure and appraise kexec image and initramfs
measure and appraise firmware (improvement)
measure and appraise the IMA policy itself
require signed IMA policy

 Documentation/ABI/testing/ima_policy      |  2 +-
 drivers/base/firmware_class.c             | 15 +++--
 include/linux/ima.h                       | 12 +++++
 kernel/kexec_file.c                       | 28 +++++++-----
 security/integrity/digsig.c               |  2 +-
 security/integrity/iint.c                 | 24 +++++++---
 security/integrity/ima/ima.h              | 24 +++-----
 security/integrity/ima/ima_api.c          | 51 +++++++++++++++------
 security/integrity/ima/ima_appraise.c     | 40 +++++++++++------
 security/integrity/ima/ima_crypto.c       | 56 ++++++++++++++++--------
 security/integrity/ima/ima_fs.c           | 45 ++++++++++++++++++-
 security/integrity/ima/ima_init.c         |  2 +-
 security/integrity/ima/ima_main.c         | 55 ++++++++++++++++++-----
 security/integrity/ima/ima_policy.c       | 73 ++++++++++++++++++++++++-------
 security/integrity/ima/ima_template.c     |  2 --
 security/integrity/ima/ima_template_lib.c |  3 +-
 security/integrity/integrity.h            | 14 +++---
 17 files changed, 329 insertions(+), 119 deletions(-)
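To show how the new ima_read_hooks values are meant to be driven from the policy, here is an added illustration (not part of the post or of the patchset itself): a policy fragment using the existing IMA rule syntax, "action func=HOOK [conditions]" as documented in Documentation/ABI/testing/ima_policy, with the func= names taken from the cover letter above.

```text
# Added illustration, not from the post or the patchset: IMA policy rules
# for the hooks named in the cover letter. One rule per line, in the form
# "action func=HOOK [conditions]" of the existing IMA policy ABI.

# Measure every kexec image and initramfs into the IMA measurement list
# (extended into PCR 10 when a TPM is present).
measure func=KEXEC_CHECK
measure func=INITRAMFS_CHECK

# Refuse to kexec an image or initramfs that does not carry a valid
# signature in 'security.ima'; appraise_type=imasig demands a signature,
# a bare file hash in security.ima is not accepted.
appraise func=KEXEC_CHECK appraise_type=imasig
appraise func=INITRAMFS_CHECK appraise_type=imasig

# Same treatment for firmware blobs loaded by drivers/base/firmware_class.c.
measure func=FIRMWARE_CHECK
appraise func=FIRMWARE_CHECK appraise_type=imasig

# Measure and appraise a replacement policy when it is loaded by writing
# its pathname to the securityfs ima/policy file ("load policy using path"
# in the series); an unsigned policy is rejected under this rule.
measure func=POLICY_CHECK
appraise func=POLICY_CHECK appraise_type=imasig
```

In the series as merged upstream the kexec hooks were renamed KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK, so match the func= names against the Documentation/ABI/testing/ima_policy shipped with the kernel you run.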

More information:
https://lists.sourceforge.net/lists/listinfo/linux-ima-devel
