Hi,

This is an RFC patch series to get early feedback on stuff I am working
on.

This series does a few things.

- Adds an extra structure to ima signature (security.ima) which will signal
  the elf loader that this executable needs to be locked. This will be
  useful for secureboot where signed /sbin/kexec needs to run memory
  locked.

  I have posted RFC kernel patches on Fedora kernel mailing list.
  https://lists.fedoraproject.org/pipermail/kernel/2013-September/004432.html

  kexec-tools patches are posted here.
  https://lists.fedoraproject.org/pipermail/kernel/2013-September/004469.html

- Add a functionality to import signatures signed externally. (Patch 2)

- Add functionality to allow signing using external crypto card. (Patch 3)

- Add a functionality to create a daemon which clients can connect to
  and request file signing (Patch 4 and Patch 5).

All the signing enhancements I need so that various build servers can
make use of it to sign /sbin/kexec and bzImage using appropriate keys.

This is still a work in progress and code is very raw. I wanted to get
the code out to get early feedback.

Thanks
Vivek

Vivek Goyal (5):
  evmctl: Allow adding a memlock information in security.ima
  evmctl: Allow importing external signature
  evmctl: Allow signing using external crypto engine
  evmctl-allow-launching-daemon
  evmctl-client: A simple client to request signing from evmctl daemon

configure.ac | 1 +
src/Makefile.am | 9 +-
src/client.c | 697 +++++++++++++++++++++++++++++++++
src/daemon.h | 83 ++++
src/evmctl.c | 1166 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
5 files changed, 1934 insertions(+), 22 deletions(-)
create mode 100644 src/client.c
create mode 100644 src/daemon.h
--
1.8.3.1