[systemd-devel] [Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies

Roberto Sassu roberto.sassu at polito.it
Tue Feb 21 10:25:10 PST 2012

On 02/21/2012 05:14 PM, Mimi Zohar wrote:
> On Tue, 2012-02-21 at 15:32 +0100, Kay Sievers wrote:
>> On Tue, Feb 21, 2012 at 15:07, Colin Guthrie<gmane at colin.guthr.ie>  wrote:
>>>> The code for loading IMA custom policies was placed in the initial
>>>> ramdisk with the purpose to avoid distribution specific dependencies.
> In a trusted-grub, or equivalent environment, the kernel, initramfs, and
> kernel boot options are measured.  The main reason for loading the IMA
> policy in the initramfs was that the policy would be included in the
> initramfs measurement.

Unfortunately not, the policy file is placed in the root filesystem.
However, since trusted-grub supports the measurement of an user-defined
list of files, it is possible to preserve the chain of trust by
measuring the policy file and the Systemd main executable.

Roberto Sassu

> Mimi
>>>> However, since the SELinux initialization has been moved to Systemd
>>>> and Systemd itself will be used by the major distributions, i think
>>>> placing the IMA code here is the best solution, even if it is not the
>>>> most general.
>>> Just for reference, not all distros use the same initrd generator
>>> anyway. We're trying to move to dracut, but it's certainly not universal
>>> at the moment. I think Suse use something else (maybe they plan to move
>>> to dracut too?) and I've no idea about Ubuntu but I doubt they use dracut.
>>> So I'd suggest that at the moment, systemd will actually get you wider
>>> coverage... although that's just a slightly ill-informed and hand-wave
>>> analysis on my part. Either way, I think it's better in systemd :D
>> Sounds right. The initramfs is definitely less generic than systemd
>> is. Almost every distro has still its own here. The situation today
>> with initramfs generators can probably not get more distro-specific;
>> it is still almost at its maximum. :)
>> So the thinking of moving anything to the initramfs to avoid the Linux
>> distro balcanization problem will usually not work out.
>> Kay

More information about the systemd-devel mailing list