author | Jia Zhang <qianyue.zj@alibaba-inc.com> | 2017-11-21 09:33:01 -0500 |
---|---|---|
committer | Jia Zhang <qianyue.zj@alibaba-inc.com> | 2017-11-21 09:33:01 -0500 |
commit | 5758c189a38ebeeaecd8c44c7749cfbf1dda9032 (patch) | |
tree | c57190b5707f91ba6f3d9bd389454f1199be73e3 | |
parent | 59ca43808c1732864eb126e4fd93d5fc61f8a6ff (diff) | |
download | meta-secure-core-5758c189a38ebeeaecd8c44c7749cfbf1dda9032.tar.gz |
README.md: update to claim the support of modsign
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
-rw-r--r-- | README.md | 11 |
1 files changed, 10 insertions, 1 deletions
@@ -44,7 +44,7 @@ which provides transparent encryption of block devices using the kernel crypto | |||
44 | API. Additionally, the utility cryptsetup is used to conveniently setup disk | 44 | API. Additionally, the utility cryptsetup is used to conveniently setup disk |
45 | encryption based on device-mapper crypt target. | 45 | encryption based on device-mapper crypt target. |
46 | 46 | ||
47 | #### Integrity | 47 | #### IMA |
48 | The Linux IMA subsystem introduces hooks within the Linux kernel to support | 48 | The Linux IMA subsystem introduces hooks within the Linux kernel to support |
49 | measuring the integrity of files that are loaded (including application code) | 49 | measuring the integrity of files that are loaded (including application code) |
50 | before it is executed or mmap()ed to memory. The measured value (hash) is then | 50 | before it is executed or mmap()ed to memory. The measured value (hash) is then |
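Review bot: the heading rename from `#### Integrity` to `#### IMA` at line 47 is not covered by the commit message, which only mentions modsign support. Mention the rename in the message or split it into its own commit, and check whether anything links to the old `Integrity` heading, since renaming it changes the anchor.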
@@ -65,6 +65,15 @@ files and applications to be loaded if the hashes match (and will save the | |||
65 | updated hash if the file is modified) but refuse to load it if it doesn't. This | 65 | updated hash if the file is modified) but refuse to load it if it doesn't. This |
66 | provides some protection against offline tampering of the files. | 66 | provides some protection against offline tampering of the files. |
67 | 67 | ||
68 | #### MODSIGN | ||
69 | This feature provides the signature check for loading a kernel module. The | ||
70 | signing key must be authenticated by a system trusted key already imported | ||
71 | to the system trusted keyring. | ||
72 | |||
73 | If the kernel module is not signed, or signed by a signing key not matching | ||
74 | up an imported system trusted key, kernel would refuse to load such a kernel | ||
75 | module. | ||
76 | |||
68 | #### RPM signing | 77 | #### RPM signing |
69 | This feature provides the integrity verification for the RPM package. | 78 | This feature provides the integrity verification for the RPM package. |
70 | 79 | ||
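Review bot: the two new MODSIGN paragraphs (new lines 68-75) describe the trust check in different terms: the first says the signing key "must be authenticated by a system trusted key", while the second speaks of a signing key "not matching up an imported system trusted key". Use one description in both places so it is clear whether the signing key itself must be in the keyring or only be vouched for by a key that is. The outcome would also read better in the present tense with an article, for example "the kernel refuses to load the module" instead of "kernel would refuse to load such a kernel module". The section also does not say how the feature is enabled or where the trusted key comes from, which a README reader will look for here.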