Hi,
I'm currently evaluating the IMA (Integrity Measurement Architecture)
for the security team. This is basically enabled in our current Leap and
SLE-12 kernels but not in Tumbleweed.
For harmonization and because I'd like to test IMA with a current
kernel on Tumbleweed, could you please enable the following kernel
configuration options:
CONFIG_IMA=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH="sha256"
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
But *without* CONFIG_IMA_TRUSTED_KEYRING and
CONFIG_INTEGRITY_TRUSTED_KEYRING (those don't make sense as long as we
have no possibility to sign third party keys). See bnc#1075517.
For more information about what IMA does I've written up documentation
in https://en.opensuse.org/SDB:Ima_evm.
Thank you
Matthias
--
Matthias Gerstner