Date: Mon, 23 Jul 2012 19:22:29 +0300
From: Efstratios Karatzas <gpf.kira@gmail.com>
To: soc-status@freebsd.org
Subject: Kernel Level File Integrity Checker report #9
Message-ID: <CAHywV0gxsXqnKCAVta-uQnSkNs%2BeyBHLFnx-4Tuhe2kXnPqDFA@mail.gmail.com>

During week #9:

* .pefs.checksum is signed during /sbin/pefs 'addchecksum' action. Signature is placed in .pefs.signature and public key in .pefs.pkey.

* .pefs.checksum's signature is verified during /sbin/pefs 'verify' action, using the public key. For the moment, only DSA & sha1 digest are supported and used by default.

* Immutable flag schg is now required for all files that need integrity checking. /sbin/pefs 'addchecksum' action has a new option to turn on schg flag for any file that doesn't have schg turned on already. In kernel, when a vnode is first looked up in our checksum index tables, we check if schg is turned on. If not, we deny reading access to that vnode.

Next tasks on the TODO list:

* Code /sbin/pefs 'nameid' that will return the name id (MAC) for a file in pefs filesystem. This identifier is used instead of inode number when looking up files in .pefs.checksum so it should prove useful when user has to decipher cryptic error messages.

* Offer more options for signing algorithm & digest. Support both DSA & RSA and all digests that can be used by these algorithms and are supported by the openssl library.

* .pefs.checksum's integrity should be verified by the kernel driver during VFS_MOUNT(). Therefore, add another option to /sbin/pefs 'mount' that will provide the driver with the location of .pefs.pkey which should not be found inside the pefs filesystem. On the other hand, .pefs.signature is expected to be found in pefs root directory, alongside .pefs.checksum.

--
Efstratios "GPF" Karatzas
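
A user-space pre-flight check for the schg requirement described in this report, as an added example that is not part of the original message or of the pefs code: it lists which files lack the system immutable flag and would therefore be refused by the kernel check. The function names are hypothetical, and st_flags is only present on BSD-derived systems such as FreeBSD.

```python
import os
import stat
import sys


def file_flags(path):
    """Return the BSD file flags of path without following symlinks."""
    st = os.lstat(path)
    if not hasattr(st, "st_flags"):
        # Linux and Windows do not expose BSD file flags through stat.
        raise OSError("st_flags is not available on this platform")
    return st.st_flags


def has_schg(flags):
    """True only for the system immutable flag (schg).

    The user immutable flag (uchg, UF_IMMUTABLE) is a different bit that
    the file owner can clear, so it does not count here.
    """
    return bool(flags & stat.SF_IMMUTABLE)


def audit_schg(paths, flags_of=file_flags):
    """Sort paths into ok / missing / error lists.

    flags_of is injectable (hypothetical parameter) so the logic can be
    exercised with constructed flag values on any platform.
    """
    report = {"ok": [], "missing": [], "error": []}
    for path in paths:
        try:
            flags = flags_of(path)
        except OSError:
            # Unreadable or vanished file: report it rather than guess.
            report["error"].append(path)
            continue
        report["ok" if has_schg(flags) else "missing"].append(path)
    return report


if __name__ == "__main__":
    result = audit_schg(sys.argv[1:])
    for p in result["missing"]:
        print("schg missing:", p)
    for p in result["error"]:
        print("could not stat:", p)
    sys.exit(1 if result["missing"] or result["error"] else 0)
```

Run on FreeBSD with the files to be checksummed as arguments; a non-zero exit status means at least one file still needs schg turned on.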