| Summary: | mdev.conf setting example for integrating with linux kernel's IMA/EVM | ||
|---|---|---|---|
| Product: | Busybox | Reporter: | Yi-Ting.Chao <jackend> |
| Component: | Other | Assignee: | Yi-Ting.Chao <jackend> |
| Status: | NEW --- | ||
| Severity: | enhancement | CC: | busybox-cvs |
| Priority: | P5 | ||
| Version: | 1.29.x | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Host: | | Target: | |
| Build: | |||
| Attachments: | Add comments to give an example of running with the Linux kernel's IMA/EVM (attachment 7826); Update mdev.conf setting rules for using the Linux kernel's IMA/EVM (attachment 7831) | ||
Created attachment 7826 [details]
Add comments to give an example of running with the Linux kernel's IMA/EVM

Thanks to Bernhard Reutner-Fischer's suggestions on the mailing list, the rule will be updated to the following:

```
[hs]d[a-z]* 0:6 660 *ln -sf /dev/$MDEV /dev/block/$(printf "%d:%d" $(stat -c "0x%t 0x%T" /dev/$MDEV))
```

Created attachment 7831 [details]
Update mdev.conf setting rules for using the Linux kernel's IMA/EVM

Thanks to Bernhard Reutner-Fischer for providing a better setting example:

1. reduce two rules to one rule
2. use the stat command to get the Major and Minor number and reduce the commands used
Currently, I can run the Linux kernel's IMA/EVM with busybox, and need some settings to enable this kernel feature. The key point is that evmctl (the user space program) will get the UUID by the command `blkid -s UUID -o value /dev/block/3:0` when the user wants to sign a file (ex: `evmctl sign --imasig ./test.sh /root/rsa_private.pem`). In order to let evmctl get the UUID's related string, we need to create the path /dev/block/3:0.

1. In etc/init.d/rcS:

```sh
mkdir -p /dev/pts
mkdir -p /dev/block   # <= Must create this folder
mount -t proc none /proc
mount -t sysfs none /sys
mount -t securityfs none /sys/kernel/security   # Enable IMA/EVM's securityfs
echo /sbin/mdev > /proc/sys/kernel/hotplug
mdev -s
... do some other mount actions
```

2. In /etc/mdev.conf we need to add a symbolic link, something like /dev/block/3:0:

```
hd[a-z]* 0:6 660 *ln -sf /dev/$MDEV /dev/block/$(ls -l /dev/$MDEV|awk '{print $5}'|tr -d ','):$(ls -l /dev/$MDEV|awk '{print $6}')
sd[a-z]* 0:6 660 *ln -sf /dev/$MDEV /dev/block/$(ls -l /dev/$MDEV|awk '{print $5}'|tr -d ','):$(ls -l /dev/$MDEV|awk '{print $6}')
```

If $MDEV is hda then it will do the following things:

```sh
# hda's Major
MAJOR=`ls -l /dev/hda | awk '{print $5}' | tr -d ','`
# hda's Minor
MINOR=`ls -l /dev/$MDEV | awk '{print $6}'`
# create links:
ln -sf /dev/hda /dev/block/$MAJOR:$MINOR
```

Could we add this setting as a commented example in busybox-1.29.3/examples/mdev.conf?
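Editor's added example, not part of the bug report and not BusyBox code: a small POSIX sh script that does, outside of mdev, what the `[hs]d[a-z]*` rule above does when mdev runs it, so the `/dev/block/<major>:<minor>` link that evmctl's `blkid` call expects can be exercised and checked on any Linux machine. It assumes a `stat(1)` that understands the `%t`/`%T` hex major/minor format characters (GNU coreutils and BusyBox both do), a shell whose `printf` accepts `0x`-prefixed numbers, and, when invoked from mdev.conf, that mdev exports `$MDEV` and `$ACTION` to the command; the function names, arguments and the `remove` handling are my choices, not the reporter's.

```shell
#!/bin/sh
# Added example (not from the bug report or BusyBox): emulate the proposed
# mdev.conf rule that links /dev/block/<major>:<minor> -> /dev/<disk>.
# Assumed: stat(1) with %t/%T (hex major/minor), printf accepting 0x numbers,
# and $MDEV / $ACTION ("add" or "remove") exported by mdev to rule commands.

# Turn stat's hex major/minor pair into the decimal "M:m" form that
# evmctl/blkid look up under /dev/block (e.g. 0x3 0x0 -> "3:0").
fmt_major_minor() {
    printf '%d:%d' "$1" "$2"
}

# "major:minor" for a device node, computed the way the rule in the bug does it.
dev_major_minor() {
    hex=$(stat -c '0x%t 0x%T' "$1") || return 1
    # shellcheck disable=SC2086   # splitting stat's two fields is intended
    fmt_major_minor $hex
}

# Emulate the rule for one device.
#   $1 = device name as mdev passes it in $MDEV (e.g. sda)
#   $2 = directory holding the node        (default /dev)
#   $3 = directory for the M:m links       (default $2/block)
#   $4 = action, "add" or "remove"         (default add)
# On "add" it prints the link it created; on "remove" it deletes that link,
# so a rule prefixed with "*" (run on both events) leaves no dangling entry.
link_block_dev() {
    name=$1
    devdir=${2:-/dev}
    blockdir=${3:-$devdir/block}
    action=${4:-add}
    node=$devdir/$name

    # Refuse anything that is not a device node; a plain file has no M:m.
    if [ ! -b "$node" ] && [ ! -c "$node" ]; then
        echo "link_block_dev: $node is not a device node" >&2
        return 1
    fi
    mm=$(dev_major_minor "$node") || return 1
    link=$blockdir/$mm

    case $action in
        add)
            # The rcS step in the bug must create /dev/block first; doing it
            # here as well makes the rule safe if that step is forgotten.
            mkdir -p "$blockdir" || return 1
            ln -sf "$node" "$link" || return 1
            printf '%s\n' "$link"
            ;;
        remove)
            rm -f "$link"
            ;;
        *)
            echo "link_block_dev: unknown action '$action'" >&2
            return 1
            ;;
    esac
}

# By hand:   ./link_block_dev.sh sda [devdir] [blockdir] [add|remove]
# From mdev: a rule command of "*/path/to/link_block_dev.sh" picks up $MDEV
#            and $ACTION (assumed to be set by mdev; see header comment).
if [ $# -gt 0 ]; then
    link_block_dev "$@"
elif [ -n "$MDEV" ]; then
    link_block_dev "$MDEV" /dev /dev/block "${ACTION:-add}"
fi
```

The page's rule uses the `*` prefix, so mdev runs it on removal as well as creation; with a bare `ln -sf` that would re-create the link just before the node disappears, which is why the script deletes the link on `remove`. To try it without root, point it at a character device that every Linux system has, e.g. `link_block_dev null /dev /tmp/block add`, and check the result with `readlink /tmp/block/1:3`.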