Linux Security Summit 2015/Abstracts/Manolov
IMA/EVM: Real Applications for Embedded Networking Systems
Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks
I am working on a project that requires integration of Linux IMA into large-scale networking equipment.
These are the basic ideas behind the talk:
- Provide a way for a platform supplier to delegate a Certificate Authority for building and IMA/EVM signing software to a third party.
- The kernel keyring needs to be able to add new CAs or certificate chains to provide a root of trust for all software from the platform and other third parties.
- There should be a method (OCSP or CRL) to revoke a particular CA from the kernel keyring.
We will discuss experiments performed on the Linux kernel with different kinds of X.509 certificate hierarchies for validating the software being run.