Linux Security Summit 2015/Abstracts/Manolov

From Linux Kernel Security Subsystem
Revision as of 13:57, 1 July 2015 by JamesMorris


IMA/EVM: Real Applications for Embedded Networking Systems


Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks


I am working on a project that requires integration of Linux IMA into large-scale networking equipment.

These are the basic ideas behind the talk:

  • Provide a way for a platform supplier to delegate a Certificate Authority, or the building and IMA/EVM signing of software, to a third party.
  • The kernel keyring needs to be able to add new CAs or certificate chains to provide a root of trust for all software from the platform and other third parties.
  • There should be a method (OCSP or CRL) for revoking a particular CA from the kernel keyring.

We will discuss experiments performed on the Linux kernel with different kinds of X509 certificate hierarchies for the validation of software being run.
