Linux Security Summit 2015/Abstracts/Manolov



IMA/EVM: Real Applications for Embedded Networking Systems


Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks


I am working on a project that requires integration of Linux IMA into large-scale networking equipment.

These are the basic ideas behind the talk:

  • Provide a way for a platform supplier to delegate a Certificate Authority for building and IMA/EVM signing software to a third party.
  • The Kernel Keyring needs to be able to add new CAs or certificate chains to provide a root of trust for all software from platform and other third parties.

  • There should be a method (OCSP or CRL) to revoke a particular CA from the kernel keyring.

We will discuss experiments performed on the Linux kernel with different kinds of X509 certificate hierarchies for the validation of software being run.