From petko.manolov@konsulko.com Fri Jun 5 14:55:29 2015
Date: Fri, 5 Jun 2015 17:55:24 +0300
From: Petko Manolov
To: lss-pc@lists.linuxfoundation.org
Cc: mdb@juniper.net
Subject: [lss-pc] speaker request

Hello,

My name is Petko Manolov from Konsulko Group and I am working on a project that requires integration of Linux IMA in a large scale networking equipment. After bugging her with a lot of questions regarding IMA, Mimi Zohar suggested that I do a talk to share the results of these discussions.

The tentative name of this talk is: "IMA/EVM - real applications for embedded networking systems". The paper is co-authored with Mark Baushke (mdb@juniper.net) from Juniper Networks. Please add him to the speakers list as well in case this gets accepted.

These are the basic ideas behind the talk:

- Provide a way for a platform supplier to delegate a Certificate Authority or building and IMA/EVM signing software to a third-party.
- The Kernel Keyring needs to be able to add new CAs or certificate chains to provide a root of trust for all software from platform and other third-parties.
- There should be a method (OCSP or CRL) for being able to revoke a particular CA from the kernel keyring.

Abstract idea:

+ Platform supplier provides software with IMA digital signatures for an unattended hardware device. This includes an initrd and the kernel might be booted with Secure Boot. The platform supplier also signs one or more CAs/signing keys for a third-party (which could be the platform owner)
+ Platform owner adds additional content with IMA digital signatures and also wants to enable the third-party software
+ A third-party adds additional software (not just kernel modules) with IMA digital signatures. This third-party needs to have CAs/keys put into the IMA keyring after the system goes to multi-user running mode. The platform owner should authorize any third-party packages to be added.

How can the platform owner ensure that only trusted certificates are present in the kernel keyring and that a full chain of trust must be validated before a signing key is added to the IMA keyring?

This paper will discuss experiments performed on the Linux kernel with different kinds of X509 certificate hierarchies for the validation of software being run.

thank you,
Petko