| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 May 2011 07:21:25 -0400 From: Mimi Zohar <zohar@...ux.vnet.ibm.com> To: Harald Hoyer <harald.hoyer@...il.com> Cc: "Serge E. Hallyn" <serge@...lyn.com>, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, James Morris <jmorris@...ei.org>, David Safford <safford@...son.ibm.com>, Andrew Morton <akpm@...ux-foundation.org>, Greg KH <greg@...ah.com>, Dmitry Kasatkin <dmitry.kasatkin@...ia.com>, Mimi Zohar <zohar@...ibm.com> Subject: Re: [PATCH v5 03/21] evm: re-release On Fri, 2011-05-20 at 13:12 +0200, Harald Hoyer wrote: > Am 20.05.2011 00:49, schrieb Mimi Zohar: > > On Thu, 2011-05-19 at 01:05 -0500, Serge E. Hallyn wrote: > >> Quoting Mimi Zohar (zohar@...ux.vnet.ibm.com): > >>> EVM protects a file's security extended attributes(xattrs) against integrity > >>> attacks. This patchset provides the framework and an initial method. The > >>> initial method maintains an HMAC-sha1 value across the security extended > >>> attributes, storing the HMAC value as the extended attribute 'security.evm'. > >>> Other methods of validating the integrity of a file's metadata will be posted > >>> separately (eg. EVM-digital-signatures). > >>> > >>> While this patchset does authenticate the security xattrs, and > >>> cryptographically binds them to the inode, coming extensions will bind other > >>> directory and inode metadata for more complete protection. To help simplify > >>> the review and upstreaming process, each extension will be posted separately > >>> (eg. IMA-appraisal, IMA-appraisal-directory). For a general overview of the > >>> proposed Linux integrity subsystem, refer to Dave Safford's whitepaper: > >>> http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf. > >>> > >>> EVM depends on the Kernel Key Retention System to provide it with a > >>> trusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto the > >>> root's keyring using keyctl. Until EVM receives notification that the key has > >>> been successfully loaded onto the keyring (echo 1 > <securityfs>/evm), EVM can > >>> not create or validate the 'security.evm' xattr, but returns INTEGRITY_UNKNOWN. > >>> Loading the key and signaling EVM should be done as early as possible. Normally > >>> this is done in the initramfs, which has already been measured as part of the > >>> trusted boot. For more information on creating and loading existing > >>> trusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt. A > >>> sample dracut patch, which loads the trusted/encrypted key and enables EVM, is > >>> available from http://linu-ima.sourceforge.net/#EVM. > >> > >> That should read http://linux-ima.sourceforge.net/#EVM. > > > > Thanks for catching that. > > The dracut patch, could easily turned into a separate dracut module with its own > files, without patching. Somebody did not understand the modular nature of > dracut. While you are at it, I happily integrate that module in upstream, if you > submit it to the initramfs mailing list. thanks! Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists