lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1275664804.21231.61.camel@moss-pluto.epoch.ncsc.mil>
Date:	Fri, 04 Jun 2010 11:20:04 -0400
From:	Stephen Smalley <sds@...ho.nsa.gov>
To:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc:	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	James Morris <jmorris@...ei.org>,
	David Safford <safford@...son.ibm.com>,
	Dave Hansen <dave@...ux.vnet.ibm.com>,
	Mimi Zohar <zohar@...ibm.com>
Subject: Re: [PATCH 04/14] evm: re-release

On Fri, 2010-06-04 at 10:53 -0400, Mimi Zohar wrote:
> On Fri, 2010-06-04 at 10:28 -0400, Stephen Smalley wrote:
> > On Wed, 2010-04-21 at 17:49 -0400, Mimi Zohar wrote:
> > > EVM protects a file's security extended attributes against integrity
> > > attacks. It maintains an HMAC-sha1 value across the extended attributes,
> > > storing the value as the extended attribute 'security.evm'. EVM has gone
> > > through a number of iterations, initially as an LSM module, subsequently
> > > as a LIM integrity provider, and now, when co-located with a security_
> > > hook, embedded directly in the security_ hook, similar to IMA.
> > > 
> > > This is the first part of a local file integrity verification system.
> > > While this part does authenticate the selected extended attributes, and
> > > cryptographically bind them to the inode, coming extensions will bind
> > > other directory and inode metadata for more complete protection.  The
> > > set of protected security extended attributes is configured at compile.
> > > 
> > > EVM depends on the Kernel Key Retention System to provide it with the
> > > kernel master key for the HMAC operation.  The kernel master key is
> > > securely loaded onto the root's keyring, typically by 'loadkernkey',
> > > which either uses the TPM sealed secret key, if available, or a
> > > password requested from the console.  To signal EVM, that the key has
> > > been loaded onto the keyring, 'echo 1 > <securityfs>/evm'. This is
> > > normally done in the initrd, which has already been measured as part
> > > of the trusted boot. (Refer to http://linux-ima.sourceforge.net/#EVM.)
> > 
> > I don't remember this dependency on the kernel key system in prior
> > incarnations of EVM.  Can you explain the rationale for using it, and
> > the implications?
> 
> This changed very early on, so that people without a TPM could 'play'
> with it.

The last time EVM was posted to lsm list (2005, AFAICS) prior to this
year's round, David Safford said:
"Since the kernel master key is unsealed by the hardware TPM only as a
result of a valid trusted boot, and the key is never visible outside the
kernel, the EVM HMAC attribute cannot be forged in an offline attack."

So that seemed to be an important property to you at the time.  I
understand providing alternatives for TPM-less systems, but that doesn't
necessarily mean changing the properties on systems with TPMs.

-- 
Stephen Smalley
National Security Agency

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ