lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20110529065818.GA2122@elf.ucw.cz>
Date:	Sun, 29 May 2011 08:58:18 +0200
From:	Pavel Machek <pavel@....cz>
To:	David Safford <safford@...son.ibm.com>
Cc:	Mimi Zohar <zohar@...ux.vnet.ibm.com>,
	Casey Schaufler <casey@...aufler-ca.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	James Morris <jmorris@...ei.org>, Greg KH <greg@...ah.com>,
	Dmitry Kasatkin <dmitry.kasatkin@...ia.com>
Subject: Re: [PATCH v5 00/21] EVM

On Fri 2011-05-27 13:45:51, David Safford wrote:
> On Thu, 2011-05-26 at 22:17 +0200, Pavel Machek wrote:
> 
> > I suggest you explain the patchset in the emails, then? Everyone here
> > seems to be confused... Attack it protects against, and what kind of
> > hardware is needed for the protection to be effective?
> 
> The white paper is over 15 pages, and it barely scratches the surface.
> Every customer has different security threat models and requirements.
> Discussing this in general on the mailing list is really hard.
> 
> So let's try to simplify this just down to digital signatures in
> the cellphone environment, as you state:

Good.

> > Because AFAICT, file signatures, as proposed, are only useful for
> > locking down my cellphone against myself. (That's -- evil).
> 
> The proposed digital signatures can enforce authenticity of a file's 
> data (IMA-Appraisal with Digital Signature), and of a file's metadata
> (EVM with Digital Signature). For most users, enforcing authenticity
> of files is a good thing - a user knows that they are running authentic
> software signed by their phone manufacturer, and not malicious files
> that they, or someone else installed. In this threat model, EVM is 

Ok, so lets talk about smartphone, similar to my HTC Dream (developer
version, unlocked bootloader, flashable from kernel (*)).

Yes, I could install the crazy EVM/IMA infastructure to prevent
applications modifying selected files.

But... I could just do chattr +i on selected files, I do not need
fancy EVM/IMA for that.

> Blocking signature verification would serve only to punish Linux 
> users who care about the authenticity of their files, while doing 
> _nothing_ to stop manufacturers from locking their bootloaders.

chattr already protects authenticity of my files, as do standard unix
permissions.

So... where's the difference?

								Pavel
(*) but it does not change anything.

True; determined attacker could steal my cellphone, open it up,
desolder the flash, and change attributes of the filesystem.

But... the same determined attacker can also replace
bootloader&kernel&filesystem -- that is in the same flash! -- with
unlocked versions. So the argumentation is the same for locked down
phone.

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ