lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130129183931.GB21002@redhat.com>
Date:	Tue, 29 Jan 2013 13:39:31 -0500
From:	Vivek Goyal <vgoyal@...hat.com>
To:	"Kasatkin, Dmitry" <dmitry.kasatkin@...el.com>
Cc:	Mimi Zohar <zohar@...ux.vnet.ibm.com>, dhowells@...hat.com,
	jmorris@...ei.org, linux-security-module@...r.kernel.org,
	linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC 1/1] ima: digital signature verification using asymmetric
 keys

On Tue, Jan 29, 2013 at 10:48:00AM +0200, Kasatkin, Dmitry wrote:
> On Mon, Jan 28, 2013 at 8:52 PM, Vivek Goyal <vgoyal@...hat.com> wrote:
> > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
> >
> > [..]
> >> > Ok. I am hoping that it will be more than the kernel command line we
> >> > support. In the sense that for digital signatures one needs to parse
> >> > the signature, look at what hash algorithm has been used  and then
> >> > collect the hash accordingly. It is little different then IMA requirement
> >> > of calculating one pre-determine hash for all files.
> >>
> >> Yes... It is obvious. It's coming.
> >> But in general, signer should be aware of requirements and limitation
> >> of the platform.
> >> It is not really a problem...
> >
> > Ok, I have another question. I was looking at your slide deck here.
> >
> > http://selinuxproject.org/~jmorris/lss2011_slides/IMA_EVM_Digital_Signature_Support.pdf
> >
> > Slide 12 mentions that keys are loaded into the kernel from initramfs. If
> > "root" can load any key, what are we protecting against.
> >
> > IOW, what good ima_appraise_tcb policy, which tries to appraise any root
> > owned file.  A root can sign all the files using its own key and load its
> > public key in IMA keyring and then integrity check should pass on all
> > root files.
> >
> > So what's the idea behind digital signature appraisal? By allowing root to
> > unconditionally load the keys in IMA keyring, it seems to circumvent the
> > appraisal mechanism.
> >
> 
> I will answer directly to this email first.
> 'keyctl setperm' command is used to lock keyring from being able to
> add new keys...
> Even root is not able to revert locked keyring to original
> write-permissive mode.
> 
> root@...ntu:~# cat /proc/keys |grep ima
> 16a4c685 I--Q---     1 perm 3f010000     0     0 keyring   _ima: 2/4
> root@...ntu:~# keyctl setperm 379897477  0x0b010000
> root@...ntu:~# keyctl add user testkey "testing1" 379897477
> add_key: Permission denied
> root@...ntu:~# keyctl setperm 379897477  0x3f010000
> keyctl_setperm: Permission denied
> root@...ntu:~# cat /proc/keys |grep ima
> 16a4c685 I--Q---     1 perm 0b010000     0     0 keyring   _ima: 3/4

Hi Dmitry,

Ok, thanks for the clarification. So from initramfs we will load the key in
IMA keyring and then lock it down.

So this boils down to trusting initramfs.  So how do we make sure that
initramfs is not compromised in secureboot environment.

As initramfs is generated dynamically, we could not sign it (no private
key on target) hence can not appraise it. So may be we need to lock down
key loading in IMA keyring in secureboot mode and ship kernel with
pre-loaded keys? Or there are other ways which have already handled this
problem.

Thanks
Vivek
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ