lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <CACE9dm8awr4fTAd5i3rjxehqtxwUiJq_VEyaYU4OvjKy4Oe0sA@mail.gmail.com>
Date:	Tue, 4 Mar 2014 16:20:52 +0200
From:	Dmitry Kasatkin <dmitry.kasatkin@...il.com>
To:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc:	Dmitry Kasatkin <d.kasatkin@...sung.com>,
	linux-security-module@...r.kernel.org,
	James Morris <jmorris@...ei.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	casey.schaufler@...el.com
Subject: Re: [PATCH 7/8] evm: introduce EVM hmac attribute list

On Tue, Mar 4, 2014 at 4:09 AM, Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
> On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
>> This patch replaces the use of the hmac version configuration parameter
>> with an attribute list. It allows building kernels which work with
>> previously labeled filesystems.
>>
>> The currently supported attribute is 'fsuuid', which is equivalent to the
>> former version 2.
>>
>> Signed-off-by: Dmitry Kasatkin <d.kasatkin@...sung.com>
>
> Please include the new boot command line option in
> Documentation/kernel-parameters.txt.
>

There is no kernel parameter, but a configuration parameter.
Again, for flexibility to add more parameters and to be able to use a new
kernel on existing labeled filesystems.

A kernel command line option can be added in the future.

- Dmitry

> Mimi
>
>> ---
>>  security/integrity/evm/Kconfig      | 19 ++++++++++---------
>>  security/integrity/evm/evm.h        |  4 +++-
>>  security/integrity/evm/evm_crypto.c |  2 +-
>>  security/integrity/evm/evm_main.c   | 21 ++++++++++++++++++++-
>>  4 files changed, 34 insertions(+), 12 deletions(-)
>>
>> diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
>> index d35b491..2be51fa 100644
>> --- a/security/integrity/evm/Kconfig
>> +++ b/security/integrity/evm/Kconfig
>> @@ -12,15 +12,16 @@ config EVM
>>
>>         If you are unsure how to answer this question, answer N.
>>
>> -config EVM_HMAC_VERSION
>> -     int "EVM HMAC version"
>> -     depends on EVM
>> -     default 2
>> -     help
>> -       This options adds EVM HMAC version support.
>> -       1 - original version
>> -       2 - add per filesystem unique identifier (UUID) (default)
>> +config EVM_HMAC_ATTRS
>> +     string "HMAC attributes"
>> +     default "fsuuid"
>> +     help
>> +       This options allows to specify list of optional attributes included into HMAC
>> +       calculation. It makes it possible easily upgrade to newer kernels.
>> +
>> +       Default value is 'fsuuid', which is former version 2.
>> +       if blank, it is equivalent of version 1
>>
>>         WARNING: changing the HMAC calculation method or adding
>>         additional info to the calculation, requires existing EVM
>> -       labeled file systems to be relabeled.
>> +       labeled file systems to be relabeled.
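Review bot: the new EVM_HMAC_ATTRS entry drops the `depends on EVM` line that EVM_HMAC_VERSION carried, so unless this sits inside an enclosing `if EVM` block not shown in the hunk, the option is offered even when EVM itself is disabled; keep `depends on EVM` under the new symbol. The help text also needs an edit: "This options allows to specify list of optional attributes included into HMAC calculation. It makes it possible easily upgrade to newer kernels." reads better as "This option specifies the list of optional attributes included in the HMAC calculation, which makes it possible to upgrade to a newer kernel on an existing labeled filesystem.", and it should say which separators are accepted (the parser in evm_main.c splits on ',', space and tab) and what happens with a name it does not recognise. Finally, the trailing `-`/`+` pair on "labeled file systems to be relabeled." changes nothing visible, so it looks like a whitespace-only cleanup; either drop it or mention it in the changelog.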
>> diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
>> index 37c88dd..c8fa0aa 100644
>> --- a/security/integrity/evm/evm.h
>> +++ b/security/integrity/evm/evm.h
>> @@ -24,11 +24,13 @@
>>  extern int evm_initialized;
>>  extern char *evm_hmac;
>>  extern char *evm_hash;
>> -extern int evm_hmac_version;
>> +extern int evm_hmac_attrs;
>>
>>  extern struct crypto_shash *hmac_tfm;
>>  extern struct crypto_shash *hash_tfm;
>>
>> +#define EVM_HMAC_ATTR_FSUUID         0x0001
>> +
>>  /* List of EVM protected security xattrs */
>>  extern char *evm_config_xattrnames[];
>>
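Review bot: `evm_hmac_attrs` is declared `int` but is used purely as a bit mask (`EVM_HMAC_ATTR_FSUUID 0x0001`, tested with `&` in evm_crypto.c); `unsigned int` would state that intent and avoid sign questions if the top bit is ever assigned. A one-line comment above the `EVM_HMAC_ATTR_*` definitions saying that adding a bit changes the HMAC and requires relabeling, mirroring the Kconfig warning, would help the next person who extends the list.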
>> diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
>> index babd862..ab034e5 100644
>> --- a/security/integrity/evm/evm_crypto.c
>> +++ b/security/integrity/evm/evm_crypto.c
>> @@ -112,7 +112,7 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
>>       hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
>>       hmac_misc.mode = inode->i_mode;
>>       crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc));
>> -     if (evm_hmac_version > 1)
>> +     if (evm_hmac_attrs & EVM_HMAC_ATTR_FSUUID)
>>               crypto_shash_update(desc, inode->i_sb->s_uuid,
>>                                   sizeof(inode->i_sb->s_uuid));
>>       crypto_shash_final(desc, digest);
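Review bot: `evm_hmac_attrs` is now zero until `evm_init_config()` runs from `init_evm()`, whereas the old `CONFIG_EVM_HMAC_VERSION` value was correct from compile time; if `hmac_add_misc()` can be reached before `init_evm()` completes, those HMACs would silently omit the fsuuid and later fail verification against the default configuration. Worth confirming in the changelog that no EVM HMAC is computed before `init_evm()` has run, or otherwise initialising the mask earlier than the rest of the init path.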
>> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
>> index 996092f..9c05929 100644
>> --- a/security/integrity/evm/evm_main.c
>> +++ b/security/integrity/evm/evm_main.c
>> @@ -32,7 +32,7 @@ static char *integrity_status_msg[] = {
>>  };
>>  char *evm_hmac = "hmac(sha1)";
>>  char *evm_hash = "sha1";
>> -int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
>> +int evm_hmac_attrs;
>>
>>  char *evm_config_xattrnames[] = {
>>  #ifdef CONFIG_SECURITY_SELINUX
>> @@ -57,6 +57,19 @@ static int __init evm_set_fixmode(char *str)
>>  }
>>  __setup("evm=", evm_set_fixmode);
>>
>> +static int __init evm_init_config(void)
>> +{
>> +     char *attrs = CONFIG_EVM_HMAC_ATTRS;
>> +     char *p;
>> +
>> +     while ((p = strsep(&attrs, ", \t"))) {
>> +             if (!strcmp(p, "fsuuid"))
>> +                     evm_hmac_attrs |= EVM_HMAC_ATTR_FSUUID;
>> +     }
>> +     pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
>> +     return 0;
>> +}
>> +
>>  static int evm_find_protected_xattrs(struct dentry *dentry)
>>  {
>>       struct inode *inode = dentry->d_inode;
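Review bot: `char *attrs = CONFIG_EVM_HMAC_ATTRS;` points `strsep()` at a string literal, and `strsep()` overwrites each delimiter it finds with a NUL. The default "fsuuid" contains no delimiter, so nothing is written today, but any multi-attribute value such as "fsuuid, foo" would write into read-only data. Copy the string into a writable buffer first, e.g. `static char attrs_buf[] __initdata = CONFIG_EVM_HMAC_ATTRS;` and `char *attrs = attrs_buf;`. Second, an unrecognised token is silently ignored, so a typo in the Kconfig string yields a different HMAC than intended and every file then fails verification with no hint why; print `pr_err("unknown HMAC attribute '%s'\n", p)` and return -EINVAL instead. As posted the function can only return 0, which also makes the `error < 0` check in the caller dead code. The final `pr_info("HMAC attrs: 0x%x\n", ...)` would be more useful if it listed the attribute names that were actually enabled rather than the raw mask.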
>> @@ -432,6 +445,12 @@ static int __init init_evm(void)
>>  {
>>       int error;
>>
>> +     error = evm_init_config();
>> +     if (error < 0) {
>> +             pr_info("Error parsing config lists\n");
>> +             goto err;
>> +     }
>> +
>>       error = evm_init_secfs();
>>       if (error < 0) {
>>               pr_info("Error registering secfs\n");
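Review bot: the `error < 0` branch after `evm_init_config()` is unreachable as posted, since that function only ever returns 0; either have it fail on an unrecognised attribute so the check means something, or drop the check until a failure path exists. The message "Error parsing config lists" reports a failure and should be pr_err rather than pr_info, and "lists" should be singular unless further lists are planned. Also confirm that the `err` label it jumps to is safe to reach before `evm_init_secfs()` has registered anything.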
>
>



-- 
Thanks,
Dmitry