Date:	Mon, 03 Mar 2014 21:09:30 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	Dmitry Kasatkin <d.kasatkin@...sung.com>
Cc:	linux-security-module@...r.kernel.org, jmorris@...ei.org,
	linux-kernel@...r.kernel.org, casey.schaufler@...el.com,
	dmitry.kasatkin@...il.com
Subject: Re: [PATCH 7/8] evm: introduce EVM hmac attribute list

On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote: 
> This patch replaces the use of the hmac version configuration parameter
> with an attribute list. It allows building kernels that work with
> previously labeled filesystems.
> 
> Currently supported attribute is 'fsuuid' which is equivalent of
> former version 2.
> 
> Signed-off-by: Dmitry Kasatkin <d.kasatkin@...sung.com>

Please include the new boot command line option in
Documentation/kernel-parameters.txt.

Mimi

> ---
>  security/integrity/evm/Kconfig      | 19 ++++++++++---------
>  security/integrity/evm/evm.h        |  4 +++-
>  security/integrity/evm/evm_crypto.c |  2 +-
>  security/integrity/evm/evm_main.c   | 21 ++++++++++++++++++++-
>  4 files changed, 34 insertions(+), 12 deletions(-)
> 
> diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
> index d35b491..2be51fa 100644
> --- a/security/integrity/evm/Kconfig
> +++ b/security/integrity/evm/Kconfig
> @@ -12,15 +12,16 @@ config EVM
> 
>  	  If you are unsure how to answer this question, answer N.
> 
> -config EVM_HMAC_VERSION
> -	int "EVM HMAC version"
> -	depends on EVM
> -	default 2
> -	help
> -	  This options adds EVM HMAC version support.
> -	  1 - original version
> -	  2 - add per filesystem unique identifier (UUID) (default)
> +config EVM_HMAC_ATTRS
> +	string "HMAC attributes"
> +	default "fsuuid"
> + 	help
> +	  This options allows to specify list of optional attributes included into HMAC
> +	  calculation. It makes it possible easily upgrade to newer kernels.
> +	 
> +	  Default value is 'fsuuid', which is former version 2.
> +	  if blank, it is equivalent of version 1
> 
>  	  WARNING: changing the HMAC calculation method or adding 
>  	  additional info to the calculation, requires existing EVM
> -	  labeled file systems to be relabeled.  
> +	  labeled file systems to be relabeled.
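Review bot: The new EVM_HMAC_ATTRS option drops the `depends on EVM` line that EVM_HMAC_VERSION had, so it is prompted for and defined even in kernels where EVM is not built; add `depends on EVM` after the `string "HMAC attributes"` line. The help text should also say that only `fsuuid` is currently recognised and that other names are ignored, which is what the parser in the evm_main.c hunk does. Wording such as `This option specifies the list of optional attributes included in the HMAC calculation, which makes upgrading to newer kernels easier.` reads better than the current sentences, and the `help` line carries a stray space before its tab while the blank line below it has trailing whitespace.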
> diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
> index 37c88dd..c8fa0aa 100644
> --- a/security/integrity/evm/evm.h
> +++ b/security/integrity/evm/evm.h
> @@ -24,11 +24,13 @@
>  extern int evm_initialized;
>  extern char *evm_hmac;
>  extern char *evm_hash;
> -extern int evm_hmac_version;
> +extern int evm_hmac_attrs;
> 
>  extern struct crypto_shash *hmac_tfm;
>  extern struct crypto_shash *hash_tfm;
> 
> +#define EVM_HMAC_ATTR_FSUUID		0x0001
> +
>  /* List of EVM protected security xattrs */
>  extern char *evm_config_xattrnames[];
> 
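Review bot: EVM_HMAC_ATTR_FSUUID is added without a comment saying what the bit controls, and `evm_hmac_attrs` is declared as a signed `int` although the rest of the series only uses it as a bitmask (`|=` in evm_init_config, `&` in hmac_add_misc). Suggest `/* Optional inode data folded into the EVM HMAC; bits of evm_hmac_attrs */` above the define and `extern unsigned int evm_hmac_attrs;` here, with the definition in the first evm_main.c hunk changed to match.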
> diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
> index babd862..ab034e5 100644
> --- a/security/integrity/evm/evm_crypto.c
> +++ b/security/integrity/evm/evm_crypto.c
> @@ -112,7 +112,7 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
>  	hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
>  	hmac_misc.mode = inode->i_mode;
>  	crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc));
> -	if (evm_hmac_version > 1)
> +	if (evm_hmac_attrs & EVM_HMAC_ATTR_FSUUID)
>  		crypto_shash_update(desc, inode->i_sb->s_uuid,
>  				    sizeof(inode->i_sb->s_uuid));
>  	crypto_shash_final(desc, digest);
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index 996092f..9c05929 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -32,7 +32,7 @@ static char *integrity_status_msg[] = {
>  };
>  char *evm_hmac = "hmac(sha1)";
>  char *evm_hash = "sha1";
> -int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
> +int evm_hmac_attrs;
> 
>  char *evm_config_xattrnames[] = {
>  #ifdef CONFIG_SECURITY_SELINUX
> @@ -57,6 +57,19 @@ static int __init evm_set_fixmode(char *str)
>  }
>  __setup("evm=", evm_set_fixmode);
> 
> +static int __init evm_init_config(void)
> +{
> +	char *attrs = CONFIG_EVM_HMAC_ATTRS;
> +	char *p;
> +
> +	while ((p = strsep(&attrs, ", \t"))) {
> +		if (!strcmp(p, "fsuuid"))
> +			evm_hmac_attrs |= EVM_HMAC_ATTR_FSUUID;
> +	}
> +	pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
> +	return 0;
> +}
> +
>  static int evm_find_protected_xattrs(struct dentry *dentry)
>  {
>  	struct inode *inode = dentry->d_inode;
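Review bot: `strsep()` overwrites each delimiter it finds with a NUL, but `attrs` points at whatever CONFIG_EVM_HMAC_ATTRS expands to, which for a Kconfig string option is a string literal, so any list with more than one entry writes into read-only data; copy the value into a local array first. Unrecognised names are also skipped silently: a misspelled entry leaves the fsuuid bit clear and the HMAC is then computed without the filesystem UUID, with only the `pr_info` line to show it, and because the function returns 0 unconditionally the `error < 0` check added in the init_evm hunk can never fire. Returning `-EINVAL` for an unknown non-empty token (empty tokens arise from consecutive delimiters and should be ignored) makes both problems visible at boot. The rewritten function is below.
```c
static int __init evm_init_config(void)
{
	char buf[] = CONFIG_EVM_HMAC_ATTRS;	/* strsep() writes into it */
	char *attrs = buf;
	char *p;

	while ((p = strsep(&attrs, ", \t"))) {
		if (!*p)
			continue;	/* consecutive delimiters */
		if (!strcmp(p, "fsuuid"))
			evm_hmac_attrs |= EVM_HMAC_ATTR_FSUUID;
		else
			return -EINVAL;	/* unknown attribute name */
	}
	pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
	return 0;
}
```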
> @@ -432,6 +445,12 @@ static int __init init_evm(void)
>  {
>  	int error;
> 
> +	error = evm_init_config();
> +	if (error < 0) {
> +		pr_info("Error parsing config lists\n");
> +		goto err;
> +	}
> +
>  	error = evm_init_secfs();
>  	if (error < 0) {
>  		pr_info("Error registering secfs\n");


