lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 24 Apr 2014 14:44:59 -0400
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	Dmitry Kasatkin <d.kasatkin@...sung.com>
Cc:	dhowells@...hat.com, jmorris@...ei.org, roberto.sassu@...ito.it,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 00/20] in-kernel IMA/EVM initialization

On Wed, 2014-04-23 at 16:30 +0300, Dmitry Kasatkin wrote: 
> Hi,
> 
> Currently secure IMA/EVM initialization has to be done from the
> initramfs, embedded in the signed kernel image. Many systems do
> not want to use initramfs or use unsigned locally generated images.
> 
> This patchset introduces kernel functionality, which allows to perform
> IMA/EVM initialization without initramfs from the kernel, which
> includes mainly following:
> - loading EVM hmac encrypted keys
> - loading and verification of signed X509 certificates
> - loading and verification of signed IMA policy
> 
> Patchset introduces the set of new kernel configuration options,
> which makes this functionality entirely configurable.
> Not enabling any of the options does not change original IMA/EVM
> behavior. In order not to bloat security configuration menu,
> integrity subsystem options were moved to the separate menu.
> It does not affect existing configuration. Re-configuration is
> not needed.

Loading the IMA/EVM keys onto their respective keyrings by the kernel,
as early as possible, is a good idea, but unfortunately, at least in the
past, having the kernel open files (eg. configuration, policies, kernel
module public key) has not been permitted.  LSM policies were initially
loaded by the initramfs, but more recently by dracut.  As for the kernel
module public key, the key is built into the kernel and loaded onto the
system keyring.  I'm not aware that this limitation of opening files
from the kernel has been removed.

thanks,

Mimi

> 
> Dmitry Kasatkin (19):
>   integrity: initialize EVM before IMA
>   ima: move asymmetric keys config option
>   integrity: move integrity subsystem options to a separate menu
>   integrity: provide builtin 'trusted' keyrings
>   ima: create '_ima' as a builtin 'trusted' keyring
>   integrity: provide x509 certificate loading from the kernel
>   ima: load x509 certificate from the kernel
>   evm: create '_evm' as a builtin 'trusted' keyring
>   evm: load x509 certificate from the kernel
>   ima: added kernel parameter for disabling IMA
>   ima: provide buffer hash calculation function
>   ima: replace opencount with bitop
>   ima: check if policy was set at open
>   ima: path based policy loading interface
>   ima: load policy from the kernel
>   ima: make IMA policy replaceable at runtime
>   evm: added kernel parameter for disabling EVM
>   evm: try enable EVM from the kernel
>   evm: read EVM key from the kernel
> 
> Mimi Zohar (1):
>   KEYS: verify a certificate is signed by a 'trusted' key
> 
>  crypto/asymmetric_keys/x509_public_key.c |  85 +++++++++++++++++++++++-
>  security/integrity/Kconfig               |  41 ++++++++----
>  security/integrity/Makefile              |   4 +-
>  security/integrity/digsig.c              | 103 +++++++++++++++++++++++++++++
>  security/integrity/evm/Kconfig           |  32 +++++++--
>  security/integrity/evm/evm.h             |  14 ++++
>  security/integrity/evm/evm_crypto.c      | 101 ++++++++++++++++++++++++++++
>  security/integrity/evm/evm_main.c        |  25 +++++--
>  security/integrity/evm/evm_secfs.c       |  13 ++--
>  security/integrity/ima/Kconfig           |  49 +++++++++++++-
>  security/integrity/ima/ima.h             |  19 ++++++
>  security/integrity/ima/ima_crypto.c      |  11 +++-
>  security/integrity/ima/ima_fs.c          |  48 ++++++++++----
>  security/integrity/ima/ima_init.c        |   3 +
>  security/integrity/ima/ima_main.c        |  12 +++-
>  security/integrity/ima/ima_policy.c      | 109 ++++++++++++++++++++++++++++---
>  security/integrity/integrity.h           |  20 ++++++
>  17 files changed, 626 insertions(+), 63 deletions(-)
> 


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ