[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 6 Jun 2019 13:43:58 +0200
From: Roberto Sassu <roberto.sassu@...wei.com>
To: <zohar@...ux.ibm.com>, <dmitry.kasatkin@...wei.com>,
<mjg59@...gle.com>
CC: <linux-integrity@...r.kernel.org>,
<linux-security-module@...r.kernel.org>,
<linux-doc@...r.kernel.org>, <stable@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <silviu.vlasceanu@...wei.com>
Subject: Re: [PATCH v3 0/2] ima/evm fixes for v5.2
On 6/6/2019 1:26 PM, Roberto Sassu wrote:
> Previous versions included the patch 'ima: don't ignore INTEGRITY_UNKNOWN
> EVM status'. However, I realized that this patch cannot be accepted alone
> because IMA-Appraisal would deny access to new files created during the
> boot. With the current behavior, those files are accessible because they
> have a valid security.ima (not protected by EVM) created after the first
> write.
>
> A solution for this problem is to initialize EVM very early with a random
> key. Access to created files will be granted, even with the strict
> appraisal, because after the first write those files will have both
> security.ima and security.evm (HMAC calculated with the random key).
>
> Strict appraisal will work only if it is done with signatures until the
> persistent HMAC key is loaded.
Changelog
v2:
- remove patch 1/3 (evm: check hash algorithm passed to init_desc());
already accepted
- remove patch 3/3 (ima: show rules with IMA_INMASK correctly);
already accepted
- add new patch (evm: add option to set a random HMAC key at early boot)
- patch 2/3: modify patch description
v1:
- remove patch 2/4 (evm: reset status in evm_inode_post_setattr()); file
attributes cannot be set if the signature is portable and immutable
- patch 3/4: add __ro_after_init to ima_appraise_req_evm variable
declaration
- patch 3/4: remove ima_appraise_req_evm kernel option and introduce
'enforce-evm' and 'log-evm' as possible values for ima_appraise=
- remove patch 4/4 (ima: only audit failed appraisal verifications)
- add new patch (ima: show rules with IMA_INMASK correctly)
> Roberto Sassu (2):
> evm: add option to set a random HMAC key at early boot
> ima: add enforce-evm and log-evm modes to strictly check EVM status
>
> .../admin-guide/kernel-parameters.txt | 11 ++--
> security/integrity/evm/evm.h | 10 +++-
> security/integrity/evm/evm_crypto.c | 57 ++++++++++++++++---
> security/integrity/evm/evm_main.c | 41 ++++++++++---
> security/integrity/ima/ima_appraise.c | 8 +++
> security/integrity/integrity.h | 1 +
> 6 files changed, 106 insertions(+), 22 deletions(-)
>
--
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI
Powered by blists - more mailing lists