lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 7 Jun 2019 16:40:37 +0200
From:   Roberto Sassu <roberto.sassu@...wei.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>, <dmitry.kasatkin@...wei.com>,
        <mjg59@...gle.com>
CC:     <linux-integrity@...r.kernel.org>,
        <linux-security-module@...r.kernel.org>,
        <linux-doc@...r.kernel.org>, <stable@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <silviu.vlasceanu@...wei.com>
Subject: Re: [PATCH v3 2/2] ima: add enforce-evm and log-evm modes to strictly
 check EVM status

On 6/7/2019 4:24 PM, Mimi Zohar wrote:
> Hi Roberto,
> 
> Thank you for updating the patch description.

Hi Mimi

no problem.


> On Thu, 2019-06-06 at 13:26 +0200, Roberto Sassu wrote:
>> IMA and EVM have been designed as two independent subsystems: the first for
>> checking the integrity of file data; the second for checking file metadata.
>> Making them independent allows users to adopt them incrementally.
>>
>> The point of intersection is in IMA-Appraisal, which calls
>> evm_verifyxattr() to ensure that security.ima wasn't modified during an
>> offline attack. The design choice, to ensure incremental adoption, was to
>> continue appraisal verification if evm_verifyxattr() returns
>> INTEGRITY_UNKNOWN. This value is returned when EVM is not enabled in the
>> kernel configuration, or if the HMAC key has not been loaded yet.
>>
>> Although this choice appears legitimate, it might not be suitable for
>> hardened systems, where the administrator expects that access is denied if
>> there is any error. An attacker could intentionally delete the EVM keys
>> from the system and set the file digest in security.ima to the actual file
>> digest so that the final appraisal status is INTEGRITY_PASS.
> 
> Assuming that the EVM HMAC key is stored in the initramfs, not on some
> other file system, and the initramfs is signed, INTEGRITY_UNKNOWN
> would be limited to the rootfs filesystem.

There is another issue. The HMAC key, like the public keys, should be
loaded when appraisal is disabled. This means that we have to create a
trusted key at early boot and defer the unsealing.

Roberto

-- 
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ