Message-ID: <feb537b46b78054239397396ea1fdabc1a3c44e2.camel@linux.ibm.com>
Date: Tue, 01 Dec 2020 15:52:45 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...wei.com>, mjg59@...gle.com
Cc: linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
silviu.vlasceanu@...wei.com
Subject: Re: [PATCH v3 00/11] evm: Improve usability of portable signatures
Hi Roberto,
On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> EVM portable signatures are particularly suitable for the protection of
> metadata of immutable files where metadata is signed by a software vendor.
> They can be used for example in conjunction with an IMA policy that
> appraises only executed and memory mapped files.
The existing "appraise_tcb" builtin policy verifies all root owned files.
Defining a new builtin policy to verify only executed and memory
mmapped files would make a nice addition and would probably simplify
testing.
>
> However, some usability issues are still unsolved, especially when EVM is
> used without loading an HMAC key. This patch set attempts to fix the open
> issues.
We need regression tests for each of these changes.
To prevent affecting the running system, the appraise policy rules
could be limited to a loopback mounted filesystem.
>
> Patch 1 allows EVM to be used without loading an HMAC key. Patch 2 avoids
> appraisal verification of public keys (they are already verified by the key
> subsystem).
Loading the EVM key(s) occurs early, either the builtin x509 EVM key or
during the initramfs, which makes testing difficult. Based on
security/evm/evm, different tests could be defined for when only x509
keys, only HMAC key, or both EVM key types are loaded.
>
> Patches 3-5 allow metadata verification to be turned off when no HMAC key
> is loaded and to use this mode in a safe way (by ensuring that IMA
> revalidates metadata when there is a change).
>
> Patches 6-8 make portable signatures more usable if metadata verification
> is not turned off, by ignoring the INTEGRITY_NOLABEL error when no HMAC key
> is loaded, by accepting any metadata modification until signature
> verification succeeds (useful when xattrs/attrs are copied sequentially
> from a source) and by allowing operations that don't change metadata.
>
> Patch 9 makes it possible to use portable signatures when the IMA policy
> requires file signatures and patch 10 shows portable signatures in the
> measurement list when the ima-sig template is selected.
ima-evm-utils needs to be updated to support EVM portable & immutable
signatures.
>
> Lastly, patch 11 avoids undesired removal of security.ima when a file is
> not selected by the IMA policy.
thanks,
Mimi
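
Added example (not part of this message or of the patch set): a shell sketch of two pieces a regression-test harness along the lines suggested above would need, namely picking a test group from the value read from the securityfs evm file and emitting appraise rules for executed and exec-mmapped files restricted to one filesystem by fsuuid. The function names and sample values are hypothetical; the bit meanings are taken from the kernel's Documentation/ABI/testing/evm.

```shell
#!/bin/sh
# Added example; function names and sample values are hypothetical.
# Bit meanings per Documentation/ABI/testing/evm.
EVM_INIT_HMAC=1   # bit 0: HMAC key loaded
EVM_INIT_X509=2   # bit 1: x509 key loaded (signature verification)

# Map the decimal value read from the securityfs evm file to a test group.
# Other bits (e.g. bit 2, metadata writes allowed) do not affect the choice.
evm_test_group() {
    val=$1
    case $val in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    hmac=$(( val & EVM_INIT_HMAC ))
    x509=$(( val & EVM_INIT_X509 ))
    if [ "$hmac" -ne 0 ] && [ "$x509" -ne 0 ]; then
        echo "both"
    elif [ "$hmac" -ne 0 ]; then
        echo "hmac-only"
    elif [ "$x509" -ne 0 ]; then
        echo "x509-only"
    else
        echo "none"
    fi
}

# Print IMA appraise rules covering only executed and exec-mmapped files,
# scoped by fsuuid so that only the test filesystem (for instance a
# loopback-mounted image) is appraised and the running system is untouched.
scoped_appraise_rules() {
    uuid=$1
    case $uuid in
        *[!0-9a-fA-F-]*) echo "bad fsuuid: $uuid" >&2; return 1 ;;
    esac
    case $uuid in
        ????????-????-????-????-????????????) ;;
        *) echo "bad fsuuid: $uuid" >&2; return 1 ;;
    esac
    printf 'appraise func=BPRM_CHECK fsuuid=%s\n' "$uuid"
    printf 'appraise func=MMAP_CHECK mask=MAY_EXEC fsuuid=%s\n' "$uuid"
}

# Constructed sample inputs: evm value 6 (x509 key loaded, metadata writes
# allowed) and a made-up filesystem UUID.
evm_test_group 6
scoped_appraise_rules 0a1b2c3d-1111-2222-3333-444455556666
```

On a test machine the first argument would come from reading the evm file under securityfs (usually mounted at /sys/kernel/security), and the UUID from the loopback image, for example with blkid.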