| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a84520e3c7de9c767cbbc17e8ad894525043e211.camel@linux.ibm.com>
Date: Wed, 02 Dec 2020 16:07:27 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...wei.com>, mjg59@...gle.com
Cc: linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
silviu.vlasceanu@...wei.com, stable@...r.kernel.org
Subject: Re: [PATCH v3 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if
an HMAC key is loaded
On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> EVM_ALLOW_METADATA_WRITES is an EVM initialization flag that can be set to
> temporarily disable metadata verification until all xattrs/attrs necessary
> to verify an EVM portable signature are copied to the file. This flag is
> cleared when EVM is initialized with an HMAC key, to avoid that the HMAC is
> calculated on unverified xattrs/attrs.
>
> Currently EVM unnecessarily denies setting this flag if EVM is initialized
> with a public key, which is not a concern as it cannot be used to trust
> xattrs/attrs updates. This patch removes this limitation.
>
> Cc: stable@...r.kernel.org # 4.16.x
> Fixes: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata")
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> ---
> Documentation/ABI/testing/evm | 5 +++--
> security/integrity/evm/evm_secfs.c | 2 +-
> 2 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm
> index 3c477ba48a31..eb6d70fd6fa2 100644
> --- a/Documentation/ABI/testing/evm
> +++ b/Documentation/ABI/testing/evm
> @@ -49,8 +49,9 @@ Description:
> modification of EVM-protected metadata and
> disable all further modification of policy
>
> - Note that once a key has been loaded, it will no longer be
> - possible to enable metadata modification.
> + Note that once an HMAC key has been loaded, it will no longer
> + be possible to enable metadata modification and, if it is
> + already enabled, it will be disabled.
>
> Until key loading has been signaled EVM can not create
> or validate the 'security.evm' xattr, but returns
> diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
> index cfc3075769bb..92fe26ace797 100644
> --- a/security/integrity/evm/evm_secfs.c
> +++ b/security/integrity/evm/evm_secfs.c
> @@ -84,7 +84,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf,
> * keys are loaded.
> */
> if ((i & EVM_ALLOW_METADATA_WRITES) &&
> - ((evm_initialized & EVM_KEY_MASK) != 0) &&
> + ((evm_initialized & EVM_INIT_HMAC) != 0) &&
> !(evm_initialized & EVM_ALLOW_METADATA_WRITES))
> return -EPERM;
>
If an HMAC key is loaded EVM_ALLOW_METADATA_WRITES should already be
disabled. Testing EVM_ALLOW_METADATA_WRITES shouldn't be needed.
Please update the comment: "Don't allow a request to freshly enable
metadata writes if keys are loaded."
thanks,
Mimi
Powered by blists - more mailing lists