Thread: 5 messages, 3 authors, 2020-07-31

RE: IMA/EVM interfaces

From: Roberto Sassu <roberto.sassu@huawei.com>
Date: 2020-07-30 06:50:51

> From: Denis Efremov [mailto:efremov@linux.com]
> Sent: Wednesday, July 29, 2020 11:59 PM
>
> On 7/28/20 6:43 PM, Roberto Sassu wrote:
>> From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-owner@vger.kernel.org] On Behalf Of Denis Efremov
>> Sent: Tuesday, July 28, 2020 12:32 PM
>>
>>> Hi,
>>>
>>> I've started to add integrity interfaces descriptions to syzkaller
>>> (https://github.com/google/syzkaller/pull/1970).
>>>
>>> I've got a question, if you don't mind:
>>>
>>> If I write 2 to /sys/kernel/security/integrity/evm/evm before loading keys,
>>> subsequent fs operations will fail with -ENOKEY.
>>>
>>> $ echo 2 > /sys/kernel/security/integrity/evm/evm
>>> $ touch test.txt
>>> [  526.976855][ T5771] evm: HMAC key is not set
>>> [  526.977892][ T5771] evm: init_desc failed
>>> touch: cannot touch 'test.txt': Required key not available
>>>
>>> Is this a desired behavior? Should there be a check in evm_write_key()
>>> for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings) before
>>> changing the evm_initialized bit? Is it correct to set second bit without
>>> first bit?
>>
>> Hi Denis,
>>
>> can you please try this patch?
>>
>> https://lore.kernel.org/linux-integrity/20200618160133.937-1-roberto.sassu@huawei.com/
>
> $ cat /proc/cmdline
> console=ttyS0 root=/dev/sda earlyprintk=serial ima_appraise=fix evm=fix
> $ echo 2 > /sys/kernel/security/integrity/evm/evm
> [   44.116084][ T4108] evm: HMAC key is not set
> $ touch test.txt
> $ cat /sys/kernel/security/integrity/evm/evm
> 2
> $ keyctl add user kmk-user "`cat /etc/keys/kmk-user.blob`" @u
> $ keyctl add encrypted evm-key "load `cat /etc/keys/evm-user.blob`" @u
> $ echo 1 > /sys/kernel/security/integrity/evm/evm
> [  574.328262] evm: key initialized
>
> Regards,
> Denis

Looks good. Mimi, could you please take this patch, and if
possible, the others in the patch set?

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
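The sequence Denis ended up with (load the master key, load the encrypted evm-key, only then write 1 to the evm file) is easy to get wrong in the order the original report showed. The script below is an added example, not code from the thread, the kernel tree or keyctl: it decodes the bitmask read back from /sys/kernel/security/integrity/evm/evm using the flag values from Documentation/ABI/testing/evm, performs in user space the "is the key loaded before requesting EVM_INIT_HMAC" check Denis asked about, and replays the thread's keyctl commands in the working order. It assumes keyctl(1), the blob paths /etc/keys/kmk-user.blob and /etc/keys/evm-user.blob used in the thread, and that `keyctl list @u` describes keys as `type: description`; securityfs is only written when the script is invoked with `--apply`.

```shell
#!/bin/sh
# Added example (not from the thread or the kernel tree): decode the EVM state
# bitmask, refuse to request HMAC mode before the evm-key is loaded, and apply
# the key-loading order that worked in Denis's test.
# Assumes keyctl(1) and the key blobs under /etc/keys/ from the thread.

EVM_FILE=/sys/kernel/security/integrity/evm/evm

# Flag values as documented in Documentation/ABI/testing/evm.
EVM_INIT_HMAC=1
EVM_INIT_X509=2
EVM_ALLOW_METADATA_WRITES=4
EVM_SETUP_COMPLETE=2147483648   # 0x80000000

# evm_decode VALUE: print the names of the flags set in VALUE, or "none".
evm_decode() {
    v=$1 names=""
    if [ $((v & EVM_INIT_HMAC)) -ne 0 ]; then names="$names EVM_INIT_HMAC"; fi
    if [ $((v & EVM_INIT_X509)) -ne 0 ]; then names="$names EVM_INIT_X509"; fi
    if [ $((v & EVM_ALLOW_METADATA_WRITES)) -ne 0 ]; then names="$names EVM_ALLOW_METADATA_WRITES"; fi
    if [ $((v & EVM_SETUP_COMPLETE)) -ne 0 ]; then names="$names EVM_SETUP_COMPLETE"; fi
    names=${names# }
    printf '%s\n' "${names:-none}"
}

# evm_key_in_listing LISTING: succeed if LISTING (text in the assumed
# `keyctl list @u` format, one "id: perms uid gid type: description" line per
# key) contains an 'encrypted' key described as 'evm-key'.
evm_key_in_listing() {
    printf '%s\n' "$1" | grep -q 'encrypted: evm-key$'
}

# evm_write_allowed REQUESTED KEY_LOADED(0/1): user-space counterpart of the
# check the thread asks for. Requesting EVM_INIT_HMAC with no evm-key loaded is
# the situation that produced 'evm: HMAC key is not set' and ENOKEY.
# Requesting only EVM_INIT_X509 (the value 2) is allowed either way.
evm_write_allowed() {
    req=$1 key=$2
    if [ $((req & EVM_INIT_HMAC)) -ne 0 ] && [ "$key" -eq 0 ]; then
        echo "refusing to write $req: EVM_INIT_HMAC requested but evm-key is not loaded" >&2
        return 1
    fi
    return 0
}

# evm_setup: the order that succeeded in the thread. Load the user-type master
# key, then the encrypted evm-key, then signal EVM_INIT_HMAC, then read back
# and decode the resulting state.
evm_setup() {
    if ! keyctl search @u encrypted evm-key >/dev/null 2>&1; then
        keyctl add user kmk-user "$(cat /etc/keys/kmk-user.blob)" @u >/dev/null
        keyctl add encrypted evm-key "load $(cat /etc/keys/evm-user.blob)" @u >/dev/null
    fi
    evm_write_allowed "$EVM_INIT_HMAC" 1 || return 1
    echo "$EVM_INIT_HMAC" > "$EVM_FILE"
    echo "evm state: $(evm_decode "$(cat "$EVM_FILE")")"
}

# Only touch securityfs when explicitly asked; the functions above can be
# sourced and exercised without root or an EVM-enabled kernel.
if [ "${1:-}" = "--apply" ]; then
    evm_setup
fi
```

Run as `sh evm-setup.sh --apply` on the target machine as root. The decoding helper is also useful on its own: a value of 2 read back from the evm file, as in Denis's second transcript, means digital-signature validation is enabled but no HMAC key has been loaded yet, which is exactly the state in which the patched kernel lets `touch` succeed while logging "HMAC key is not set".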