Thread (28 messages) 28 messages, 2 authors, 2019-05-28

Re: [PATCH v10 09/12] ima: Implement support for module-style appended signatures

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2019-05-14 12:09:52
Also in: keyrings, linux-crypto, linux-doc, linux-integrity, linuxppc-dev, lkml

Hi Thiago,

On Thu, 2019-04-18 at 00:51 -0300, Thiago Jung Bauermann wrote:
quoted hunk ↗ jump to hunk
@@ -326,6 +356,10 @@ int ima_appraise_measurement(enum ima_hooks func,
        case INTEGRITY_UNKNOWN:
                break;
        case INTEGRITY_NOXATTRS:        /* No EVM protected xattrs. */
+               /* It's fine not to have xattrs when using a modsig. */
+               if (try_modsig)
+                       break;
+               /* fall through */
        case INTEGRITY_NOLABEL:         /* No security.evm xattr. */
                cause = "missing-HMAC";
                goto out;
@@ -340,6 +374,14 @@ int ima_appraise_measurement(enum ima_hooks func,
                rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
                                  &cause);
 
+       /*
+        * If we have a modsig and either no imasig or the imasig's key isn't
+        * known, then try verifying the modsig.
+        */
+       if (status != INTEGRITY_PASS && try_modsig &&
+           (!xattr_value || rc == -ENOKEY))
+               rc = modsig_verify(func, modsig, &status, &cause);
EVM protects other security xattrs, not just security.ima, if they
exist.  As a result, evm_verifyxattr() could pass based on the other
security xattrs.

Mimi
+
 out:
        /*
         * File signatures on some filesystems can not be properly verified.
  
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help