Re: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC... | linux-security-module

[PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-06-18
[PATCH 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal · Roberto Sassu <roberto.sassu@huawei.com> · 2020-06-18
Re: [PATCH 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-21
RE: [PATCH 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal · Roberto Sassu <roberto.sassu@huawei.com> · 2020-08-31
Re: [PATCH 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-31
[PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-06-18
Re: [PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-21
RE: [PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-08-31
Re: [PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-31
[PATCH 04/11] evm: Check size of security.evm before using it · Roberto Sassu <roberto.sassu@huawei.com> · 2020-06-18
Re: [PATCH 04/11] evm: Check size of security.evm before using it · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-24
[PATCH 05/11] evm: Allow xattr/attr operations for portable signatures if check fails · Roberto Sassu <roberto.sassu@huawei.com> · 2020-06-18
Re: [PATCH 05/11] evm: Allow xattr/attr operations for portable signatures if check fails · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-24
Re: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-21
Re: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-24
RE: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-09-02
Re: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-09-02

Re: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2020-08-24 17:45:13
Also in: linux-integrity, lkml, stable

Hi Roberto,

On Fri, 2020-08-21 at 14:30 -0400, Mimi Zohar wrote:

Sorry for the delay in reviewing these patches.   Missing from this
patch set is a cover letter with an explanation for grouping these
patches into a patch set, other than for convenience.  In this case, it
would be along the lines that the original use case for EVM portable
and immutable keys support was for a few critical files, not combined
with an EVM encrypted key type.   This patch set more fully integrates
the initial EVM portable and immutable signature support.

Thank you for more fully integrating the EVM portable signatures into
IMA.

" [PATCH 08/11] ima: Allow imasig requirement to be satisfied by EVM
portable signatures" equates an IMA signature to having a portable and
immutable EVM signature.  That is true in terms of signature
verification, but from an attestation perspective the "ima-sig"
template will not contain a signature.  If not the EVM signature, then
at least some other indication should be included in the measurement
list.

Are you planning on posting the associated IMA/EVM regression tests?

Mimi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help