RE: [PATCH 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal

[PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-06-18
[PATCH 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal · Roberto Sassu <roberto.sassu@huawei.com> · 2020-06-18
Re: [PATCH 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-21
RE: [PATCH 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal · Roberto Sassu <roberto.sassu@huawei.com> · 2020-08-31
Re: [PATCH 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-31
[PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-06-18
Re: [PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-21
RE: [PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-08-31
Re: [PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-31
[PATCH 04/11] evm: Check size of security.evm before using it · Roberto Sassu <roberto.sassu@huawei.com> · 2020-06-18
Re: [PATCH 04/11] evm: Check size of security.evm before using it · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-24
[PATCH 05/11] evm: Allow xattr/attr operations for portable signatures if check fails · Roberto Sassu <roberto.sassu@huawei.com> · 2020-06-18
Re: [PATCH 05/11] evm: Allow xattr/attr operations for portable signatures if check fails · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-24
Re: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-21
Re: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-24
RE: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-09-02
Re: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-09-02

From: Roberto Sassu <roberto.sassu@huawei.com>
Date: 2020-08-31 09:44:28
Also in: linux-integrity, lkml

From: Mimi Zohar [mailto:zohar@linux.ibm.com]
Sent: Friday, August 21, 2020 8:45 PM
On Thu, 2020-06-18 at 18:01 +0200, Roberto Sassu wrote:

quoted

Public keys do not need to be appraised by IMA as the restriction on the
IMA/EVM keyrings ensures that a key is loaded only if it is signed with a
key in the primary or secondary keyring.

However, when evm_load_x509() is loaded, appraisal is already enabled

and

quoted

a valid IMA signature must be added to the EVM key to pass verification.

Since the restriction is applied on both IMA and EVM keyrings, it is safe
to disable appraisal also when the EVM key is loaded. This patch calls
evm_load_x509() inside ima_load_x509() if CONFIG_IMA_LOAD_X509 is

defined.

quoted

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/iint.c         | 2 ++
 security/integrity/ima/ima_init.c | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index e12c4900510f..4765a266ba96 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c

@@ -212,7 +212,9 @@ int integrity_kernel_read(struct file *file, loff_t

offset,

quoted

 void __init integrity_load_keys(void)
 {
 	ima_load_x509();
+#ifndef CONFIG_IMA_LOAD_X509
 	evm_load_x509();
+#endif
 }

 static int __init integrity_fs_init(void)

diff --git a/security/integrity/ima/ima_init.c

b/security/integrity/ima/ima_init.c

quoted

index 4902fe7bd570..9d29a1680da8 100644

--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c

@@ -106,6 +106,10 @@ void __init ima_load_x509(void)

 	ima_policy_flag &= ~unset_flags;
 	integrity_load_x509(INTEGRITY_KEYRING_IMA,

CONFIG_IMA_X509_PATH);

quoted

+
+	/* load also EVM key to avoid appraisal */
+	evm_load_x509();
+
 	ima_policy_flag |= unset_flags;
 }
 #endif

As much as possible IMA and EVM should remain independent of each
other.   Modifying integrity_load_x509() doesn't help.  This looks like
a good reason for calling another EVM function from within IMA.

Can I add your Reviewed-by?

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help