RE: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded

[PATCH v3 00/11] evm: Improve usability of portable signatures · Roberto Sassu <roberto.sassu@huawei.com> · 2020-11-11
[PATCH v3 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-11-11
Re: [PATCH v3 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-02
[PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks · Roberto Sassu <roberto.sassu@huawei.com> · 2020-11-11
RE: [PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks · Roberto Sassu <roberto.sassu@huawei.com> · 2020-12-02
Re: [PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-03
[PATCH v3 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-11-11
Re: [PATCH v3 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-02
[PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal · Roberto Sassu <roberto.sassu@huawei.com> · 2020-11-11
Re: [PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-02
Re: [PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal · Mimi Zohar <zohar@linux.ibm.com> · 2021-03-01
[PATCH v3 05/11] evm: Introduce evm_status_revalidate() · Roberto Sassu <roberto.sassu@huawei.com> · 2020-11-11
[PATCH v3 07/11] evm: Allow xattr/attr operations for portable signatures · Roberto Sassu <roberto.sassu@huawei.com> · 2020-11-11
[PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-11-11
Re: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-03
RE: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-12-04
Re: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-04
RE: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2020-12-04
[PATCH v3 09/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures · Roberto Sassu <roberto.sassu@huawei.com> · 2020-11-11
[PATCH v3 08/11] evm: Allow setxattr() and setattr() for unmodified metadata · Roberto Sassu <roberto.sassu@huawei.com> · 2020-11-11
Re: [PATCH v3 08/11] evm: Allow setxattr() and setattr() for unmodified metadata · kernel test robot <hidden> · 2020-11-18
[PATCH v3 10/11] ima: Introduce template field evmsig and write to field sig as fallback · Roberto Sassu <roberto.sassu@huawei.com> · 2020-11-11
[PATCH v3 11/11] ima: Don't remove security.ima if file must not be appraised · Roberto Sassu <roberto.sassu@huawei.com> · 2020-11-11
Re: [PATCH v3 00/11] evm: Improve usability of portable signatures · Mimi Zohar <zohar@linux.ibm.com> · 2020-12-01

From: Roberto Sassu <roberto.sassu@huawei.com>
Date: 2020-12-04 15:00:47
Also in: linux-fsdevel, linux-integrity, linux-security-module

From: Mimi Zohar [mailto:zohar@linux.ibm.com]
Sent: Friday, December 4, 2020 2:05 PM
On Fri, 2020-12-04 at 08:05 +0000, Roberto Sassu wrote:

quoted

From: Mimi Zohar [mailto:zohar@linux.ibm.com]
Sent: Thursday, December 3, 2020 9:43 PM
Hi Roberto,

On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:

quoted

When a file is being created, LSMs can set the initial label with the
inode_init_security hook. If no HMAC key is loaded, the new file will

have

quoted

LSM xattrs but not the HMAC.

Unfortunately, EVM will deny any further metadata operation on new

files,

quoted

as evm_protect_xattr() will always return the INTEGRITY_NOLABEL

error.

quoted

This

quoted

would limit the usability of EVM when only a public key is loaded, as
commands such as cp or tar with the option to preserve xattrs won't

work.

quoted

Ignoring this error won't be an issue if no HMAC key is loaded, as the
inode is locked until the post hook, and EVM won't calculate the HMAC

on

quoted

metadata that wasn't previously verified. Thus this patch checks if an
HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL.

I'm not sure what problem this patch is trying to solve.
evm_protect_xattr() is only called by evm_inode_setxattr() and
evm_inode_removexattr(), which first checks whether
EVM_ALLOW_METADATA_WRITES is enabled.

The idea is to also support EVM verification when only a public key
is loaded. An advantage to do that is that for example we can prevent
accidental metadata changes when the signature is portable.

Right, there are a couple of  scenarios.  Let's be more specific as to
which scenario this patch is addressing.

- a public key is loaded and EVM_ALLOW_METADATA_WRITES is enabled,
- a public key is loaded and EVM_ALLOW_METADATA_WRITES is disabled,
- an HMAC key is loaded

For the first and last case, this patch shouldn't be necessary.  Only
the second case, with EVM_ALLOW_METADATA_WRITES disabled, probably
does
not work.  I would claim that is working as designed.

If there is no HMAC key loaded and a file is created, I think EVM should
not expect an HMAC and return an error. If we do metadata verification
only when an HMAC key is loaded, we miss a functionality that could be
useful also when only a public key is loaded.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help