RE: [PATCH v7 00/12] evm: Improve usability of portable signatures

[PATCH v7 00/12] evm: Improve usability of portable signatures · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
[PATCH v7 02/12] evm: Load EVM key in ima_load_x509() to avoid appraisal · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
[PATCH v7 01/12] evm: Execute evm_inode_init_security() only when an HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
[PATCH v7 03/12] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
[PATCH v7 04/12] evm: Introduce evm_revalidate_status() · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
[PATCH v7 05/12] evm: Introduce evm_hmac_disabled() to safely ignore verification errors · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
[RESEND][PATCH 05/12] evm: Introduce evm_hmac_disabled() to safely ignore verification errors · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-20
RE: [RESEND][PATCH 05/12] evm: Introduce evm_hmac_disabled() to safely ignore verification errors · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-20
[PATCH v7 06/12] evm: Allow xattr/attr operations for portable signatures · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
[PATCH v7 07/12] evm: Pass user namespace to set/remove xattr hooks · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
[PATCH v7 08/12] evm: Allow setxattr() and setattr() for unmodified metadata · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
[PATCH v7 09/12] evm: Deprecate EVM_ALLOW_METADATA_WRITES · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
[PATCH v7 10/12] ima: Allow imasig requirement to be satisfied by EVM portable signatures · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
[PATCH v7 11/12] ima: Introduce template field evmsig and write to field sig as fallback · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
[PATCH v7 12/12] ima: Don't remove security.ima if file must not be appraised · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-14
Re: [PATCH v7 00/12] evm: Improve usability of portable signatures · Mimi Zohar <zohar@linux.ibm.com> · 2021-05-20
RE: [PATCH v7 00/12] evm: Improve usability of portable signatures · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-21
Re: [PATCH v7 00/12] evm: Improve usability of portable signatures · Mimi Zohar <zohar@linux.ibm.com> · 2021-05-21

From: Roberto Sassu <roberto.sassu@huawei.com>
Date: 2021-05-21 07:09:24
Also in: linux-integrity, linux-security-module

From: Mimi Zohar [mailto:zohar@linux.ibm.com]
Sent: Thursday, May 20, 2021 8:56 PM
On Fri, 2021-05-14 at 17:27 +0200, Roberto Sassu wrote:

quoted

EVM portable signatures are particularly suitable for the protection of
metadata of immutable files where metadata is signed by a software vendor.
They can be used for example in conjunction with an IMA policy that
appraises only executed and memory mapped files.

However, until now portable signatures can be properly installed only if
the EVM_ALLOW_METADATA_WRITES initialization flag is also set, which
disables metadata verification until an HMAC key is loaded. This will cause
metadata writes to be allowed even in the situations where they shouldn't
(metadata protected by a portable signature is immutable).

The main reason why setting the flag is necessary is that the operations
necessary to install portable signatures and protected metadata would be
otherwise denied, despite being legitimate, due to the fact that the
decision logic has to avoid an unsafe recalculation of the HMAC that would
make the unsuccessfully verified metadata valid. However, the decision
logic is too coarse, and does not fully take into account all the possible
situations where metadata operations could be allowed.

For example, if the HMAC key is not loaded and it cannot be loaded in the
future due the EVM_SETUP_COMPLETE flag being set, it wouldn't be a

problem

quoted

to allow metadata operations, as they wouldn't result in an HMAC being
recalculated.

This patch set extends the decision logic and adds the necessary exceptions
to use portable signatures without turning off metadata verification and
deprecates the EVM_ALLOW_METADATA_WRITES flag.

Thanks, Roberto.

Applied to: git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-
integrity.git
next-integrity-testing

Hi Mimi

could you please take the newer version of patch 5/12, which also adds
an exception for the INTEGRITY_UNKNOWN error (it occurs when xattrs
are not supported)?

https://lore.kernel.org/linux-integrity/6d7e059876b64f249b9a01d8b7696e29@huawei.com/T/#m58442ec12e47d9d457bef9b438809a6a132b7512 (local)

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help