Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp263967ybi; Fri, 7 Jun 2019 07:42:59 -0700 (PDT) X-Google-Smtp-Source: APXvYqysmdJMyIpYAuGXsCv9NOZZdDJfUYloKqfvLk+7C9zVHx59Pi8YN8JkdycyJVdbOndf6hs+ X-Received: by 2002:a62:4c5:: with SMTP id 188mr58701627pfe.19.1559918579125; Fri, 07 Jun 2019 07:42:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559918579; cv=none; d=google.com; s=arc-20160816; b=LD5Zim96rIWsyB+tuUxhUWuUCkJBDEVeMfHZ2g27MlEhaSCLY1MbLQrAfTsMFync7G BcMZ60o6dZJJ1WSMpSG2eHr8P9KahKNTC7qVjETFJV1fdTlTqTzUVx1YqYS6xXZJFBtu S2kFM22/L/fqCgTMtLoQ75X69U84pVonz+QZelCvawl4GSsd1l/a6/ntepVGrDEpgPAA kR/j/z1LNOJyDd1NnBdA6ZdJaqGewUJOjqU0B3Kfslp2mtHKP9RGHVZ5O9KGm2/X6Llg rbY7KWb+LWUD/9zL7ds5JoYs5R050EwCrKSYpX2sq80XUm3TSj2BC8HsEqiAI/FXQU8g 3Iig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=TPLD5cMqzUuMOaXv/WdvnHXcpPkfcrITjhsNZSTihrg=; b=cnTs/XeO5bgTd+wMxxkKqrKP4EF8Mwh2uWDDBCfDhSYfYns4ZAnBNK5DDe1AQHTCaR Gw7hLaqH6u3JC+G6y7egoC+cPEINl1cMOFBHm8Qg+b38xsK1QqNxx9GuYWgDmn7rfahx 5l8082fQavGnSIYhxWKJPieqmgnw5oyH+YtwQxca8S4WZm6hHeEw3Wjwb1ZHgFiTD8bM Cl7v99nD6F2X/y4LVT07jHRWiyeMLd6/XWo1QJwn9T7ST65tQZEYhUdMRqoUabhwWtkK aX1VHFOfvBpi6vu8yAbI+SY2su3+8E4otfeuVrrr0uYYN+6C7qADDsKGr51l6Cbk1DSZ vxgA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k24si1815450pll.268.2019.06.07.07.42.42; Fri, 07 Jun 2019 07:42:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728955AbfFGOkj (ORCPT + 99 others); Fri, 7 Jun 2019 10:40:39 -0400 Received: from lhrrgout.huawei.com ([185.176.76.210]:33001 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728198AbfFGOkj (ORCPT ); Fri, 7 Jun 2019 10:40:39 -0400 Received: from LHREML712-CAH.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 5288EE6A9E88F4C4862A; Fri, 7 Jun 2019 15:40:37 +0100 (IST) Received: from [10.220.96.108] (10.220.96.108) by smtpsuk.huawei.com (10.201.108.35) with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 7 Jun 2019 15:40:29 +0100 Subject: Re: [PATCH v3 2/2] ima: add enforce-evm and log-evm modes to strictly check EVM status To: Mimi Zohar , , CC: , , , , , References: <20190606112620.26488-1-roberto.sassu@huawei.com> <20190606112620.26488-3-roberto.sassu@huawei.com> <1559917462.4278.253.camel@linux.ibm.com> From: Roberto Sassu Message-ID: <93459fe8-f9b6-fe45-1ca7-2efb8854dc8b@huawei.com> Date: Fri, 7 Jun 2019 16:40:37 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: <1559917462.4278.253.camel@linux.ibm.com> Content-Type: text/plain; charset="utf-8"; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.220.96.108] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 6/7/2019 4:24 PM, Mimi Zohar wrote: > Hi Roberto, > > Thank you for updating the patch description. Hi Mimi no problem. > On Thu, 2019-06-06 at 13:26 +0200, Roberto Sassu wrote: >> IMA and EVM have been designed as two independent subsystems: the first for >> checking the integrity of file data; the second for checking file metadata. >> Making them independent allows users to adopt them incrementally. >> >> The point of intersection is in IMA-Appraisal, which calls >> evm_verifyxattr() to ensure that security.ima wasn't modified during an >> offline attack. The design choice, to ensure incremental adoption, was to >> continue appraisal verification if evm_verifyxattr() returns >> INTEGRITY_UNKNOWN. This value is returned when EVM is not enabled in the >> kernel configuration, or if the HMAC key has not been loaded yet. >> >> Although this choice appears legitimate, it might not be suitable for >> hardened systems, where the administrator expects that access is denied if >> there is any error. An attacker could intentionally delete the EVM keys >> from the system and set the file digest in security.ima to the actual file >> digest so that the final appraisal status is INTEGRITY_PASS. > > Assuming that the EVM HMAC key is stored in the initramfs, not on some > other file system, and the initramfs is signed, INTEGRITY_UNKNOWN > would be limited to the rootfs filesystem. There is another issue. The HMAC key, like the public keys, should be loaded when appraisal is disabled. This means that we have to create a trusted key at early boot and defer the unsealing. Roberto -- HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Bo PENG, Jian LI, Yanli SHI