Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755533Ab1FAWLP (ORCPT ); Wed, 1 Jun 2011 18:11:15 -0400 Received: from mail-vx0-f174.google.com ([209.85.220.174]:48226 "EHLO mail-vx0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751912Ab1FAWLM convert rfc822-to-8bit (ORCPT ); Wed, 1 Jun 2011 18:11:12 -0400 DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=hELjl39OldANBgPZNYSQgvwv9B5ZafgT6JXtFQUkms4uiH61T7tAaSG5Kq9CwDmraC pRI86ZttullNssp986dIkZnjsiVHkH9N4mrzEFsJYaiuX3VrYQCQJcyIL3jLT4XCmQg/ 6Y3aBfx4/OZCQjxUnQM4Mz9gUpLp/ELc/vcFc= MIME-Version: 1.0 In-Reply-To: <20110529065818.GA2122@elf.ucw.cz> References: <1305557115-15652-1-git-send-email-zohar@linux.vnet.ibm.com> <20110518172552.6d482c7a.akpm@linux-foundation.org> <20110526060842.GA13933@localhost.ucw.cz> <4DDE80FE.7010005@schaufler-ca.com> <1306433514.24986.26.camel@localhost.localdomain> <20110526183849.GA4563@ucw.cz> <1306439347.3092.89.camel@localhost.localdomain> <20110526201725.GC15959@elf.ucw.cz> <1306518351.24986.102.camel@localhost.localdomain> <20110529065818.GA2122@elf.ucw.cz> Date: Thu, 2 Jun 2011 01:11:11 +0300 Message-ID: Subject: Re: [PATCH v5 00/21] EVM From: Dmitry Kasatkin To: Pavel Machek Cc: David Safford , Mimi Zohar , Casey Schaufler , Andrew Morton , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, James Morris , Greg KH , Dmitry Kasatkin Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1631 Lines: 44 reposted in plain text.. On Sun, May 29, 2011 at 9:58 AM, Pavel Machek wrote: > > chattr already protects authenticity of my files, as do standard unix > permissions. > > So... where's the difference? > chattr only protects against runtime attacks. That is Access Control feature - not integrity. > ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?Pavel > (*) but it does not change anything. > > True; determined attacker could steal my cellphone, open it up, > desolder the flash, and change attributes of the filesystem. > > But... the same determined attacker can also replace > bootloader&kernel&filesystem -- that is in the same flash! -- with > unlocked versions. So the argumentation is the same for locked down > phone. > That is completely incorrect in respect to locked/protected devices. Chain of trust starts from ROM. Bootloader is authenticated by the ROM and that will not allow to boot the device. Next bootloader will authenticate the kernel and display the message on the screen if it has been tampered. And the next, authentic kernel will enforce filesystem integrity protection using EVM. The important use case is not to lock down phone against yourself, but to protect normal users against possibility to sell/give them devices with not authentic software which could do different nasty things, like stealing the data or spying. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/