[PATCH v3 00/11] evm: Improve usability of portable signatures

Mimi Zohar zohar at linux.ibm.com
Tue Dec 1 20:52:45 UTC 2020

Hi Roberto,

On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> EVM portable signatures are particularly suitable for the protection of
> metadata of immutable files where metadata is signed by a software vendor.
> They can be used for example in conjunction with an IMA policy that
> appraises only executed and memory mapped files.

The existing "appraise_tcb" builtin policy verifies all root-owned files.
Defining a new builtin policy to verify only executed and memory
mapped files would make a nice addition and would probably simplify

> However, some usability issues are still unsolved, especially when EVM is
> used without loading an HMAC key. This patch set attempts to fix the open
> issues.

We need regression tests for each of these changes.

To prevent affecting the running system, the appraise policy rules
could be limited to a loopback mounted filesystem. 

> Patch 1 allows EVM to be used without loading an HMAC key. Patch 2 avoids
> appraisal verification of public keys (they are already verified by the key
> subsystem).

Loading the EVM key(s) occurs early, either the builtin x509 EVM key or
during the initramfs, which makes testing difficult.  Based on
security/evm/evm, different tests could be defined for when only x509
keys, only the HMAC key, or both EVM key types are loaded.

> Patches 3-5 allow metadata verification to be turned off when no HMAC key
> is loaded and to use this mode in a safe way (by ensuring that IMA
> revalidates metadata when there is a change).
> Patches 6-8 make portable signatures more usable if metadata verification
> is not turned off, by ignoring the INTEGRITY_NOLABEL error when no HMAC key
> is loaded, by accepting any metadata modification until signature
> verification succeeds (useful when xattrs/attrs are copied sequentially
> from a source) and by allowing operations that don't change metadata.
> Patch 9 makes it possible to use portable signatures when the IMA policy
> requires file signatures and patch 10 shows portable signatures in the
> measurement list when the ima-sig template is selected.

ima-evm-utils needs to be updated to support EVM portable & immutable

> Lastly, patch 11 avoids undesired removal of security.ima when a file is
> not selected by the IMA policy.
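As an added illustration of the two testing suggestions above (it is not code from the patch set, from ima-evm-utils, or from either author): the script decodes the value exported at /sys/kernel/security/evm to decide which EVM key types are loaded, and emits an IMA appraise policy whose rules are restricted with fsuuid= to a single loopback-mounted filesystem, so the running system is not affected. The bit values for EVM_INIT_HMAC and EVM_INIT_X509 are the ones in the kernel's evm.h; the securityfs read prints the decimal value with EVM_SETUP_COMPLETE already masked off. The loopback setup helper (make_loop_fs) needs root and is defined but not run by default; the mount point /mnt/evmtest, the image name and the sample UUID are assumed values chosen for the example.

```shell
#!/bin/sh
# Added example for the review thread above; not the patch set's own code.
# Bit values follow security/integrity/evm/evm.h.
EVM_INIT_HMAC=1
EVM_INIT_X509=2
EVM_ALLOW_METADATA_WRITES=4

# evm_mode VALUE: VALUE is what `cat /sys/kernel/security/evm` prints.
# Prints one of: none, hmac, x509, both. This is the selector a test harness
# would use to pick the x509-only, HMAC-only or both-keys test set.
evm_mode() {
    v=$1
    hmac=$(( v & EVM_INIT_HMAC ))
    x509=$(( v & EVM_INIT_X509 ))
    if [ "$hmac" -ne 0 ] && [ "$x509" -ne 0 ]; then echo both
    elif [ "$hmac" -ne 0 ]; then echo hmac
    elif [ "$x509" -ne 0 ]; then echo x509
    else echo none
    fi
}

# evm_metadata_writes_allowed VALUE: prints yes/no for EVM_ALLOW_METADATA_WRITES.
evm_metadata_writes_allowed() {
    if [ $(( $1 & EVM_ALLOW_METADATA_WRITES )) -ne 0 ]; then echo yes; else echo no; fi
}

# ima_loop_rules FSUUID: an IMA policy that appraises only executed and
# mmapped files, and only on the filesystem with this UUID. Files on every
# other filesystem match no appraise rule and are left alone, which keeps
# the regression test from breaking the host. appraise_type=imasig means a
# signature in security.ima is required; the EVM portable signature covering
# the metadata is checked by EVM as part of the same appraisal.
ima_loop_rules() {
    uuid=$1
    cat <<EOF
appraise func=BPRM_CHECK fsuuid=$uuid appraise_type=imasig
appraise func=MMAP_CHECK fsuuid=$uuid appraise_type=imasig
EOF
}

# make_loop_fs: create, format and loopback-mount a scratch ext4 image and
# print its UUID. Requires root; not invoked by default. Paths are assumed.
make_loop_fs() {
    img=${1:-/tmp/evmtest.img}
    mnt=${2:-/mnt/evmtest}
    dd if=/dev/zero of="$img" bs=1M count=64 status=none
    mkfs.ext4 -q "$img"
    mkdir -p "$mnt"
    mount -o loop "$img" "$mnt"
    blkid -s UUID -o value "$img"
}

# Demo: only consult securityfs when it is actually there and readable.
if [ -r /sys/kernel/security/evm ]; then
    cur=$(cat /sys/kernel/security/evm)
    echo "EVM keys loaded: $(evm_mode "$cur")"
    echo "metadata writes allowed: $(evm_metadata_writes_allowed "$cur")"
fi
# Constructed sample UUID; with root you would use: uuid=$(make_loop_fs)
ima_loop_rules 11111111-2222-3333-4444-555555555555
```

The generated rules would be written to /sys/kernel/security/ima/policy after the loopback filesystem is mounted; since policy rules are only appended, the test should be run on a kernel whose existing policy does not already appraise that mount.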
