Hi Roberto,

On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> EVM portable signatures are particularly suitable for the protection of
> metadata of immutable files where metadata is signed by a software vendor.
> They can be used for example in conjunction with an IMA policy that
> appraises only executed and memory mapped files.

The existing "appraise_tcb" builtin policy verifies all root owned files.
Defining a new builtin policy to verify only executed and memory mapped
files would make a nice addition and would probably simplify testing.

>
> However, some usability issues are still unsolved, especially when EVM is
> used without loading an HMAC key. This patch set attempts to fix the open
> issues.

We need regression tests for each of these changes. To prevent affecting
the running system, the appraise policy rules could be limited to a
loopback mounted filesystem.

>
> Patch 1 allows EVM to be used without loading an HMAC key. Patch 2 avoids
> appraisal verification of public keys (they are already verified by the key
> subsystem).

Loading the EVM key(s) occurs early, either the builtin x509 EVM key or
during the initramfs, which makes testing difficult. Based on
security/evm/evm, different tests could be defined for when only x509
keys, only the HMAC key, or both EVM key types are loaded.

>
> Patches 3-5 allow metadata verification to be turned off when no HMAC key
> is loaded and to use this mode in a safe way (by ensuring that IMA
> revalidates metadata when there is a change).
>
> Patches 6-8 make portable signatures more usable if metadata verification
> is not turned off, by ignoring the INTEGRITY_NOLABEL error when no HMAC key
> is loaded, by accepting any metadata modification until signature
> verification succeeds (useful when xattrs/attrs are copied sequentially
> from a source) and by allowing operations that don't change metadata.
>
> Patch 9 makes it possible to use portable signatures when the IMA policy
> requires file signatures and patch 10 shows portable signatures in the
> measurement list when the ima-sig template is selected.

ima-evm-utils needs to be updated to support EVM portable & immutable
signatures.

>
> Lastly, patch 11 avoids undesired removal of security.ima when a file is
> not selected by the IMA policy.

thanks,

Mimi
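The reply above suggests two things for testing: an appraise policy that covers only executed and memory mapped files, and scoping the rules to a loopback mounted filesystem so the running system is not affected. The script below is an added example of such a scaffold; it is not code from the patch series, from this thread, or from ima-evm-utils. The rule syntax (`appraise`, `func=BPRM_CHECK`, `func=MMAP_CHECK`, `fsuuid=`, `appraise_type=imasig`) is the documented IMA policy language; the function names, image path, mount point and the `run` argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the patch series or the thread): scaffold for a
# regression test whose appraise rules are limited to one loopback-mounted
# filesystem via fsuuid, so files elsewhere on the system are never appraised
# by these rules. Function names, paths and the "run" argument are assumptions.

IMA_POLICY=/sys/kernel/security/ima/policy   # securityfs policy interface

# Check that a string has the 8-4-4-4-12 hex layout of a filesystem UUID.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Emit appraise rules for a single filesystem: only executed (BPRM_CHECK) and
# memory-mapped (MMAP_CHECK) files on it are appraised, and each must carry a
# file signature. Each rule is printed as its own line/write, which is what
# the policy interface expects.
appraise_rules_for_fs() {
    uuid=$1
    if ! is_uuid "$uuid"; then
        echo "not a filesystem UUID: $uuid" >&2
        return 1
    fi
    printf 'appraise func=BPRM_CHECK fsuuid=%s appraise_type=imasig\n' "$uuid"
    printf 'appraise func=MMAP_CHECK fsuuid=%s appraise_type=imasig\n' "$uuid"
}

# Read the filesystem UUID of a raw image file with blkid.
image_fs_uuid() {
    blkid -s UUID -o value "$1"
}

# Create, format and loop-mount a small image, then append the scoped rules to
# the running IMA policy. Requires root and is only run on explicit request.
setup_loop_fs_and_policy() {
    img=${1:-/tmp/ima-portable-test.img}   # assumed image path
    mnt=${2:-/mnt/ima-portable-test}       # assumed mount point
    dd if=/dev/zero of="$img" bs=1M count=64 status=none
    mkfs.ext4 -q "$img"
    mkdir -p "$mnt"
    mount -o loop "$img" "$mnt"
    uuid=$(image_fs_uuid "$img") || return 1
    appraise_rules_for_fs "$uuid" > "$IMA_POLICY"
    echo "$mnt"
}

# Usage: sh ima-loop-test.sh run [image] [mountpoint]
if [ "${1:-}" = "run" ]; then
    setup_loop_fs_and_policy "$2" "$3"
fi
```

Appending rules to an already loaded policy needs CONFIG_IMA_WRITE_POLICY, and rules cannot be removed again without a reboot, which is exactly why scoping them with `fsuuid=` matters: files signed and copied into the loop filesystem (including their portable `security.evm` signatures) are the only ones the new rules ever touch. The per-key-type variants Mimi describes (only x509 keys, only the HMAC key, both) can reuse the same scaffold with different key loading steps before the policy is appended.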