On Sun, 2011-05-29 at 08:58 +0200, Pavel Machek wrote: > On Fri 2011-05-27 13:45:51, David Safford wrote: > > On Thu, 2011-05-26 at 22:17 +0200, Pavel Machek wrote: > > > > > I suggest you explain the patchset in the emails, then? Everyone here > > > seems to be confused... Attack it protects against, and what kind of > > > hardware is needed for the protection to be effective? > > > > The white paper is over 15 pages, and it barely scratches the surface. > > Every customer has different security threat models and requirements. > > Discussing this in general on the mailing list is really hard. > > > > So let's try to simplify this just down to digital signatures in > > the cellphone environment, as you state: > > Good. > > > > Because AFAICT, file signatures, as proposed, are only useful for > > > locking down my cellphone against myself. (That's -- evil). > > > > The proposed digital signatures can enforce authenticity of a file's > > data (IMA-Appraisal with Digital Signature), and of a file's metadata > > (EVM with Digital Signature). For most users, enforcing authenticity > > of files is a good thing - a user knows that they are running authentic > > software signed by their phone manufacturer, and not malicious files > > that they, or someone else installed. In this threat model, EVM is > > Ok, so lets talk about smartphone, similar to my HTC Dream (developer > version, unlocked bootloader, flashable from kernel (*)). > > Yes, I could install the crazy EVM/IMA infastructure to prevent > applications modifying selected files. > > But... I could just do chattr +i on selected files, I do not need > fancy EVM/IMA for that. For files that you don't expect to change, such as ELF executables, you probably could use the immutable flag, but using a digital signature provides authenticity as well, which the immutable flag does not provide. > > Blocking signature verification would serve only to punish Linux > > users who care about the authenticity of their files, while doing > > _nothing_ to stop manufacturers from locking their bootloaders. > > chattr already protects authenticity of my files, as do standard unix > permissions. > > So... where's the difference? > Pavel Neither digital signatures nor the immutable flag work for files that change, such as config files. For these files, ima-appraisal would store a file hash. > (*) but it does not change anything. > > True; determined attacker could steal my cellphone, open it up, > desolder the flash, and change attributes of the filesystem. With EVM, assuming that i_flag is included in the EVM HMAC, which it currently isn't, you would be able to detect the change and prevent the file from being accessed. > > But... the same determined attacker can also replace > bootloader&kernel&filesystem -- that is in the same flash! -- with > unlocked versions. So the argumentation is the same for locked down > phone. > As EVM is not involved in the boot process, it can not and does not address this, but other technologies could. thanks, Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
