On Wed, Oct 18, 2017 at 9:18 PM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
> On Wed, Oct 18, 2017 at 11:16 AM, Dmitry Kasatkin
> <dmitry.kasatkin@xxxxxxxxx> wrote:
>> Hi,
>>
>> I have not read the thread in detail, so sorry if I repeat something.
>>
>> EVM supports signatures.
>> https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/tree/security/integrity/evm/evm_main.c?h=next#n166
>>
>> They can be mutable or immutable. If not marked immutable, a mutable
>> signature will be replaced on the first verification.
>>
>> And ima-evm-utils has support to generate EVM signatures:
>>
>> https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/src/evmctl.c#l1549
>>
>> Also there is the concept of EVM signatures not bound to inode-unique data like
>> ino and generation.
>
> That's fine - the problem is how to write these out. If EVM is enabled
> there's no way to write security.evm on a new file unless the iint
> entry has an IMA_NEW_FILE flag, and this will only be set if there's
> an IMA policy that covers that file.

Why?? It is possible to set a digital signature:

int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
		       const void *xattr_value, size_t xattr_value_len)
{
	const struct evm_ima_xattr_data *xattr_data = xattr_value;

	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
		if (!xattr_value_len)
			return -EINVAL;
		if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
			return -EPERM;
	}
	return evm_protect_xattr(dentry, xattr_name, xattr_value,
				 xattr_value_len);
}

--
Thanks,
Dmitry
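The gate quoted above only lets userspace write a security.evm value whose first byte says "digital signature"; an HMAC-type value is refused with -EPERM because only the kernel may compute HMACs, and an empty value is refused with -EINVAL. The following userspace C program is an added example, not code from the thread or from the kernel: it models that gate and then parses the rest of a signature blob so an operator can check a value (for instance one dumped with getfattr) before attempting to set it. The enum values and the 9-byte signature_v2_hdr layout (type, version, hash_algo, big-endian keyid, big-endian sig_size, then the signature bytes) are taken from the kernel's integrity.h as I remember it and should be treated as an assumption; the sample blobs are constructed and the signature bytes in them are not real signatures.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values from security/integrity/integrity.h (enum evm_ima_xattr_type). */
enum evm_ima_xattr_type {
	IMA_XATTR_DIGEST = 0x01,
	EVM_XATTR_HMAC,          /* 0x02: kernel-computed HMAC, never writable from userspace */
	EVM_IMA_XATTR_DIGSIG,    /* 0x03: asymmetric signature, the only type setxattr accepts */
	IMA_XATTR_DIGEST_NG
};

#define EVM_SIG_V2_HDR_LEN 9  /* type(1) version(1) hash_algo(1) keyid(4) sig_size(2) */

struct evm_sig_info {
	uint8_t version;
	uint8_t hash_algo;
	uint32_t keyid;
	uint16_t sig_size;
	const uint8_t *sig;
};

/* Same decision evm_inode_setxattr() makes for XATTR_NAME_EVM, as a pure function. */
int evm_setxattr_would_allow(const uint8_t *value, size_t len)
{
	if (len == 0)
		return -EINVAL;
	if (value[0] != EVM_IMA_XATTR_DIGSIG)
		return -EPERM;
	return 0;
}

/* Parse a security.evm signature blob; returns 0 or a negative errno. */
int evm_parse_digsig(const uint8_t *value, size_t len, struct evm_sig_info *out)
{
	int rc = evm_setxattr_would_allow(value, len);
	if (rc)
		return rc;
	if (len < EVM_SIG_V2_HDR_LEN)
		return -EINVAL;            /* header truncated */
	out->version = value[1];
	out->hash_algo = value[2];
	out->keyid = ((uint32_t)value[3] << 24) | ((uint32_t)value[4] << 16) |
		     ((uint32_t)value[5] << 8) | (uint32_t)value[6];
	out->sig_size = (uint16_t)(((uint16_t)value[7] << 8) | value[8]);
	if (out->version != 2)
		return -EINVAL;            /* only the v2 header format is modelled here */
	if ((size_t)out->sig_size != len - EVM_SIG_V2_HDR_LEN)
		return -EINVAL;            /* declared size disagrees with the blob length */
	out->sig = value + EVM_SIG_V2_HDR_LEN;
	return 0;
}

/* Convenience wrapper: key id of a well-formed signature blob, or 0 on any error. */
uint32_t evm_digsig_keyid(const uint8_t *value, size_t len)
{
	struct evm_sig_info info;
	return evm_parse_digsig(value, len, &info) == 0 ? info.keyid : 0;
}

/* Constructed samples (not real signatures or HMACs). */
const uint8_t sample_hmac[6] = { EVM_XATTR_HMAC, 0xaa, 0xbb, 0xcc, 0xdd, 0xee };
const uint8_t sample_digsig[13] = {
	EVM_IMA_XATTR_DIGSIG, 0x02, 0x04,        /* type, version 2, hash_algo id 4 (constructed) */
	0x12, 0x34, 0x56, 0x78,                  /* keyid 0x12345678 */
	0x00, 0x04,                              /* sig_size 4 */
	0xde, 0xad, 0xbe, 0xef                   /* fake signature bytes */
};
const uint8_t sample_truncated[11] = {
	EVM_IMA_XATTR_DIGSIG, 0x02, 0x04, 0x12, 0x34, 0x56, 0x78, 0x00, 0x04, 0xde, 0xad
};

int main(void)
{
	struct evm_sig_info info;
	printf("hmac blob: %d\n", evm_setxattr_would_allow(sample_hmac, sizeof sample_hmac));
	printf("empty blob: %d\n", evm_setxattr_would_allow(sample_digsig, 0));
	if (evm_parse_digsig(sample_digsig, sizeof sample_digsig, &info) == 0)
		printf("digsig: version %u keyid 0x%08x sig_size %u\n",
		       info.version, info.keyid, info.sig_size);
	printf("truncated blob: %d\n", evm_parse_digsig(sample_truncated, sizeof sample_truncated, &info));
	return 0;
}
```

The parse step is deliberately stricter than the kernel's setxattr hook, which only inspects the type byte; the kernel validates the rest at verification time, so a malformed blob that passes the hook will simply fail verification later.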