Re: RFC: Make it practical to ship EVM signatures

On Thu, 2017-10-19 at 13:14 +0300, Dmitry Kasatkin wrote:
> On Thu, Oct 19, 2017 at 12:07 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > Hi Dmitry,
> >
> > On Wed, 2017-10-18 at 23:37 +0300, Dmitry Kasatkin wrote:
> >> Maybe Mikhail could share GIT url to look somewhere.
> >> To see latest bits.
> >
> > Please bottom post in the future.
> >
> > Summary:
> > Mikhail's patches were posted earlier this year.  His patches defined
> > a portable EVM signature, which was never written out to disk, but
> > after being verified, was written out as an HMAC.  This was based on
> > my understanding that the i_ino/uuid is required to prevent a cut &
> > paste attack.
> 
> I checked Mikhail's patches. In his patches, immutable is normal evm
> signature but not replaceable with hmac.

In Mikhail's version the EVM signature does not contain the i_ino/uuid
and is never written to disk.  On installation, an HMAC is written
out.

> 2) portable EVM digsig version, aimed to protect archived file's
> metadata from manipulations.

Right

> What is the case of manipulation? hmac protects that..

Better would be to write out the portable signature on disk, assuming
it is safe to do so, and not replace it with an HMAC.

> > In the recent discussions, Matthew wanted to know why the i_ino/uuid
> > is required.  After going around and around discussing it, it turns
> > out including security.ima is equivalent to including the i_ino/uuid.
> >  The i_ino/uuid is only necessary to prevent a cut and paste attack,
> > when security.ima is not included in the security.evm hmac/signature.
> >
> 
> If I recall, we had such discussion in the chat about i_ino/uuid.
> 
> if I recall right, not including them was a compromise for "portability"?
> Archive could be unpacked with xattrs and signatures are still valid.
> tar --xattrs
> cp --preserve=xattr
> 
> But how security.ima will protect against cut and paste attack?
> Attacker can take any other file together with metadata and it will be
> valid one.

Only if the file hash included in the EVM signature matches, right?

Mimi

> > We're at the point of making the portable EVM signature immutable. By
> > immutable, we mean that it isn't re-written as an HMAC.  It is based
> > on your ima-evm-utils support.
> >
> > Mikhail, Matthew, did I leave anything out?
> >
> > Mimi
> >
> 
> 
> 
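
A simplified model of the binding discussed in this thread, added here as an example and not taken from the kernel or from anyone's patches: it compares an EVM tag that covers neither value, one that covers the i_ino/uuid, and one that covers security.ima, against metadata pasted onto another file and against a whole-file copy with xattrs. An HMAC stands in for the EVM signature, and the key, labels, inode strings, file contents and function names are all constructed.

```python
import hashlib, hmac
KEY = b"constructed-demo-key"   # stands in for the EVM signing key (assumption)

def ima_hash(content):
    return hashlib.sha256(content).digest()          # modelled security.ima

def evm_tag(xattrs, include_ima, ino_uuid=b""):
    """Tag over the protected xattrs, optionally security.ima and i_ino/uuid."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for name in sorted(xattrs):
        if name == "security.evm" or (name == "security.ima" and not include_ima):
            continue
        mac.update(name.encode() + b"\0" + xattrs[name])
    mac.update(ino_uuid)
    return mac.digest()

def label(content, selinux, include_ima, ino_uuid=b""):
    xattrs = {"security.selinux": selinux, "security.ima": ima_hash(content)}
    xattrs["security.evm"] = evm_tag(xattrs, include_ima, ino_uuid)
    return xattrs

def appraise(content, xattrs, include_ima, ino_uuid=b""):
    ima_ok = hmac.compare_digest(xattrs["security.ima"], ima_hash(content))
    evm_ok = hmac.compare_digest(xattrs["security.evm"],
                                 evm_tag(xattrs, include_ima, ino_uuid))
    return ima_ok and evm_ok

def paste_metadata(src, dst):
    """Cut and paste: src's metadata on dst, which keeps its own security.ima."""
    return {**src, "security.ima": dst["security.ima"]}

def run_cases():
    a_data, b_data, results = b"constructed file A", b"constructed file B", {}
    for mode, include_ima, ino_a, ino_b in [
        ("neither",      False, b"",      b""),
        ("i_ino/uuid",   False, b"ino:1", b"ino:2"),
        ("security.ima", True,  b"",      b""),
    ]:
        a = label(a_data, b"label_a", include_ima, ino_a)
        b = label(b_data, b"label_b", include_ima, ino_b)
        results[mode] = {
            # A's metadata pasted onto B's content
            "paste_accepted": appraise(b_data, paste_metadata(a, b), include_ima, ino_b),
            # A copied whole (content + xattrs) to B's inode, e.g. tar --xattrs
            "copy_valid": appraise(a_data, a, include_ima, ino_b),
        }
    return results

if __name__ == "__main__":
    for mode, outcome in run_cases().items():
        print(mode, outcome)
```

In this model only the security.ima variant both rejects the pasted metadata and stays valid after the file is copied with its xattrs.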



