On Mon, 2017-11-20 at 07:47 +1100, James Morris wrote:
> On Fri, 17 Nov 2017, Roberto Sassu wrote:
>
> > LSMs are responsible to enforce a security policy at run-time,
> > while IMA/EVM protect data and metadata against offline attacks.
>
> In my view, IMA can also protect against making an online attack
> persistent across boots, and that would be the most compelling use of
> it for many general purpose applications.

I do not quite buy that interpretation. If the online attack succeeds in
bypassing the run-time checks, for example with a full root exploit, then
he has pretty much the same capabilities to make persistent file changes
as during an offline attack.

When allowing local hashing, it's actually worse: during an offline
attack, the attacker might not have access to the TPM and thus cannot
easily update the EVM HMAC. During an online attack, the kernel will
happily update that and the IMA hash for the attacker, resulting in a
file that passes appraisal after a reboot.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am
an employee of Intel, the statements I make here in no way represent
Intel's position on the issue, nor am I authorized to speak on behalf of
Intel on this matter.
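The offline-versus-online distinction above can be made concrete with a small model of hash-based IMA/EVM appraisal. This is an added illustration, not code from the thread or from the kernel: the file, its `security.ima`/`security.evm` values, the EVM key (standing in for the TPM-sealed HMAC key) and the two modify paths are all constructed here, and the appraisal logic is a deliberate simplification of what the kernel does.

```python
import hashlib
import hmac
import os

# Constructed model (assumption): the EVM HMAC key only ever exists inside the
# kernel, sealed to the TPM. An offline attacker editing the disk image has no
# way to use it; code running inside the booted kernel uses it implicitly.
EVM_KEY = os.urandom(32)


def ima_hash(content: bytes) -> bytes:
    """security.ima in hash mode: an unkeyed digest of the file content."""
    return hashlib.sha256(content).digest()


def evm_hmac(ima: bytes, metadata: dict) -> bytes:
    """security.evm: keyed HMAC over the IMA value plus inode metadata."""
    meta = f"{metadata['uid']}:{metadata['mode']}:{metadata['ino']}".encode()
    return hmac.new(EVM_KEY, ima + meta, hashlib.sha256).digest()


class ModelFile:
    def __init__(self, content: bytes, metadata: dict):
        self.content, self.metadata = content, metadata
        self.xattr_ima = ima_hash(content)
        self.xattr_evm = evm_hmac(self.xattr_ima, metadata)


def appraise(f: ModelFile) -> bool:
    """Boot-time appraisal: EVM HMAC must verify, then IMA hash must match."""
    if not hmac.compare_digest(f.xattr_evm, evm_hmac(f.xattr_ima, f.metadata)):
        return False
    return hmac.compare_digest(f.xattr_ima, ima_hash(f.content))


def offline_modify(f: ModelFile, new_content: bytes) -> None:
    """Edit made outside the running system: content and the unkeyed IMA hash
    can be rewritten, but the keyed EVM HMAC cannot be recomputed (no TPM)."""
    f.content = new_content
    f.xattr_ima = ima_hash(new_content)


def online_modify(f: ModelFile, new_content: bytes, local_hashing: bool) -> None:
    """Write through the running kernel. With local hashing allowed, the kernel
    refreshes both xattrs after the write, whoever performed it."""
    f.content = new_content
    if local_hashing:
        f.xattr_ima = ima_hash(new_content)
        f.xattr_evm = evm_hmac(f.xattr_ima, f.metadata)


def scenarios() -> dict:
    """Does a modified file still pass appraisal after 'reboot' in each case?"""
    meta = {"uid": 0, "mode": 0o755, "ino": 42}
    results = {}
    f = ModelFile(b"#!/bin/sh\necho ok\n", meta)
    offline_modify(f, b"#!/bin/sh\necho modified\n")
    results["offline"] = appraise(f)
    for local_hashing in (True, False):
        f = ModelFile(b"#!/bin/sh\necho ok\n", meta)
        online_modify(f, b"#!/bin/sh\necho modified\n", local_hashing)
        results[f"online_local_hashing={local_hashing}"] = appraise(f)
    return results
```

Only the online path with local hashing enabled yields a modified file that still appraises cleanly, which is the asymmetry the reply points out; the same model with a detached signature in `security.ima` would refuse to refresh that value and is the usual hardening for this case.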