On Wed, Mar 13, 2019 at 2:29 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> On Wed, 2019-03-13 at 13:36 -0700, Matthew Garrett wrote:
> > Oh hm. The only case I can see where this isn't sufficient is if the
> > filesystem returns EOPNOTSUPP for the EVM xattr, but in that case we
> > should already have failed to get the IMA xattr and will fail
> > appraisal as a result?
>
> The evm_initialized flag is an indication that EVM has been
> initialized on the system. Both hmac and signatures could be
> supported. Even checking for EVM_INIT_X509 doesn't provide any
> guarantees that the particular file has an EVM signature.
>
> (The hmac can be updated (e.g. change in security xattrs,
> removal/addition of a protected xattr), so we can't rely on them.)

So having IMA appraisal of the hash and hmac-based EVM validation of the
xattr security isn't sufficient? Is this just because of the offline
attack case?

> > > > +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
> > >
> > > With these defines, the function isn't limited to just "lockdown".
> > > Either fix the defines or the patch description.
> >
> > The function will be called even when lockdown isn't enabled, but it
> > won't have any impact on the logic flow.
>
> Ok, so inverting the test order should prevent unnecessarily calling
> ima_apprase_kexec_signature().

Unfortunately kernel_is_locked_down(reason) will print a message telling us
that something was blocked, even if ima_appraise_signature() then permits
it, so we need to do it in this order to shortcut that.