Re: [RFC] kexec: Allow kexec_file() with appropriate IMA policy when locked down

On Wed, 2019-03-13 at 14:59 -0700, Matthew Garrett wrote:
> On Wed, Mar 13, 2019 at 2:29 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> >
> > On Wed, 2019-03-13 at 13:36 -0700, Matthew Garrett wrote:
> > > Oh hm. The only case I can see where this isn't sufficient is if the
> > > filesystem returns EOPNOTSUPP for the EVM xattr, but in that case we
> > > should already have failed to get the IMA xattr and will fail
> > > appraisal as a result?
> >
> > The evm_initialized flag is an indication that EVM has been
> > initialized on the system.  Both hmac and signatures could be
> > supported.  Even checking for EVM_INIT_X509 doesn't provide any
> > guarantees that the particular file has an EVM signature.
> >
> > (The hmac can be updated (e.g. change in security xattrs,
> > removal/addition of protected xattr), so we can't rely on them.)
> 
> So having IMA appraisal of the hash and hmac-based EVM validation of
> the xattr security isn't sufficient? Is this just because of the
> offline attack case?

The IMA hash and EVM hmac combination is fine for offline protection.
It's used for mutable files.  For immutable files, there must be
either an IMA or EVM signature.

Mimi
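
Added example, not part of the original message and not kernel code: a type-byte check that tells whether a file's security.ima / security.evm values carry a signature (what the reply requires for immutable files) or only the hash + hmac pair (the mutable-file case). The type values follow enum evm_ima_xattr_type in security/integrity/integrity.h; the function name classify, the protection enum and the sample bytes are constructed for illustration, and nothing is cryptographically verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Type byte that starts security.ima / security.evm values
 * (enum evm_ima_xattr_type, security/integrity/integrity.h). */
enum {
    IMA_XATTR_DIGEST          = 0x01, /* plain file hash */
    EVM_XATTR_HMAC            = 0x02, /* HMAC over the protected xattrs */
    EVM_IMA_XATTR_DIGSIG      = 0x03, /* asymmetric signature */
    IMA_XATTR_DIGEST_NG       = 0x04, /* hash with algorithm id */
    EVM_XATTR_PORTABLE_DIGSIG = 0x05, /* portable EVM signature */
};

enum protection { PROT_NONE, PROT_HASH_HMAC, PROT_SIGNED };

/* Classify by type byte only; no hash, HMAC or signature is verified here. */
enum protection classify(const uint8_t *ima, size_t ima_len,
                         const uint8_t *evm, size_t evm_len)
{
    int ima_sig  = ima_len > 1 && ima[0] == EVM_IMA_XATTR_DIGSIG;
    int ima_hash = ima_len > 1 && (ima[0] == IMA_XATTR_DIGEST ||
                                   ima[0] == IMA_XATTR_DIGEST_NG);
    int evm_sig  = evm_len > 1 && (evm[0] == EVM_IMA_XATTR_DIGSIG ||
                                   evm[0] == EVM_XATTR_PORTABLE_DIGSIG);
    int evm_hmac = evm_len > 1 && evm[0] == EVM_XATTR_HMAC;

    if (ima_sig || evm_sig)
        return PROT_SIGNED;      /* acceptable for an immutable file */
    if (ima_hash && evm_hmac)
        return PROT_HASH_HMAC;   /* mutable-file protection only */
    return PROT_NONE;
}

int main(void)
{
    /* Constructed, truncated sample values: type byte plus filler. */
    const uint8_t ima_hash[] = { IMA_XATTR_DIGEST_NG, 0x04, 0xaa, 0xbb };
    const uint8_t evm_hmac[] = { EVM_XATTR_HMAC, 0x11, 0x22 };
    const uint8_t ima_sig[]  = { EVM_IMA_XATTR_DIGSIG, 0x02, 0x04, 0xcc };

    printf("hash+hmac: %d\n", classify(ima_hash, sizeof ima_hash,
                                       evm_hmac, sizeof evm_hmac));
    printf("ima sig:   %d\n", classify(ima_sig, sizeof ima_sig, NULL, 0));
    printf("hash only: %d\n", classify(ima_hash, sizeof ima_hash, NULL, 0));
    return 0;
}
```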



