On Thu, Mar 14, 2019 at 3:31 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> On Thu, 2019-03-14 at 14:08 -0700, Matthew Garrett wrote:
> > On Wed, Mar 13, 2019 at 6:08 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > > The IMA hash and EVM hmac combination is fine for offline protection.
> > > It's used for mutable files. For immutable files, there must be
> > > either an IMA or EVM signature.
> >
> > Ok. Is the correct way to handle this to check that the file has a
> > signature, or to extend IMA policy to allow it to provide a
> > requirement that EVM verify a signature rather than an HMAC and have
> > the arch policy set that?
>
> I'm not sure what you mean by "check that the file has a signature".

Call getxattr(XATTR_SECURITY_EVM) and parse the type to determine whether it's an hmac or a signature.

> EVM and IMA are separate subsystems with a defined interface for
> interaction between them. evm_verifyxattr() isn't, but could be called
> by LSMs. So evm_verifyxattr() would need to be extended to return the
> EVM xattr type. The IMA policy could then require a specific evmxattr
> type.

Possible. I'd been thinking of doing it the other way (i.e., pass the set of permitted EVM xattr types to evm_verifyxattr()), but yes.

> Perhaps for now require IMA signatures and defer supporting EVM
> signatures?

If that's sufficient for you, happy to do that.
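To make the check Matthew describes concrete, here is an added example (not code from the thread or from the kernel) that reads security.evm with getxattr() and classifies the blob by its leading type byte. The type byte values are the kernel's enum evm_ima_xattr_type and the v2 signature header layout is the kernel's signature_v2_hdr; the evm_kind names, the length sanity checks and the 1024-byte read buffer are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>
#include <errno.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

/* Type byte values from the kernel's enum evm_ima_xattr_type. */
#define EVM_XATTR_HMAC            1
#define EVM_IMA_XATTR_DIGSIG      2
#define EVM_XATTR_PORTABLE_DIGSIG 4
#define SHA1_DIGEST_SIZE          20
enum evm_kind { EVM_NONE = 0, EVM_HMAC, EVM_SIG, EVM_PORTABLE_SIG, EVM_BAD };

/* Classify an xattr blob by its leading type byte. The length checks are this
 * example's own: an HMAC is type byte + SHA1 digest; a signature carries a
 * signature_v2_hdr whose declared sig_size must account for the rest. */
enum evm_kind evm_xattr_kind(const uint8_t *buf, size_t len)
{
    if (len < 1)
        return EVM_NONE;
    switch (buf[0]) {
    case EVM_XATTR_HMAC:
        return len == 1 + SHA1_DIGEST_SIZE ? EVM_HMAC : EVM_BAD;
    case EVM_IMA_XATTR_DIGSIG:
    case EVM_XATTR_PORTABLE_DIGSIG: {
        /* signature_v2_hdr: type, version, hash_algo, keyid[4], sig_size[2] BE */
        if (len < 9 || buf[1] != 2)
            return EVM_BAD;
        size_t sig_size = ((size_t)buf[7] << 8) | buf[8];
        if (len != 9 + sig_size)
            return EVM_BAD;
        return buf[0] == EVM_XATTR_PORTABLE_DIGSIG ? EVM_PORTABLE_SIG : EVM_SIG;
    }
    default:
        return EVM_BAD; /* IMA-only types or garbage in security.evm */
    }
}
#ifdef __linux__
/* Read security.evm (XATTR_NAME_EVM) from a path and classify it. */
enum evm_kind evm_file_kind(const char *path)
{
    uint8_t buf[1024];
    ssize_t n = getxattr(path, "security.evm", buf, sizeof buf);
    if (n < 0)
        return errno == ENODATA ? EVM_NONE : EVM_BAD;
    return evm_xattr_kind(buf, (size_t)n);
}
#endif
```

A policy that wants "immutable files must carry a signature" would then accept only EVM_SIG or EVM_PORTABLE_SIG from evm_file_kind() and treat EVM_HMAC, EVM_NONE and EVM_BAD alike as a failure.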