On Thu, 2019-03-14 at 15:54 -0700, Matthew Garrett wrote: > On Thu, Mar 14, 2019 at 3:31 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > > > On Thu, 2019-03-14 at 14:08 -0700, Matthew Garrett wrote: > > > On Wed, Mar 13, 2019 at 6:08 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > > > The IMA hash and EVM hmac combination is fine for offline protection. > > > > It's used for mutable files. For immutable files, there must be > > > > either an IMA or EVM signature. > > > > > > Ok. Is the correct way to handle this to check that the file has a > > > signature, or to extend IMA policy to allow it to provide a > > > requirement that EVM verify a signature rather than an HMAC and have > > > the arch policy set that? > > > > I'm not sure what you mean by "check that the file has a signature". > > Call getxattr(XATTR_SECURITY_EVM) and parse the type to determine > whether it's an hmac or a signature. The other option is preferable. > > > EVM and IMA are separate subsystems with a defined interface for > > interaction between them. evm_verifyxattr() isn't, but could be called > > by LSMs. So evm_verifyxattr() would need to be extended to return the > > EVM xattr type. The IMA policy could then require a specific evmxattr > > type. Possible. > > I'd been thinking of doing it the other way (ie, pass the set of > permitted EVM xattr types to evm_verifyxattr()), but yes. Just as IMA decides how it wants to handle "no xattrs", let IMA decide how it wants to handle the different EVM xattr types. > > > Perhaps for now require IMA signatures and defer supporting EVM > > signatures? > > If that's sufficient for you, happy to do that. Definitely Mimi
