Re: [PATCH v3 0/2] ima/evm fixes for v5.2

On 6/13/2019 8:01 AM, Janne Karhunen wrote:
> On Wed, Jun 12, 2019 at 7:33 PM Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote:
>
>>> That's a pretty big change for the userland IMHO. Quite a few
>>> configurations out there will break, including mine I believe, so I
>>> hope there is a solid reason for asking people to change their stuff. I'm
>>> fine holding off all writing until it is safe to do so for now.
>>
>> The goal of appraisal is to allow access only to files with a valid
>> signature or HMAC. With the current behavior, that cannot be guaranteed.
>>
>> Unfortunately, dracut-state.sh is created very early. It could be
>> possible to unseal the key before, but this probably means modifying
>> systemd.
>
> Ok, I see the use case. Now, if you pull a urandom key that early on
> during the boot, the state of the system entropy is at an all-time low,
> and you are not really protecting against any sort of offline attack
> since the file is created during that boot cycle. Is there really a use
> for such a key? Wouldn't it be possible to create a new config
> option, say IMA_ALLOW_EARLY_WRITERS, that would hold the NEW_FILE flag
> until the persistent key becomes available? In other words, it would
> start the measuring at the point when the key becomes online?

I also thought about similar solutions. Another is, for example, to keep
the appraisal flags at file close, if security.ima is successfully
added to the file.

Initializing EVM with a key is not a trivial change, but it seemed
better to me as it does not introduce exceptions in the IMA behavior.

Roberto

--
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI
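Roberto's point above is that appraisal should only pass files that carry a valid security.ima digest or signature, and that a file written before the key is available does not. As an added, defender-side helper that is not part of this thread or of the kernel's own code, here is a Python classifier for the bytes found in a file's security.ima xattr; the type bytes, the signature_v2_hdr layout and the hash_algo numbers are as recalled from the kernel headers (verify against your tree), and the sample values are constructed.

```python
import hashlib
import struct

# security.ima type bytes (enum evm_ima_xattr_type, security/integrity/integrity.h
# in the kernel tree, as recalled here; verify against your tree).
IMA_XATTR_DIGEST = 0x01      # legacy: type byte, then an MD5 or SHA-1 digest
EVM_IMA_XATTR_DIGSIG = 0x03  # type byte, signature_v2_hdr, then the signature
IMA_XATTR_DIGEST_NG = 0x04   # type byte, hash_algo byte, then the digest
# Subset of enum hash_algo from include/uapi/linux/hash_info.h.
HASH_ALGO = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}

def parse_ima_xattr(value):
    """Classify raw security.ima bytes; 'kind' is missing/digest/digsig/unknown.
    Anything but a well-formed digest or signature fails appraisal, which is
    where a file written before the EVM/IMA key was available ends up."""
    if not value:
        return {"kind": "missing"}
    kind = value[0]
    if kind == IMA_XATTR_DIGEST:
        algo = "md5" if len(value) == 1 + 16 else "sha1"
        return {"kind": "digest", "algo": algo, "digest": value[1:]}
    if kind == IMA_XATTR_DIGEST_NG:
        algo = HASH_ALGO.get(value[1]) if len(value) > 1 else None
        if algo is None or len(value) != 2 + hashlib.new(algo).digest_size:
            return {"kind": "unknown"}
        return {"kind": "digest", "algo": algo, "digest": value[2:]}
    if kind == EVM_IMA_XATTR_DIGSIG and len(value) >= 10:
        # signature_v2_hdr: type u8, version u8, hash_algo u8, keyid be32, sig_size be16
        _, version, hash_algo, keyid, sig_size = struct.unpack(">BBBIH", value[1:10])
        sig = value[10:]
        if version != 2 or len(sig) != sig_size:
            return {"kind": "unknown"}
        return {"kind": "digsig", "algo": HASH_ALGO.get(hash_algo), "keyid": keyid, "sig": sig}
    return {"kind": "unknown"}

def digest_matches(value, data):
    """True only when security.ima holds a digest of data; signatures need a key, so False."""
    info = parse_ima_xattr(value)
    if info["kind"] != "digest":
        return False
    return hashlib.new(info["algo"], data).digest() == info["digest"]

# Constructed samples, not taken from any real system.
SAMPLE_DATA = b"hello world\n"
SAMPLE_NG = bytes([IMA_XATTR_DIGEST_NG, 4]) + hashlib.sha256(SAMPLE_DATA).digest()
SAMPLE_LEGACY = bytes([IMA_XATTR_DIGEST]) + hashlib.sha1(SAMPLE_DATA).digest()
SAMPLE_SIG = (bytes([EVM_IMA_XATTR_DIGSIG])
              + struct.pack(">BBBIH", 2, 2, 4, 0xDEADBEEF, 3) + b"abc")
```

On a live system, feed it the result of `os.getxattr(path, "security.ima", follow_symlinks=False)` and treat an `OSError` from that call as the "missing" case.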