On 7/28/20 6:43 PM, Roberto Sassu wrote:
>> From: linux-integrity-owner@xxxxxxxxxxxxxxx [mailto:linux-integrity-
>> owner@xxxxxxxxxxxxxxx] On Behalf Of Denis Efremov
>> Sent: Tuesday, July 28, 2020 12:32 PM
>> Hi,
>>
>> I've started to add integrity interfaces descriptions to syzkaller
>> (https://github.com/google/syzkaller/pull/1970).
>>
>> I've got a question, if you don't mind:
>>
>> If I write 2 to /sys/kernel/security/integrity/evm/evm before loading keys,
>> subsequent fs operations will fail with -ENOKEY.
>>
>> $ echo 2 > /sys/kernel/security/integrity/evm/evm
>> $ touch test.txt
>> [ 526.976855][ T5771] evm: HMAC key is not set
>> [ 526.977892][ T5771] evm: init_desc failed
>> touch: cannot touch 'test.txt': Required key not available
>>
>> Is this a desired behavior? Should there be a check in evm_write_key()
>> for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings) before
>> changing the evm_initialized bit? Is it correct to set second bit without
>> first bit?
>
> Hi Denis
>
> can you please try this patch?
>
> https://lore.kernel.org/linux-integrity/20200618160133.937-1-roberto.sassu@xxxxxxxxxx/
>

$ cat /proc/cmdline
console=ttyS0 root=/dev/sda earlyprintk=serial ima_appraise=fix evm=fix
$ echo 2 > /sys/kernel/security/integrity/evm/evm
[ 44.116084][ T4108] evm: HMAC key is not set
$ touch test.txt
$ cat /sys/kernel/security/integrity/evm/evm
2
$ keyctl add user kmk-user "`cat /etc/keys/kmk-user.blob`" @u
$ keyctl add encrypted evm-key "load `cat /etc/keys/evm-user.blob`" @u
$ echo 1 > /sys/kernel/security/integrity/evm/evm
[ 574.328262] evm: key initialized

Regards,
Denis
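The check Denis asks about (refuse to flip an evm_initialized bit until the key that bit depends on is loaded) can be done from userspace before touching the sysfs file. The script below is an added example, not code from the thread or from the kernel tree. It assumes the flag values of the EVM status word from security/integrity/evm/evm.h (EVM_INIT_HMAC = 1, EVM_INIT_X509 = 2, EVM_ALLOW_METADATA_WRITES = 4), the line layout of `keyctl show` output (each key line ends in "<type>: <description>"), the sysfs path and key blob paths from Denis's transcript, and, as a simplification, that any asymmetric key in the supplied listing counts as a usable .evm signing key. The sample keyctl listing is constructed, not captured from a real system, so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): do not write to
# /sys/kernel/security/integrity/evm/evm until the keys the requested bits
# depend on are present. Flag values assumed from evm.h; keyctl output
# format assumed from `keyctl show`.

EVM_INIT_HMAC=1               # bit 0: HMAC validation, needs the "evm-key" encrypted key
EVM_INIT_X509=2               # bit 1: signature validation, needs a public key on .evm
EVM_ALLOW_METADATA_WRITES=4   # bit 2: permit metadata writes before setup completes

# Constructed `keyctl show @u` listing (not captured from a real system).
SAMPLE_LISTING='Keyring
 123456789 --alswrv      0     0  keyring: _uid.0
 234567890 --alswrv      0     0   \_ user: kmk-user
 345678901 --alswrv      0     0   \_ encrypted: evm-key'

# Turn a status word as read from the evm sysfs file into flag names,
# e.g. "3" -> "HMAC X509", "0" -> "".
evm_decode() {
    v=$(( $1 ))
    names=""
    [ $(( v & EVM_INIT_HMAC )) -ne 0 ] && names="$names HMAC"
    [ $(( v & EVM_INIT_X509 )) -ne 0 ] && names="$names X509"
    [ $(( v & EVM_ALLOW_METADATA_WRITES )) -ne 0 ] && names="$names METADATA_WRITES"
    printf '%s\n' "${names# }"
}

# Succeed if a keyctl listing on stdin has a key of type $1 named $2.
keyring_has() {
    grep -Eq "[[:space:]]$1: $2\$"
}

# Decide whether status word $1 may be written, given a keyctl listing on
# stdin (user keyring, optionally followed by the .evm keyring listing).
# Returns 0 if every requested bit has its key, 1 with a reason on stderr.
evm_safe_to_write() {
    want=$(( $1 ))
    listing=$(cat)
    if [ $(( want & EVM_INIT_HMAC )) -ne 0 ] && \
       ! printf '%s\n' "$listing" | keyring_has encrypted evm-key; then
        echo "refusing to set HMAC: encrypted key 'evm-key' is not loaded" >&2
        return 1
    fi
    if [ $(( want & EVM_INIT_X509 )) -ne 0 ] && \
       ! printf '%s\n' "$listing" | grep -Eq '[[:space:]]asymmetric: '; then
        echo "refusing to set X509: no asymmetric key in the listing" >&2
        return 1
    fi
    return 0
}

# The sequence from Denis's transcript, gated on the key really being present.
# Paths are the ones he used; this touches the live system, so it only runs
# when invoked with --apply.
evm_enable_hmac() {
    sysfs=/sys/kernel/security/integrity/evm/evm
    keyctl add user kmk-user "$(cat /etc/keys/kmk-user.blob)" @u >/dev/null
    keyctl add encrypted evm-key "load $(cat /etc/keys/evm-user.blob)" @u >/dev/null
    if keyctl show @u | evm_safe_to_write "$EVM_INIT_HMAC"; then
        echo "$EVM_INIT_HMAC" > "$sysfs"
        echo "evm now: $(evm_decode "$(cat "$sysfs")")"
    fi
}

if [ "${1:-}" = "--apply" ]; then
    evm_enable_hmac
else
    # Offline demonstration against the constructed listing: 1 (HMAC) passes
    # because evm-key is present, 2 (X509) is refused because no asymmetric
    # key is listed.
    printf '%s\n' "$SAMPLE_LISTING" | evm_safe_to_write 1 && echo "1 ok: $(evm_decode 1)"
    printf '%s\n' "$SAMPLE_LISTING" | evm_safe_to_write 2 || echo "2 refused"
fi
```

Sourcing the file only defines the functions; `sh evm-guard.sh --apply` runs the real keyctl/sysfs sequence, and anything else runs the offline checks. On an unpatched kernel the guard matters most for the HMAC bit, since that is the bit whose missing key turns every subsequent inode operation into -ENOKEY.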