RE: IMA/EVM interfaces

> From: Denis Efremov [mailto:efremov@xxxxxxxxx]
> Sent: Wednesday, July 29, 2020 11:59 PM
> 
> 
> 
> On 7/28/20 6:43 PM, Roberto Sassu wrote:
> >> From: linux-integrity-owner@xxxxxxxxxxxxxxx [mailto:linux-integrity-owner@xxxxxxxxxxxxxxx] On Behalf Of Denis Efremov
> >> Sent: Tuesday, July 28, 2020 12:32 PM
> >> Hi,
> >>
> >> I've started to add integrity interfaces descriptions to syzkaller
> >> (https://github.com/google/syzkaller/pull/1970).
> >>
> >> I've got a question, if you don't mind:
> >>
> >> If I write 2 to /sys/kernel/security/integrity/evm/evm before loading keys,
> >> subsequent fs operations will fail with -ENOKEY.
> >>
> >> $ echo 2 > /sys/kernel/security/integrity/evm/evm
> >> $ touch test.txt

Looks good. Mimi, could you please take this patch, and if
possible, the others in the patch set?

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> >> [  526.976855][ T5771] evm: HMAC key is not set
> >> [  526.977892][ T5771] evm: init_desc failed
> >> touch: cannot touch 'test.txt': Required key not available
> >>
> >> Is this a desired behavior? Should there be a check in evm_write_key()
> >> for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings) before
> >> changing the evm_initialized bit? Is it correct to set second bit without
> >> first bit?
> >
> > Hi Denis
> >
> > can you please try this patch?
> >
> > https://lore.kernel.org/linux-integrity/20200618160133.937-1-roberto.sassu@xxxxxxxxxx/
> >
> >
> 
> $ cat /proc/cmdline
> console=ttyS0 root=/dev/sda earlyprintk=serial ima_appraise=fix evm=fix
> $ echo 2 > /sys/kernel/security/integrity/evm/evm
> [   44.116084][ T4108] evm: HMAC key is not set
> $ touch test.txt
> $ cat /sys/kernel/security/integrity/evm/evm
> 2
> $ keyctl add user kmk-user "`cat /etc/keys/kmk-user.blob`" @u
> $ keyctl add encrypted evm-key "load `cat /etc/keys/evm-user.blob`" @u
> $ echo 1 > /sys/kernel/security/integrity/evm/evm
> [  574.328262] evm: key initialized
> 
> Regards,
> Denis
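
A pre-flight check for the write sequence discussed in this thread, as an added example that is not part of either e-mail or of the kernel tree: it decodes an EVM state value and refuses or warns before a write made while no HMAC key is loaded. The bit meanings are taken from the kernel's Documentation/ABI/testing/evm; the function names and return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Bit meanings follow the kernel's
# Documentation/ABI/testing/evm; all function names are hypothetical.
EVM_FILE=/sys/kernel/security/integrity/evm/evm

# evm_decode VALUE: print the names of the flags set in an EVM state value.
evm_decode() {
    v=$1; out=""
    if [ $(( v & 1 )) -ne 0 ]; then out="$out hmac"; fi
    if [ $(( v & 2 )) -ne 0 ]; then out="$out x509"; fi
    if [ $(( v & 4 )) -ne 0 ]; then out="$out metadata-writes"; fi
    if [ $(( v & 0x80000000 )) -ne 0 ]; then out="$out setup-complete"; fi
    out=${out# }
    echo "${out:-none}"
}

# evm_key_loaded: succeeds if an encrypted key named evm-key is in @u,
# the keyring used in the session above.
evm_key_loaded() {
    keyctl search @u encrypted evm-key >/dev/null 2>&1
}

# evm_preflight REQUEST KEY_LOADED(0|1): verdict for a planned write.
# Returns 0 = ok, 1 = refuse, 2 = warn.
evm_preflight() {
    req=$1; have_key=$2
    if [ $(( req & 1 )) -ne 0 ] && [ "$have_key" -ne 1 ]; then
        echo "refuse: bit 0 (hmac) requested but evm-key is not loaded"
        return 1
    fi
    if [ $(( req & 3 )) -eq 2 ] && [ "$have_key" -ne 1 ]; then
        echo "warn: bit 1 (x509) without an HMAC key; file creation may fail with ENOKEY"
        return 2
    fi
    echo "ok: $(evm_decode "$req")"
    return 0
}

# evm_safe_write REQUEST: write to securityfs only when the preflight passes.
evm_safe_write() {
    if evm_key_loaded; then k=1; else k=0; fi
    evm_preflight "$1" "$k" && echo "$1" > "$EVM_FILE"
}
```

`evm_safe_write 1` needs root and a mounted securityfs; `evm_decode` and `evm_preflight` are pure and can be run anywhere.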



