> From: Denis Efremov [mailto:efremov@xxxxxxxxx]
> Sent: Wednesday, July 29, 2020 11:59 PM
>
> On 7/28/20 6:43 PM, Roberto Sassu wrote:
> >> From: linux-integrity-owner@xxxxxxxxxxxxxxx [mailto:linux-integrity-owner@xxxxxxxxxxxxxxx] On Behalf Of Denis Efremov
> >> Sent: Tuesday, July 28, 2020 12:32 PM
> >> Hi,
> >>
> >> I've started to add integrity interfaces descriptions to syzkaller
> >> (https://github.com/google/syzkaller/pull/1970).
> >>
> >> I've got a question, if you don't mind:
> >>
> >> If I write 2 to /sys/kernel/security/integrity/evm/evm before loading keys,
> >> subsequent fs operations will fail with -ENOKEY.
> >>
> >> $ echo 2 > /sys/kernel/security/integrity/evm/evm
> >> $ touch test.txt
> >> [ 526.976855][ T5771] evm: HMAC key is not set
> >> [ 526.977892][ T5771] evm: init_desc failed
> >> touch: cannot touch 'test.txt': Required key not available
> >>
> >> Is this a desired behavior? Should there be a check in evm_write_key()
> >> for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings) before
> >> changing the evm_initialized bit? Is it correct to set second bit without
> >> first bit?
> >
> > Hi Denis
> >
> > can you please try this patch?
> >
> > https://lore.kernel.org/linux-integrity/20200618160133.937-1-roberto.sassu@xxxxxxxxxx/
> >
>
> $ cat /proc/cmdline
> console=ttyS0 root=/dev/sda earlyprintk=serial ima_appraise=fix evm=fix
> $ echo 2 > /sys/kernel/security/integrity/evm/evm
> [ 44.116084][ T4108] evm: HMAC key is not set
> $ touch test.txt
> $ cat /sys/kernel/security/integrity/evm/evm
> 2
> $ keyctl add user kmk-user "`cat /etc/keys/kmk-user.blob`" @u
> $ keyctl add encrypted evm-key "load `cat /etc/keys/evm-user.blob`" @u
> $ echo 1 > /sys/kernel/security/integrity/evm/evm
> [ 574.328262] evm: key initialized
>
> Regards,
> Denis

Looks good. Mimi, could you please take this patch, and if possible, the others in the patch set?

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
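
The key-loading order shown in the thread, turned into a pre-flight check, as an added example that is not part of the original messages or of the kernel tree. The function names and the two keyring listings are assumptions made here; the listings are constructed to imitate `keyctl show @u` output, and the bit meanings follow the kernel's Documentation/ABI/testing/evm.

```shell
#!/bin/sh
# Added example: decide whether a value is safe to write to
# /sys/kernel/security/integrity/evm/evm given the keys currently loaded.

EVM_INIT_HMAC=1   # bit 0: HMAC validation and creation (needs the evm-key)
EVM_INIT_X509=2   # bit 1: digital signature validation

# evm_modes VALUE -> prints the modes that VALUE would enable
evm_modes() {
    out=""
    if [ $(( $1 & EVM_INIT_HMAC )) -ne 0 ]; then out="hmac"; fi
    if [ $(( $1 & EVM_INIT_X509 )) -ne 0 ]; then out="${out:+$out,}x509"; fi
    echo "${out:-none}"
}

# has_evm_key LISTING -> 0 if an encrypted key named evm-key is listed
has_evm_key() {
    printf '%s\n' "$1" | grep -Eq 'encrypted: evm-key[[:space:]]*$'
}

# evm_write_ok VALUE LISTING -> 0 if the write is safe, 1 if HMAC mode
# is requested while no encrypted evm-key is loaded.
# Note: this models the bit definitions only. The first report in the
# thread shows value 2 failing with -ENOKEY on a kernel without the
# linked patch; that kernel-side behaviour is not modelled here.
evm_write_ok() {
    if [ $(( $1 & EVM_INIT_HMAC )) -ne 0 ] && ! has_evm_key "$2"; then
        echo "refuse: HMAC requested but no encrypted evm-key loaded" >&2
        return 1
    fi
    return 0
}

# Constructed sample listings (key IDs are made up).
NO_KEYS='Keyring
 100000001 --alswrv      0 65534  keyring: _uid.0'
WITH_KEYS='Keyring
 100000001 --alswrv      0 65534  keyring: _uid.0
 100000002 --alswrv      0     0   \_ user: kmk-user
 100000003 --alswrv      0     0   \_ encrypted: evm-key'

# Real use (not run here):
#   evm_write_ok 1 "$(keyctl show @u)" && \
#       echo 1 > /sys/kernel/security/integrity/evm/evm
echo "value 2 enables: $(evm_modes 2)"
evm_write_ok 1 "$NO_KEYS" 2>/dev/null || echo "value 1 blocked: no evm-key"
evm_write_ok 1 "$WITH_KEYS" && echo "value 1 allowed: evm-key present"
```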