Re: [PATCH v3 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded

Mimi Zohar <zohar@xxxxxxxxxxxxx> · Wed, 02 Dec 2020 16:07:27 -0500

On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote:
> EVM_ALLOW_METADATA_WRITES is an EVM initialization flag that can be set to
> temporarily disable metadata verification until all xattrs/attrs necessary
> to verify an EVM portable signature are copied to the file. This flag is
> cleared when EVM is initialized with an HMAC key, to avoid that the HMAC is
> calculated on unverified xattrs/attrs.
> 
> Currently EVM unnecessarily denies setting this flag if EVM is initialized
> with a public key, which is not a concern as it cannot be used to trust
> xattrs/attrs updates. This patch removes this limitation.
> 
> Cc: stable@xxxxxxxxxxxxxxx # 4.16.x
> Fixes: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata")
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> ---
>  Documentation/ABI/testing/evm      | 5 +++--
>  security/integrity/evm/evm_secfs.c | 2 +-
>  2 files changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm
> index 3c477ba48a31..eb6d70fd6fa2 100644
> --- a/Documentation/ABI/testing/evm
> +++ b/Documentation/ABI/testing/evm
> @@ -49,8 +49,9 @@ Description:
>  		modification of EVM-protected metadata and
>  		disable all further modification of policy
>  
> -		Note that once a key has been loaded, it will no longer be
> -		possible to enable metadata modification.
> +		Note that once an HMAC key has been loaded, it will no longer
> +		be possible to enable metadata modification and, if it is
> +		already enabled, it will be disabled.
>  
>  		Until key loading has been signaled EVM can not create
>  		or validate the 'security.evm' xattr, but returns
> diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
> index cfc3075769bb..92fe26ace797 100644
> --- a/security/integrity/evm/evm_secfs.c
> +++ b/security/integrity/evm/evm_secfs.c
> @@ -84,7 +84,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf,
>  	 * keys are loaded.
>  	 */
>  	if ((i & EVM_ALLOW_METADATA_WRITES) &&
> -	    ((evm_initialized & EVM_KEY_MASK) != 0) &&
> +	    ((evm_initialized & EVM_INIT_HMAC) != 0) &&
>  	    !(evm_initialized & EVM_ALLOW_METADATA_WRITES))
>  		return -EPERM;
>  

If an HMAC key is loaded EVM_ALLOW_METADATA_WRITES should already be
disabled.  Testing EVM_ALLOW_METADATA_WRITES shouldn't be needed. 
Please update the comment: "Don't allow a request to freshly enable
metadata writes if keys are loaded."

thanks,

Mimi