On Thu, 2021-05-20 at 10:56 +0200, Roberto Sassu wrote:
> Currently, the evm_config_default_xattrnames array contains xattr names
> only related to LSMs which are enabled in the kernel configuration.
> However, EVM portable signatures do not depend on local information and a
> vendor might include in the signature calculation xattrs that are not
> enabled in the target platform.
>
> Just including all xattr names in evm_config_default_xattrnames is not a
> safe approach, because a target system might have already calculated
> signatures or HMACs based only on the enabled xattrs. After applying this
> patch, EVM would verify those signatures and HMACs with all xattrs instead.
> The non-enabled ones, which could possibly exist, would cause a
> verification error.
>
> Thus, this patch adds a new field named enabled to the xattr_list
> structure, which is set to true if the LSM associated with a given xattr name
> is enabled in the kernel configuration. The non-enabled xattrs are taken
> into account only in evm_calc_hmac_or_hash(), if the passed security.evm
> type is EVM_XATTR_PORTABLE_DIGSIG.
>
> The new function evm_protected_xattr_if_enabled() has been defined so that
> IMA can include all protected xattrs and not only the enabled ones in the
> measurement list, if the new template field evmxattrs has been included in
> the template format.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Nice, I really like this idea.

Mimi
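The selection rule the commit message describes, as an added user-space simulation that is not the kernel patch's code: a protected-xattr table with the new enabled flag, a digest routine that folds non-enabled xattrs in only for EVM_XATTR_PORTABLE_DIGSIG, and a lookup that reports enabled state the way evm_protected_xattr_if_enabled() is meant to. The table contents, the two sample files and the FNV-1a stand-in for the kernel's HMAC/hash are all constructed here; the enum values are copied from the kernel's evm_ima_xattr_type, and xattr_state() is a helper added for the assertions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local copy of the security.evm type values from the kernel's
 * enum evm_ima_xattr_type (include/linux/integrity.h). */
enum evm_type {
    EVM_XATTR_HMAC            = 0x02,
    EVM_IMA_XATTR_DIGSIG      = 0x03,
    EVM_XATTR_PORTABLE_DIGSIG = 0x05,
};

/* Simulated xattr_list entry: a protected xattr name plus the patch's new
 * `enabled` flag (true when the owning LSM is built into this kernel). */
struct xattr_list {
    const char *name;
    bool enabled;
};

/* Constructed table for a hypothetical target: SELinux and IMA enabled,
 * Smack and AppArmor compiled out. */
static const struct xattr_list evm_config_xattrnames[] = {
    { "security.selinux",  true  },
    { "security.SMACK64",  false },
    { "security.apparmor", false },
    { "security.ima",      true  },
};
#define NR_XATTRS (sizeof(evm_config_xattrnames) / sizeof(evm_config_xattrnames[0]))

/* A file's xattrs as name/value pairs (constructed sample data). */
struct file_xattr {
    const char *name;
    const char *value;
};

/* The file as a vendor shipped it: carries a Smack label the target does not use. */
static const struct file_xattr vendor_file[] = {
    { "security.selinux", "system_u:object_r:bin_t:s0" },
    { "security.SMACK64", "_" },
    { "security.ima",     "0402deadbeef" },
};

/* The same file as the target would label it locally: no Smack label. */
static const struct file_xattr target_file[] = {
    { "security.selinux", "system_u:object_r:bin_t:s0" },
    { "security.ima",     "0402deadbeef" },
};

static const char *lookup_xattr(const struct file_xattr *f, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(f[i].name, name) == 0)
            return f[i].value;
    return NULL;
}

/* Stand-in for the kernel's crypto digest: 64-bit FNV-1a over each string,
 * followed by a separator byte so field boundaries are unambiguous. */
static uint64_t fnv1a_update(uint64_t h, const char *s)
{
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    h ^= 0xff;
    h *= 1099511628211ULL;
    return h;
}

/* Mirrors the rule the patch adds to evm_calc_hmac_or_hash(): a non-enabled
 * xattr is folded into the digest only when the security.evm type being
 * computed or verified is EVM_XATTR_PORTABLE_DIGSIG. */
uint64_t evm_calc_digest(const struct file_xattr *f, size_t n, enum evm_type type)
{
    uint64_t h = 1469598103934665603ULL;

    for (size_t i = 0; i < NR_XATTRS; i++) {
        const struct xattr_list *x = &evm_config_xattrnames[i];
        const char *value;

        if (!x->enabled && type != EVM_XATTR_PORTABLE_DIGSIG)
            continue;
        value = lookup_xattr(f, n, x->name);
        if (!value)
            continue;
        h = fnv1a_update(h, x->name);
        h = fnv1a_update(h, value);
    }
    return h;
}

/* Mirrors evm_protected_xattr_if_enabled(): returns 1 if `name` is a protected
 * xattr and reports through *enabled whether its LSM is enabled, so IMA can
 * list every protected xattr rather than only the enabled ones. */
int evm_protected_xattr_if_enabled(const char *name, bool *enabled)
{
    for (size_t i = 0; i < NR_XATTRS; i++) {
        if (strcmp(evm_config_xattrnames[i].name, name) == 0) {
            *enabled = evm_config_xattrnames[i].enabled;
            return 1;
        }
    }
    return 0;
}

/* Helper for the checks below: -1 = not protected, 0 = protected but disabled, 1 = enabled. */
int xattr_state(const char *name)
{
    bool en;
    if (!evm_protected_xattr_if_enabled(name, &en))
        return -1;
    return en ? 1 : 0;
}

int main(void)
{
    uint64_t portable = evm_calc_digest(vendor_file, 3, EVM_XATTR_PORTABLE_DIGSIG);
    uint64_t local    = evm_calc_digest(target_file, 2, EVM_XATTR_HMAC);
    uint64_t mixed    = evm_calc_digest(vendor_file, 3, EVM_XATTR_HMAC);

    printf("portable digest, vendor labels : %016llx\n", (unsigned long long)portable);
    printf("HMAC-style digest, local labels: %016llx\n", (unsigned long long)local);
    printf("HMAC-style digest, vendor file : %016llx (matches local: %s)\n",
           (unsigned long long)mixed, mixed == local ? "yes" : "no");
    return 0;
}
```

The two properties the commit message argues for fall out directly: a digest computed in HMAC or non-portable mode ignores the Smack label even when it is present on disk, so signatures and HMACs a target already computed over enabled-only xattrs keep verifying, while the portable mode includes the vendor's non-enabled label so a vendor signature covering it still matches.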