Hi Roberto,

Thank you for updating the patch description.

On Thu, 2019-06-06 at 13:26 +0200, Roberto Sassu wrote:
> IMA and EVM have been designed as two independent subsystems: the first for
> checking the integrity of file data; the second for checking file metadata.
> Making them independent allows users to adopt them incrementally.
>
> The point of intersection is in IMA-Appraisal, which calls
> evm_verifyxattr() to ensure that security.ima wasn't modified during an
> offline attack. The design choice, to ensure incremental adoption, was to
> continue appraisal verification if evm_verifyxattr() returns
> INTEGRITY_UNKNOWN. This value is returned when EVM is not enabled in the
> kernel configuration, or if the HMAC key has not been loaded yet.
>
> Although this choice appears legitimate, it might not be suitable for
> hardened systems, where the administrator expects that access is denied if
> there is any error. An attacker could intentionally delete the EVM keys
> from the system and set the file digest in security.ima to the actual file
> digest so that the final appraisal status is INTEGRITY_PASS.

Assuming that the EVM HMAC key is stored in the initramfs, not on some other
file system, and the initramfs is signed, INTEGRITY_UNKNOWN would be limited
to the rootfs filesystem.

> This patch allows such hardened systems to strictly enforce an access
> control policy based on the validity of signatures/HMACs, by introducing
> two new values for the ima_appraise= kernel option: enforce-evm and
> log-evm.

This patch defines a global policy requiring EVM on all filesystems. I've
previously suggested extending the IMA policy to support enforcing or maybe
exempting EVM on a per IMA policy rule basis.

As seen by the need for an additional patch, included in this patch set,
which defines a temporary random number HMAC key to address INTEGRITY_UNKNOWN
on the rootfs filesystem, exempting certain filesystems on a per policy rule
basis might be simpler and achieve similar results.

I'd like to hear other people's thoughts on defining a temporary, random
number HMAC key.

thanks,

Mimi
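An added example, not from the patch set or the kernel sources, that models in Python the appraisal decision the quoted description discusses: evm_verifyxattr(), ima_appraise(), label_file() and offline_tamper() are simplified stand-ins for the kernel logic, and the HMAC key, file contents and tampering scenario are constructed.

```python
import hashlib
import hmac

# Verdicts of the modelled EVM check, named after the kernel's integrity
# status values referred to in the thread.
INTEGRITY_PASS = "INTEGRITY_PASS"
INTEGRITY_FAIL = "INTEGRITY_FAIL"
INTEGRITY_UNKNOWN = "INTEGRITY_UNKNOWN"


def evm_verifyxattr(xattrs, hmac_key):
    """Simplified model of evm_verifyxattr(): an HMAC over security.ima.
    With no key loaded the verdict is INTEGRITY_UNKNOWN (the real kernel
    also covers inode metadata; that is left out of this model)."""
    if hmac_key is None:
        return INTEGRITY_UNKNOWN
    expected = hmac.new(hmac_key, xattrs["security.ima"], hashlib.sha256).digest()
    if hmac.compare_digest(expected, xattrs.get("security.evm", b"")):
        return INTEGRITY_PASS
    return INTEGRITY_FAIL


def ima_appraise(data, xattrs, hmac_key, mode="enforce"):
    """Return True when access is allowed under the given ima_appraise= mode.
    'enforce' continues on INTEGRITY_UNKNOWN (incremental adoption);
    'enforce-evm', the patch's new value, treats UNKNOWN as a failure."""
    evm_status = evm_verifyxattr(xattrs, hmac_key)
    if evm_status == INTEGRITY_FAIL:
        return False
    if evm_status == INTEGRITY_UNKNOWN and mode == "enforce-evm":
        return False
    # In both modes the file digest is then compared with security.ima.
    return hmac.compare_digest(hashlib.sha256(data).digest(), xattrs["security.ima"])


def label_file(data, hmac_key):
    """Constructed helper: xattrs as produced at labelling time with the key."""
    ima = hashlib.sha256(data).digest()
    return {"security.ima": ima,
            "security.evm": hmac.new(hmac_key, ima, hashlib.sha256).digest()}


def offline_tamper(xattrs, new_data):
    """Constructed offline-modification scenario from the thread: the file is
    rewritten and security.ima set to the new digest; security.evm is stale."""
    tampered = dict(xattrs)
    tampered["security.ima"] = hashlib.sha256(new_data).digest()
    return tampered
```

With the key deleted, the default "enforce" mode lets the tampered file through because INTEGRITY_UNKNOWN is not treated as an error, while "enforce-evm" denies it.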