Re: [PATCH v3 2/2] ima: add enforce-evm and log-evm modes to strictly check EVM status

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 6/7/2019 5:08 PM, Mimi Zohar wrote:
On Fri, 2019-06-07 at 16:40 +0200, Roberto Sassu wrote:
On Thu, 2019-06-06 at 13:26 +0200, Roberto Sassu wrote:

Although this choice appears legitimate, it might not be suitable for
hardened systems, where the administrator expects that access is denied if
there is any error. An attacker could intentionally delete the EVM keys
from the system and set the file digest in security.ima to the actual file
digest so that the final appraisal status is INTEGRITY_PASS.

Assuming that the EVM HMAC key is stored in the initramfs, not on some
other file system, and the initramfs is signed, INTEGRITY_UNKNOWN
would be limited to the rootfs filesystem.

There is another issue. The HMAC key, like the public keys, should be
loaded when appraisal is disabled. This means that we have to create a
trusted key at early boot and defer the unsealing.

There is no need for IMA to appraise the public key file signature,
since the certificate is signed by a key on the builtin/secondary
trusted keyring.  With CONFIG_IMA_LOAD_X509 enabled, the public key
can be loaded onto the IMA keyring with IMA-appraisal enabled, but
without verifying the file signature.

Yes, but access to the files containing the master key and the EVM key
is denied if appraisal is enabled.

Roberto

--
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux