From: Roberto Sassu <roberto.sassu@huawei.com>
To: Janne Karhunen <janne.karhunen@gmail.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>, <dmitry.kasatkin@huawei.com>,
	<mjg59@google.com>, <linux-integrity@vger.kernel.org>,
	<linux-security-module@vger.kernel.org>,
	<silviu.vlasceanu@huawei.com>
Subject: Re: [PATCH v3 0/2] ima/evm fixes for v5.2
Date: Thu, 13 Jun 2019 08:57:05 +0200	[thread overview]
Message-ID: <144bf319-ea0c-f6b6-5737-0aac34f37186@huawei.com> (raw)
In-Reply-To: <CAE=NcrZiyWjZUuxdLgA9Bq89Cpt1W6MLAzPkLHVgfOqSo2i1hQ@mail.gmail.com>

On 6/13/2019 8:01 AM, Janne Karhunen wrote:
> On Wed, Jun 12, 2019 at 7:33 PM Roberto Sassu <roberto.sassu@huawei.com> wrote:
> 
>>> That's a pretty big change for the userland IMHO. Quite a few
>>> configurations out there will break, including mine I believe, so I
>>> hope there is a solid reason for asking people to change their stuff. I'm
>>> fine holding off all writing until it is safe to do so for now.
>>
>> The goal of appraisal is to allow access only to files with a valid
>> signature or HMAC. With the current behavior, that cannot be guaranteed.
>>
>> Unfortunately, dracut-state.sh is created very early. It could be
>> possible to unseal the key before, but this probably means modifying
>> systemd.
> 
> Ok, I see the use case. Now, if you pull a urandom key that early on
> during the boot, the state of the system entropy is at an all-time low,
> and you are not really protecting against any sort of offline attack
> since the file is created during that boot cycle. Is there really a use
> for such a key? Wouldn't it be possible to create a new config
> option, say IMA_ALLOW_EARLY_WRITERS, that would hold the NEW_FILE flag
> until the persistent key becomes available? In other words, it would
> start the measuring at the point when the key becomes online?

I also thought about similar solutions. Another is for example to keep
the appraisal flags at file close, if security.ima is successfully
added to the file.

Initializing EVM with a key is not a trivial change, but it seemed
better to me as it does not introduce exceptions in the IMA behavior.

Roberto

-- 
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI
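The exchange above turns on one property of EVM appraisal: the HMAC stored in security.evm is only verifiable by whoever holds the same key later. The toy model below is an added illustration and is not kernel code or code from either participant. It simplifies EVM heavily (the real HMAC covers inode metadata and several protected xattrs, and keys live in a kernel keyring); the file contents, the `ToyFile` container and the `simulate` helper are constructed for the example. It shows why a file such as dracut-state.sh, created under a key drawn from urandom at early boot, appraises fine in that boot but fails on the next one, whereas the same file created under a persistent key keeps appraising across reboots.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Simplified stand-in for an inode with extended attributes (constructed for
# this example; not the kernel's representation).
@dataclass
class ToyFile:
    name: str
    data: bytes
    xattrs: Dict[str, bytes] = field(default_factory=dict)


def ima_hash(data: bytes) -> bytes:
    """Content digest that a toy security.ima xattr would carry."""
    return hashlib.sha256(data).digest()


def evm_hmac(key: bytes, f: ToyFile) -> bytes:
    """HMAC binding the file name (stand-in for inode metadata) to security.ima.

    Assumption: real EVM hashes more fields; the set used here is illustrative.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(f.name.encode())
    mac.update(f.xattrs.get("security.ima", b""))
    return mac.digest()


def write_file(key: bytes, name: str, data: bytes) -> ToyFile:
    """Create a file and label it with security.ima and security.evm under `key`."""
    f = ToyFile(name, data)
    f.xattrs["security.ima"] = ima_hash(data)
    f.xattrs["security.evm"] = evm_hmac(key, f)
    return f


def appraise(key: bytes, f: ToyFile) -> bool:
    """Allow access only when the content hash and the EVM HMAC both verify."""
    if f.xattrs.get("security.ima") != ima_hash(f.data):
        return False
    stored = f.xattrs.get("security.evm")
    if stored is None:
        return False
    return hmac.compare_digest(evm_hmac(key, f), stored)


def simulate(persistent_key: Optional[bytes], boots: int = 2) -> List[bool]:
    """Create a file in boot 1 and appraise it in that boot and in later boots.

    With persistent_key=None each boot draws a fresh random key, modelling the
    early-boot urandom key discussed above; otherwise the same key is reused.
    """
    results: List[bool] = []
    boot1_key = persistent_key or os.urandom(32)
    # Constructed sample file standing in for an early-boot writer's output.
    f = write_file(boot1_key, "dracut-state.sh", b"state=1\n")
    results.append(appraise(boot1_key, f))
    for _ in range(boots - 1):
        key = persistent_key or os.urandom(32)
        results.append(appraise(key, f))
    return results


def tamper_detected(key: bytes, f: ToyFile) -> bool:
    """Return True if appending to the content makes appraisal fail."""
    g = ToyFile(f.name, f.data + b"extra\n", dict(f.xattrs))
    return not appraise(key, g)


if __name__ == "__main__":
    print("random per-boot key :", simulate(None))        # [True, False]
    print("persistent key      :", simulate(b"k" * 32))   # [True, True]
```

The first result list is the situation the thread describes: the label written at early boot is valid for that boot only, so holding writes (or holding the NEW_FILE flag) until the persistent key is online, or loading a key that survives reboots, are the two ways to make the file appraisable later.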
