From: Mimi Zohar <zohar@linux.ibm.com>
To: Matthew Garrett <mjg59@google.com>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [RFC] kexec: Allow kexec_file() with appropriate IMA policy when locked down
Date: Wed, 13 Mar 2019 21:08:18 -0400 [thread overview]
Message-ID: <1552525698.24794.237.camel@linux.ibm.com> (raw)
In-Reply-To: <CACdnJutmJDLhrdsU9UZtzE+S=Tw39RYqZ3q+TP35PbFbfsL76w@mail.gmail.com>
On Wed, 2019-03-13 at 14:59 -0700, Matthew Garrett wrote:
> On Wed, Mar 13, 2019 at 2:29 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > On Wed, 2019-03-13 at 13:36 -0700, Matthew Garrett wrote:
> > > Oh hm. The only case I can see where this isn't sufficient is if the
> > > filesystem returns EOPNOTSUPP for the EVM xattr, but in that case we
> > > should already have failed to get the IMA xattr and will fail
> > > appraisal as a result?
> >
> > The evm_initialized flag is an indication that EVM has been
> > initialized on the system. Both hmac and signatures could be
> > supported. Even checking for EVM_INIT_X509 doesn't provide any
> > guarantees that the particular file has an EVM signature.
> >
> > (The hmac can be updated (eg. change in security xattrs,
> > remove/additional of protected xattr), so we can't rely on them.)
>
> So having IMA appraisal of the hash and hmac-based EVM validation of
> the xattr security isn't sufficient? Is this just because of the
> offline attack case?
The IMA hash and EVM hmac combination is fine for offline protection.
It's used for mutable files. For immutable files, there must be
either an IMA or EVM signature.
Mimi
next prev parent reply other threads:[~2019-03-14 1:08 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-12 19:57 [RFC] kexec: Allow kexec_file() with appropriate IMA policy when locked down Matthew Garrett
2019-03-13 11:58 ` Mimi Zohar
2019-03-13 20:36 ` Matthew Garrett
2019-03-13 21:29 ` Mimi Zohar
2019-03-13 21:59 ` Matthew Garrett
2019-03-14 1:08 ` Mimi Zohar [this message]
2019-03-14 21:08 ` Matthew Garrett
2019-03-14 22:31 ` Mimi Zohar
2019-03-14 22:54 ` Matthew Garrett
2019-03-14 23:58 ` Mimi Zohar
2019-03-15 22:03 ` Matthew Garrett
2019-03-17 11:39 ` Mimi Zohar
2019-03-17 11:39 ` Mimi Zohar
2019-03-18 19:51 ` Matthew Garrett
2019-03-18 19:51 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1552525698.24794.237.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=mjg59@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.