All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Roberto Sassu <roberto.sassu@huawei.com>, mjg59@google.com
Cc: linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, silviu.vlasceanu@huawei.com,
	stable@vger.kernel.org
Subject: Re: [PATCH v2 04/12] evm: Execute evm_inode_init_security() only when the HMAC key is loaded
Date: Wed, 16 Sep 2020 12:15:18 -0400	[thread overview]
Message-ID: <3183edb20e3a84c29be6f3e3b459bf51c3355b6b.camel@linux.ibm.com> (raw)
In-Reply-To: <20200904092339.19598-5-roberto.sassu@huawei.com>

Hi Roberto,

On Fri, 2020-09-04 at 11:23 +0200, Roberto Sassu wrote:
> evm_inode_init_security() requires the HMAC key to calculate the HMAC on
> initial xattrs provided by LSMs. Unfortunately, with the evm_key_loaded()
> check, the function continues even if the HMAC key is not loaded
> (evm_key_loaded() returns true also if EVM has been initialized only with a
> public key). If the HMAC key is not loaded, evm_inode_init_security()
> returns an error later when it calls evm_init_hmac().

This is all true, but the context for why it wasn't an issue previously
is missing.

The original usecase for allowing signature verificaton prior to
loading the HMAC key was a fully signed, possibly immutable, initrd. 
No new files were created or, at least, were in policy until the HMAC
key was loaded.   More recently support for requiring an EVM HMAC key
was removed.  Files having a portable and immutable signature were
given additional privileges.

Please update the patch description with the context of what has
changed.

Mimi


  parent reply	other threads:[~2020-09-16 21:02 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-09-04  9:23 [PATCH v2 00/12] IMA/EVM fixes Roberto Sassu
2020-09-04  9:23 ` [PATCH v2 01/12] ima: Don't ignore errors from crypto_shash_update() Roberto Sassu
2020-09-07 15:03   ` Sasha Levin
2020-09-04  9:23 ` [PATCH v2 02/12] ima: Remove semicolon at the end of ima_get_binary_runtime_size() Roberto Sassu
2020-09-04  9:23 ` [PATCH v2 03/12] evm: Check size of security.evm before using it Roberto Sassu
2020-09-04  9:23 ` [PATCH v2 04/12] evm: Execute evm_inode_init_security() only when the HMAC key is loaded Roberto Sassu
2020-09-07 15:03   ` Sasha Levin
2020-09-16 16:15   ` Mimi Zohar [this message]
2020-09-04  9:26 ` [PATCH v2 05/12] evm: Load EVM key in ima_load_x509() to avoid appraisal Roberto Sassu
2020-09-04  9:26 ` [PATCH v2 06/12] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded Roberto Sassu
2020-09-04  9:26 ` [PATCH v2 07/12] evm: Introduce EVM_RESET_STATUS atomic flag Roberto Sassu
2020-09-17 12:01   ` Mimi Zohar
2020-09-17 17:36     ` Roberto Sassu
2020-09-17 17:47       ` Mimi Zohar
2020-09-04  9:26 ` [PATCH v2 08/12] evm: Allow xattr/attr operations for portable signatures if check fails Roberto Sassu
2020-09-17 12:32   ` Mimi Zohar
2020-09-04  9:26 ` [PATCH v2 09/12] evm: Allow setxattr() and setattr() if metadata digest won't change Roberto Sassu
2020-09-17 13:15   ` Mimi Zohar
2020-09-04  9:26 ` [PATCH v2 10/12] ima: Allow imasig requirement to be satisfied by EVM portable signatures Roberto Sassu
2020-09-04  9:26 ` [PATCH v2 11/12] ima: Introduce template field evmsig and write to field sig as fallback Roberto Sassu
2020-09-17 14:25   ` Mimi Zohar
2020-09-17 15:05     ` Roberto Sassu
2020-09-17 15:55       ` Mimi Zohar
2020-09-04  9:26 ` [PATCH v2 12/12] ima: Don't remove security.ima if file must not be appraised Roberto Sassu
2020-09-16 16:14 ` [PATCH v2 00/12] IMA/EVM fixes Mimi Zohar
2020-09-17 14:33   ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3183edb20e3a84c29be6f3e3b459bf51c3355b6b.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mjg59@google.com \
    --cc=roberto.sassu@huawei.com \
    --cc=silviu.vlasceanu@huawei.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.