* Usage of inode number in EVM signatures
@ 2017-10-27 15:08 Peter P.
  2017-10-30 10:29 ` Matthew Garrett
  0 siblings, 1 reply; 2+ messages in thread
From: Peter P. @ 2017-10-27 15:08 UTC (permalink / raw)
  To: linux-integrity

Hi,

I would like to better understand how the inclusion of the inode
number and the other return values from stat add to the protection of
the xattrs when security.evm contains a digital signature.

If any of the security xattrs are tampered with, then I would expect
EVM signature verification will fail. What added protections does one
gain by including file information?

Thank you,

Peter


* Re: Usage of inode number in EVM signatures
  2017-10-27 15:08 Usage of inode number in EVM signatures Peter P.
@ 2017-10-30 10:29 ` Matthew Garrett
  0 siblings, 0 replies; 2+ messages in thread
From: Matthew Garrett @ 2017-10-30 10:29 UTC (permalink / raw)
  To: Peter P.; +Cc: linux-integrity

On Fri, Oct 27, 2017 at 4:08 PM, Peter P. <p.pan48711@gmail.com> wrote:
> Hi,
>
> I would like to better understand how the inclusion of the inode
> number and the other return values from stat add to the protection of
> the xattrs when security.evm contains a digital signature.
>
> If any of the security xattrs are tampered with, then I would expect
> EVM signature verification will fail. What added protections does one
> gain by including file information?

There's no real security advantage as long as IMA is in use. However,
EVM can be used without IMA, and in that case you'd end up with
signatures that could be moved between files. See the discussion of
the portable signature format going on at the moment.

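A toy model of the point made in the reply above, added here as an illustration and not code from the thread or from the kernel: an HMAC stands in for the security.evm signature, the protected xattr list and the byte layout of the stat-derived fields are simplified assumptions rather than the kernel's exact format, and the "portable" variant mirrors the portable-format discussion referred to, in which the inode number and generation are left out.

```python
import hashlib
import hmac

# Constructed demo key standing in for the EVM key (assumption; real EVM
# uses a kernel-held HMAC key or an asymmetric signing key).
EVM_KEY = b"demo-evm-key"

# Protected xattrs, in a fixed order; a simplification of the kernel's list.
PROTECTED_XATTRS = ("security.ima", "security.selinux", "security.capability")


def evm_digest(xattrs, meta, portable=False):
    """Digest the protected xattr values, then bind the inode metadata.

    meta carries the stat-derived fields the question asks about. In the
    portable variant ino and generation are omitted, so the same value is
    valid on any inode with identical xattrs, uid, gid and mode.
    """
    h = hmac.new(EVM_KEY, digestmod=hashlib.sha256)
    for name in PROTECTED_XATTRS:
        if name in xattrs:
            h.update(xattrs[name])
    if not portable:
        h.update(f"{meta['ino']}:{meta['generation']}".encode())
    h.update(f"{meta['uid']}:{meta['gid']}:{meta['mode']:o}".encode())
    return h.digest()


def evm_verify(security_evm, xattrs, meta, portable=False):
    return hmac.compare_digest(security_evm, evm_digest(xattrs, meta, portable))


# Constructed sample: one file with an IMA hash xattr and an SELinux label,
# and a second inode with identical ownership and mode.
FILE_A_XATTRS = {"security.ima": b"\x04" + bytes.fromhex("ab" * 32),
                 "security.selinux": b"system_u:object_r:bin_t:s0\x00"}
FILE_A_META = {"ino": 1234, "generation": 7, "uid": 0, "gid": 0, "mode": 0o100755}
FILE_B_META = {"ino": 5678, "generation": 1, "uid": 0, "gid": 0, "mode": 0o100755}


def demo():
    sig = evm_digest(FILE_A_XATTRS, FILE_A_META)
    genuine = evm_verify(sig, FILE_A_XATTRS, FILE_A_META)
    relabelled = dict(FILE_A_XATTRS,
                      **{"security.selinux": b"system_u:object_r:unconfined_t:s0\x00"})
    tamper_detected = not evm_verify(sig, relabelled, FILE_A_META)
    # Same xattrs and security.evm copied verbatim onto a different inode.
    moved_rejected = not evm_verify(sig, FILE_A_XATTRS, FILE_B_META)
    psig = evm_digest(FILE_A_XATTRS, FILE_A_META, portable=True)
    portable_moves = evm_verify(psig, FILE_A_XATTRS, FILE_B_META, portable=True)
    return genuine, tamper_detected, moved_rejected, portable_moves
```

With IMA appraisal enabled the security.ima hash would additionally tie the xattrs to the file's content, which is why the inode binding only matters when EVM runs without IMA.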
