Linux-Integrity Archive on lore.kernel.org
* IMA/EVM interfaces
@ 2020-07-28 10:32 Denis Efremov
  2020-07-28 15:43 ` Roberto Sassu
  0 siblings, 1 reply; 5+ messages in thread
From: Denis Efremov @ 2020-07-28 10:32 UTC (permalink / raw)
  To: Mimi Zohar, linux-integrity, Dmitry Kasatkin; +Cc: Dmitry Vyukov

Hi,

I've started to add integrity interfaces descriptions to syzkaller
(https://github.com/google/syzkaller/pull/1970).

I've got a question, if you don't mind:

If I write 2 to /sys/kernel/security/integrity/evm/evm before loading keys,
subsequent fs operations will fail with -ENOKEY.

$ echo 2 > /sys/kernel/security/integrity/evm/evm
$ touch test.txt
[  526.976855][ T5771] evm: HMAC key is not set
[  526.977892][ T5771] evm: init_desc failed
touch: cannot touch 'test.txt': Required key not available

Is this a desired behavior? Should there be a check in evm_write_key()
for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings) before
changing the evm_initialized bit? Is it correct to set second bit without
first bit?

Thanks,
Denis


* RE: IMA/EVM interfaces
  2020-07-28 10:32 IMA/EVM interfaces Denis Efremov
@ 2020-07-28 15:43 ` Roberto Sassu
  2020-07-29 21:59   ` Denis Efremov
  0 siblings, 1 reply; 5+ messages in thread
From: Roberto Sassu @ 2020-07-28 15:43 UTC (permalink / raw)
  To: efremov, Mimi Zohar, linux-integrity, Dmitry Kasatkin
  Cc: Dmitry Vyukov, Silviu Vlasceanu

> From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> owner@vger.kernel.org] On Behalf Of Denis Efremov
> Sent: Tuesday, July 28, 2020 12:32 PM
> Hi,
> 
> I've started to add integrity interfaces descriptions to syzkaller
> (https://github.com/google/syzkaller/pull/1970).
> 
> I've got a question, if you don't mind:
> 
> If I write 2 to /sys/kernel/security/integrity/evm/evm before loading keys,
> subsequent fs operations will fail with -ENOKEY.
> 
> $ echo 2 > /sys/kernel/security/integrity/evm/evm
> $ touch test.txt
> [  526.976855][ T5771] evm: HMAC key is not set
> [  526.977892][ T5771] evm: init_desc failed
> touch: cannot touch 'test.txt': Required key not available
> 
> Is this a desired behavior? Should there be a check in evm_write_key()
> for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings) before
> changing the evm_initialized bit? Is it correct to set second bit without
> first bit?

Hi Denis

can you please try this patch?

https://lore.kernel.org/linux-integrity/20200618160133.937-1-roberto.sassu@huawei.com/

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli


* Re: IMA/EVM interfaces
  2020-07-28 15:43 ` Roberto Sassu
@ 2020-07-29 21:59   ` Denis Efremov
  2020-07-30  6:50     ` Roberto Sassu
  0 siblings, 1 reply; 5+ messages in thread
From: Denis Efremov @ 2020-07-29 21:59 UTC (permalink / raw)
  To: Roberto Sassu, Mimi Zohar, linux-integrity, Dmitry Kasatkin
  Cc: Dmitry Vyukov, Silviu Vlasceanu



On 7/28/20 6:43 PM, Roberto Sassu wrote:
>> From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
>> owner@vger.kernel.org] On Behalf Of Denis Efremov
>> Sent: Tuesday, July 28, 2020 12:32 PM
>> Hi,
>>
>> I've started to add integrity interfaces descriptions to syzkaller
>> (https://github.com/google/syzkaller/pull/1970).
>>
>> I've got a question, if you don't mind:
>>
>> If I write 2 to /sys/kernel/security/integrity/evm/evm before loading keys,
>> subsequent fs operations will fail with -ENOKEY.
>>
>> $ echo 2 > /sys/kernel/security/integrity/evm/evm
>> $ touch test.txt
>> [  526.976855][ T5771] evm: HMAC key is not set
>> [  526.977892][ T5771] evm: init_desc failed
>> touch: cannot touch 'test.txt': Required key not available
>>
>> Is this a desired behavior? Should there be a check in evm_write_key()
>> for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings) before
>> changing the evm_initialized bit? Is it correct to set second bit without
>> first bit?
> 
> Hi Denis
> 
> can you please try this patch?
> 
> https://lore.kernel.org/linux-integrity/20200618160133.937-1-roberto.sassu@huawei.com/
> 
> 

$ cat /proc/cmdline
console=ttyS0 root=/dev/sda earlyprintk=serial ima_appraise=fix evm=fix
$ echo 2 > /sys/kernel/security/integrity/evm/evm
[   44.116084][ T4108] evm: HMAC key is not set
$ touch test.txt
$ cat /sys/kernel/security/integrity/evm/evm
2
$ keyctl add user kmk-user "`cat /etc/keys/kmk-user.blob`" @u
$ keyctl add encrypted evm-key "load `cat /etc/keys/evm-user.blob`" @u
$ echo 1 > /sys/kernel/security/integrity/evm/evm
[  574.328262] evm: key initialized

Regards,
Denis
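The ordering issue Denis raises in his first mail (writing 2 to the evm control file before any key is loaded) and the key-loading sequence he shows above can be guarded from user space as well. The script below is an added example, not code from this thread, from the kernel's EVM code, or from Roberto's patch: it decodes the mode about to be written, checks that the key material each bit depends on is present, and only then writes to the control file. Assumptions this example makes: `keyctl` from keyutils is installed; the HMAC key is the encrypted `evm-key` reachable from `@u`, as in Denis's session; x509 keys are expected on a keyring named `.evm` (the thread mentions `_evm`/`_ima`, so adjust `EVM_X509_KEYRING` to match the system); the `%keyring:NAME` key specifier and the `keyring is empty` line from `keyctl list` are assumed keyutils behaviour; the bit values 0x1 and 0x2 correspond to the kernel's `EVM_INIT_HMAC` and `EVM_INIT_X509`. The function `evm_mode_ok` is pure so it can be exercised without root or securityfs.

```shell
#!/bin/sh
# evm_preflight.sh: user-space preflight before writing to the EVM control file.
# Added example for the linux-integrity thread "IMA/EVM interfaces"; not kernel
# code. Bit values: EVM_INIT_HMAC = 0x1, EVM_INIT_X509 = 0x2 (from evm.h).

EVM_CTL=/sys/kernel/security/integrity/evm/evm
EVM_HMAC_KEY_DESC=evm-key          # encrypted key used for the HMAC (thread)
EVM_X509_KEYRING=.evm              # assumed name of the x509 keyring

# evm_mode_ok MODE HAVE_HMAC HAVE_X509
#   MODE      integer about to be written (1 = HMAC, 2 = x509, 3 = both)
#   HAVE_HMAC 1 if the encrypted evm-key is loaded, else 0
#   HAVE_X509 1 if the x509 keyring holds at least one key, else 0
# Returns 0 only when every requested bit has its key material available,
# which is exactly the situation where -ENOKEY on later fs operations cannot
# arise from a missing key.
evm_mode_ok() {
    mode=$1; have_hmac=$2; have_x509=$3
    if [ $((mode & 3)) -eq 0 ]; then
        echo "mode $mode sets neither the HMAC (1) nor the x509 (2) bit" >&2
        return 1
    fi
    if [ $((mode & 1)) -ne 0 ] && [ "$have_hmac" -ne 1 ]; then
        echo "refusing EVM_INIT_HMAC: encrypted $EVM_HMAC_KEY_DESC not loaded" >&2
        return 1
    fi
    if [ $((mode & 2)) -ne 0 ] && [ "$have_x509" -ne 1 ]; then
        echo "refusing EVM_INIT_X509: keyring $EVM_X509_KEYRING has no keys" >&2
        return 1
    fi
    return 0
}

# have_evm_hmac_key: prints 1 if keyctl can find the encrypted evm-key
# starting from the user keyring, the same place Denis's session adds it.
have_evm_hmac_key() {
    if keyctl search @u encrypted "$EVM_HMAC_KEY_DESC" >/dev/null 2>&1; then
        echo 1
    else
        echo 0
    fi
}

# keyring_nonempty NAME: prints 1 if the named keyring exists and lists at
# least one key. Relies on keyutils printing "keyring is empty" (assumption).
keyring_nonempty() {
    listing=$(keyctl list "%keyring:$1" 2>/dev/null) || { echo 0; return; }
    case "$listing" in
        *"keyring is empty"*) echo 0 ;;
        *) echo 1 ;;
    esac
}

# evm_enable MODE: run the preflight, then write MODE to the control file
# and report what the kernel now exposes.
evm_enable() {
    mode=$1
    evm_mode_ok "$mode" "$(have_evm_hmac_key)" \
                "$(keyring_nonempty "$EVM_X509_KEYRING")" || return 1
    echo "$mode" > "$EVM_CTL" || return 1
    echo "evm control file now reports: $(cat "$EVM_CTL")"
}

# Only act when invoked with a mode argument, e.g. `sh evm_preflight.sh 1`;
# sourcing the file or running it with no argument defines the functions only.
case "${1:-}" in
    1|2|3) evm_enable "$1" ;;
esac
```

Run as root on a system with securityfs mounted: `sh evm_preflight.sh 1` after the `keyctl add` steps above succeeds, while the same command before loading `evm-key` stops at the preflight instead of leaving EVM in a state where every `touch` returns "Required key not available".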


* RE: IMA/EVM interfaces
  2020-07-29 21:59   ` Denis Efremov
@ 2020-07-30  6:50     ` Roberto Sassu
  2020-07-31 18:45       ` Mimi Zohar
  0 siblings, 1 reply; 5+ messages in thread
From: Roberto Sassu @ 2020-07-30  6:50 UTC (permalink / raw)
  To: efremov, Mimi Zohar, linux-integrity, Dmitry Kasatkin
  Cc: Dmitry Vyukov, Silviu Vlasceanu

> From: Denis Efremov [mailto:efremov@linux.com]
> Sent: Wednesday, July 29, 2020 11:59 PM
> 
> 
> 
> On 7/28/20 6:43 PM, Roberto Sassu wrote:
> >> From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> >> owner@vger.kernel.org] On Behalf Of Denis Efremov
> >> Sent: Tuesday, July 28, 2020 12:32 PM
> >> Hi,
> >>
> >> I've started to add integrity interfaces descriptions to syzkaller
> >> (https://github.com/google/syzkaller/pull/1970).
> >>
> >> I've got a question, if you don't mind:
> >>
> >> If I write 2 to /sys/kernel/security/integrity/evm/evm before loading
> keys,
> >> subsequent fs operations will fail with -ENOKEY.
> >>
> >> $ echo 2 > /sys/kernel/security/integrity/evm/evm
> >> $ touch test.txt

Looks good. Mimi, could you please take this patch, and if
possible, the others in the patch set?

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> >> [  526.976855][ T5771] evm: HMAC key is not set
> >> [  526.977892][ T5771] evm: init_desc failed
> >> touch: cannot touch 'test.txt': Required key not available
> >>
> >> Is this a desired behavior? Should there be a check in evm_write_key()
> >> for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings)
> before
> >> changing the evm_initialized bit? Is it correct to set second bit without
> >> first bit?
> >
> > Hi Denis
> >
> > can you please try this patch?
> >
> > https://lore.kernel.org/linux-integrity/20200618160133.937-1-
> roberto.sassu@huawei.com/
> >
> >
> 
> $ cat /proc/cmdline
> console=ttyS0 root=/dev/sda earlyprintk=serial ima_appraise=fix evm=fix
> $ echo 2 > /sys/kernel/security/integrity/evm/evm
> [   44.116084][ T4108] evm: HMAC key is not set
> $ touch test.txt
> $ cat /sys/kernel/security/integrity/evm/evm
> 2
> $ keyctl add user kmk-user "`cat /etc/keys/kmk-user.blob`" @u
> $ keyctl add encrypted evm-key "load `cat /etc/keys/evm-user.blob`" @u
> $ echo 1 > /sys/kernel/security/integrity/evm/evm
> [  574.328262] evm: key initialized
> 
> Regards,
> Denis


* Re: IMA/EVM interfaces
  2020-07-30  6:50     ` Roberto Sassu
@ 2020-07-31 18:45       ` Mimi Zohar
  0 siblings, 0 replies; 5+ messages in thread
From: Mimi Zohar @ 2020-07-31 18:45 UTC (permalink / raw)
  To: Roberto Sassu, efremov, linux-integrity, Dmitry Kasatkin
  Cc: Dmitry Vyukov, Silviu Vlasceanu

On Thu, 2020-07-30 at 06:50 +0000, Roberto Sassu wrote:
> > From: Denis Efremov [mailto:efremov@linux.com]
> > Sent: Wednesday, July 29, 2020 11:59 PM
> > 
> > 
> > 
> > On 7/28/20 6:43 PM, Roberto Sassu wrote:
> > > > From: linux-integrity-owner@vger.kernel.org [mailto:linux-
> > > > integrity-
> > > > owner@vger.kernel.org] On Behalf Of Denis Efremov
> > > > Sent: Tuesday, July 28, 2020 12:32 PM
> > > > Hi,
> > > > 
> > > > I've started to add integrity interfaces descriptions to
> > > > syzkaller
> > > > (https://github.com/google/syzkaller/pull/1970).
> > > > 
> > > > I've got a question, if you don't mind:
> > > > 
> > > > If I write 2 to /sys/kernel/security/integrity/evm/evm before
> > > > loading
> > keys,
> > > > subsequent fs operations will fail with -ENOKEY.
> > > > 
> > > > $ echo 2 > /sys/kernel/security/integrity/evm/evm
> > > > $ touch test.txt
> 
> Looks good. Mimi, could you please take this patch, and if
> possible, the others in the patch set?

Just needing to finish up the ima-evm-utils release and finish
reviewing Kees' "Introduce partial kernel_read_file() support" patchset.
Will circle back around to EVM shortly.

In the meantime, could you take a look at the syzbot "possible deadlock
in process_measurement" report.   According to Amir Goldstein, this
isn't a lock order inversion.  It just needs to be properly annotated.

thanks,

Mimi

