Re: [PATCH v3 0/2] ima/evm fixes for v5.2

[Roberto Sassu <roberto.sassu@huawei.com>]

On 6/13/2019 8:01 AM, Janne Karhunen wrote:
> On Wed, Jun 12, 2019 at 7:33 PM Roberto Sassu <roberto.sassu@huawei.com> wrote:
> 
>>> That's a pretty big change for the userland IMHO. Quite a few
>>> configurations out there will break, including mine I believe, so I
>>> hope there is a solid reason asking people to change their stuff. I'm
>>> fine holding off all writing until it is safe to do so for now..
>>
>> The goal of appraisal is to allow access only to files with a valid
>> signature or HMAC. With the current behavior, that cannot be guaranteed.
>>
>> Unfortunately, dracut-state.sh is created very early. It could be
>> possible to unseal the key before, but this probably means modifying
>> systemd.
> 
> Ok, I see the use case. Now, if you pull a urandom key that early on
> during the boot, the state of the system entropy is at all time low,
> and you are not really protecting against any sort of offline attack
> since the file is created during that boot cycle. Is there really use
> for using such key? Wouldn't it be possible to create a new config
> option, say IMA_ALLOW_EARLY_WRITERS, that would hold the NEW_FILE flag
> until the persistent key becomes available? In other words, it would
> start the measuring at the point when the key becomes online?

I also thought about similar solutions. Another is for example to keep
the appraisal flags at file close, if security.ima is successfully
added to the file.

Initializing EVM with a key is not a trivial change, but it seemed
better to me as it does not introduce exceptions in the IMA behavior.

Roberto

-- 
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI