linux-integrity.vger.kernel.org archive mirror
Subject: evmctl argument parsing, HMAC algorithm, HMAC replacement
From: Ahmed, Safayet (GE Research, US)
Date: 2020-10-28 19:31 UTC
To: linux-integrity
In-Reply-To: <85ea42e260344f5bb7e21daec5f2d3d0@ge.com> (not found in archive)

Hello,

I just had a few questions:

1) In the evmctl utility source ("evmctl.c"), in the "sign_ima_file" function on line 713,
the default signing-key path is set to "/etc/keys/privkey_evm.pem".
Should that be "/etc/keys/privkey_ima.pem"?

2) Currently, the hashing algorithm for HMAC signatures in the kernel is hardcoded to SHA1.
SHA1 is considered too short to provide protection against collision attacks. (Such attacks have been demonstrated).
Are there plans to move to more secure hashing algorithms?

3) Is there any document that lists the events that cause the kernel to update asymmetric EVM signatures with HMAC signatures?

I think this update happens in "evm_update_evmxattr".
This function is called directly by "evm_verify_hmac", but I didn't fully understand the set of conditions that need to be satisfied before the replacement is performed.

There is a call chain from IMA's "process_measurement" function to "evm_verify_hmac".

I did some experiments where I
- check the "security.evm" extended attribute using the "getfattr" utility on a script with an IMA and EVM RSA signature.
- perform an operation
- check the extended attribute again to see if it's replaced with something much shorter.

In my experiment, just calling the script (which should eventually invoke "process_measurement") doesn't cause the EVM RSA signature to be replaced with an HMAC signature.

However, I've been able to force the replacement by changing file attributes. I suspect changes to extended attributes will achieve the same as well.

Thank you for your help,

Safayet N. Ahmed Ph.D
Lead Engineer
Embedded Computing Group
GE Research
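The before/after comparison of "security.evm" described in the mail above can be done mechanically instead of by eyeballing the length of the getfattr output. The following is an added example, not code from the mail's author or from ima-evm-utils: it parses a `getfattr -e hex -n security.evm` line, reads the type byte at offset 0 (enum evm_ima_xattr_type in the kernel's security/integrity/integrity.h) and, for a digital signature, the signature_v2_hdr that follows it (version, hash_algo from include/uapi/linux/hash_info.h, big-endian key id and signature size), and reports whether the attribute is the 21-byte SHA1 HMAC form or an RSA signature. The field layouts and constants are stated as the editor understands them from those headers; the sample blobs are constructed (zero-filled signature, dummy digest), not captured from a real system.

```python
"""Classify an EVM extended attribute as an HMAC or a digital signature.

Added example (not from the original mail or from ima-evm-utils). Layout
constants follow the kernel's security/integrity/integrity.h and
include/uapi/linux/hash_info.h as the editor understands them; the sample
blobs below are constructed, not captured from a real system.
"""
import struct

# First byte of security.evm / security.ima: enum evm_ima_xattr_type
IMA_XATTR_DIGEST = 1
EVM_XATTR_HMAC = 2
EVM_IMA_XATTR_DIGSIG = 3
IMA_XATTR_DIGEST_NG = 4
EVM_XATTR_PORTABLE_DIGSIG = 5

# hash_algo IDs from include/uapi/linux/hash_info.h (subset)
HASH_ALGO_NAMES = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
                   4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}

# signature_v2_hdr after the type byte: version(1) hash_algo(1) keyid(4, BE) sig_size(2, BE)
_SIG_V2_HDR = struct.Struct(">BBIH")


def parse_getfattr_hex(line: str) -> bytes:
    """Turn a `getfattr -e hex` line such as 'security.evm=0x02ab...' into bytes."""
    name, _, value = line.strip().partition("=")
    if name != "security.evm" or not value.startswith("0x"):
        raise ValueError(f"not a hex-encoded security.evm line: {line!r}")
    return bytes.fromhex(value[2:])


def classify_evm_xattr(blob: bytes) -> dict:
    """Return a dict describing the xattr: kind, lengths, and signature header fields."""
    if not blob:
        raise ValueError("empty security.evm")
    xtype = blob[0]
    if xtype == EVM_XATTR_HMAC:
        # Kernel HMAC is SHA1: 1 type byte + 20 digest bytes = 21 bytes total
        digest = blob[1:]
        return {"kind": "hmac", "digest_len": len(digest),
                "digest_hex": digest.hex(), "total_len": len(blob)}
    if xtype in (EVM_IMA_XATTR_DIGSIG, EVM_XATTR_PORTABLE_DIGSIG):
        if len(blob) < 1 + _SIG_V2_HDR.size:
            raise ValueError("digsig xattr truncated before header end")
        version, hash_algo, keyid, sig_size = _SIG_V2_HDR.unpack_from(blob, 1)
        sig = blob[1 + _SIG_V2_HDR.size:]
        if len(sig) != sig_size:
            raise ValueError(f"sig_size {sig_size} but {len(sig)} signature bytes present")
        return {"kind": "portable_digsig" if xtype == EVM_XATTR_PORTABLE_DIGSIG else "digsig",
                "version": version,
                "hash_algo": HASH_ALGO_NAMES.get(hash_algo, f"unknown({hash_algo})"),
                "keyid": f"{keyid:08x}", "sig_size": sig_size,
                "rsa_bits_hint": sig_size * 8, "total_len": len(blob)}
    return {"kind": f"other(type={xtype})", "total_len": len(blob)}


def replaced_by_hmac(before: bytes, after: bytes) -> bool:
    """The check from the mail's experiment: did an RSA signature turn into an HMAC?"""
    return (classify_evm_xattr(before)["kind"] in ("digsig", "portable_digsig")
            and classify_evm_xattr(after)["kind"] == "hmac")


# Constructed samples (not real signatures): a 2048-bit RSA EVM signature over
# sha256 with key id 0x01234567, and a SHA1 HMAC with a dummy 20-byte digest.
SAMPLE_DIGSIG = (bytes([EVM_IMA_XATTR_DIGSIG])
                 + _SIG_V2_HDR.pack(2, 4, 0x01234567, 256)
                 + bytes(256))
SAMPLE_HMAC = bytes([EVM_XATTR_HMAC]) + bytes(range(20))
SAMPLE_HMAC_LINE = "security.evm=0x" + SAMPLE_HMAC.hex()

if __name__ == "__main__":
    for label, blob in (("before", SAMPLE_DIGSIG),
                        ("after", parse_getfattr_hex(SAMPLE_HMAC_LINE))):
        print(label, classify_evm_xattr(blob))
    print("replaced by HMAC:", replaced_by_hmac(SAMPLE_DIGSIG, SAMPLE_HMAC))
```

On a real system, capture `getfattr -e hex -n security.evm <file>` before and after the operation under test (executing the script, chmod, setxattr), feed the two "security.evm=0x..." lines to parse_getfattr_hex, and let replaced_by_hmac decide; the type byte, not the length, is the authoritative distinction, and a 265-byte blob with type 0x03 is an RSA-2048 signature while a 21-byte blob with type 0x02 is the SHA1 HMAC.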

