* [PATCH 0/2] EVM: add some debugging info
@ 2021-06-08 13:29 Mimi Zohar
2021-06-08 13:29 ` [PATCH 1/2] ima: differentiate between EVM failures in the audit log Mimi Zohar
2021-06-08 13:29 ` [PATCH 2/2] evm: output EVM digest calculation info Mimi Zohar
0 siblings, 2 replies; 4+ messages in thread
From: Mimi Zohar @ 2021-06-08 13:29 UTC (permalink / raw)
To: linux-integrity
Cc: linux-security-module, Stefan Berger, Russell Coker, Mimi Zohar
With the recent EVM portable & immutable signature usability improvements
and the ability of including the EVM portable signatures in the IMA
measurement list, adding some dynamic debugging information - security
xattrs and file metadata (misc info) - would be useful.
Mimi Zohar (2):
ima: differentiate between EVM failures in the audit log
evm: output EVM digest calculation info
security/integrity/evm/evm_crypto.c | 42 +++++++++++++++++++++++++++
security/integrity/evm/evm_main.c | 4 +++
security/integrity/ima/ima_appraise.c | 3 +-
3 files changed, 48 insertions(+), 1 deletion(-)
--
2.27.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/2] ima: differentiate between EVM failures in the audit log
2021-06-08 13:29 [PATCH 0/2] EVM: add some debugging info Mimi Zohar
@ 2021-06-08 13:29 ` Mimi Zohar
2021-06-08 13:29 ` [PATCH 2/2] evm: output EVM digest calculation info Mimi Zohar
1 sibling, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2021-06-08 13:29 UTC (permalink / raw)
To: linux-integrity
Cc: linux-security-module, Stefan Berger, Russell Coker, Mimi Zohar,
Roberto Sassu
Differentiate between an invalid EVM portable signature failure
from other EVM HMAC/signature failures.
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
security/integrity/ima/ima_appraise.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 940695e7b535..ef9dcfce45d4 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -422,7 +422,8 @@ int ima_appraise_measurement(enum ima_hooks func,
goto out;
case INTEGRITY_FAIL_IMMUTABLE:
set_bit(IMA_DIGSIG, &iint->atomic_flags);
- fallthrough;
+ cause = "invalid-fail-immutable";
+ goto out;
case INTEGRITY_FAIL: /* Invalid HMAC/signature. */
cause = "invalid-HMAC";
goto out;
--
2.27.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] evm: output EVM digest calculation info
2021-06-08 13:29 [PATCH 0/2] EVM: add some debugging info Mimi Zohar
2021-06-08 13:29 ` [PATCH 1/2] ima: differentiate between EVM failures in the audit log Mimi Zohar
@ 2021-06-08 13:29 ` Mimi Zohar
2021-06-08 16:06 ` nramas
1 sibling, 1 reply; 4+ messages in thread
From: Mimi Zohar @ 2021-06-08 13:29 UTC (permalink / raw)
To: linux-integrity
Cc: linux-security-module, Stefan Berger, Russell Coker, Mimi Zohar,
Lakshmi Ramasubramanian
Output the data used in calculating the EVM digest and the resulting
digest as ascii hexadecimal strings.
Suggested-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> (CONFIG_DYNAMIC_DEBUG)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
Changelog:
- Use pr_debug *phN format
- Define dump_security_xattr() for larger binary data
- Based on CONFIG_DYNAMIC_DEBUG
security/integrity/evm/evm_crypto.c | 42 +++++++++++++++++++++++++++++
security/integrity/evm/evm_main.c | 4 +++
2 files changed, 46 insertions(+)
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 1628e2ca9862..900cf8a157b6 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -10,6 +10,8 @@
* Using root's kernel master key (kmk), calculate the HMAC
*/
+#define pr_fmt(fmt) "EVM: "fmt
+
#include <linux/export.h>
#include <linux/crypto.h>
#include <linux/xattr.h>
@@ -175,6 +177,29 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
type != EVM_XATTR_PORTABLE_DIGSIG)
crypto_shash_update(desc, (u8 *)&inode->i_sb->s_uuid, UUID_SIZE);
crypto_shash_final(desc, digest);
+
+ pr_debug("hmac_misc: (%lu) [%*phN]\n", sizeof(struct h_misc),
+ (int) sizeof(struct h_misc), &hmac_misc);
+}
+
+/*
+ * Dump large security xattr values as a continuous ascii hexademical string.
+ * (pr_debug is limited to 64 bytes.)
+ */
+static void dump_security_xattr(const char *prefix, const void *src, size_t count)
+{
+#if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)
+ char *asciihex, *p;
+
+ p = asciihex = kmalloc(count * 2 + 1, GFP_KERNEL);
+ if (!asciihex)
+ return;
+
+ p = bin2hex(p, src, count);
+ *p = 0;
+ pr_debug("%s: (%lu) %.*s\n", prefix, count, (int) count * 2, asciihex);
+ kfree(asciihex);
+#endif
}
/*
@@ -230,6 +255,16 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
req_xattr_value_len);
if (is_ima)
ima_present = true;
+
+ if (req_xattr_value_len < 64)
+ pr_debug("%s: (%lu) [%*phN]\n", req_xattr_name,
+ req_xattr_value_len,
+ (int)req_xattr_value_len,
+ req_xattr_value);
+ else
+ dump_security_xattr(req_xattr_name,
+ req_xattr_value,
+ req_xattr_value_len);
continue;
}
size = vfs_getxattr_alloc(&init_user_ns, dentry, xattr->name,
@@ -246,6 +281,13 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
crypto_shash_update(desc, (const u8 *)xattr_value, xattr_size);
if (is_ima)
ima_present = true;
+
+ if (xattr_size < 64)
+ pr_debug("%s: (%lu) [%*phN]", xattr->name, xattr_size,
+ (int)xattr_size, xattr_value);
+ else
+ dump_security_xattr(xattr->name, xattr_value,
+ xattr_size);
}
hmac_add_misc(desc, inode, type, data->digest);
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 2c226e634ae9..059ac17a0041 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -11,6 +11,8 @@
* evm_inode_removexattr, and evm_verifyxattr
*/
+#define pr_fmt(fmt) "EVM: "fmt
+
#include <linux/init.h>
#include <linux/crypto.h>
#include <linux/audit.h>
@@ -272,6 +274,8 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
else
evm_status = INTEGRITY_FAIL;
}
+ pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
+ digest.digest);
out:
if (iint)
iint->evm_status = evm_status;
--
2.27.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 2/2] evm: output EVM digest calculation info
2021-06-08 13:29 ` [PATCH 2/2] evm: output EVM digest calculation info Mimi Zohar
@ 2021-06-08 16:06 ` nramas
0 siblings, 0 replies; 4+ messages in thread
From: nramas @ 2021-06-08 16:06 UTC (permalink / raw)
To: Mimi Zohar, linux-integrity
Cc: linux-security-module, Stefan Berger, Russell Coker
On Tue, 2021-06-08 at 09:29 -0400, Mimi Zohar wrote:
> Output the data used in calculating the EVM digest and the resulting
> digest as ascii hexadecimal strings.
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
>
> Suggested-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> (CONFIG_DYNAMIC_DEBUG)
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> Changelog:
> - Use pr_debug *phN format
> - Define dump_security_xattr() for larger binary data
> - Based on CONFIG_DYNAMIC_DEBUG
>
> security/integrity/evm/evm_crypto.c | 42
> +++++++++++++++++++++++++++++
> security/integrity/evm/evm_main.c | 4 +++
> 2 files changed, 46 insertions(+)
>
> diff --git a/security/integrity/evm/evm_crypto.c
> b/security/integrity/evm/evm_crypto.c
> index 1628e2ca9862..900cf8a157b6 100644
> --- a/security/integrity/evm/evm_crypto.c
> +++ b/security/integrity/evm/evm_crypto.c
> @@ -10,6 +10,8 @@
> * Using root's kernel master key (kmk), calculate the HMAC
> */
>
> +#define pr_fmt(fmt) "EVM: "fmt
> +
> #include <linux/export.h>
> #include <linux/crypto.h>
> #include <linux/xattr.h>
> @@ -175,6 +177,29 @@ static void hmac_add_misc(struct shash_desc
> *desc, struct inode *inode,
> type != EVM_XATTR_PORTABLE_DIGSIG)
> crypto_shash_update(desc, (u8 *)&inode->i_sb->s_uuid,
> UUID_SIZE);
> crypto_shash_final(desc, digest);
> +
> + pr_debug("hmac_misc: (%lu) [%*phN]\n", sizeof(struct h_misc),
> + (int) sizeof(struct h_misc), &hmac_misc);
> +}
> +
> +/*
> + * Dump large security xattr values as a continuous ascii
> hexademical string.
> + * (pr_debug is limited to 64 bytes.)
> + */
> +static void dump_security_xattr(const char *prefix, const void *src,
> size_t count)
> +{
> +#if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)
> + char *asciihex, *p;
> +
> + p = asciihex = kmalloc(count * 2 + 1, GFP_KERNEL);
> + if (!asciihex)
> + return;
> +
> + p = bin2hex(p, src, count);
> + *p = 0;
> + pr_debug("%s: (%lu) %.*s\n", prefix, count, (int) count * 2,
> asciihex);
> + kfree(asciihex);
> +#endif
> }
>
> /*
> @@ -230,6 +255,16 @@ static int evm_calc_hmac_or_hash(struct dentry
> *dentry,
> req_xattr_value_len);
> if (is_ima)
> ima_present = true;
> +
> + if (req_xattr_value_len < 64)
> + pr_debug("%s: (%lu) [%*phN]\n",
> req_xattr_name,
> + req_xattr_value_len,
> + (int)req_xattr_value_len,
> + req_xattr_value);
> + else
> + dump_security_xattr(req_xattr_name,
> + req_xattr_value,
> + req_xattr_value_len
> );
> continue;
> }
> size = vfs_getxattr_alloc(&init_user_ns, dentry, xattr-
> >name,
> @@ -246,6 +281,13 @@ static int evm_calc_hmac_or_hash(struct dentry
> *dentry,
> crypto_shash_update(desc, (const u8 *)xattr_value,
> xattr_size);
> if (is_ima)
> ima_present = true;
> +
> + if (xattr_size < 64)
> + pr_debug("%s: (%lu) [%*phN]", xattr->name,
> xattr_size,
> + (int)xattr_size, xattr_value);
> + else
> + dump_security_xattr(xattr->name, xattr_value,
> + xattr_size);
> }
> hmac_add_misc(desc, inode, type, data->digest);
>
> diff --git a/security/integrity/evm/evm_main.c
> b/security/integrity/evm/evm_main.c
> index 2c226e634ae9..059ac17a0041 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -11,6 +11,8 @@
> * evm_inode_removexattr, and evm_verifyxattr
> */
>
> +#define pr_fmt(fmt) "EVM: "fmt
> +
> #include <linux/init.h>
> #include <linux/crypto.h>
> #include <linux/audit.h>
> @@ -272,6 +274,8 @@ static enum integrity_status
> evm_verify_hmac(struct dentry *dentry,
> else
> evm_status = INTEGRITY_FAIL;
> }
> + pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length,
> digest.hdr.length,
> + digest.digest);
> out:
> if (iint)
> iint->evm_status = evm_status;
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-06-08 16:06 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-08 13:29 [PATCH 0/2] EVM: add some debugging info Mimi Zohar
2021-06-08 13:29 ` [PATCH 1/2] ima: differentiate between EVM failures in the audit log Mimi Zohar
2021-06-08 13:29 ` [PATCH 2/2] evm: output EVM digest calculation info Mimi Zohar
2021-06-08 16:06 ` nramas
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).