Linux-Integrity Archive on lore.kernel.org
* OTA does not work with IMA due to xattr not supported by zip
From: rishi gupta @ 2019-01-08  1:26 UTC
  To: linux-integrity

Hi Team,

The Android and Android-recovery-based implementation for Linux generates
an OTA package which is a zipped archive.

I observed that xattrs get dropped when creating a zip archive, and
therefore after an OTA the system will not boot if IMA_APPRAISE_SIGNED_INIT
is used.

This essentially means that IMA may not be used in commercial products
requiring OTA, or I missed something, or there is a workaround for such a
problem.

https://source.android.com/devices/tech/ota/tools

Regards,
Rishi


* Re: OTA does not work with IMA due to xattr not supported by zip
From: Mimi Zohar @ 2019-01-08 20:58 UTC
  To: rishi gupta, linux-integrity

On Tue, 2019-01-08 at 06:56 +0530, rishi gupta wrote:
> Hi Team,
> 
> The Android and Android-recovery-based implementation for Linux generates
> an OTA package which is a zipped archive.
> 
> I observed that xattrs get dropped when creating a zip archive, and
> therefore after an OTA the system will not boot if IMA_APPRAISE_SIGNED_INIT
> is used.
> 
> This essentially means that IMA may not be used in commercial products
> requiring OTA, or I missed something, or there is a workaround for such a
> problem.
> 
> https://source.android.com/devices/tech/ota/tools

Ok.  Some applications support xattrs (e.g. RPM, tar); others don't
(e.g. Debian packages, CPIO/initramfs).  We worked with the RPM
community to add xattr support.  Multiple attempts have been made to
add xattr support to Debian packages.

Mimi



* Re: OTA does not work with IMA due to xattr not supported by zip
From: rishi gupta @ 2019-01-10  6:46 UTC
  To: Mimi Zohar; +Cc: linux-integrity

Thanks Mimi. Any plans for zip archive format support?
Also, when using EVM, the files have to be signed on the target. So after
new files have been flashed on the device during an OTA, does the private
key also need to be present on the system?


On Wed, Jan 9, 2019 at 2:28 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Tue, 2019-01-08 at 06:56 +0530, rishi gupta wrote:
> > Hi Team,
> >
> > The Android and Android-recovery-based implementation for Linux generates
> > an OTA package which is a zipped archive.
> >
> > I observed that xattrs get dropped when creating a zip archive, and
> > therefore after an OTA the system will not boot if IMA_APPRAISE_SIGNED_INIT
> > is used.
> >
> > This essentially means that IMA may not be used in commercial products
> > requiring OTA, or I missed something, or there is a workaround for such a
> > problem.
> >
> > https://source.android.com/devices/tech/ota/tools
>
> Ok.  Some applications support xattrs (e.g. RPM, tar); others don't
> (e.g. Debian packages, CPIO/initramfs).  We worked with the RPM
> community to add xattr support.  Multiple attempts have been made to
> add xattr support to Debian packages.
>
> Mimi
>


* Re: OTA does not work with IMA due to xattr not supported by zip
From: Mimi Zohar @ 2019-01-10 16:18 UTC
  To: rishi gupta; +Cc: linux-integrity, Dmitry Kasatkin

On Thu, 2019-01-10 at 12:16 +0530, rishi gupta wrote:
> Thanks Mimi. Any plans for zip archive format support?

Are you offering?

> Also, when using EVM, the files have to be signed on the target. So after
> new files have been flashed on the device during an OTA, does the private
> key also need to be present on the system?

Perhaps someone with Android experience could respond.  Dmitry?



* Re: OTA does not work with IMA due to xattr not supported by zip
From: Matthew Garrett @ 2019-01-10 18:20 UTC
  To: rishi gupta; +Cc: Mimi Zohar, linux-integrity

On Wed, Jan 9, 2019 at 10:47 PM rishi gupta <gupt21@gmail.com> wrote:
>
> Thanks Mimi. Any plans for zip archive format support?
> Also, when using EVM, the files have to be signed on the target. So after
> new files have been flashed on the device during an OTA, does the private
> key also need to be present on the system?

This is what the portable EVM format is for - it allows EVM signatures
to be generated remotely and shipped as part of a package.


* Re: OTA does not work with IMA due to xattr not supported by zip
From: rishi gupta @ 2019-01-13 10:58 UTC
  To: Matthew Garrett; +Cc: Mimi Zohar, linux-integrity

Thanks Mimi, I am asking if the integrity team is working with the zip
community like with RPM. I will have a look at the zip code to see if it is
in my capacity to add xattr support or not. A possible solution looks
like replacing zip with tar in the OTA solution.

Thanks Matthew, I am at a lower kernel version, therefore portable EVM
may not be taken in as of now. I will backport it possibly.


On Thu, Jan 10, 2019 at 11:50 PM Matthew Garrett <mjg59@google.com> wrote:
>
> On Wed, Jan 9, 2019 at 10:47 PM rishi gupta <gupt21@gmail.com> wrote:
> >
> > Thanks Mimi. Any plans for zip archive format support?
> > Also, when using EVM, the files have to be signed on the target. So after
> > new files have been flashed on the device during an OTA, does the private
> > key also need to be present on the system?
>
> This is what the portable EVM format is for - it allows EVM signatures
> to be generated remotely and shipped as part of a package.
