Re: IMA/EVM interfaces

[Denis Efremov <efremov@linux.com>]

On 7/28/20 6:43 PM, Roberto Sassu wrote:
>> From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
>> owner@vger.kernel.org] On Behalf Of Denis Efremov
>> Sent: Tuesday, July 28, 2020 12:32 PM
>> Hi,
>>
>> I've started to add integrity interfaces descriptions to syzkaller
>> (https://github.com/google/syzkaller/pull/1970).
>>
>> I've got a question, if you don't mind:
>>
>> If I write 2 to /sys/kernel/security/integrity/evm/evm before loading keys,
>> subsequent fs operations will fail with -ENOKEY.
>>
>> $ echo 2 > /sys/kernel/security/integrity/evm/evm
>> $ touch test.txt
>> [  526.976855][ T5771] evm: HMAC key is not set
>> [  526.977892][ T5771] evm: init_desc failed
>> touch: cannot touch 'test.txt': Required key not available
>>
>> Is this a desired behavior? Should there be a check in evm_write_key()
>> for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings) before
>> changing the evm_initialized bit? Is it correct to set second bit without
>> first bit?
> 
> Hi Denis
> 
> can you please try this patch?
> 
> https://lore.kernel.org/linux-integrity/20200618160133.937-1-roberto.sassu@huawei.com/
> 
> 

$ cat /proc/cmdline
console=ttyS0 root=/dev/sda earlyprintk=serial ima_appraise=fix evm=fix
$ echo 2 > /sys/kernel/security/integrity/evm/evm
[   44.116084][ T4108] evm: HMAC key is not set
$ touch test.txt
$ cat /sys/kernel/security/integrity/evm/evm
2
$ keyctl add user kmk-user "`cat /etc/keys/kmk-user.blob`" @u
$ keyctl add encrypted evm-key "load `cat /etc/keys/evm-user.blob`" @u
$ echo 1 > /sys/kernel/security/integrity/evm/evm
[  574.328262] evm: key initialized

Regards,
Denis