* IMA/EVM interfaces
@ 2020-07-28 10:32 Denis Efremov
2020-07-28 15:43 ` Roberto Sassu
0 siblings, 1 reply; 5+ messages in thread
From: Denis Efremov @ 2020-07-28 10:32 UTC (permalink / raw)
To: Mimi Zohar, linux-integrity, Dmitry Kasatkin; +Cc: Dmitry Vyukov
Hi,
I've started to add integrity interfaces descriptions to syzkaller
(https://github.com/google/syzkaller/pull/1970).
I've got a question, if you don't mind:
If I write 2 to /sys/kernel/security/integrity/evm/evm before loading keys,
subsequent fs operations will fail with -ENOKEY.
$ echo 2 > /sys/kernel/security/integrity/evm/evm
$ touch test.txt
[ 526.976855][ T5771] evm: HMAC key is not set
[ 526.977892][ T5771] evm: init_desc failed
touch: cannot touch 'test.txt': Required key not available
Is this a desired behavior? Should there be a check in evm_write_key()
for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings) before
changing the evm_initialized bit? Is it correct to set second bit without
first bit?
Thanks,
Denis
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: IMA/EVM interfaces
2020-07-28 10:32 IMA/EVM interfaces Denis Efremov
@ 2020-07-28 15:43 ` Roberto Sassu
2020-07-29 21:59 ` Denis Efremov
0 siblings, 1 reply; 5+ messages in thread
From: Roberto Sassu @ 2020-07-28 15:43 UTC (permalink / raw)
To: efremov, Mimi Zohar, linux-integrity, Dmitry Kasatkin
Cc: Dmitry Vyukov, Silviu Vlasceanu
> From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> owner@vger.kernel.org] On Behalf Of Denis Efremov
> Sent: Tuesday, July 28, 2020 12:32 PM
> Hi,
>
> I've started to add integrity interfaces descriptions to syzkaller
> (https://github.com/google/syzkaller/pull/1970).
>
> I've got a question, if you don't mind:
>
> If I write 2 to /sys/kernel/security/integrity/evm/evm before loading keys,
> subsequent fs operations will fail with -ENOKEY.
>
> $ echo 2 > /sys/kernel/security/integrity/evm/evm
> $ touch test.txt
> [ 526.976855][ T5771] evm: HMAC key is not set
> [ 526.977892][ T5771] evm: init_desc failed
> touch: cannot touch 'test.txt': Required key not available
>
> Is this a desired behavior? Should there be a check in evm_write_key()
> for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings) before
> changing the evm_initialized bit? Is it correct to set second bit without
> first bit?
Hi Denis
can you please try this patch?
https://lore.kernel.org/linux-integrity/20200618160133.937-1-roberto.sassu@huawei.com/
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: IMA/EVM interfaces
2020-07-28 15:43 ` Roberto Sassu
@ 2020-07-29 21:59 ` Denis Efremov
2020-07-30 6:50 ` Roberto Sassu
0 siblings, 1 reply; 5+ messages in thread
From: Denis Efremov @ 2020-07-29 21:59 UTC (permalink / raw)
To: Roberto Sassu, Mimi Zohar, linux-integrity, Dmitry Kasatkin
Cc: Dmitry Vyukov, Silviu Vlasceanu
On 7/28/20 6:43 PM, Roberto Sassu wrote:
>> From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
>> owner@vger.kernel.org] On Behalf Of Denis Efremov
>> Sent: Tuesday, July 28, 2020 12:32 PM
>> Hi,
>>
>> I've started to add integrity interfaces descriptions to syzkaller
>> (https://github.com/google/syzkaller/pull/1970).
>>
>> I've got a question, if you don't mind:
>>
>> If I write 2 to /sys/kernel/security/integrity/evm/evm before loading keys,
>> subsequent fs operations will fail with -ENOKEY.
>>
>> $ echo 2 > /sys/kernel/security/integrity/evm/evm
>> $ touch test.txt
>> [ 526.976855][ T5771] evm: HMAC key is not set
>> [ 526.977892][ T5771] evm: init_desc failed
>> touch: cannot touch 'test.txt': Required key not available
>>
>> Is this a desired behavior? Should there be a check in evm_write_key()
>> for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings) before
>> changing the evm_initialized bit? Is it correct to set second bit without
>> first bit?
>
> Hi Denis
>
> can you please try this patch?
>
> https://lore.kernel.org/linux-integrity/20200618160133.937-1-roberto.sassu@huawei.com/
>
>
$ cat /proc/cmdline
console=ttyS0 root=/dev/sda earlyprintk=serial ima_appraise=fix evm=fix
$ echo 2 > /sys/kernel/security/integrity/evm/evm
[ 44.116084][ T4108] evm: HMAC key is not set
$ touch test.txt
$ cat /sys/kernel/security/integrity/evm/evm
2
$ keyctl add user kmk-user "`cat /etc/keys/kmk-user.blob`" @u
$ keyctl add encrypted evm-key "load `cat /etc/keys/evm-user.blob`" @u
$ echo 1 > /sys/kernel/security/integrity/evm/evm
[ 574.328262] evm: key initialized
Regards,
Denis
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: IMA/EVM interfaces
2020-07-29 21:59 ` Denis Efremov
@ 2020-07-30 6:50 ` Roberto Sassu
2020-07-31 18:45 ` Mimi Zohar
0 siblings, 1 reply; 5+ messages in thread
From: Roberto Sassu @ 2020-07-30 6:50 UTC (permalink / raw)
To: efremov, Mimi Zohar, linux-integrity, Dmitry Kasatkin
Cc: Dmitry Vyukov, Silviu Vlasceanu
> From: Denis Efremov [mailto:efremov@linux.com]
> Sent: Wednesday, July 29, 2020 11:59 PM
>
>
>
> On 7/28/20 6:43 PM, Roberto Sassu wrote:
> >> From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> >> owner@vger.kernel.org] On Behalf Of Denis Efremov
> >> Sent: Tuesday, July 28, 2020 12:32 PM
> >> Hi,
> >>
> >> I've started to add integrity interfaces descriptions to syzkaller
> >> (https://github.com/google/syzkaller/pull/1970).
> >>
> >> I've got a question, if you don't mind:
> >>
> >> If I write 2 to /sys/kernel/security/integrity/evm/evm before loading
> keys,
> >> subsequent fs operations will fail with -ENOKEY.
> >>
> >> $ echo 2 > /sys/kernel/security/integrity/evm/evm
> >> $ touch test.txt
Looks good. Mimi, could you please take this patch, and if
possible, the others in the patch set?
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
> >> [ 526.976855][ T5771] evm: HMAC key is not set
> >> [ 526.977892][ T5771] evm: init_desc failed
> >> touch: cannot touch 'test.txt': Required key not available
> >>
> >> Is this a desired behavior? Should there be a check in evm_write_key()
> >> for loaded keys (encrypted evm-key, keys in _evm, _ima keyrings)
> before
> >> changing the evm_initialized bit? Is it correct to set second bit without
> >> first bit?
> >
> > Hi Denis
> >
> > can you please try this patch?
> >
> > https://lore.kernel.org/linux-integrity/20200618160133.937-1-
> roberto.sassu@huawei.com/
> >
> >
>
> $ cat /proc/cmdline
> console=ttyS0 root=/dev/sda earlyprintk=serial ima_appraise=fix evm=fix
> $ echo 2 > /sys/kernel/security/integrity/evm/evm
> [ 44.116084][ T4108] evm: HMAC key is not set
> $ touch test.txt
> $ cat /sys/kernel/security/integrity/evm/evm
> 2
> $ keyctl add user kmk-user "`cat /etc/keys/kmk-user.blob`" @u
> $ keyctl add encrypted evm-key "load `cat /etc/keys/evm-user.blob`" @u
> $ echo 1 > /sys/kernel/security/integrity/evm/evm
> [ 574.328262] evm: key initialized
>
> Regards,
> Denis
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: IMA/EVM interfaces
2020-07-30 6:50 ` Roberto Sassu
@ 2020-07-31 18:45 ` Mimi Zohar
0 siblings, 0 replies; 5+ messages in thread
From: Mimi Zohar @ 2020-07-31 18:45 UTC (permalink / raw)
To: Roberto Sassu, efremov, linux-integrity, Dmitry Kasatkin
Cc: Dmitry Vyukov, Silviu Vlasceanu
On Thu, 2020-07-30 at 06:50 +0000, Roberto Sassu wrote:
> > From: Denis Efremov [mailto:efremov@linux.com]
> > Sent: Wednesday, July 29, 2020 11:59 PM
> >
> >
> >
> > On 7/28/20 6:43 PM, Roberto Sassu wrote:
> > > > From: linux-integrity-owner@vger.kernel.org [mailto:linux-
> > > > integrity-
> > > > owner@vger.kernel.org] On Behalf Of Denis Efremov
> > > > Sent: Tuesday, July 28, 2020 12:32 PM
> > > > Hi,
> > > >
> > > > I've started to add integrity interfaces descriptions to
> > > > syzkaller
> > > > (https://github.com/google/syzkaller/pull/1970).
> > > >
> > > > I've got a question, if you don't mind:
> > > >
> > > > If I write 2 to /sys/kernel/security/integrity/evm/evm before
> > > > loading
> > keys,
> > > > subsequent fs operations will fail with -ENOKEY.
> > > >
> > > > $ echo 2 > /sys/kernel/security/integrity/evm/evm
> > > > $ touch test.txt
>
> Looks good. Mimi, could you please take this patch, and if
> possible, the others in the patch set?
Just needing to finish up the ima-evm-utils release and finish
reviewing Kees' " Introduce partial kernel_read_file() support" patchset. Will circle back around to EVM shortly.
In the meantime, could you take a look at the syzbot "possible deadlock
in process_measurement" report. According to Amir Goldstein, this
isn't a lock order inversion. It just needs to be properly annotated.
thanks,
Mimi
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-07-31 18:45 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-28 10:32 IMA/EVM interfaces Denis Efremov
2020-07-28 15:43 ` Roberto Sassu
2020-07-29 21:59 ` Denis Efremov
2020-07-30 6:50 ` Roberto Sassu
2020-07-31 18:45 ` Mimi Zohar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).