From: Mimi Zohar <zohar@linux.ibm.com>
To: Roberto Sassu <roberto.sassu@huawei.com>,
"mjg59@google.com" <mjg59@google.com>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>
Subject: Re: [PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded
Date: Mon, 31 Aug 2020 17:31:26 -0400 [thread overview]
Message-ID: <b74a68cb22656e4646d61c651aeb5ebee234530c.camel@linux.ibm.com> (raw)
In-Reply-To: <0c1c8fb398c340d89531360be7e3418b@huawei.com>
On Mon, 2020-08-31 at 08:24 +0000, Roberto Sassu wrote:
> > From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> > Sent: Friday, August 21, 2020 10:15 PM
> > Hi Roberto,
> >
> > On Thu, 2020-06-18 at 18:01 +0200, Roberto Sassu wrote:
> > > Granting metadata write is safe if the HMAC key is not loaded, as it won't
> > > let an attacker obtain a valid HMAC from corrupted xattrs.
> > evm_write_key()
> > > however does not allow it if any key is loaded, including a public key,
> > > which should not be a problem.
> > >
> >
> > Why is the existing hebavior a problem? What is the problem being
> > solved?
>
> Hi Mimi
>
> currently it is not possible to set EVM_ALLOW_METADATA_WRITES when
> only a public key is loaded and the HMAC key is not. The patch removes
> this limitation.
Yes, I understand. You're describing "what" the problem is, not "why"
this is a problem. Support for loading EVM HMAC and x509 certificates
isn't new. Please add a line or two prior to this paragraph providing
the context for why this is now a problem.
Is the problem related to previoulsy not beginning EVM verification
until after the EVM HMAC key was loaded? Or perhaps EVM signatures
were not that common since they weren't portable. Now, with portable
and immutable signatures loading x509 certificates is more common.
thanks,
Mimi
next prev parent reply other threads:[~2020-08-31 21:31 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-18 16:01 [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded Roberto Sassu
2020-06-18 16:01 ` [PATCH 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal Roberto Sassu
2020-08-21 18:45 ` Mimi Zohar
2020-08-31 9:44 ` Roberto Sassu
2020-08-31 19:26 ` Mimi Zohar
2020-06-18 16:01 ` [PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded Roberto Sassu
2020-08-21 20:14 ` Mimi Zohar
2020-08-31 8:24 ` Roberto Sassu
2020-08-31 21:31 ` Mimi Zohar [this message]
2020-06-18 16:01 ` [PATCH 04/11] evm: Check size of security.evm before using it Roberto Sassu
2020-08-24 12:14 ` Mimi Zohar
2020-06-18 16:01 ` [PATCH 05/11] evm: Allow xattr/attr operations for portable signatures if check fails Roberto Sassu
2020-08-24 12:16 ` Mimi Zohar
2020-08-21 18:30 ` [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded Mimi Zohar
2020-08-24 17:45 ` Mimi Zohar
2020-09-02 11:42 ` Roberto Sassu
2020-09-02 13:40 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b74a68cb22656e4646d61c651aeb5ebee234530c.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=Silviu.Vlasceanu@huawei.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=roberto.sassu@huawei.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).