Hello!

Before coming back to the signing problems below, a quick question about
ima-evm-utils: is http://sourceforge.net/projects/linux-ima/ or Tizen's
platform/upstream/ima-evm-utils the official repo of the latest stable
source?

Tizen's copy has several commits which add new APIs on top of the 0.9
release.

Okay, back to EVM... ;-}

On Fri, 2015-05-08 at 17:21 +0200, Zbigniew Jasiński wrote:
> > On Thu, 2015-05-07 at 15:50 +0200, Zbigniew Jasiński wrote:
> > My hypothesis is that EVM is active, but fails to initialize properly
> > ("evm: init_desc failed"), and thus gets in the way. I would test that
> > hypothesis if I knew how to turn it off - I can try by compiling it out of
> > the kernel, but is that really the only option?
> > 
> 
> Without our patches I think it's the only option.

I have added all of the Tizen patches on top of 3.19.2. Were you
thinking of "evm: add interface to read and write EVM state"? That is a
bit awkward to use for debugging boot issues, because I would have to
write a systemd unit file turning off evm and get that unit to run
before the other units which fail when evm is active.

Anyway, I have disabled evm in the kernel config and now can boot with
"ima_appraise=log ima_tcb" without problems. I think that confirms my
hypothesis that it was evm which caused the issues.

Right now, I only see these solutions for getting evm to work (please
correct me if I'm wrong or miss something):
     1. read-only file system and all files signed in advance
     2. private key stored on the device and
             A. booting with evm=fix or
             B. manipulate files only through a process which has
                exclusive access to the private key
     3. read-only file system with an overlay file system where EVM and
        IMA are disabled
     4. do not store private key and exclude certain files from evm
        enforcement

For option 2A you wanted to add instructions to the Wiki - any progress
for that?

2B would require modifying upstream software and writing such a daemon.
I guess that's similar to the example daemon in ima-evm-reference-utils
(which I haven't looked at yet).

Option 3 and 4 both depend on somehow configuring EVM. I'm still unsure
whether that's already possible. As you said earlier, the IMA policy is
really just for IMA. So EVM really is "all or nothing" when it comes to
files and file systems?

> > > If you add/modify file to protected system in which you use digital
> > > signatures you need to provide private key for that.
> > 
> > I'm unsure about this part here. How do I tell the kernel for
> > ima_appraise=fix which private key it is meant to use?
> > 
> 
> If you use only hashes for IMA you don't need key at all. If you use
> digital signatures I think you need to manually recalculate them.

Is that the difference between --imahash and --imasig in the evmctl
invocation below?

But then how does the kernel decide during ima_appraise=fix? Will it
always operate in --imahash mode, for all files, or does it somehow
depend on how a file was labeled earlier?

> You need to add encrypted key (or trusted if used with TPM) to the kernel 
> keyring for EVM.

So EVM hashes are never signed with a private key? I thought they were
(or at least could be), based on the comments in the Wiki about "you
should consider generate separate key for EVM - use the same script
which you've used for generate IMA certificate".

And how does evmctl deal with this? There's only one --key option for
"evmctl sign", so when doing both signing operations at the same time,
how would I specify a separate EVM private key?

It also does not seem possible to call evmctl once for evm and once for
ima, because there is only one "sign" operation which does both at the
same time (right?).

I also find this example confusing:
http://sourceforge.net/p/linux-ima/wiki/Home/#labeling-the-filesystem-with-securityevm

        #!/bin/sh
        # label "immutable" files with EVM/IMA digital signatures
        # label everything else with just EVM digital signatures

        # ELF binaries get a signed security.ima; everything else only a hash
        if file "$1" | grep -q 'ELF'; then
             evmctl sign --imasig "$1" /home/zohar/privkey_evm.pem
        else
             evmctl sign --imahash "$1" /home/zohar/privkey_evm.pem
        fi
        
The "label everything else with just EVM digital signatures" is a bit
misleading IMHO, because security.ima is still getting created. The
content hash just doesn't seem to be signed (judging from the output of
getfattr).

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
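The question above (is security.ima signed or just hashed, judging from getfattr output) can be answered by reading the first byte of each xattr; the script below is an added example written for this thread, not code from the wiki or ima-evm-utils. The function names xattr_kind and classify_dump and the SAMPLE dump are my own constructs; the type-byte values come from the kernel's enum evm_ima_xattr_type.

```shell
#!/bin/sh
# Classify security.ima / security.evm values as printed by
#   getfattr -m security -e hex <file>
# The first byte of each xattr is the type from the kernel's
# enum evm_ima_xattr_type (IMA_XATTR_DIGEST=1, EVM_XATTR_HMAC=2,
# EVM_IMA_XATTR_DIGSIG=3, IMA_XATTR_DIGEST_NG=4). That byte tells you
# whether evmctl wrote a plain hash (--imahash) or a signature (--imasig).

# xattr_kind NAME HEXVALUE -> prints a human-readable kind
xattr_kind() {
    name=$1
    type_byte=$(printf '%s' "$2" | cut -c3-4)   # skip the "0x" prefix
    case "$name:$type_byte" in
        security.ima:01) echo "ima: unsigned sha1 hash (--imahash, legacy layout)" ;;
        security.ima:04) echo "ima: unsigned hash with algorithm byte (--imahash)" ;;
        security.ima:03) echo "ima: digital signature (--imasig)" ;;
        security.evm:02) echo "evm: HMAC (kernel-generated with the EVM key)" ;;
        security.evm:03) echo "evm: digital signature (evmctl sign)" ;;
        *)               echo "$name: unknown type byte $type_byte" ;;
    esac
}

# classify_dump reads a getfattr dump on stdin, prints one line per xattr.
classify_dump() {
    file=
    while IFS= read -r line; do
        case "$line" in
            "# file: "*) file=${line#"# file: "} ;;
            security.ima=0x*|security.evm=0x*)
                echo "$file ${line%%=*}: $(xattr_kind "${line%%=*}" "${line#*=}")" ;;
        esac
    done
}

# Constructed sample in getfattr -e hex layout; the signature bodies are
# shortened placeholders (type, sig version 2, hash algo, keyid, size).
SAMPLE='# file: usr/bin/foo
security.evm=0x0302020000000000
security.ima=0x0302020000000000

# file: etc/foo.conf
security.evm=0x0302020000000000
security.ima=0x0401aabbccdd'

printf '%s\n' "$SAMPLE" | classify_dump
```

On a real system, replace the sample with `getfattr -m security -e hex -R /usr | classify_dump` to see which files carry an IMA signature versus a bare hash.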



_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
