From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Matthew Garrett <mjg59@google.com>
Cc: linux-integrity@vger.kernel.org,
Mikhail Kurinnoi <viewizard@viewizard.com>
Subject: Re: RFC: Make it practical to ship EVM signatures
Date: Sat, 30 Sep 2017 22:36:37 -0400 [thread overview]
Message-ID: <1506825397.5691.186.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CACdnJutXT6yU70R07m7Nd=7d6RbZr0Nti_r54Z7CffiK2r17zA@mail.gmail.com>
On Fri, 2017-09-29 at 13:09 -0700, Matthew Garrett wrote:
> On Fri, Sep 29, 2017 at 1:01 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > On Fri, 2017-09-29 at 12:17 -0700, Matthew Garrett wrote:
> >> I'm arguing that (for our case at least) the only way we can use IMA
> >> is to rely on using a digital signature - we can either have that
> >> digital signature be in security.ima, or we can have it in
> >> security.evm. Since we need that signature in any case, we derive no
> >> benefit from having security.evm be an hmac - our two reasonable
> >> choices are:
> >>
> >> 1) security.ima as a digital signature, security.evm as an hmac
> >> 2) security.ima as a hash, security.evm as a digital signature
> >
> > There's a major difference between security.ima containing a file hash
> > vs a signature. A signature, assuming the file_check hook is in
> > policy, prevents the file from being modified, making the file
> > "immutable".
>
> But the same is effectively true if security.evm is a digital
> signature and there's no symmetric key? For what we want to do (ensure
> that executables that are allowed to run with elevated privileges
> haven't been tampered with), that's completely ok.
>
> >> I'm not really clear on what attacks are prevented by using the inode
> >> number. If I'm able to preserve all the other security metadata when
> >> copying a file, I can just create a hardlink to the original instead
> >> and have the same outcome.
> >
> > The issue is the ability of having different security metadata, not
> > the same security metadata. (I need to refresh my memory as to hard
> > links, and whether they can have different security metadata.)
>
> If the security metadata is different then copying another
> security.evm will fail, surely?
A copy of the file could exist with a valid hmac on the system with
different security xattrs. Without the inode/uuid, the xattrs could
be cut & pasted.
Ok, I agree this would be less of an issue for security.evm
signatures, since the signatures are not being generated on the
locally running system.
Mimi
next prev parent reply other threads:[~2017-10-01 2:36 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-27 22:16 RFC: Make it practical to ship EVM signatures Matthew Garrett
2017-09-27 22:16 ` [PATCH 1/6] IMA: Allow EVM validation on appraisal even without a symmetric key Matthew Garrett
2017-10-01 2:08 ` Mimi Zohar
2017-10-02 17:02 ` Matthew Garrett
2017-10-02 19:41 ` Mimi Zohar
2017-09-27 22:16 ` [PATCH 2/6] EVM: Add infrastructure for making EVM fields optional Matthew Garrett
2017-09-27 22:16 ` [PATCH 3/6] EVM: Allow userland to override the default EVM attributes Matthew Garrett
2017-09-27 22:16 ` [PATCH 4/6] EVM: Add an hmac_ng xattr format Matthew Garrett
2017-09-27 22:16 ` [PATCH 5/6] EVM: Write out HMAC xattrs in the new format Matthew Garrett
2017-09-27 22:16 ` [PATCH 6/6] EVM: Add a new digital signature format Matthew Garrett
2017-09-28 20:12 ` RFC: Make it practical to ship EVM signatures Mimi Zohar
2017-09-28 21:13 ` Matthew Garrett
2017-09-29 0:53 ` Mimi Zohar
2017-09-29 18:09 ` Matthew Garrett
2017-09-29 19:02 ` Mimi Zohar
2017-09-29 19:17 ` Matthew Garrett
2017-09-29 20:01 ` Mimi Zohar
2017-09-29 20:09 ` Matthew Garrett
2017-10-01 2:36 ` Mimi Zohar [this message]
2017-10-02 17:09 ` Matthew Garrett
2017-10-02 19:54 ` Mimi Zohar
[not found] ` <CACdnJutYw7Pgh-EwWuwp9Wz+5KzoreZVr+c6UV30zC__8FZSVA@mail.gmail.com>
[not found] ` <1506974574.5691.304.camel@linux.vnet.ibm.com>
2017-10-02 20:07 ` Matthew Garrett
2017-10-09 17:51 ` Mimi Zohar
2017-10-09 17:59 ` Matthew Garrett
2017-10-09 18:15 ` Mimi Zohar
2017-10-09 18:18 ` Matthew Garrett
2017-10-09 18:40 ` Mimi Zohar
[not found] ` <20171009232314.545de76a@totoro>
[not found] ` <1507583449.3748.46.camel@linux.vnet.ibm.com>
[not found] ` <20171010003326.6409ae23@totoro>
2017-10-09 21:40 ` Mimi Zohar
2017-10-09 23:10 ` Mikhail Kurinnoi
2017-10-10 19:07 ` Mimi Zohar
2017-10-12 23:09 ` Dmitry Kasatkin
2017-10-18 19:48 ` Dmitry Kasatkin
2017-10-18 20:30 ` Mimi Zohar
2017-10-18 20:37 ` Dmitry Kasatkin
2017-10-18 21:02 ` Mikhail Kurinnoi
2017-10-18 21:07 ` Mimi Zohar
2017-10-19 10:14 ` Dmitry Kasatkin
2017-10-19 11:43 ` Mimi Zohar
2017-10-19 17:08 ` Matthew Garrett
2017-10-19 18:38 ` Dmitry Kasatkin
2017-10-19 10:36 ` Dmitry Kasatkin
2017-10-19 11:45 ` Mimi Zohar
2017-10-02 14:53 ` Roberto Sassu
2017-10-02 8:55 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1506825397.5691.186.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=mjg59@google.com \
--cc=viewizard@viewizard.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.