From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Martin Townsend <mtownsend1973@gmail.com>,
	linux-integrity@vger.kernel.org
Cc: Sascha Hauer <s.hauer@pengutronix.de>,
	Dmitry Kasatkin <dmitry.kasatkin@huawei.com>,
	LSM <linux-security-module@vger.kernel.org>,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: Problem mounting pseudo filesystems with SMACK and IMA enabled.
Date: Mon, 19 Mar 2018 11:47:40 -0400	[thread overview]
Message-ID: <1521474460.3503.191.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CABatt_zM0Uu2fEwyORKTLYMC2_KeqSkcye1toBxhyjkgOUr62Q@mail.gmail.com>

On Mon, 2018-03-19 at 14:37 +0000, Martin Townsend wrote:
[...]
> The problem was because systemd couldn't create directories for the
> mounts /dev/shm and /sys/fs/cgroup/systemd, it was returning -ENOKEY.

There's a disconnect between what ima-evm-utils supports and the
kernel.  This sounds like the kernel you're using has directory
support, which has not been upstreamed.
> After investigating it looks like I need to set a key for HMAC to stop
> the mkdir failing which I didn't appreciate I needed with a pre-signed
> image.

> I have a question on this, looking at the IMA code it will try and
> replace my signatures with the HMAC unless the immutable attribute is
> set, is this correct?

EVM will replace the file signature with an HMAC, unless the
filesystem is mounted r/o, is immutable, or is signed with the new EVM
portable and immutable signature.

>  In the evmctl utility there's mention of an evm
> immutable flag but I see nothing in the kernel code that supports
> this. Is this a feature that never made it into the kernel? Or is it
> there but I've missed it?

The portable and immutable EVM signature is being added only in this
release (linux-4.16).

> Second question, I have no TPM module so do I need to add a key for
> HMAC or is there another way? It's not a problem if I have to add a
> key I just want to make 100% sure I have to before patching systemd or
> creating my own init process that adds the key before handing over to
> systemd.

systemd already has support for loading an EVM key.

The EVM encrypted key could be based on either a TPM trusted key or a
user key, without the HW guarantees of the private key not being
exposed in the clear.  If you don't need an EVM key, then without a
TPM, you're probably better off backporting the new portable and
immutable EVM key.

Mimi
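As an added illustration of the no-TPM route described above (example script, not from this thread and not systemd's own key-loading code): an early-init snippet that creates a user key, derives the EVM encrypted key from it, enables EVM, and decodes the status word. It assumes keyutils (keyctl) is installed and securityfs is mounted at /sys/kernel/security; the key name evm-key is the name EVM looks for, and the status bits 1 (HMAC key loaded) and 2 (x509 key loaded) follow the kernel's EVM ABI.

```shell
#!/bin/sh
# Added example: load a user-key based EVM HMAC key without a TPM, then
# enable EVM. This has to run before anything does mkdir on an
# EVM-protected filesystem, otherwise the caller gets -ENOKEY.
set -eu

KMK_NAME="${KMK_NAME:-kmk-user}"   # user key that wraps the EVM key (constructed name)

# Payload for an encrypted key derived from a user key instead of a TPM trusted key.
evm_key_payload() {
    # $1 = master key name, $2 = key length in bytes
    printf 'new user:%s %s' "$1" "$2"
}

# Decode /sys/kernel/security/evm: bit 1 = HMAC key loaded, bit 2 = x509 key loaded.
evm_status() {
    # $1 = raw integer read from securityfs
    case $(( $1 & 3 )) in
        0) echo "evm: not initialised" ;;
        1) echo "evm: HMAC key loaded" ;;
        2) echo "evm: x509 key only (signature verification, no HMAC)" ;;
        3) echo "evm: HMAC and x509 keys loaded" ;;
    esac
}

load_evm_key() {
    # 32 random bytes become the user key; without a TPM that master key is only
    # as well protected as the init environment that generated it.
    keyctl add user "$KMK_NAME" \
        "$(dd if=/dev/urandom bs=1 count=32 2>/dev/null)" @u
    keyctl add encrypted evm-key "$(evm_key_payload "$KMK_NAME" 32)" @u
    # Request HMAC initialisation; EVM needs evm-key to already be present.
    echo 1 > /sys/kernel/security/evm
    evm_status "$(cat /sys/kernel/security/evm)"
}

# Only run the privileged part when explicitly asked, e.g. from an init script.
if [ "${1:-}" = "load" ]; then
    load_evm_key
fi
```

Run as `sh evm-key.sh load` from an init script that executes before systemd (or from a systemd unit ordered before the mounts); the payload and status helpers can be exercised without root.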
