From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Harald Hoyer <harald.hoyer@gmail.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
James Morris <jmorris@namei.org>,
David Safford <safford@watson.ibm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Greg KH <greg@kroah.com>,
Dmitry Kasatkin <dmitry.kasatkin@nokia.com>,
Mimi Zohar <zohar@us.ibm.com>
Subject: Re: [PATCH v5 03/21] evm: re-release
Date: Fri, 20 May 2011 07:21:25 -0400 [thread overview]
Message-ID: <1305890485.3247.6.camel@localhost.localdomain> (raw)
In-Reply-To: <4DD64CA7.7090307@gmail.com>
On Fri, 2011-05-20 at 13:12 +0200, Harald Hoyer wrote:
> Am 20.05.2011 00:49, schrieb Mimi Zohar:
> > On Thu, 2011-05-19 at 01:05 -0500, Serge E. Hallyn wrote:
> >> Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> >>> EVM protects a file's security extended attributes(xattrs) against integrity
> >>> attacks. This patchset provides the framework and an initial method. The
> >>> initial method maintains an HMAC-sha1 value across the security extended
> >>> attributes, storing the HMAC value as the extended attribute 'security.evm'.
> >>> Other methods of validating the integrity of a file's metadata will be posted
> >>> separately (eg. EVM-digital-signatures).
> >>>
> >>> While this patchset does authenticate the security xattrs, and
> >>> cryptographically binds them to the inode, coming extensions will bind other
> >>> directory and inode metadata for more complete protection. To help simplify
> >>> the review and upstreaming process, each extension will be posted separately
> >>> (eg. IMA-appraisal, IMA-appraisal-directory). For a general overview of the
> >>> proposed Linux integrity subsystem, refer to Dave Safford's whitepaper:
> >>> http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.
> >>>
> >>> EVM depends on the Kernel Key Retention System to provide it with a
> >>> trusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto the
> >>> root's keyring using keyctl. Until EVM receives notification that the key has
> >>> been successfully loaded onto the keyring (echo 1 > <securityfs>/evm), EVM can
> >>> not create or validate the 'security.evm' xattr, but returns INTEGRITY_UNKNOWN.
> >>> Loading the key and signaling EVM should be done as early as possible. Normally
> >>> this is done in the initramfs, which has already been measured as part of the
> >>> trusted boot. For more information on creating and loading existing
> >>> trusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt. A
> >>> sample dracut patch, which loads the trusted/encrypted key and enables EVM, is
> >>> available from http://linu-ima.sourceforge.net/#EVM.
> >>
> >> That should read http://linux-ima.sourceforge.net/#EVM.
> >
> > Thanks for catching that.
>
> The dracut patch, could easily turned into a separate dracut module with its own
> files, without patching. Somebody did not understand the modular nature of
> dracut. While you are at it, I happily integrate that module in upstream, if you
> submit it to the initramfs mailing list.
thanks!
Mimi
next prev parent reply other threads:[~2011-05-20 11:21 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-16 14:44 [PATCH v5 00/21] EVM Mimi Zohar
2011-05-16 14:44 ` [PATCH v5 01/21] integrity: move ima inode integrity data management Mimi Zohar
2011-05-19 2:06 ` Serge E. Hallyn
2011-05-19 22:45 ` Mimi Zohar
2011-05-16 14:44 ` [PATCH v5 02/21] xattr: define vfs_getxattr_alloc and vfs_xattr_cmp Mimi Zohar
2011-05-19 2:11 ` Serge E. Hallyn
2011-05-16 14:44 ` [PATCH v5 03/21] evm: re-release Mimi Zohar
2011-05-19 6:05 ` Serge E. Hallyn
2011-05-19 22:49 ` Mimi Zohar
2011-05-20 11:12 ` Harald Hoyer
2011-05-20 11:21 ` Mimi Zohar [this message]
2011-05-19 21:37 ` Serge E. Hallyn
2011-05-20 12:29 ` Mimi Zohar
2011-05-20 13:43 ` Serge E. Hallyn
2011-05-16 14:44 ` [PATCH v5 04/21] evm: add support for different security.evm data types Mimi Zohar
2011-05-16 14:44 ` [PATCH v5 05/21] ima: move ima_file_free before releasing the file Mimi Zohar
2011-05-19 22:06 ` Serge E. Hallyn
2011-05-20 0:55 ` Mimi Zohar
2011-05-20 13:40 ` Serge E. Hallyn
2011-05-20 14:34 ` Mimi Zohar
2011-05-20 15:25 ` Serge E. Hallyn
2011-05-16 14:45 ` [PATCH v5 06/21] security: imbed evm calls in security hooks Mimi Zohar
2011-05-19 22:13 ` Serge E. Hallyn
2011-05-16 14:45 ` [PATCH v5 07/21] evm: evm_inode_post_removexattr Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 08/21] evm: imbed evm_inode_post_setattr Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 09/21] evm: evm_inode_post_init Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 10/21] fs: add evm_inode_post_init calls Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 11/21] evm: crypto hash replaced by shash Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 12/21] evm: add evm_inode_post_init call in btrfs Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 13/21] evm: add evm_inode_post_init call in gfs2 Mimi Zohar
2011-05-16 15:30 ` Steven Whitehouse
2011-05-16 15:50 ` Mimi Zohar
2011-05-16 16:14 ` Steven Whitehouse
2011-05-16 16:35 ` Mimi Zohar
2011-05-16 17:50 ` Mimi Zohar
2011-05-16 17:57 ` Steven Whitehouse
2011-05-16 18:20 ` Mimi Zohar
2011-05-16 18:23 ` Casey Schaufler
2011-05-16 18:48 ` Mimi Zohar
2011-05-16 19:25 ` Casey Schaufler
2011-05-19 0:55 ` Mimi Zohar
2011-05-19 9:25 ` Steven Whitehouse
2011-05-16 14:45 ` [PATCH v5 14/21] evm: add evm_inode_post_init call in jffs2 Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 15/21] evm: add evm_inode_post_init call in jfs Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 16/21] evm: add evm_inode_post_init call in xfs Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 17/21] evm: additional parameter to pass integrity cache entry 'iint' Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 18/21] evm: evm_verify_hmac must not return INTEGRITY_UNKNOWN Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 19/21] evm: replace hmac_status with evm_status Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 20/21] evm: permit only valid security.evm xattrs to be updated Mimi Zohar
2011-05-16 14:45 ` [PATCH v5 21/21] evm: add evm_inode_setattr to prevent updating an invalid security.evm Mimi Zohar
2011-05-19 0:25 ` [PATCH v5 00/21] EVM Andrew Morton
2011-05-19 1:51 ` Mimi Zohar
2011-05-20 0:51 ` James Morris
2011-05-20 1:07 ` Mimi Zohar
2011-05-20 13:06 ` David Safford
2011-05-20 14:13 ` Casey Schaufler
2011-05-26 6:08 ` Pavel Machek
2011-05-26 16:34 ` Casey Schaufler
2011-05-26 18:11 ` David Safford
2011-05-26 18:38 ` Pavel Machek
2011-05-26 19:30 ` Casey Schaufler
2011-05-26 20:02 ` Pavel Machek
2011-05-26 20:32 ` Casey Schaufler
2011-05-26 19:49 ` Mimi Zohar
2011-05-26 20:17 ` Pavel Machek
2011-05-27 17:45 ` David Safford
2011-05-29 6:58 ` Pavel Machek
2011-05-31 12:05 ` Mimi Zohar
2011-05-31 13:40 ` Valdis.Kletnieks
2011-06-01 22:11 ` Dmitry Kasatkin
2011-05-20 18:50 ` Serge E. Hallyn
2011-05-23 22:09 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1305890485.3247.6.camel@localhost.localdomain \
--to=zohar@linux.vnet.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=dmitry.kasatkin@nokia.com \
--cc=greg@kroah.com \
--cc=harald.hoyer@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=safford@watson.ibm.com \
--cc=serge@hallyn.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).