> -----Original Message-----
> From: Patrick Ohly [mailto:[email protected]]
> Sent: Monday, May 11, 2015 11:19 AM
>
> Hello!
>
> Before coming back to the signing problems below, a quick question about
> ima-evm-utils: is http://sourceforge.net/projects/linux-ima/ or Tizen's
> platform/upstream/ima-evm-utils the official repo of the latest stable
> source?
>
> Tizen's copy has several commits which add new APIs on top of the 0.9
> release.
>
> Okay, back to EVM... ;-}

Hello!
Sourceforge.net is the official repository. On tizen.org the additional commits refer only to our still non-official IMA/EVM changes.

> > Without our patches I think it's only option.
>
> I have added all of the Tizen patches on top of 3.19.2. Were you thinking of
> "evm: add interface to read and write EVM state"? That is a bit awkward to
> use for debugging boot issues, because I would have to write a systemd unit
> file turning off evm and get that unit to run before the other units which
> fail when evm is active.

Yes, I was referring to this patch. Agreed. It's only useful if you can boot the device in fix mode with IMA/EVM already set up.

> Right now, I only see these solutions for getting evm to work (please correct
> me if I'm wrong or miss something):
> 1. read-only file system and all files signed in advance

Good case scenario.

> 2. private key stored on the device and
>    A. booting with evm=fix or
>    B. manipulate files only through a process which has
>       exclusive access to the private key

Special case scenario.

> 3. read-only file system with an overlay file system where EVM and
>    IMA are disabled

Best case scenario.

> 4. do not store private key and exclude certain files from evm
>    enforcement

I think it's not possible to exclude certain files from EVM since there is no such thing as an EVM policy.

> For option 2A you wanted to add instructions to the Wiki - any progress for
> that?

I think the tizen.org Wiki page 'Sign working device' covers this case.

> 2B would require modifying upstream software and writing such a daemon.
> I guess that's similar to the example daemon in ima-evm-reference-utils
> (which I haven't looked at yet).

Yes.

> Option 3 and 4 both depend on somehow configuring EVM. I'm still unsure
> whether that's already possible. As you said earlier, the IMA policy is really
> just for IMA. So EVM really is "all or nothing" when it comes to files and
> file systems?
Maybe I was a little bit inaccurate with my explanation, and please @Dmitry, correct me if I'm wrong. You can enable only the EVM sub-system, but IMA-appraise is the one responsible for enforcing it. So you can have IMA-appraise without EVM, but EVM without IMA-appraise makes no sense.

> > If you use only hashes for IMA you don't need key at all. If you use
> > digital signatures I think you need to manually recalculate them.
>
> Is that the difference between --imahash and --imasig in the evmctl
> invocation below?

Yes.

> But then how does the kernel decide during ima_appraise=fix? Will it always
> operate in --imahash mode, for all files, or does it somehow depend on how
> a file was labeled earlier?

IMA fix works for non-digitally-signed files. The kernel can automatically recalculate the file hash and update the security.ima xattr. With digital signatures you need to do it manually, providing the private key for signing to evmctl sign --imasig.

> > You need to add encrypted key (or trusted if used with TPM) to the kernel
> > keyring for EVM.
>
> So EVM hashes are never signed with a private key? I thought they were (or
> at least could be), based on the comments in the Wiki about "you should
> consider generate separate key for EVM - use the same script which you've
> used for generate IMA certificate".

EVM uses HMAC or digital signatures made with a private key.

> And how does evmctl deal with this? There's only one --key option for
> "evmctl sign", so when doing both signing operations at the same time, how
> would I specify a separate EVM private key?
>
> It also does not seem possible to call evmctl once for evm and once for ima,
> because there is only one "sign" operation which does both at the same time
> (right?).
> I also find this example confusing:
> http://sourceforge.net/p/linux-ima/wiki/Home/#labeling-the-filesystem-with-securityevm
>
> #!/bin/sh
> #label "immutable" files with EVM/IMA digital signatures
> #label everything else with just EVM digital signatures
>
> file $1 | grep 'ELF' > /dev/null
> if [ $? -eq 0 ]; then
>     evmctl sign --imasig $1 /home/zohar/privkey_evm.pem
> else
>     evmctl sign --imahash $1 /home/zohar/privkey_evm.pem
> fi
>
> The "label everything else with just EVM digital signatures" is a bit
> misleading IMHO, because security.ima is still getting created. The content
> hash just doesn't seem to be signed (judging from the output of getfattr).

Agreed, the evmctl options could be misleading.

1) sign the file with an EVM signature and calculate the hash value for IMA:
   evmctl sign --imahash <file>
2) sign the file with both IMA and EVM signatures:
   evmctl sign --imasig <file>
3) sign the file with an IMA signature:
   evmctl ima_sign <file>

I think it's our mistake in the Wiki referring to a separate EVM key.

Regards
Zbigniew Jasinski

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
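The labelling rule discussed in the thread (ELF binaries get EVM plus IMA signatures via "evmctl sign --imasig", everything else gets an EVM signature plus an unsigned IMA hash via "evmctl sign --imahash"), written out as an added example that is not the wiki script and not part of ima-evm-utils or the Tizen project. It assumes evmctl from ima-evm-utils is on PATH and accepts --key for the private key (the option Patrick refers to), and it detects ELF by the four magic bytes instead of calling file(1) so it does not depend on file being installed. The functions that only decide the mode and build the command line run without evmctl; label_file and label_tree actually invoke it and need root plus a writable filesystem with xattr support.

```shell
#!/bin/sh
# Added example: per-file EVM/IMA labelling decision for an evmctl-based
# signing pass. Not the linux-ima wiki script; evmctl --key and the
# sign --imahash / sign --imasig modes are assumed as quoted in the thread.

# is_elf FILE: true if FILE starts with the ELF magic 0x7f 'E' 'L' 'F'.
is_elf() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# label_mode FILE: print the evmctl mode the file should receive.
#   imasig  - EVM signature + signed IMA hash (immutable binaries);
#             the kernel cannot re-generate this in ima_appraise=fix
#   imahash - EVM signature + unsigned IMA hash (everything else);
#             security.ima is still written, just not signed
label_mode() {
    if is_elf "$1"; then
        echo imasig
    else
        echo imahash
    fi
}

# label_cmd KEY FILE: print the evmctl invocation without running it.
label_cmd() {
    key=$1
    f=$2
    echo "evmctl sign --$(label_mode "$f") --key $key $f"
}

# label_file KEY FILE: run evmctl for one file (needs root + xattr support).
label_file() {
    key=$1
    f=$2
    case $(label_mode "$f") in
        imasig)  evmctl sign --imasig  --key "$key" "$f" ;;
        imahash) evmctl sign --imahash --key "$key" "$f" ;;
    esac
}

# label_tree KEY DIR [dry]: label every regular file under DIR.
# With the third argument "dry" it only prints the commands it would run.
label_tree() {
    key=$1
    dir=$2
    mode=${3:-run}
    find "$dir" -type f | while IFS= read -r f; do
        if [ "$mode" = dry ]; then
            label_cmd "$key" "$f"
        else
            label_file "$key" "$f"
        fi
    done
}
```

After a real run, "getfattr -m - -d <file>" shows both security.ima and security.evm on every file; only the ELF files carry an IMA signature rather than a bare hash, which is the distinction the wiki comment "just EVM digital signatures" glosses over.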
