lwn.git/security/integrity/evm/evm_main.c, branch v3.6.11

evm: digital signature verification support

2011-11-09T14:51:14+00:00

This patch adds support for digital signature verification to EVM. With this feature file metadata can be protected using digital signature instead of an HMAC. When building an image, which has to be flashed to different devices, an HMAC cannot be used to sign file metadata, because the HMAC key should be different on every device. Signed-off-by: Dmitry Kasatkin Acked-by: Mimi Zohar

evm: permit mode bits to be updated

2011-09-14T19:24:52+00:00

Before permitting 'security.evm' to be updated, 'security.evm' must exist and be valid. In the case that there are no existing EVM protected xattrs, it is safe for posix acls to update the mode bits. To differentiate between no 'security.evm' xattr and no xattrs used to calculate 'security.evm', this patch defines INTEGRITY_NOXATTR. Signed-off-by: Mimi Zohar

evm: posix acls modify i_mode

2011-09-14T19:24:51+00:00

The posix xattr acls are 'system' prefixed, which normally would not affect security.evm. An interesting side affect of writing posix xattr acls is their modifying of the i_mode, which is included in security.evm. This patch updates security.evm when posix xattr acls are written. Signed-off-by: Mimi Zohar

evm: limit verifying current security.evm integrity

2011-09-14T19:24:51+00:00

evm_protect_xattr unnecessarily validates the current security.evm integrity, before updating non-evm protected extended attributes and other file metadata. This patch limits validating the current security.evm integrity to evm protected metadata. Signed-off-by: Mimi Zohar

evm: fix evm_inode_init_security return code

2011-08-11T07:42:41+00:00

evm_inode_init_security() should return 0, when EVM is not enabled. (Returning an error is a remnant of evm_inode_post_init_security.) Signed-off-by: Mimi Zohar Signed-off-by: James Morris

evm: add evm_inode_setattr to prevent updating an invalid security.evm

2011-07-18T16:29:50+00:00

Permit changing of security.evm only when valid, unless in fixmode. Reported-by: Roberto Sassu Signed-off-by: Mimi Zohar

evm: permit only valid security.evm xattrs to be updated

2011-07-18T16:29:49+00:00

In addition to requiring CAP_SYS_ADMIN permission to modify/delete security.evm, prohibit invalid security.evm xattrs from changing, unless in fixmode. This patch prevents inadvertent 'fixing' of security.evm to reflect offline modifications. Changelog v7: - rename boot paramater 'evm_mode' to 'evm' Reported-by: Roberto Sassu Signed-off-by: Mimi Zohar

evm: replace hmac_status with evm_status

2011-07-18T16:29:48+00:00

We will use digital signatures in addtion to hmac. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar

evm: evm_verify_hmac must not return INTEGRITY_UNKNOWN

2011-07-18T16:29:48+00:00

If EVM is not supported or enabled, evm_verify_hmac() returns INTEGRITY_UNKNOWN, which ima_appraise_measurement() ignores and sets the appraisal status based solely on the security.ima verification. evm_verify_hmac() also returns INTEGRITY_UNKNOWN for other failures, such as temporary failures like -ENOMEM, resulting in possible attack vectors. This patch changes the default return code for temporary/unexpected failures, like -ENOMEM, from INTEGRITY_UNKNOWN to INTEGRITY_FAIL, making evm_verify_hmac() fail safe. As a result, failures need to be re-evaluated in order to catch both temporary errors, such as the -ENOMEM, as well as errors that have been resolved in fix mode. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar

evm: additional parameter to pass integrity cache entry 'iint'

2011-07-18T16:29:47+00:00

Additional iint parameter allows to skip lookup in the cache. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar