Re: [Linux-ima-devel] IMA/EVM for OpenEmbedded

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Fri, 2015-05-22 at 13:47 +0200, Patrick Ohly wrote:
> Hello!
> 
> I recently started integrating IMA/EVM into the OpenEmbedded [1, 2]
> build system. For those of you not familiar with it, OpenEmbedded uses
> cross-compilation to generate complete images of user-configurable Linux
> distros.

Nice!

> If anyone is interested, the additional build recipes are here:
> https://github.com/01org/meta-intel-iot-security
> https://github.com/01org/meta-intel-iot-security/pull/11
> 
> Because it looked like some of the enhancements made for Tizen last year
> [3] would be useful, I started out with that code and also discussed
> issues on the Tizen dev mailing list [4].
> 
> However, that code turned out to be less mature than I thought, so I
> switched to the official upstream code in the end. I believe I ran into
> some issues which also exist in the official code, so let me summarize
> those key points from that mail thread.
> 
> systemd policy loading is broken and (IMHO) always has been. The commit
> mentioned in the SF Wiki is called "systemd commit c8161158" but the
> actual commit hash is 8161158 (no leading c). That made finding the
> commit [5] a bit harder. That commit seems broken to me because it
> submits the entire policy with a single write() call, whereas the kernel
> API is "one policy per write()". A later modification [6] just made the
> situation worse by switching to copy_bytes(), which uses more complex
> system calls and does not manage to write all data.

The change was added in order to be able to 'cat' the policy.  Either
method should work.

The wiki is a bit dated at this point and should be updated.  I recently
posted dracut patches on the initramfs mailing list.  Those patches load
the EVM and IMA keys that are signed by a key on the system keyring -
http://www.spinics.net/lists/linux-initramfs/msg04022.html

> The original goal was (and still is) to do all signing outside of the
> device, in advance. I've not quite achieved that. Because some files
> still need to be written on the device, those writes cause failures when
> ima_appraise_tcb is active.

Can you be more specific in terms of files?  Are these mutable files,
such as config files?

FYI, there are a couple of bug fixes staged to be upstreamed in the
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity next
branch.

> EVM in the upstream code seems to rely on evm=fix, which does not work
> without confidential keys on the device. The Tizen code introduces X.504
> EVM signing, but is not upstream and also had problems at runtime (when
> compiled in, the EVM kernel code still expected to have confidential
> keys available and prevented writing files without them). I had to
> disable EVM to get around this.

Right, there were some issues with the EVM patches that need to be
addressed, before they're upstreamed.

Mimi

> It's quite likely that I misunderstood something, so I'd be happy to be
> corrected and/or get tips on how to achieve the original goal.
> 
> [1] http://www.openembedded.org/wiki/Main_Page
> [2] https://www.yoctoproject.org/
> [3] http://comments.gmane.org/gmane.comp.handhelds.tizen.devel/6261
> [4] https://wiki.tizen.org/wiki/Security:IntegrityMeasurement
> [5] http://cgit.freedesktop.org/systemd/systemd/commit/?id=8161158
> [6] http://cgit.freedesktop.org/systemd/systemd/commit/?id=4dfb189