From: Mimi Z. <zo...@li...> - 2015-05-22 13:23:06
On Fri, 2015-05-22 at 13:47 +0200, Patrick Ohly wrote:
> Hello!
>
> I recently started integrating IMA/EVM into the OpenEmbedded [1, 2]
> build system. For those of you not familiar with it, OpenEmbedded uses
> cross-compilation to generate complete images of user-configurable Linux
> distros.

Nice!

> If anyone is interested, the additional build recipes are here:
> https://github.com/01org/meta-intel-iot-security
> https://github.com/01org/meta-intel-iot-security/pull/11
>
> Because it looked like some of the enhancements made for Tizen last year
> [3] would be useful, I started out with that code and also discussed
> issues on the Tizen dev mailing list [4].
>
> However, that code turned out to be less mature than I thought, so I
> switched to the official upstream code in the end. I believe I ran into
> some issues which also exist in the official code, so let me summarize
> those key points from that mail thread.
>
> systemd policy loading is broken and (IMHO) always has been. The commit
> mentioned in the SF Wiki is called "systemd commit c8161158" but the
> actual commit hash is 8161158 (no leading c). That made finding the
> commit [5] a bit harder. That commit seems broken to me because it
> submits the entire policy with a single write() call, whereas the kernel
> API is "one policy per write()". A later modification [6] just made the
> situation worse by switching to copy_bytes(), which uses more complex
> system calls and does not manage to write all data.

The change was added in order to be able to 'cat' the policy. Either
method should work. The wiki is a bit dated at this point and should be
updated.

I recently posted dracut patches on the initramfs mailing list. Those
patches load the EVM and IMA keys that are signed by a key on the system
keyring - http://www.spinics.net/lists/linux-initramfs/msg04022.html

> The original goal was (and still is) to do all signing outside of the
> device, in advance. I've not quite achieved that. Because some files
> still need to be written on the device, those writes cause failures when
> ima_appraise_tcb is active.

Can you be more specific in terms of files? Are these mutable files, such
as config files?

FYI, there are a couple of bug fixes staged to be upstreamed in the
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity next
branch.

> EVM in the upstream code seems to rely on evm=fix, which does not work
> without confidential keys on the device. The Tizen code introduces X.509
> EVM signing, but is not upstream and also had problems at runtime (when
> compiled in, the EVM kernel code still expected to have confidential
> keys available and prevented writing files without them). I had to
> disable EVM to get around this.

Right, there were some issues with the EVM patches that need to be
addressed, before they're upstreamed.

Mimi

> It's quite likely that I misunderstood something, so I'd be happy to be
> corrected and/or get tips on how to achieve the original goal.
>
> [1] http://www.openembedded.org/wiki/Main_Page
> [2] https://www.yoctoproject.org/
> [3] http://comments.gmane.org/gmane.comp.handhelds.tizen.devel/6261
> [4] https://wiki.tizen.org/wiki/Security:IntegrityMeasurement
> [5] http://cgit.freedesktop.org/systemd/systemd/commit/?id=8161158
> [6] http://cgit.freedesktop.org/systemd/systemd/commit/?id=4dfb189
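The disagreement above is about how the securityfs policy file consumes write() calls. The following is an added illustration, not code from this thread, from systemd or from the dracut patches mentioned: a loader that opens /sys/kernel/security/ima/policy once, submits one rule per write(), and retries on short writes, so it behaves the same whether the kernel consumes one rule or the whole buffer per call. The sample policy lines, the dry_run helper and the writer parameter are constructed for illustration; loading the real policy requires root and a mounted securityfs.

```python
import os
import tempfile

# Constructed sample policy in the kernel's IMA policy syntax (one rule per line).
# These rules are illustrative and are not the policy discussed in the thread.
SAMPLE_POLICY = """\
# skip appraisal of pseudo-filesystems (proc, sysfs)
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
# measure executables, appraise root-owned files
measure func=BPRM_CHECK
appraise fowner=0
"""

IMA_POLICY_PATH = "/sys/kernel/security/ima/policy"  # securityfs, root only


def policy_rules(text):
    """Split policy text into rules: one per line, blank lines and comments dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(line)
    return rules


def write_fully(fd, data, writer=os.write):
    """write() data to fd, retrying on short writes. Returns the number of
    write() calls made. `writer` defaults to os.write; the parameter exists so
    the short-write path can be exercised against a fake writer."""
    calls = 0
    view = memoryview(data)
    while len(view):
        n = writer(fd, view)
        calls += 1
        if n <= 0:
            raise OSError("write returned %d" % n)
        view = view[n:]
    return calls


def load_ima_policy(text, path=IMA_POLICY_PATH):
    """Load an IMA policy over a single open of the policy file, one rule per
    write(). A kernel that consumes only one rule per call returns a short
    count, which write_fully handles. Returns the number of rules written."""
    rules = policy_rules(text)
    fd = os.open(path, os.O_WRONLY)
    try:
        for rule in rules:
            write_fully(fd, (rule + "\n").encode())
    finally:
        os.close(fd)  # closing the file finalizes the policy update
    return len(rules)


def dry_run(text):
    """Write the policy to a temporary regular file instead of securityfs and
    return the lines read back, to check a policy before deploying it."""
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        path = tmp.name
    try:
        load_ima_policy(text, path)
        with open(path) as f:
            return f.read().splitlines()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(dry_run(SAMPLE_POLICY))
```

Run as root with `load_ima_policy(open("policy").read())` to load a real policy; `dry_run` only touches a temporary file. Keeping the descriptor open across all the writes matters because the kernel treats close() as the end of the policy update.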