From: Mimi Z. <zo...@li...> - 2011-09-12 23:41:27

On Mon, 2011-09-12 at 14:49 -0700, Subodh Nijsure wrote:
> On Mon, Sep 12, 2011 at 1:35 PM, Mimi Zohar <zo...@li...> wrote:
> > On Mon, 2011-09-12 at 11:50 -0700, Subodh Nijsure wrote:
> >> Hello,
> >>
> >> I have been using the repo that Dmitry pointed to a few days ago to get
> >> familiar with the IMA/EVM feature set.
> >>
> >> I work for an embedded software hw/sw company and we are greatly
> >> interested in this feature; it is exactly what we are looking for to assure
> >> customers that the stuff running on our device is not being compromised.
> >>
> >> Anyway, I have compiled the kernel as described at
> >> http://linux-ima.sourceforge.net/. For testing I am running this
> >> kernel to boot a Ubuntu system under Virtualbox.
> >>
> >> I am running the evm_enable.sh script that is part of evm-utils.
> >>
> >> So I booted the system with kernel parameters rootflags=i_version
> >> ima_audit=1 ima_appraise=fix evm=fix and ran the script
> >> evm_label_all.sh. I created a test script called /bin/myscript.sh; this
> >> script had the following security.* info
> >> (This script just does echo "Hello World".)
> >>
> >> # file: bin/myscript.sh
> >> security.evm=0x02be034301cffd95fd237197ddf895d1e7e09ceed2
> >> security.ima=0x01c0c5e04cf9c08652faf0247afb19c6d708ccf5ba
> >>
> >> Now I rebooted this machine with kernel parameters rootflags=i_version
> >> ima_audit=1 ima_tcb, then I updated /bin/myscript.sh to say echo
> >> "Hello World1". Now this updates the security.* info on this file as
> >> shown below.
> >>
> >> # file: bin/myscript.sh
> >> security.evm=0x02acf40095e80e65a44c50724b723dea8363f1e26ebe
> >> security.ima=0x01dc29420238f18fca4e06d970eec75725a36373ee
> >>
> >> My keyctl shows the following output:
> >>
> >> sudo keyctl list @u
> >> 4 keys in keyring:
> >> 666858261: --alswrv 0 0 user: kmk
> >> 461487313: --alswrv 0 0 encrypted: evm-key
> >> 715895674: --alswrv 0 0 keyring: _ima
> >> 793114560: --alswrv 0 0 keyring: _evm
> >>
> >>
> >> But I expected, since I booted the system with ima_tcb, that I shouldn't be
> >> able to execute the updated myscript.sh? What am I doing wrong in doing
> >> the basic IMA/EVM test?
> >
> > Nothing went wrong. :-) It's working as designed, permitting
> > 'security.ima' and 'security.evm' to be updated, assuming the original
> > values are valid. Modifying either security xattr offline will prevent
> > myscript.sh from being modified online.
> >
> > If 'security.ima' had been a digital signature, it wouldn't have been
> > updated. As a result, executing myscript.sh would subsequently fail.
> >
> > Sorry if this is obvious.

Not at all. Having this discussion here on the mailing list is also
important for those who didn't attend LSS.

> I thought Dmitry's demo last week at Linux Plumbers conference showed
> that it was possible i.e. once myscript.sh has security.ima signed by
> security.evm, subsequent changes to myscript.sh would prevent its
> execution.

Dmitry's talk, given by Casey, and demo focused on the EVM/IMA-appraisal
digital signatures extension. Initially, both security.ima and
security.evm are flashed to the device containing digital signatures.
Once verified, for performance, security.evm is converted to an HMAC.
For immutable files, security.ima remains as a digital signature in
order to prove authenticity. If the file changes, security.ima cannot be
updated as the system does not have the private key. I assume we're
good to here.

For mutable files, such as configuration files or scripts, which are
system dependent, security.ima contains the file hash. EVM protects
security.ima from an offline modification, but IMA-appraisal is
dependent on DAC/MAC protecting the running system. There are a number
of ways of demonstrating EVM/IMA-appraisal. For example, booting a
kernel without EVM or IMA-appraisal enabled, modifying the file, and
rebooting with EVM/IMA-appraisal enabled. The file's HMAC will not match
security.evm, causing any file read/execute to fail.

> Maybe I missed some of the steps from Dmitry's demo at LSS, or that
> demo used some additional patch set?

Perhaps Dmitry will make the demo available so that we can review it
here in more detail.

> Should I be merging changes from
> git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6.gitt/#next-ima-appraisal
> for my testing? If yes, since kernel.org is still down is there
> another place where I can look at those changes?

As you're interested in the EVM/IMA-appraisal digital signatures
extension, you can continue using #ima-ksign, which tracks the
EVM/IMA-appraisal tree. I am planning on making the trees available on
github.

thanks,

Mimi
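The hash-mode behaviour Mimi describes (an online edit updates both xattrs and still appraises; an offline edit of the file plus security.ima leaves a stale security.evm HMAC and fails) can be modelled in a few dozen lines. The following is an added example, not code from this thread or from the IMA/EVM project. It runs entirely in memory with constructed sample data: the xattrs are a Python dict rather than real filesystem attributes, the type bytes 0x01 and 0x02 are taken from the security.* values quoted above, and the EVM HMAC input (security.ima concatenated with a constructed metadata string) is an assumption that simplifies the kernel's real HMAC layout, which covers a defined set of security xattrs and inode fields.

```python
"""
In-memory model of hash-mode IMA-appraisal with EVM protection of the
security.ima xattr. Added example; the HMAC input is a simplified
assumption, not the kernel's exact layout.
"""
import hashlib
import hmac

# Leading type bytes as seen in the security.* values quoted in the thread.
IMA_XATTR_DIGEST = 0x01   # security.ima = 0x01 + SHA-1 of the file content
EVM_XATTR_HMAC = 0x02     # security.evm = 0x02 + HMAC-SHA1


def ima_hash_xattr(content: bytes) -> bytes:
    """Build a hash-type security.ima value for the given file content."""
    return bytes([IMA_XATTR_DIGEST]) + hashlib.sha1(content).digest()


def ima_appraise(content: bytes, ima_xattr: bytes) -> bool:
    """Hash-mode appraisal: the file content must match the stored digest."""
    if not ima_xattr or ima_xattr[0] != IMA_XATTR_DIGEST:
        return False
    return hmac.compare_digest(ima_xattr[1:], hashlib.sha1(content).digest())


def evm_hmac_xattr(evm_key: bytes, ima_xattr: bytes, inode_meta: bytes) -> bytes:
    """Simplified security.evm: HMAC over the protected xattr and inode metadata
    (assumption: the real kernel covers more xattrs and specific inode fields)."""
    mac = hmac.new(evm_key, ima_xattr + inode_meta, hashlib.sha1).digest()
    return bytes([EVM_XATTR_HMAC]) + mac


def evm_verify(evm_key: bytes, xattrs: dict, inode_meta: bytes) -> bool:
    """security.evm must be a valid HMAC over the current security.ima value."""
    expected = evm_hmac_xattr(evm_key, xattrs.get("security.ima", b""), inode_meta)
    return hmac.compare_digest(xattrs.get("security.evm", b""), expected)


def appraise(evm_key: bytes, inode_meta: bytes, xattrs: dict, content: bytes) -> str:
    """Check order as described in the thread: EVM validates the xattrs first,
    then IMA-appraisal checks the content hash. Returns a short verdict."""
    if not evm_verify(evm_key, xattrs, inode_meta):
        return "evm-fail"
    if not ima_appraise(content, xattrs.get("security.ima", b"")):
        return "ima-fail"
    return "ok"


def online_edit(evm_key: bytes, inode_meta: bytes, xattrs: dict, new_content: bytes) -> dict:
    """Edit on a running EVM/IMA system: the kernel holds evm-key, so both
    xattrs are rewritten and the file keeps appraising (Subodh's observation)."""
    updated = dict(xattrs)
    updated["security.ima"] = ima_hash_xattr(new_content)
    updated["security.evm"] = evm_hmac_xattr(evm_key, updated["security.ima"], inode_meta)
    return updated


def offline_edit(xattrs: dict, new_content: bytes) -> dict:
    """Edit with EVM/IMA-appraisal not running: security.ima can be recomputed
    by anyone, but security.evm cannot because the HMAC key is unavailable."""
    updated = dict(xattrs)
    updated["security.ima"] = ima_hash_xattr(new_content)
    return updated


def demo() -> dict:
    """Walk through the situations discussed in the thread and return the verdicts."""
    evm_key = b"constructed-evm-key-for-the-example"   # constructed stand-in for evm-key
    inode_meta = b"ino=1234,uid=0,gid=0,mode=0755"      # constructed, simplified metadata
    original = b'#!/bin/sh\necho "Hello World"\n'        # constructed file content
    modified = b'#!/bin/sh\necho "Hello World1"\n'

    xattrs = {"security.ima": ima_hash_xattr(original)}
    xattrs["security.evm"] = evm_hmac_xattr(evm_key, xattrs["security.ima"], inode_meta)

    results = {"initial": appraise(evm_key, inode_meta, xattrs, original)}

    # Case 1: edited online, both xattrs updated -> still "ok".
    online = online_edit(evm_key, inode_meta, xattrs, modified)
    results["online_edit"] = appraise(evm_key, inode_meta, online, modified)

    # Case 2: file and security.ima edited offline, security.evm stale -> "evm-fail".
    offline = offline_edit(xattrs, modified)
    results["offline_edit"] = appraise(evm_key, inode_meta, offline, modified)

    # Case 3: content changed offline, no xattr touched -> "ima-fail".
    results["content_only"] = appraise(evm_key, inode_meta, xattrs, modified)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13s} -> {verdict}")
```

The three verdicts line up with the thread: the online edit passes because the running kernel re-HMACs the xattrs, the offline edit fails at the EVM step because nobody offline holds evm-key, and a content change with untouched xattrs fails at the IMA step. The model does not cover the digital-signature form of security.ima, where an edit cannot be re-signed without the private key.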