From: Kasatkin, D. <dmi...@in...> - 2011-09-13 08:37:12
Hello,

See inline and below.

On Tue, Sep 13, 2011 at 2:41 AM, Mimi Zohar <zo...@li...> wrote:
> On Mon, 2011-09-12 at 14:49 -0700, Subodh Nijsure wrote:
>> On Mon, Sep 12, 2011 at 1:35 PM, Mimi Zohar <zo...@li...> wrote:
>> > On Mon, 2011-09-12 at 11:50 -0700, Subodh Nijsure wrote:
>> >> Hello,
>> >>
>> >> I have been using the repo that Dmitry pointed to a few days ago to get
>> >> familiar with the IMA/EVM feature set.
>> >>
>> >> I work for an embedded hw/sw company and we are greatly
>> >> interested in this feature; it is exactly what we are looking for to assure
>> >> customers that stuff running on our device is not being compromised.
>> >>
>> >> Anyway, I have compiled the kernel as described at
>> >> http://linux-ima.sourceforge.net/. For testing I am running this
>> >> kernel to boot a Ubuntu system under Virtualbox.
>> >>
>> >> I am running the evm_enable.sh script that is part of evm-utils.
>> >>
>> >> So I booted the system with kernel parameters rootflags=i_version
>> >> ima_audit=1 ima_appraise=fix evm=fix and ran the script
>> >> evm_label_all.sh. I created a test script called /bin/myscript.sh; this
>> >> script had the following security.* info
>> >> (This script just does echo "Hello World".)

evm_label_all.sh is necessary to label security.evm with digital signatures.
It is not for using it with ima_appraise=fix or evm=fix. It is for building
images... On a running system you can use ima_fix_dir.sh to label everything
with HMAC... And below you do not see, obviously, a digital signature..

>> >> # file: bin/myscript.sh
>> >> security.evm=0x02be034301cffd95fd237197ddf895d1e7e09ceed2
>> >> security.ima=0x01c0c5e04cf9c08652faf0247afb19c6d708ccf5ba
>> >>
>> >> Now I rebooted this machine with kernel parameters rootflags=i_version
>> >> ima_audit=1 ima_tcb, then I updated /bin/myscript.sh to say echo
>> >> "Hello World1". Now this updates the security.* info on this file as
>> >> shown below.
>> >>
>> >> # file: bin/myscript.sh
>> >> security.evm=0x02acf40095e80e65a44c50724b723dea8363f1e26ebe
>> >> security.ima=0x01dc29420238f18fca4e06d970eec75725a36373ee
>> >>
>> >> My keyctl shows the following output:
>> >>
>> >> sudo keyctl list @u
>> >> 4 keys in keyring:
>> >> 666858261: --alswrv 0 0 user: kmk
>> >> 461487313: --alswrv 0 0 encrypted: evm-key
>> >> 715895674: --alswrv 0 0 keyring: _ima
>> >> 793114560: --alswrv 0 0 keyring: _evm
>> >>
>> >> But I expected, since I booted the system with ima_tcb, that I shouldn't be
>> >> able to execute the updated myscript.sh? What am I doing wrong in doing
>> >> the basic IMA/EVM test?
>> >
>> > Nothing went wrong. :-) It's working as designed, permitting
>> > 'security.ima' and 'security.evm' to be updated, assuming the original
>> > values are valid. Modifying either security xattr offline will prevent
>> > the myscript.sh from being modified online.
>> >
>> > If 'security.ima' had been a digital signature, it wouldn't have been
>> > updated. As a result, executing myscripts.sh would subsequently fail.
>> >
>> Sorry if this is obvious.
>
> Not at all. Having this discussion here on the mailing list is also
> important for those who didn't attend LSS.
>
>> I thought Dmitry's demo last week at Linux Plumbers conference showed
>> that it was possible, i.e. once myscript.sh has security.ima signed by
>> security.ema, subsequent changes to myscript.sh would prevent its
>> execution.
>
> Dmitry's talk, given by Casey, and demo focused on the EVM/IMA-appraisal
> digital signatures extension. Initially, both security.ima and
> security.evm are flashed to the device containing digital signatures.
> Once verified, for performance, security.evm is converted to an HMAC.
> For immutable files, security.ima remains as a digital signature in
> order to prove authenticity. If the file changes, security.ima can not
> be updated as the system does not have the private key. I assume we're
> good to here.
>
> For mutable files, such as configuration files or scripts, which are
> system dependent, security.ima contains the file hash. EVM protects
> security.ima from an offline modification, but IMA-appraisal is
> dependent on DAC/MAC protecting the running system.
>
> There are a number of ways of demonstrating EVM/IMA-appraisal. For
> example, booting a kernel without EVM or IMA-appraisal enabled,
> modifying the file, and rebooting with EVM/IMA-appraisal enabled. The
> file's HMAC will not match security.evm, causing any file read/execute
> to fail.
>
>> Maybe I missed some of the steps from Dmitry's demo at LSS, or that
>> demo used some additional patch set?
>
> Perhaps Dmitry will make the demo available so that we can review it
> here in more detail.
>
>> Should I be merging changes from
>> git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6.gitt/#next-ima-appraisal
>> for my testing? If yes, since kernel.org is still down is there
>> another place where I can look at those changes?
>
> As you're interested in the EVM/IMA-appraisal digital signatures
> extension, you can continue using #ima-ksign, which tracks the
> EVM/IMA-appraisal tree. I am planning on making the trees available on
> github.
>
> thanks,
>
> Mimi
>
> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user

The IMA/EVM digital signature extension, while korg is down, is located here:
https://meego.gitorious.org/meego-platform-security/ima-ksign

- Dmitry