From: Subodh N. <nij...@gm...> - 2011-09-14 03:10:18
On Tue, Sep 13, 2011 at 1:37 AM, Kasatkin, Dmitry <dmi...@in...> wrote:
> Hello,
>
> See inline and below.
>
> On Tue, Sep 13, 2011 at 2:41 AM, Mimi Zohar <zo...@li...> wrote:
>> On Mon, 2011-09-12 at 14:49 -0700, Subodh Nijsure wrote:
>>> On Mon, Sep 12, 2011 at 1:35 PM, Mimi Zohar <zo...@li...> wrote:
>>> > On Mon, 2011-09-12 at 11:50 -0700, Subodh Nijsure wrote:
>>> >> Hello,
>>> >>
>>> >> I have been using the repo that Dmitry pointed to a few days ago to get familiar with the IMA/EVM feature set.
>>> >>
>>> >> I work for an embedded hw/sw company and we are greatly interested in this feature; it is exactly what we are looking for to assure customers that stuff running on our device is not being compromised.
>>> >>
>>> >> Anyway, I have compiled the kernel as described at http://linux-ima.sourceforge.net/. For testing I am running this kernel to boot a Ubuntu system under Virtualbox.
>>> >>
>>> >> I am running the evm_enable.sh script that is part of evm-utils.
>>> >>
>>> >> So I booted the system with kernel parameters rootflags=i_version ima_audit=1 ima_appraise=fix evm=fix and ran the script evm_label_all.sh. I created a test script called /bin/myscript.sh; this script had the following security.* info (this script just does echo "Hello World"):
>>> >>
>
> evm_label_all.sh is necessary to label security.evm with digital signatures. It is not for using with ima_appraise=fix or evm=fix. It is for building images...
>
> On a running system you can use ima_fix_dir.sh to label everything with HMAC...
>
> And below you do not see, obviously, a digital signature..

Yes, once I modified my script to put a digital IMA signature on it, things work as I expected. I used "evmctl sign --imasig " to sign binaries as well to get the expected behavior -- executables are immutable.

Is there a specific reason why evm_label_all.sh only puts a digital signature on kernel modules, but only a hash on executables owned by uid 0?

-Subodh

>
>>> >> # file: bin/myscript.sh
>>> >> security.evm=0x02be034301cffd95fd237197ddf895d1e7e09ceed2
>>> >> security.ima=0x01c0c5e04cf9c08652faf0247afb19c6d708ccf5ba
>>> >>
>>> >> Now I rebooted this machine with kernel parameters rootflags=i_version ima_audit=1 ima_tcb, then I updated /bin/myscript.sh to say echo "Hello World1". Now this updates the security.* info on this file as shown below.
>>> >>
>>> >> # file: bin/myscript.sh
>>> >> security.evm=0x02acf40095e80e65a44c50724b723dea8363f1e26ebe
>>> >> security.ima=0x01dc29420238f18fca4e06d970eec75725a36373ee
>>> >>
>>> >> My keyctl shows the following output:
>>> >>
>>> >> sudo keyctl list @u
>>> >> 4 keys in keyring:
>>> >> 666858261: --alswrv 0 0 user: kmk
>>> >> 461487313: --alswrv 0 0 encrypted: evm-key
>>> >> 715895674: --alswrv 0 0 keyring: _ima
>>> >> 793114560: --alswrv 0 0 keyring: _evm
>>> >>
>>> >>
>>> >> But I expected that since I booted the system with ima_tcb I shouldn't be able to execute the updated myscript.sh? What am I doing wrong in doing the basic IMA/EVM test?
>>> >
>>> > Nothing went wrong. :-) It's working as designed, permitting 'security.ima' and 'security.evm' to be updated, assuming the original values are valid. Modifying either security xattr offline will prevent the myscript.sh from being modified online.
>>> >
>>> > If 'security.ima' had been a digital signature, it wouldn't have been updated. As a result, executing myscripts.sh would subsequently fail.
>>> >
>>>
>>> Sorry if this is obvious.
>>
>> Not at all. Having this discussion here on the mailing list is also important for those who didn't attend LSS.
>>
>>> I thought Dmitry's demo last week at Linux Plumbers conference showed that it was possible, i.e. once myscript.sh has security.ima signed by security.evm, subsequent changes to myscript.sh would prevent its execution.
>>
>> Dmitry's talk, given by Casey, and demo focused on the EVM/IMA-appraisal digital signatures extension. Initially, both security.ima and security.evm are flashed to the device containing digital signatures. Once verified, for performance, security.evm is converted to an HMAC. For immutable files, security.ima remains as a digital signature in order to prove authenticity. If the file changes, security.ima can not be updated as the system does not have the private key. I assume we're good to here.
>>
>> For mutable files, such as configuration files or scripts, which are system dependent, security.ima contains the file hash. EVM protects security.ima from an offline modification, but IMA-appraisal is dependent on DAC/MAC protecting the running system.
>>
>> There are a number of ways of demonstrating EVM/IMA-appraisal. For example, booting a kernel without EVM or IMA-appraisal enabled, modifying the file, and rebooting with EVM/IMA-appraisal enabled. The file's HMAC will not match security.evm, causing any file read/execute to fail.
>>
>>> Maybe I missed some of the steps from Dmitry's demo at LSS, or that demo used some additional patch set?
>>
>> Perhaps Dmitry will make the demo available so that we can review it here in more detail.
>>
>>> Should I be merging changes from git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6.gitt/#next-ima-appraisal for my testing? If yes, since kernel.org is still down is there another place where I can look at those changes?
>>
>> As you're interested in the EVM/IMA-appraisal digital signatures extension, you can continue using #ima-ksign, which tracks the EVM/IMA-appraisal tree. I am planning on making the trees available on github.
>>
>> thanks,
>>
>> Mimi
>>
>> _______________________________________________
>> Linux-ima-user mailing list
>> Lin...@li...
>> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
>>
>
> IMA/EVM with the digital signature extension, while korg is down, is located here:
> https://meego.gitorious.org/meego-platform-security/ima-ksign
>

It doesn't look like this repo has applied the patches below, should it?

http://marc.info/?l=linux-security-module&m=131462935219688&w=2
http://marc.info/?l=linux-security-module&m=131462935319695&w=2

/Subodh
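As an added illustration (constructed for this page, not code from the thread or from the IMA/EVM project), a toy Python model of the appraisal behaviour Mimi describes: a hash-type security.ima is refreshed on an online write, a signature-type one is not because the running system has no private key, and offline changes to content or xattrs fail appraisal. The signature is stood in for by a MAC under a key the device never uses, the EVM HMAC covers only security.ima (the kernel's also binds inode metadata and other security xattrs), and the 0x03 signature type byte, key values and function names are assumptions.

```python
"""Toy model of the IMA-appraisal / EVM decisions discussed in the thread.
Constructed example: the real EVM HMAC also covers inode metadata and other
security xattrs, and a real signature is verified with a public key."""
import hashlib
import hmac

# 0x01 (hash) and 0x02 (HMAC) match the prefixes shown in the thread;
# 0x03 for a signature is an assumption of this model.
IMA_HASH, EVM_HMAC, IMA_SIG = 0x01, 0x02, 0x03
EVM_KEY = b"constructed-evm-key"          # the per-system 'evm-key' in the keyring
SIGNING_KEY = b"constructed-signing-key"  # private key: exists only where the image is built

def parse_xattr(hexval):
    """Split a value such as '0x01c0c5...' into (type byte, digest bytes)."""
    raw = bytes.fromhex(hexval[2:])
    return raw[0], raw[1:]

def ima_xattr(content, signed):
    """security.ima: plain SHA-1 for mutable files, keyed stand-in for a signature otherwise."""
    digest = hashlib.sha1(content).digest()
    if signed:
        return bytes([IMA_SIG]) + hmac.new(SIGNING_KEY, digest, "sha1").digest()
    return bytes([IMA_HASH]) + digest

def evm_xattr(ima_value):
    """security.evm: HMAC over the protected xattrs under the system's evm-key."""
    return bytes([EVM_HMAC]) + hmac.new(EVM_KEY, ima_value, "sha1").digest()

def label(content, signed=False):
    """Initial labelling: both xattrs consistent with the content."""
    ima = ima_xattr(content, signed)
    return {"content": content, "xattrs": {"security.ima": ima, "security.evm": evm_xattr(ima)}}

def appraise(content, xattrs):
    """EVM check first (xattrs untampered), then IMA-appraisal of the content."""
    if not hmac.compare_digest(xattrs["security.evm"], evm_xattr(xattrs["security.ima"])):
        return False
    expected = ima_xattr(content, signed=xattrs["security.ima"][0] == IMA_SIG)
    return hmac.compare_digest(xattrs["security.ima"], expected)

def write_file(state, new_content):
    """Online write by the running system: a hash is refreshed, a signature cannot be."""
    state["content"] = new_content
    if state["xattrs"]["security.ima"][0] != IMA_SIG:   # no SIGNING_KEY on the device
        ima = ima_xattr(new_content, signed=False)
        state["xattrs"] = {"security.ima": ima, "security.evm": evm_xattr(ima)}
```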