From: Kasatkin, D. <dmi...@in...> - 2011-09-14 09:09:24
On Wed, Sep 14, 2011 at 6:10 AM, Subodh Nijsure <nij...@gm...> wrote:
> On Tue, Sep 13, 2011 at 1:37 AM, Kasatkin, Dmitry <dmi...@in...> wrote:
>> Hello,
>>
>> See inline and below.
>>
>> On Tue, Sep 13, 2011 at 2:41 AM, Mimi Zohar <zo...@li...> wrote:
>>> On Mon, 2011-09-12 at 14:49 -0700, Subodh Nijsure wrote:
>>>> On Mon, Sep 12, 2011 at 1:35 PM, Mimi Zohar <zo...@li...> wrote:
>>>> > On Mon, 2011-09-12 at 11:50 -0700, Subodh Nijsure wrote:
>>>> >> Hello,
>>>> >>
>>>> >> I have been using the repo that Dmitry pointed to a few days ago to get
>>>> >> familiar with the IMA/EVM feature set.
>>>> >>
>>>> >> I work for an embedded hw/sw company and we are greatly
>>>> >> interested in this feature; it is exactly what we are looking for to assure
>>>> >> customers that the stuff running on our device is not being compromised.
>>>> >>
>>>> >> Anyway, I have compiled the kernel as described at
>>>> >> http://linux-ima.sourceforge.net/. For testing I am running this
>>>> >> kernel to boot a Ubuntu system under Virtualbox.
>>>> >>
>>>> >> I am running the evm_enable.sh script that is part of evm-utils.
>>>> >>
>>>> >> So I booted the system with kernel parameters rootflags=i_version
>>>> >> ima_audit=1 ima_appraise=fix evm=fix and ran the script
>>>> >> evm_label_all.sh. I created a test script called /bin/myscript.sh; this
>>>> >> script had the following security.* info
>>>> >> (This script just does echo "Hello World".)
>>>> >>
>>
>> evm_label_all.sh is necessary to label security.evm with digital signatures.
>> It is not for using it with ima_appraise=fix or evm=fix.
>> It is for building images...
>>
>> On a running system you can use ima_fix_dir.sh to label everything with HMAC...
>>
>> And below you do not see, obviously, a digital signature..
>
> Yes, once I modified my script to put a digital IMA signature, things work
> as I expected.
> I used "evmctl sign --imasig" to sign binaries as well to get the
> expected behavior -- executables are immutable.
>
> Is there a specific reason why evm_label_all.sh only puts a digital
> signature on kernel modules, but only a hash on executables owned by uid
> 0?

Simply, I only need IMA signatures for modules to load them...

> -Subodh
>
>>>> >> # file: bin/myscript.sh
>>>> >> security.evm=0x02be034301cffd95fd237197ddf895d1e7e09ceed2
>>>> >> security.ima=0x01c0c5e04cf9c08652faf0247afb19c6d708ccf5ba

Maybe not... It depends on the ima-2.6#next-ima-appraisal repository

>>>> >>
>>>> >> Now I rebooted this machine with kernel parameters rootflags=i_version
>>>> >> ima_audit=1 ima_tcb, then I updated /bin/myscript.sh to say echo
>>>> >> "Hello World1". Now this updates the security.* info on this file as
>>>> >> shown below.
>>>> >>
>>>> >> # file: bin/myscript.sh
>>>> >> security.evm=0x02acf40095e80e65a44c50724b723dea8363f1e26ebe
>>>> >> security.ima=0x01dc29420238f18fca4e06d970eec75725a36373ee
>>>> >>
>>>> >> My keyctl shows the following output:
>>>> >>
>>>> >> sudo keyctl list @u
>>>> >> 4 keys in keyring:
>>>> >> 666858261: --alswrv 0 0 user: kmk
>>>> >> 461487313: --alswrv 0 0 encrypted: evm-key
>>>> >> 715895674: --alswrv 0 0 keyring: _ima
>>>> >> 793114560: --alswrv 0 0 keyring: _evm
>>>> >>
>>>> >>
>>>> >> But I expected, since I booted the system with ima_tcb, that I shouldn't be
>>>> >> able to execute the updated myscript.sh? What am I doing wrong in doing
>>>> >> the basic IMA/EVM test?
>>>> >
>>>> > Nothing went wrong. :-) It's working as designed, permitting
>>>> > 'security.ima' and 'security.evm' to be updated, assuming the original
>>>> > values are valid. Modifying either security xattr offline will prevent
>>>> > the myscript.sh from being modified online.
>>>> >
>>>> > If 'security.ima' had been a digital signature, it wouldn't have been
>>>> > updated. As a result, executing myscript.sh would subsequently fail.
>>>> >
>>>>
>>>> Sorry if this is obvious.
>>>
>>> Not at all. Having this discussion here on the mailing list is also
>>> important for those who didn't attend LSS.
>>>
>>>> I thought Dmitry's demo last week at the Linux Plumbers conference showed
>>>> that it was possible, i.e. once myscript.sh has security.ima signed by
>>>> security.evm, subsequent changes to myscript.sh would prevent its
>>>> execution.
>>>
>>> Dmitry's talk, given by Casey, and demo focused on the EVM/IMA-appraisal
>>> digital signatures extension. Initially, both security.ima and
>>> security.evm are flashed to the device containing digital signatures.
>>> Once verified, for performance, security.evm is converted to an HMAC.
>>> For immutable files, security.ima remains as a digital signature in
>>> order to prove authenticity. If the file changes, security.ima can not
>>> be updated as the system does not have the private key. I assume we're
>>> good to here.
>>>
>>> For mutable files, such as configuration files or scripts, which are
>>> system dependent, security.ima contains the file hash. EVM protects
>>> security.ima from an offline modification, but IMA-appraisal is
>>> dependent on DAC/MAC protecting the running system.
>>>
>>> There are a number of ways of demonstrating EVM/IMA-appraisal. For
>>> example, booting a kernel without EVM or IMA-appraisal enabled,
>>> modifying the file, and rebooting with EVM/IMA-appraisal enabled. The
>>> file's HMAC will not match security.evm, causing any file read/execute
>>> to fail.
>>>
>>>> Maybe I missed some of the steps from Dmitry's demo at LSS, or that
>>>> demo used some additional patch set?
>>>
>>> Perhaps Dmitry will make the demo available so that we can review it
>>> here in more detail.
>>>
>>>> Should I be merging changes from
>>>> git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6.gitt/#next-ima-appraisal
>>>> for my testing? If yes, since kernel.org is still down, is there
>>>> another place where I can look at those changes?
>>>
>>> As you're interested in the EVM/IMA-appraisal digital signatures
>>> extension, you can continue using #ima-ksign, which tracks the
>>> EVM/IMA-appraisal tree. I am planning on making the trees available on
>>> github.
>>>
>>> thanks,
>>>
>>> Mimi
>>>
>>> _______________________________________________
>>> Linux-ima-user mailing list
>>> Lin...@li...
>>> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
>>>
>>
>> IMA/EVM with the digital signature extension, while korg is down,
>> is located here:
>> https://meego.gitorious.org/meego-platform-security/ima-ksign
>>
>
> It doesn't look like this repo has applied the patches below, should it?
>
> http://marc.info/?l=linux-security-module&m=131462935219688&w=2
> http://marc.info/?l=linux-security-module&m=131462935319695&w=2
>
> /Subodh
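As an added illustration, not code from the thread, the kernel or evm-utils, the following Python model shows the behaviour Mimi describes: a hash-type security.ima (0x01) is recomputed after an online write while a signature-type one (0x03) is not, and an offline edit of security.ima is caught because security.evm (0x02, HMAC) no longer matches. The type bytes match the kernel's enum evm_ima_xattr_type; the HMAC input layout, the evm_key value and the inode tuple are constructed simplifications, and signature verification against the _ima keyring is left out.

```python
import hashlib
import hmac

# Type bytes from the kernel's enum evm_ima_xattr_type (security/integrity/integrity.h)
IMA_XATTR_DIGEST = 0x01      # security.ima holds the file hash (mutable file)
EVM_XATTR_HMAC = 0x02        # security.evm holds an HMAC over security xattrs + inode data
EVM_IMA_XATTR_DIGSIG = 0x03  # security.ima holds a digital signature (immutable file)

def parse_xattr(hexvalue):
    """Split a '0x..' value as printed by getfattr into (type byte, payload)."""
    raw = bytes.fromhex(hexvalue[2:] if hexvalue.startswith("0x") else hexvalue)
    return raw[0], raw[1:]

def ima_digest_xattr(content):
    """security.ima as IMA writes it for a mutable file: 0x01 followed by SHA-1."""
    return "0x" + bytes([IMA_XATTR_DIGEST]).hex() + hashlib.sha1(content).hexdigest()

def evm_hmac_xattr(evm_key, xattrs, inode):
    """Simplified EVM HMAC over the protected xattr values plus inode metadata.
    evm_key stands in for the kernel 'evm-key'; the inode tuple packing is constructed."""
    h = hmac.new(evm_key, digestmod=hashlib.sha1)
    for name in sorted(xattrs):
        h.update(bytes.fromhex(xattrs[name][2:]))
    h.update(repr(inode).encode())
    return "0x" + bytes([EVM_XATTR_HMAC]).hex() + h.hexdigest()

def appraise(content, xattrs, evm_key, inode):
    """Decision order as in the thread: EVM first (offline tampering with the
    xattrs), then IMA-appraisal (does security.ima still match the content)."""
    protected = {k: v for k, v in xattrs.items() if k != "security.evm"}
    if xattrs.get("security.evm") != evm_hmac_xattr(evm_key, protected, inode):
        return "evm-hmac-mismatch"
    xtype, payload = parse_xattr(xattrs["security.ima"])
    if xtype == IMA_XATTR_DIGEST:
        return "ok" if payload == hashlib.sha1(content).digest() else "ima-hash-mismatch"
    if xtype == EVM_IMA_XATTR_DIGSIG:
        return "ima-digsig"  # verified against the _ima keyring; never regenerated here
    return "unknown-ima-type"

def update_after_write(content, xattrs, evm_key, inode):
    """Online modification of a file whose xattrs were valid: a hash-type
    security.ima is recomputed and security.evm re-HMACed; a signature stays."""
    new = dict(xattrs)
    if parse_xattr(new["security.ima"])[0] == IMA_XATTR_DIGEST:
        new["security.ima"] = ima_digest_xattr(content)
    protected = {k: v for k, v in new.items() if k != "security.evm"}
    new["security.evm"] = evm_hmac_xattr(evm_key, protected, inode)
    return new
```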