From: Mimi Z. <zo...@li...> - 2011-09-14 12:16:47

On Tue, 2011-09-13 at 20:09 -0700, Subodh Nijsure wrote:
> On Mon, Sep 12, 2011 at 4:41 PM, Mimi Zohar <zo...@li...> wrote:
> > On Mon, 2011-09-12 at 14:49 -0700, Subodh Nijsure wrote:
> >> On Mon, Sep 12, 2011 at 1:35 PM, Mimi Zohar <zo...@li...> wrote:
> >> > On Mon, 2011-09-12 at 11:50 -0700, Subodh Nijsure wrote:
> >> >> Hello,
> >> >>
> >> >> I have been using the repo that Dmitry pointed to a few days ago to get
> >> >> familiar with the IMA/EVM feature set.
> >> >>
> >> >> I work for an embedded hw/sw company and we are greatly
> >> >> interested in this feature; it is exactly what we are looking for to assure
> >> >> customers that the stuff running on our device is not being compromised.
> >> >>
> >> >> Anyway, I have compiled the kernel as described at
> >> >> http://linux-ima.sourceforge.net/. For testing I am running this
> >> >> kernel to boot a Ubuntu system under VirtualBox.
> >> >>
> >> >> I am running the evm_enable.sh script that is part of evm-utils.
> >> >>
> >> >> So I booted the system with kernel parameters rootflags=i_version
> >> >> ima_audit=1 ima_appraise=fix evm=fix and ran the script
> >> >> evm_label_all.sh. I created a test script called /bin/myscript.sh; this
> >> >> script had the following security.* info
> >> >> (This script just does echo "Hello World".)
> >> >>
> >> >> # file: bin/myscript.sh
> >> >> security.evm=0x02be034301cffd95fd237197ddf895d1e7e09ceed2
> >> >> security.ima=0x01c0c5e04cf9c08652faf0247afb19c6d708ccf5ba
> >> >>
> >> >> Now I rebooted this machine with kernel parameters rootflags=i_version
> >> >> ima_audit=1 ima_tcb, then I updated /bin/myscript.sh to say echo
> >> >> "Hello World1". Now this updates the security.* info on this file as
> >> >> shown below.
> >> >>
> >> >> # file: bin/myscript.sh
> >> >> security.evm=0x02acf40095e80e65a44c50724b723dea8363f1e26ebe
> >> >> security.ima=0x01dc29420238f18fca4e06d970eec75725a36373ee
> >> >>
> >> >> My keyctl shows the following output:
> >> >>
> >> >> sudo keyctl list @u
> >> >> 4 keys in keyring:
> >> >> 666858261: --alswrv 0 0 user: kmk
> >> >> 461487313: --alswrv 0 0 encrypted: evm-key
> >> >> 715895674: --alswrv 0 0 keyring: _ima
> >> >> 793114560: --alswrv 0 0 keyring: _evm
> >> >>
> >> >>
> >> >> But I expected, since I booted the system with ima_tcb, that I shouldn't be
> >> >> able to execute the updated myscript.sh? What am I doing wrong in doing
> >> >> the basic IMA/EVM test?
> >> >
> >> > Nothing went wrong. :-) It's working as designed, permitting
> >> > 'security.ima' and 'security.evm' to be updated, assuming the original
> >> > values are valid. Modifying either security xattr offline will prevent
> >> > the myscript.sh from being modified online.
> >> >
> >> > If 'security.ima' had been a digital signature, it wouldn't have been
> >> > updated. As a result, executing myscript.sh would subsequently fail.
> >> >
> >>
> >> Sorry if this is obvious.
> >
> > Not at all. Having this discussion here on the mailing list is also
> > important for those who didn't attend LSS.
> >
> >> I thought Dmitry's demo last week at the Linux Plumbers conference showed
> >> that it was possible, i.e. once myscript.sh has security.ima signed by
> >> security.evm, subsequent changes to myscript.sh would prevent its
> >> execution.
> >
> > Dmitry's talk, given by Casey, and demo focused on the EVM/IMA-appraisal
> > digital signatures extension. Initially, both security.ima and
> > security.evm are flashed to the device containing digital signatures.
> > Once verified, for performance, security.evm is converted to an HMAC.
> > For immutable files, security.ima remains as a digital signature in
> > order to prove authenticity. If the file changes, security.ima cannot
> > be updated as the system does not have the private key. I assume we're
> > good to here.
> >
> Understood.
>
> Yes, I have been able to verify this.
>
> One more suggestion for the document. Looking at the code
> (default_appraise_setup), ima_appraise is "on" by default if this
> option is not specified on the kernel command line. Could this be made
> explicit in http://linux-ima.sourceforge.net/linux-ima-content.html-20110907#Enabling_IMA-appraisal?

Sure.

> On a side note, don't all the kernel command line options need to be
> documented in the Documentation/kernel-parameters.txt file? I didn't see
> that in any of the patches; I don't mean to push this off on to you
> folks, and can help if required. I just don't want folks to have a reason to
> reject this work when it comes time to move this code to mainline
> ;-)
>
> -Subodh

The 'evm=' and 'ima_appraise=' boot command line options, as well as
'rootflags=', are documented in Documentation/kernel-parameters.txt.
The other options specified on the boot command line, such as
'masterkey=' and 'evmkey=', are parsed by dracut and never make it to
the kernel. Perhaps there is a list of dracut options that needs to be
updated.

thanks,

Mimi
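Added example, not from the thread, from evm-utils or from the kernel: the script below decodes the security.ima/security.evm values quoted above (the getfattr "-e hex" form, where the first byte is the type from the kernel's evm_ima_xattr_type enum: 0x01 hash, 0x02 HMAC, 0x03 digital signature) and models the behaviour Mimi describes: a hash-type security.ima is recomputed by the kernel after an edit, while a signature-type one is left in place and no longer matches. The script contents and the signature-type value are constructed placeholders, so the hashes computed here do not equal the ones in the thread.

```python
"""Decode IMA/EVM security xattrs and model hash-type versus signature-type
security.ima behaviour after a file edit.  Added example; not project code.

Type byte (first byte of the xattr), per the kernel's evm_ima_xattr_type:
  0x01 IMA_XATTR_DIGEST     file hash; the kernel can recompute it itself
  0x02 EVM_XATTR_HMAC       HMAC over protected xattrs; keyed by the in-kernel evm-key
  0x03 EVM_IMA_XATTR_DIGSIG digital signature; the private key stays offline
"""
import hashlib
import hmac
from dataclasses import dataclass

IMA_XATTR_DIGEST = 0x01
EVM_XATTR_HMAC = 0x02
EVM_IMA_XATTR_DIGSIG = 0x03

TYPE_NAMES = {
    IMA_XATTR_DIGEST: "IMA_XATTR_DIGEST",
    EVM_XATTR_HMAC: "EVM_XATTR_HMAC",
    EVM_IMA_XATTR_DIGSIG: "EVM_IMA_XATTR_DIGSIG",
}


@dataclass
class Xattr:
    type_byte: int
    type_name: str
    payload: bytes             # digest, HMAC or signature blob after the type byte
    kernel_can_regenerate: bool


def decode_xattr(value: str) -> Xattr:
    """Parse a 'getfattr -e hex' style value such as 0x01c0c5e0...

    For the 2011-era layout used in the thread, types 0x01 and 0x02 are
    followed by a 20-byte SHA-1 digest; type 0x03 carries a signature blob.
    """
    hexstr = value[2:] if value.startswith("0x") else value
    raw = bytes.fromhex(hexstr)
    if not raw:
        raise ValueError("empty xattr value")
    t = raw[0]
    return Xattr(t, TYPE_NAMES.get(t, "unknown"), raw[1:],
                 t in (IMA_XATTR_DIGEST, EVM_XATTR_HMAC))


def ima_hash_xattr(content: bytes) -> str:
    """Build a hash-type security.ima (0x01 + SHA-1 of the file) for content."""
    return "0x" + (bytes([IMA_XATTR_DIGEST]) + hashlib.sha1(content).digest()).hex()


def verify_hash_xattr(content: bytes, stored: str) -> bool:
    """Appraise a hash-type security.ima against the current file content."""
    x = decode_xattr(stored)
    if x.type_byte != IMA_XATTR_DIGEST:
        raise ValueError(f"{x.type_name} is not a hash-type security.ima")
    return hmac.compare_digest(x.payload, hashlib.sha1(content).digest())


def security_ima_after_edit(stored: str, new_content: bytes) -> str:
    """Model what happens to security.ima when the file is rewritten.

    Hash type: recomputed from the new content (what the thread observed,
    0x01c0c5... becoming 0x01dc29...).  Signature type: left unchanged, since
    the running system has no private key; it now covers stale content and
    appraisal of the edited file fails.
    """
    x = decode_xattr(stored)
    if x.type_byte == IMA_XATTR_DIGEST:
        return ima_hash_xattr(new_content)
    if x.type_byte == EVM_IMA_XATTR_DIGSIG:
        return stored
    raise ValueError(f"unexpected security.ima type {x.type_name}")


# Values quoted in the thread; both security.ima values start with 0x01,
# i.e. plain hashes, which is why the kernel was allowed to rewrite them.
THREAD_IMA_BEFORE = "0x01c0c5e04cf9c08652faf0247afb19c6d708ccf5ba"
THREAD_IMA_AFTER = "0x01dc29420238f18fca4e06d970eec75725a36373ee"
THREAD_EVM_BEFORE = "0x02be034301cffd95fd237197ddf895d1e7e09ceed2"

# Constructed file contents (the thread's exact bytes are unknown).
SCRIPT_V1 = b'#!/bin/sh\necho "Hello World"\n'
SCRIPT_V2 = b'#!/bin/sh\necho "Hello World1"\n'

# Constructed placeholder carrying the signature type byte; not a real signature.
FAKE_SIGNED_IMA = "0x03" + "00" * 8


def demo() -> dict:
    hash_ima = ima_hash_xattr(SCRIPT_V1)
    return {
        "thread_ima_type": decode_xattr(THREAD_IMA_BEFORE).type_name,
        "thread_evm_type": decode_xattr(THREAD_EVM_BEFORE).type_name,
        "hash_ok_before_edit": verify_hash_xattr(SCRIPT_V1, hash_ima),
        "hash_ok_after_edit_unchanged": verify_hash_xattr(SCRIPT_V2, hash_ima),
        "hash_rewritten_after_edit": security_ima_after_edit(hash_ima, SCRIPT_V2) != hash_ima,
        "sig_rewritten_after_edit": security_ima_after_edit(FAKE_SIGNED_IMA, SCRIPT_V2) != FAKE_SIGNED_IMA,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point the decoder makes visible is that both security.ima values in the thread begin with 0x01: they are plain digests, so the kernel can (and, with valid originals, does) recompute them after a write. Only a 0x03 value pins the file, because regenerating it needs the private key that never leaves the build host. Note that current kernels also define a 0x04 "digest-ng" type that carries a hash-algorithm byte before the digest; the decoder above handles only the SHA-1 layout shown in the thread.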