From: Bo Z. <bob...@gm...> - 2013-04-01 19:20:10

Hi, all,
I have some questions about the EVM extended attribute data structure.
First, why is the EVM xattr data structure different between kernel space
and user space?
Here is the definition of the EVM xattr data structure in the kernel (3.8.0):
    struct evm_ima_xattr_data {
        u8 type;
        u8 digest[SHA1_DIGEST_SIZE];
    } __attribute__((packed));
And the init and update operations in the kernel (3.8.0) all operate on
"struct evm_ima_xattr_data", e.g.
[in evm_main.c]
    int evm_inode_init_security(struct inode *inode,
                                const struct xattr *lsm_xattr,
                                struct xattr *evm_xattr)
    {
        struct evm_ima_xattr_data *xattr_data;
        int rc;
        ...
        xattr_data->type = EVM_XATTR_HMAC;
        rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
        if (rc < 0)
            goto out;
        evm_xattr->value = xattr_data;
        evm_xattr->value_len = sizeof(*xattr_data);
        evm_xattr->name = kstrdup(XATTR_EVM_SUFFIX, GFP_NOFS);
        return 0;
    out:
        kfree(xattr_data);
        return rc;
    }
[in evm_crypto.c]
    int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name,
                            const char *xattr_value, size_t xattr_value_len)
    {
        struct inode *inode = dentry->d_inode;
        struct evm_ima_xattr_data xattr_data;
        int rc = 0;
        rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
                           xattr_value_len, xattr_data.digest);
        if (rc == 0) {
            xattr_data.type = EVM_XATTR_HMAC;
            rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_EVM,
                                       &xattr_data,
                                       sizeof(xattr_data), 0);
        } else if (rc == -ENODATA && inode->i_op->removexattr) {
            rc = inode->i_op->removexattr(dentry, XATTR_NAME_EVM);
        }
        return rc;
    }
While in ima-evm-utils (evmctl), security.evm is signed with "unsigned
char sig[1024]":
    static int sign_evm(const char *file, const char *key)
    {
        unsigned char hash[20];
        unsigned char sig[1024] = "\x03";
        ...
        err = setxattr(file, "security.evm", sig, len + 1, 0);
        if (err < 0) {
            log_err("setxattr failed: %s\n", file);
            return err;
        }
        return 0;
    }
I am confused here; can anybody help me?
Second, I have already run the IMA module and ima-evm-utils on Gentoo with
these docs:
[1] http://www.gentoo.org/proj/en/hardened/integrity/docs/ima-guide.xml
[2] http://www.gentoo.org/proj/en/hardened/integrity/docs/evm-guide.xml
and got security.ima and security.evm like this:
    tcel keys # getfattr -m . -d ~/pgydyd
    # file: root/pgydyd
    security.evm=0sAwFKz+1QAAA9Yz7H6RrISQEEAC8rEMhvs9q5HkwTU1EJOCdCTz0KLyhR1knpH/yT
    W0EPa241Z+d4gSvX2cQadcKlpNAFw+f5LWHQrNVyXAERY3+GGA3LPaEucGeXv6UseKuhblFD57S
    WO901IM4woC2zRcq55dD0rkNYxEz/vKmmYuVjRnh9RX6bQWH68/yvCwSh
    security.ima=0sAYP1pcNZ89yDF1GSQOMvH1H2i8BR
The format of the hash or signing result is totally different from [1]'s:
    ~# getfattr -m . -d /boot/grub/grub.conf
    # file: grub.conf
    security.selinux="root:object_r:boot_t"
    security.ima="76a0d787be14d84dfe3cf3930ac3da38bb389464"
I don't believe this is a programming mistake; maybe I did something wrong,
or it is related to the first question.
Thanks in advance :)
BTW, I am a student and now I am trying to develop another security module
which is related to IMA;
I have read the source code of "integrity" for about 4 or 5 days.
Best Regards,
Zhi Bo
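Decoding the two values from the getfattr output above, as an added example that is not part of the original post. The "0s" prefix is getfattr's base64 encoding of a binary value (a printable value, like the one in [1], is shown quoted instead); the type byte follows the kernel's enum evm_ima_xattr_type in security/integrity/integrity.h (3.8), and the signature layout follows the version-1 struct signature_hdr in include/linux/digsig.h, which is what evmctl's "\x03" buffer carries. The function names and the sample text are assumptions/constructed here, not from the post or from ima-evm-utils.

```python
import base64
import struct
# Type byte values from the kernel's enum evm_ima_xattr_type (integrity.h, 3.8).
IMA_XATTR_DIGEST = 0x01      # security.ima: bare SHA1 digest
EVM_XATTR_HMAC = 0x02        # security.evm: HMAC written by the kernel
EVM_IMA_XATTR_DIGSIG = 0x03  # RSA signature written by evmctl (sig[0] = "\x03")

# The getfattr output from the post, still wrapped as it arrived by mail
# (constructed sample input; getfattr itself prints each value on one line).
SAMPLE = """# file: root/pgydyd
security.evm=0sAwFKz+1QAAA9Yz7H6RrISQEEAC8rEMhvs9q5HkwTU1EJOCdCTz0KLyhR1knpH/yT
W0EPa241Z+d4gSvX2cQadcKlpNAFw+f5LWHQrNVyXAERY3+GGA3LPaEucGeXv6UseKuhblFD57S
WO901IM4woC2zRcq55dD0rkNYxEz/vKmmYuVjRnh9RX6bQWH68/yvCwSh
security.ima=0sAYP1pcNZ89yDF1GSQOMvH1H2i8BR
"""

def parse_getfattr(text):
    """Return {name: raw bytes}. getfattr -d prefixes base64 values with "0s"
    and puts printable text, like the value in [1], in double quotes."""
    values, name = {}, None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        head = line.split("=", 1)[0]
        if "." in head:                  # "security.ima=...": a new attribute
            name = head
            values[name] = line[len(head) + 1:]
        elif name is not None:           # base64 has no ".": wrapped continuation
            values[name] += line
    raw = {}
    for k, v in values.items():
        if v.startswith("0s"):
            raw[k] = base64.b64decode(v[2:])
        else:
            raw[k] = v.strip('"').encode()
    return raw
def decode_xattr(raw):
    """Split an EVM/IMA xattr into type byte and payload; for a DIGSIG, parse
    the version-1 struct signature_hdr from include/linux/digsig.h."""
    t, body = raw[0], raw[1:]
    if t in (IMA_XATTR_DIGEST, EVM_XATTR_HMAC):
        return {"type": t, "digest": body.hex()}   # SHA1_DIGEST_SIZE bytes
    if t != EVM_IMA_XATTR_DIGSIG:
        return {"type": t, "payload": body}
    # version, timestamp (4 bytes, skipped), algo (0 = RSA), hash (0 = SHA1), keyid[8], nmpi
    version, algo, halg, keyid, nmpi = struct.unpack(">B4xBB8sB", body[:16])
    bits = struct.unpack(">H", body[16:18])[0]     # MPI bit length, big-endian
    sig = body[18:18 + (bits + 7) // 8]            # the RSA signature itself
    return {"type": t, "version": version, "algo": algo, "hash": halg, "keyid": keyid.hex(),
            "nmpi": nmpi, "bits": bits, "sig": sig, "trailing": len(body) - 18 - len(sig)}
```

Run against the post's values this gives a type-1 security.ima (1 + 20 bytes, exactly sizeof(struct evm_ima_xattr_data)) and a type-3 security.evm holding a 1024-bit RSA signature, so the two layouts do not conflict: the kernel writes type 2 HMACs and evmctl writes type 3 signatures, both behind the same leading type byte.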