Menu
▾
▴
Re: [Linux-ima-user] questions about the EVM extended attribute data structure
|
From: Mimi Z. <zo...@li...> - 2013-04-03 12:45:52
|
On Tue, 2013-04-02 at 03:19 +0800, Bo Zhi wrote:
> hi, all
>
> I have some questions about the EVM extended attribute data structure.
>
> first, why is the EVM xattr data structure different between kernel
> space and user space ?
>
> here is the definition of EVM xattr data structure in kernel (3.8.0):
>
> struct evm_ima_xattr_data {
> u8 type;
> u8 digest[SHA1_DIGEST_SIZE];
> } __attribute__((packed));
>
> and the init and update operations in kernel (3.8.0) are all operated
> with "struct evm_ima_xattr_data", e.g.
>
> [in evm_main.c]
> int evm_inode_init_security(struct inode *inode,
> const struct xattr *lsm_xattr,
> struct xattr *evm_xattr)
> {
> struct evm_ima_xattr_data *xattr_data;
> int rc;
> ...
> xattr_data->type = EVM_XATTR_HMAC;
> rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
> if (rc < 0)
> goto out;
>
>
> evm_xattr->value = xattr_data;
> evm_xattr->value_len = sizeof(*xattr_data);
> evm_xattr->name = kstrdup(XATTR_EVM_SUFFIX, GFP_NOFS);
> return 0;
> out:
> kfree(xattr_data);
> return rc;
> }
>
>
> [in evm_crypto.c]
> int evm_update_evmxattr(struct dentry *dentry, const char
> *xattr_name,
> const char *xattr_value, size_t xattr_value_len)
> {
> struct inode *inode = dentry->d_inode;
> struct evm_ima_xattr_data xattr_data;
> int rc = 0;
>
>
> rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
> xattr_value_len, xattr_data.digest);
> if (rc == 0) {
> xattr_data.type = EVM_XATTR_HMAC;
> rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_EVM,
> &xattr_data,
> sizeof(xattr_data), 0);
> } else if (rc == -ENODATA && inode->i_op->removexattr) {
> rc = inode->i_op->removexattr(dentry, XATTR_NAME_EVM);
> }
> return rc;
> }
>
>
>
>
> while in the ima-evm-utils(evmctl), security.evm is signed with
> "unsigned char sig[1024]"
>
>
> static int sign_evm(const char *file, const char *key)
> {
> unsigned char hash[20];
> unsigned char sig[1024] = "\x03";
> ...
> err = setxattr(file, "security.evm", sig, len + 1, 0);
> if (err < 0) {
> log_err("setxattr failed: %s\n", file);
> return err;
> }
> return 0;
> }
>
> I am confused here, can anybody help me ?
>
> second, I have already run the IMA module and ima-evm-utils on Gentoo
> with these docs:
>
> [1]
> http://www.gentoo.org/proj/en/hardened/integrity/docs/ima-guide.xml
> [2]
> http://www.gentoo.org/proj/en/hardened/integrity/docs/evm-guide.xml
>
>
> and get security.ima and security.evm like this:
>
>
> tcel keys # getfattr -m . -d ~/pgydyd
> # file: root/pgydyd
> security.evm=0sAwFKz
> +1QAAA9Yz7H6RrISQEEAC8rEMhvs9q5HkwTU1EJOCdCTz0KLyhR1knpH/yT
> W0EPa241Z+d4gSvX2cQadcKlpNAFw+f5LWHQrNVyXAERY3
> +GGA3LPaEucGeXv6UseKuhblFD57S
> WO901IM4woC2zRcq55dD0rkNYxEz/vKmmYuVjRnh9RX6bQWH68/yvCwSh
> security.ima=0sAYP1pcNZ89yDF1GSQOMvH1H2i8BR
>
>
> the format of the hash or sign result is totally different with [1]'s:
>
>
> ~# getfattr -m . -d /boot/grub/grub.conf
> # file: grub.conf
> security.selinux="root:object_r:boot_t"
> security.ima="76a0d787be14d84dfe3cf3930ac3da38bb389464"
>
>
> I don't believe this is a programming mistake, maybe I did something
> wrong, or it is related with the first question.
>
>
> thanks in advance :)
'security.evm' contains either an HMAC or a digital signature, of which
there are two formats - original, asymmetric. 'security.ima' contains
either a hash or a digital signature. Based on the evmctl arguments,
determines both the 'security.evm' and 'security.ima' xattr contents.
evm_verify_hmac() verifies the HMAC or calls integrity_digsig_verify(),
which in turn calls either digsig_verify() or asymmetric_verify(), to
verify the digital signature.
Try using the getfattr '--e hex' option to output the binary data in
hex.
thanks,
Mimi
>
> btw, i am a student and now i am trying to develop another security
> module which is related with IMA,
> i have read the source code of "integrity" about 4 or 5 days.
>
>
> Best Regards,
>
> Zhi Bo
|