From: Lipinski, M. <mar...@in...> - 2014-02-07 12:09:49
Hi,

I'm trying to enable IMA/EVM on my box. I'm experiencing problems in the following situation:

System is booted with rootflags=i_version ima_appraise_tcb ima_appraise=fix evm=fix. EVM is being enabled at the very beginning of the booting. Init script (passed to the kernel) mounts /sys, /proc, /dev, loads the emv-key file and starts the EVM by echoing "1" into /sys/kernel/security/evm. Until now everything is ok and I'm getting 'EVM: initialized' message.

After that running any other executable causes the deadlock. It looks as if before execution EVM tries to calculate the HMAC. init_desc function is being called, which tries to load hmac(sha1) algorithm. Crypto API calls request_module, which tries to run /sbin/modprobe. Before executing, the modprobe executable is being verified to have correct EVM HMAC. This again causes the init_desc to be executed and hang on the mutex_lock.

Can anyone tell me what I'm doing wrong? The only workaround that comes to my mind is to force EVM's init_desc to be run before EVM is enabled so the algorithm is loaded and any subsequent call will not require requesting module.

Kernel debug message:

[ 90.993569] INFO: task modprobe:110 blocked for more than 30 seconds.
[ 91.000801] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 91.009576] modprobe D 00000000 0 110 109 0x00000000
[ 91.016754] f3051cac 00000046 00000249 00000000 f30783b0 c182a200 c16e3000 c182a200
[ 91.025632] 2bdcc63b 00000008 2ae91efb 00000008 f30783b0 f3051c64 00000006 00000019
[ 91.034514] 00000001 00000000 c11be254 f30783b0 c192b8b4 00000040 f30783b0 00000001
[ 91.043371] Call Trace:
[ 91.046137] [<c11be254>] ? trace_hardirqs_on_thunk+0xc/0x10
[ 91.052491] [<c10722c3>] ? mark_held_locks+0xae/0xd0
[ 91.058163] [<c14201cb>] ? mutex_lock_nested+0x152/0x2a2
[ 91.064288] [<c1421517>] schedule+0x51/0x53
[ 91.069086] [<c1421712>] schedule_preempt_disabled+0x12/0x1e
[ 91.075534] [<c14201e7>] mutex_lock_nested+0x16e/0x2a2
[ 91.081399] [<c1195f7e>] ? init_desc+0x52/0x177
[ 91.086585] [<c1195f7e>] init_desc+0x52/0x177
[ 91.091576] [<c1196144>] evm_calc_hmac_or_hash+0x47/0xed
[ 91.097636] [<c10f3404>] ? vfs_getxattr_alloc+0x8d/0xa9
[ 91.103598] [<c11961fa>] evm_calc_hmac+0x10/0x12
[ 91.108880] [<c1195ccf>] evm_verify_hmac+0xdd/0x149
[ 91.114468] [<c102cac7>] ? vprintk_emit+0x391/0x3cf
[ 91.120042] [<c1195dcd>] evm_verifyxattr+0x53/0x63
[ 91.125520] [<c11958fc>] ima_appraise_measurement+0xaa/0x1b9
[ 91.131970] [<c1194b39>] process_measurement+0x13d/0x182
[ 91.138021] [<c1194ce8>] ima_file_check+0x16a/0x182
[ 91.143597] [<c10e2962>] do_last.clone.26+0x7c1/0x90e
[ 91.149355] [<c10e0145>] ? inode_permission+0x3f/0x41
[ 91.155123] [<c10e01ac>] ? link_path_walk+0x65/0x670
[ 91.160793] [<c10e2b44>] path_openat.clone.27+0x95/0x352
[ 91.166852] [<c1070107>] ? trace_hardirqs_off+0xb/0xd
[ 91.172619] [<c10e3022>] do_filp_open+0x21/0x5d
[ 91.177805] [<c10edd68>] ? __alloc_fd+0x178/0x183
[ 91.183185] [<c10d769c>] do_sys_open+0x104/0x17d
[ 91.188468] [<c10d7736>] sys_open+0x21/0x29
[ 91.193265] [<c1422ffe>] sysenter_do_call+0x12/0x36

The kernel I'm using is 3.8.0

Thanks,
Marek

Intel GmbH
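
The blocked chain in the report above can be recognised mechanically when triaging hung-task messages from an IMA/EVM boot. The following Python sketch is an added example, not part of the original post or of the kernel: it parses a hung-task report, drops the unreliable `?` frames, and flags a `modprobe` task stuck on the `init_desc` mutex beneath IMA appraisal. The function names are this example's own, and the embedded report is an excerpt of the trace quoted in the post.

```python
import re

# Excerpt of the hung-task report quoted in the post (some frames omitted).
REPORT = """\
[ 90.993569] INFO: task modprobe:110 blocked for more than 30 seconds.
[ 91.046137] [<c11be254>] ? trace_hardirqs_on_thunk+0xc/0x10
[ 91.064288] [<c1421517>] schedule+0x51/0x53
[ 91.075534] [<c14201e7>] mutex_lock_nested+0x16e/0x2a2
[ 91.081399] [<c1195f7e>] ? init_desc+0x52/0x177
[ 91.086585] [<c1195f7e>] init_desc+0x52/0x177
[ 91.091576] [<c1196144>] evm_calc_hmac_or_hash+0x47/0xed
[ 91.108880] [<c1195ccf>] evm_verify_hmac+0xdd/0x149
[ 91.120042] [<c1195dcd>] evm_verifyxattr+0x53/0x63
[ 91.125520] [<c11958fc>] ima_appraise_measurement+0xaa/0x1b9
[ 91.138021] [<c1194ce8>] ima_file_check+0x16a/0x182
[ 91.188468] [<c10d7736>] sys_open+0x21/0x29
"""

TASK_RE = re.compile(r"INFO: task (\S+):(\d+) blocked for more than \d+ seconds")
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\]\s+(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_report(text):
    """Return (task, pid, reliable_frames), innermost frame first, or None."""
    m = TASK_RE.search(text)
    if m is None:
        return None
    frames = [f.group(2) for f in FRAME_RE.finditer(text) if not f.group(1)]
    return m.group(1), int(m.group(2)), frames

def is_subsequence(prefixes, frames):
    """True if every prefix matches some frame, in the given order."""
    it = iter(frames)
    return all(any(f.startswith(p) for f in it) for p in prefixes)

# Innermost-first chain described in the post: a file open triggers IMA
# appraisal, EVM verifies the HMAC, and init_desc waits on its mutex.
EVM_CHAIN = ["mutex_lock", "init_desc", "evm_verify", "ima_file_check"]

def evm_modprobe_deadlock(text):
    """Flag a modprobe task blocked in init_desc under IMA/EVM appraisal."""
    parsed = parse_report(text)
    if parsed is None:
        return False
    task, _pid, frames = parsed
    return task == "modprobe" and is_subsequence(EVM_CHAIN, frames)

if __name__ == "__main__":
    print("EVM/modprobe deadlock pattern:", evm_modprobe_deadlock(REPORT))
```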