From: Lipinski, M. <mar...@in...> - 2014-02-12 08:41:30
Hi Mimi,

I never used signatures - just hashes.
Thanks to Dmitry I noticed that hmac(sha1) is not automatically registering at boot time (is not listed in /proc/crypto).

It seems that the scenario is as follows:
1) kernel boots - no registration of hmac(sha1)
2) init script loads evm-key
3) init script starts evm
4) init script tries to execute any other binary
   a) evm is to verify the hash of the 'other binary'
   b) evm initializes hmac algorithm
   c) algorithm initialization calls request_module
   d) request_module before accessing /sbin/modprobe does evm verification
   e) since the verification is called from the context of other verification function stops on mutex lock

The kernel I'm using is 3.8.0

Regards,
Marek

-----Original Message-----
From: Mimi Zohar [mailto:zo...@li...]
Sent: Wednesday, February 12, 2014 12:25 AM
To: Dmitry Kasatkin
Cc: Lipinski, MarekX; lin...@li...
Subject: Re: [Linux-ima-user] Deadlock after enabling EVM in fix mode

Hi Marek,

Sorry, I can't seem to reproduce this problem. I have EVM, IMA, IMA-appraisal, and encrypted-keys enabled (builtin), but not trusted-keys. Assuming modprobe is signed, not hashed, have you loaded the public keys on the _ima and _evm keyrings, before enabling EVM? The public keys should be included in the initramfs. Lastly, which kernel are you using?

thanks,

Mimi

On Mon, 2014-02-10 at 11:07 +0200, Dmitry Kasatkin wrote:
> Hi,
>
> Thanks for great help.
> We will fix it.
>
> - Dmitry
>
> On 07/02/14 17:37, Lipinski, MarekX wrote:
> > I found out I had CONFIG_TRUSTED_KEYS not set (as I do not have TPM in my box).
> > I enabled trusted keys in the configuration. Now once init is reached hmac(sha1) is already registered and EVM works fine, no deadlock anymore.
> > I guess either EVM support should depend on TRUSTED_KEYS, or the registration of hmac(sha1) should be enforced before enabling EVM.
> >
> > Regards,
> > Marek
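The precondition suggested in the thread (hmac(sha1) registered before EVM is enabled), as an added example that is not part of the original messages: a shell fragment for the init script that parses /proc/crypto and only then writes to the EVM securityfs file. The function names, the sample data and the securityfs mount point /sys/kernel/security are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): gate EVM activation on hmac(sha1).

# Constructed sample in /proc/crypto format, for offline testing.
sample_proc_crypto() {
    cat <<'EOF'
name         : hmac(sha1)
driver       : hmac(sha1-generic)
module       : kernel
selftest     : passed
type         : shash

name         : sha1
driver       : sha1-generic
module       : kernel
selftest     : passed
type         : shash

EOF
}

# Return 0 if ALG is listed in FILE (default /proc/crypto) with selftest passed.
crypto_alg_ready() {
    alg=$1
    file=${2:-/proc/crypto}
    awk -v want="$alg" '
        /^name[ \t]*:/     { sub(/^name[ \t]*:[ \t]*/, ""); name = $0; next }
        /^selftest[ \t]*:/ { sub(/^selftest[ \t]*:[ \t]*/, "")
                             if (name == want && $0 == "passed") found = 1 }
        /^[ \t]*$/         { name = "" }   # blank line ends an entry
        END                { exit (found ? 0 : 1) }
    ' "$file"
}

# Enable EVM only if hmac(sha1) is already registered, so the algorithm
# lookup does not fall back to request_module (steps 4b-4e in the thread).
enable_evm_if_ready() {
    crypto_file=${1:-/proc/crypto}
    evm_file=${2:-/sys/kernel/security/evm}   # assumed securityfs mount point
    if crypto_alg_ready "hmac(sha1)" "$crypto_file"; then
        echo 1 > "$evm_file"
    else
        echo "hmac(sha1) not in $crypto_file; EVM left disabled" >&2
        return 1
    fi
}
```

In the init script, the call to enable_evm_if_ready belongs after the evm-key is loaded and before any other binary is executed.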