From: Mimi Z. <zo...@li...> - 2014-02-12 13:06:12
On Wed, 2014-02-12 at 08:41 +0000, Lipinski, MarekX wrote:
> Hi Mimi,
>
> I never used signatures - just hashes. Thanks to Dimitry I noticed that hmac(sha1) is not automatically registering at boot time (is not listed in /proc/crypto).
>
> It seems that the scenario is as follows:
> 1) kernel boots - no registration of hmac(sha1)
> 2) init script loads evm-key
> 3) init script starts evm
> 4) init script tries to execute any other binary
>    a) evm is to verify the hash of the 'other binary'
>    b) evm initializes hmac algorithm
>    c) algorithm initialization calls request_module
>    d) request_module before accessing /sbin/modprobe does evm verification
>    e) since the verification is called from the context of other verification function stops on mutex lock
>
> The kernel I'm using is 3.8.0

Ok. Looking at kernel/kmod.c, the default modprobe path is /sbin/modprobe, which would be the initramfs. I'm not seeing the problem, since some other module dracut copies modprobe to the initramfs. (The initramfs is not appraised.) The EVM dracut module should have its own dependency on modprobe.

thanks,

Mimi
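The check discussed in this thread, as an added example that is not part of the original email or of the EVM/dracut code: a pre-flight test an init script could run before starting EVM, reporting whether hmac(sha1) is already listed in /proc/crypto or whether first use will go through request_module and the modprobe helper. The function names and the sample /proc/crypto text are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the thread.

# Constructed sample in /proc/crypto format: hmac(sha1) is NOT registered.
sample_proc_crypto() {
    cat <<'EOF'
name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 0

name         : crc32c
driver       : crc32c-generic
module       : kernel
priority     : 100
EOF
}

# crypto_alg_registered FILE ALG
# Returns 0 if ALG appears as a "name" entry in a /proc/crypto-format file.
crypto_alg_registered() {
    awk -v want="$2" '
        $1 == "name" && $2 == ":" && $3 == want { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# evm_preflight CRYPTO_FILE MODPROBE_PATH
# 0 = hmac(sha1) already registered, no module request needed
# 1 = not registered; first EVM use will call request_module -> MODPROBE_PATH
# 2 = not registered and MODPROBE_PATH is not executable
evm_preflight() {
    if crypto_alg_registered "$1" "hmac(sha1)"; then
        echo "hmac(sha1) registered"; return 0
    fi
    if [ -x "$2" ]; then
        echo "hmac(sha1) not registered; request_module will exec $2"; return 1
    fi
    echo "hmac(sha1) not registered and $2 is not executable"; return 2
}

# Demo on the constructed sample; on a real system pass /proc/crypto and
# the path from /proc/sys/kernel/modprobe instead.
tmp=$(mktemp)
sample_proc_crypto > "$tmp"
evm_preflight "$tmp" /sbin/modprobe || true
rm -f "$tmp"
```

A return value of 1 corresponds to step c) of the quoted scenario; ensuring the algorithm is registered before EVM is started keeps the first verification from issuing a module request.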