From: Lipinski, M. <mar...@in...> - 2014-02-12 13:50:48

I forgot to mention - I do not use initramfs/initrd. Normally it may not make sense to use hash based security without having initramfs. However the plan is to protect evm-key in a different, platform-specific way. Although I think hash based IMA/EVM without ram disk is still legal, isn't it?

Regards,
Marek

-----Original Message-----
From: Mimi Zohar [mailto:zo...@li...]
Sent: Wednesday, February 12, 2014 2:06 PM
To: Lipinski, MarekX
Cc: lin...@li...; Dmitry Kasatkin
Subject: Re: [Linux-ima-user] Deadlock after enabling EVM in fix mode

On Wed, 2014-02-12 at 08:41 +0000, Lipinski, MarekX wrote:
> Hi Mimi,
>
> I never used signatures - just hashes. Thanks to Dmitry I noticed that hmac(sha1) is not automatically registering at boot time (is not listed in /proc/crypto).
>
> It seems that the scenario is as follows:
> 1) kernel boots - no registration of hmac(sha1)
> 2) init script loads evm-key
> 3) init script starts evm
> 4) init script tries to execute any other binary
>    a) evm is to verify the hash of the 'other binary'
>    b) evm initializes hmac algorithm
>    c) algorithm initialization calls request_module
>    d) request_module before accessing /sbin/modprobe does evm verification
>    e) since the verification is called from the context of other
>       verification function stops on mutex lock
>
> The kernel I'm using is 3.8.0

Ok. Looking at kernel/kmod.c, the default modprobe path is /sbin/modprobe, which would be the initramfs. I'm not seeing the problem, since some other module dracut copies modprobe to the initramfs. (The initramfs is not appraised.) The EVM dracut module should have its own dependency on modprobe.

thanks,

Mimi
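A pre-check for the init-script sequence in the quoted message, added here as an example and not part of the thread: it parses /proc/crypto and refuses to go ahead with enabling EVM unless hmac(sha1) is already registered and self-tested, which is exactly the condition whose absence drove the request_module() call from inside an appraisal. The function names are the example's own and the sample /proc/crypto text is constructed.

```shell
# crypto_alg_ready NAME   (reads /proc/crypto-format text on stdin)
# Returns 0 if a record with "name : NAME" and "selftest : passed" exists,
# 1 otherwise. Records in /proc/crypto are blank-line separated blocks of
# "key : value" lines, so awk's paragraph mode (RS="") splits them for us.
crypto_alg_ready() {
    awk -v want="$1" '
        BEGIN { RS = ""; FS = "\n"; found = 0 }
        {
            name = ""; selftest = ""
            for (i = 1; i <= NF; i++) {
                # "name         : hmac(sha1)" -> kv[1]="name", kv[2]="hmac(sha1)"
                split($i, kv, /[ \t]*:[ \t]*/)
                if (kv[1] == "name")     name = kv[2]
                if (kv[1] == "selftest") selftest = kv[2]
            }
            if (name == want && selftest == "passed") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# evm_precheck   (reads /proc/crypto-format text on stdin)
# Gate for the init-script step that enables EVM: only proceed when the
# HMAC EVM will need is already instantiated, so appraisal never has to
# load a module (and thus appraise /sbin/modprobe) recursively.
evm_precheck() {
    if crypto_alg_ready "hmac(sha1)"; then
        echo "hmac(sha1) registered and self-tested; safe to enable EVM"
    else
        echo "hmac(sha1) not registered; enabling EVM now would force a" \
             "module load from inside appraisal" >&2
        return 1
    fi
}

# Constructed sample of /proc/crypto where hmac(sha1) has NOT been
# instantiated yet (only sha1 and an unrelated HMAC are present).
SAMPLE='name         : sha1
driver       : sha1-generic
module       : kernel
selftest     : passed
type         : shash

name         : hmac(sha256)
driver       : hmac(sha256-generic)
module       : kernel
selftest     : passed
type         : shash'
```

On a live system the gate would be `evm_precheck < /proc/crypto` placed just before the write of 1 to /sys/kernel/security/evm in the init script.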