Menu
▾
▴
Re: [Linux-ima-user] Deadlock after enabling EVM in fix mode
|
From: Lipinski, M. <mar...@in...> - 2014-02-14 13:22:14
|
> On 12/02/14 16:09, Mimi Zohar wrote: > > I guess we'll find out. :) Is there any reason for attempting to load > > a kernel module, when hmac(sha1) should be built in? We really want > > to skip the modprobe entirely. Wondering what would happen if the > > modprobe proc entry was NULL... It looks like the modprobe would be > skipped. > > The last line of crypto/api.c: crypto_larval_lookup() will simply call > > crypto_larval_add() to add it. > I actually have the same deadlock problem on Tizen platform when not using > initramfs. I tried to go through the crypto API and understand the process of registering algorithms but it looks bit complex to me. > For hacking purpose and not to mess up with modprobe I just added this at > the beginning of the evm_init_key(). > (...) Other workaround, without modifying the code, is to build-in trusted keys as they register hmac(sha1) during initialization stage. > But in real system, you still need to enable IMA/EVM BEFORE reading > anything from storage.... > initramfs is one of the choices... My plan is to inject the secured key inside the kernel during boot. I hope that will work fine. Regarding EVM I'm wondering why the hash/hmac algorithm is initialized and freed every time the calculation is requested (init_desc/kfree). I noticed that in IMA this approach was changed around 3.9 to single initialization at startup. Wouldn't it bring performance improvement if EVM is implemented the same way? Also for trusted keys crypto algorithm initialization is done once, during startup. Regards, Marek Intel GmbH Dornacher Strasse 1 85622 Feldkirchen/Muenchen, Deutschland Sitz der Gesellschaft: Feldkirchen bei Muenchen Geschaeftsfuehrer: Christian Lamprechter, Hannes Schwaderer, Douglas Lusk Registergericht: Muenchen HRB 47456 Ust.-IdNr./VAT Registration No.: DE129385895 Citibank Frankfurt a.M. (BLZ 502 109 00) 600119052 |
