Menu
▾
▴
Re: [Linux-ima-user] Deadlock after enabling EVM in fix mode
|
From: Mimi Z. <zo...@li...> - 2014-02-14 15:07:12
|
On Fri, 2014-02-14 at 13:21 +0000, Lipinski, MarekX wrote: > > On 12/02/14 16:09, Mimi Zohar wrote: > > > I guess we'll find out. :) Is there any reason for attempting to load > > > a kernel module, when hmac(sha1) should be built in? We really want > > > to skip the modprobe entirely. Wondering what would happen if the > > > modprobe proc entry was NULL... It looks like the modprobe would be > > skipped. > > > The last line of crypto/api.c: crypto_larval_lookup() will simply call > > > crypto_larval_add() to add it. > > I actually have the same deadlock problem on Tizen platform when not using > > initramfs. > > I tried to go through the crypto API and understand the process of > registering algorithms but it looks bit complex to me. I'm guessing the modprobe is to find HW versions, before using the builtin one. > > For hacking purpose and not to mess up with modprobe I just added > this at > > the beginning of the evm_init_key(). > > (...) > > Other workaround, without modifying the code, is to build-in trusted > keys as they register hmac(sha1) during initialization stage. Yes, but without an initramfs, it would be using the system's modprobe. > > But in real system, you still need to enable IMA/EVM BEFORE reading > > anything from storage.... > > initramfs is one of the choices... > > My plan is to inject the secured key inside the kernel during boot. I > hope that will work fine. A 'real' solution will need to be compatible with secure boot. I'm not sure this solution would be. > Regarding EVM I'm wondering why the hash/hmac algorithm is initialized > and freed every time the calculation is requested (init_desc/kfree). I > noticed that in IMA this approach was changed around 3.9 to single > initialization at startup. Wouldn't it bring performance improvement > if EVM is implemented the same way? Also for trusted keys crypto > algorithm initialization is done once, during startup. Will add to the 'todo' list... thanks, Mimi |
