From: Dmitry K. <d.k...@sa...> - 2014-11-28 14:09:37
On 27/11/14 11:15, Christophe Fillot wrote:
> On 11/26/2014 11:12 PM, Mimi Zohar wrote:
>
>> With commit "8feba3f Add support for signing a file hash", evmctl now
>> supports signing file hashes. You might want to create a manifest file
>> containing all the files and their hashes, similar to the .deb md5sums
>> file, and then sign the file hashes.
>>
>> find <dir> -type f -exec sha256sum {} \; >> ./sha256sums
>> cat ./sha256sums | evmctl sign_hash -a sha256 --key "${PRIVKEY}" > sha256sums.sig
> Thanks for the tip!
>
>>> - At boot, before reading and enabling the IMA policy, the attributes
>>> are loaded from the attribute file and applied to the TMPFS. Then,
>>> when the policy is loaded, no appraisal error occurs.
>> Interesting that the EVM signatures are valid, as the HMAC calculation
>> includes the i_ino. This means that the extracted files have the same
>> i_ino as the original version that you signed. I'm not sure that we can
>> really count on that, nor am I sure how to resolve this problem.
> In fact I create and restore the EVM signatures, but I don't enable EVM
> at the moment.
> I don't see an easy solution for that. If I understand the tmpfs code
> correctly, it calls get_next_ino() to generate inode numbers, and they
> will probably be random at each boot.
>
> Also, even if the tar format (for xattr support) is used instead of cpio to
> uncompress the initramfs into the tmpfs FS, we will still have this problem
> for EVM signatures.
>
> Maybe a solution would be to ignore the inode number for specific
> filesystems during EVM signature calculation (and have an option in evmctl
> for that too)?
I have patches I am working on - Immutable EVM signatures, which will
not include i_ino and iversion.
It should solve this problem.
- Dmitry
>> Are you using an initrd not an initramfs? According to
>> Documentation/filesystems/ramfs-rootfs-initramfs.txt, "If CONFIG_TMPFS
>> is enabled, rootfs will use tmpfs instead of ramfs by default".
>>
> Yes, that's what I thought too, but it seems that it is not really the
> case because of this test:
>
>     if (IS_ENABLED(CONFIG_TMPFS) && !saved_root_name[0] &&
>         (!root_fs_names || strstr(root_fs_names, "tmpfs"))) {
>         err = shmem_init();
>         is_tmpfs = true;
>     } else {
>         err = init_ramfs_fs();
>     }
>
> Christophe
>
> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
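The inode-number problem discussed above, shown as an added toy model that is not evmctl or kernel code: the HMAC key and input layout are constructed stand-ins for EVM's real ones (only the file hash, uid/gid/mode and inode are covered), so the point is the behaviour, not the real wire format. Copying a file the way an initramfs extraction does keeps contents and mode but allocates a new inode, which invalidates a tag that covers i_ino and leaves one that omits it intact.

```python
"""Toy model: why an EVM-style HMAC that covers i_ino does not survive extraction."""
import hashlib
import hmac
import os
import shutil
import tempfile

# Constructed placeholder; a real EVM HMAC key lives in the kernel keyring.
HMAC_KEY = b"constructed-demo-key-not-a-real-evm-key"


def ima_hash(path: str) -> bytes:
    """Stand-in for the security.ima file hash (sha256 of the contents)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).digest()


def evm_tag(path: str, include_ino: bool = True) -> bytes:
    """Keyed tag over file hash + inode metadata, optionally covering st_ino.

    Assumed layout (not EVM's real one): ima hash, uid, gid, mode, [ino].
    """
    st = os.stat(path)
    h = hmac.new(HMAC_KEY, digestmod=hashlib.sha256)
    h.update(ima_hash(path))
    h.update(st.st_uid.to_bytes(4, "little"))
    h.update(st.st_gid.to_bytes(4, "little"))
    h.update(st.st_mode.to_bytes(4, "little"))
    if include_ino:
        h.update(st.st_ino.to_bytes(8, "little"))
    return h.digest()


def survives_extraction(include_ino: bool = True) -> bool:
    """Tag a file, copy it (new inode, same contents/mode), re-verify the copy."""
    workdir = tempfile.mkdtemp()
    try:
        orig = os.path.join(workdir, "orig.bin")
        restored = os.path.join(workdir, "restored.bin")
        with open(orig, "wb") as f:
            f.write(b"constructed sample payload\n")
        tag = evm_tag(orig, include_ino)
        shutil.copy2(orig, restored)  # preserves mode/owner, not st_ino
        return hmac.compare_digest(tag, evm_tag(restored, include_ino))
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print("tag with i_ino verifies after copy:   ", survives_extraction(True))
    print("tag without i_ino verifies after copy:", survives_extraction(False))
```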