Re: [Linux-ima-user] [PATCH] evm: provide portable EVM signature version.

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

[cc'ing Dmitry Kasatkin]

Hi Mikhail,

On Sat, 2016-12-24 at 01:59 +0300, Mikhail Kurinnoi wrote:
> I am not sure, if portable EVM signature version is still in
> discussion or not, but, in case of someone interested in this feature
> too, I propose to discuss patch that I am using. This patch are used
> for custom kernels in order to provide initial EVM signed files in
> packages from package build server to desktop PCs.

A portable EVM signature, which can be included in an archive, is
important.   There were good reasons for including file system specific
information in the HMAC calculation.  By removing these fields,  the new
format does not provide the same security guarantees as the existing
format.  

Instead of converting the EVM signature to an HMAC on first access,  I
would prefer that the new format never be written out to the file
system, but converted to an HMAC after verification in
evm_inode_post_setxattr().  This would provide the benefits of a
portable EVM format, without loosing the existing security guarantees.

Mimi