From: Mikhail K. <vie...@vi...> - 2017-01-02 20:35:08
I switched my tests to another disk and ran into a deadlock during boot. The deadlock is reproducible if EVM is enabled and the EVM x509 cert is loaded in kernel code (CONFIG_EVM_LOAD_X509) with the default IMA policy. The deadlock starts from the first file signed with an EVM digital signature. In my case it was /sbin/init, since I only now moved the system to the new disk, and all binary files were signed with:

    evmctl sign -a sha512 --imasig -r -t fm --key /privkey_ima.pem ./

After some investigation I found:

1) As soon as the system switches to the real root, EVM has to work with files signed with an EVM digital signature.
2) For EVM digital signature verification, the kernel (comm="kworker/u8:6") tries to detect/load kernel modules related to "sha1" from user space.
3) The kernel tries to use /bin/kmod from user space.
4) Since we have /bin/kmod (and its dependencies) also signed with an EVM digital signature, we have both files locked (/sbin/init and /bin/kmod, for example) until we verify the /bin/kmod EVM digital signature.
5) Since we need /bin/kmod in order to verify the /bin/kmod EVM digital signature, we have a runaway loop in verify_signature() that produces a deadlock in process_measurement().

In my case, I was forced to manually update the EVM digital signature to an HMAC for /bin/kmod and all its dependencies before I was able to boot.

I think this is a really bad situation, when for EVM to work we need properly signed files from user space.

--
Best regards,
Mikhail Kurinnoi
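Added example (not part of the mailing-list post above, and not code from the IMA/EVM project): a small audit that a practitioner could run over the security.evm xattrs of the module-loading helper and its libraries before enabling CONFIG_EVM_LOAD_X509, to find the condition the post describes: a helper that is itself signed with an EVM digital signature whose hash algorithm is not built into the kernel, so verifying it would require loading a module through that very helper. The xattr type values, the signature_v2_hdr layout and the hash_algo numbering are the author's reading of the kernel headers and should be treated as assumptions to check against your tree; the file blobs, helper list and built-in hash set are constructed sample input.

```python
"""Classify IMA/EVM xattr blobs and flag helpers whose verification would
need a module that only the helper itself can load.

Added example; constants are assumptions about the kernel's
enum evm_ima_xattr_type, struct signature_v2_hdr and enum hash_algo.
"""
import struct

# First byte of security.ima / security.evm (assumed evm_ima_xattr_type values).
XATTR_TYPES = {
    0: "IMA_XATTR_DIGEST",
    1: "EVM_XATTR_HMAC",
    2: "EVM_IMA_XATTR_DIGSIG",
    3: "IMA_XATTR_DIGEST_NG",
    4: "EVM_XATTR_PORTABLE_DIGSIG",
}

# hash_algo enum values carried in signature_v2_hdr.hash_algo (assumed).
HASH_ALGOS = {2: "sha1", 4: "sha256", 6: "sha512"}


def parse_xattr(blob: bytes) -> dict:
    """Return the xattr type and, for v2 signatures, hash algorithm and key id."""
    if not blob:
        raise ValueError("empty xattr")
    kind = XATTR_TYPES.get(blob[0], f"unknown({blob[0]})")
    info = {"type": kind, "hash_algo": None, "keyid": None}
    if kind in ("EVM_IMA_XATTR_DIGSIG", "EVM_XATTR_PORTABLE_DIGSIG"):
        if len(blob) < 9:
            raise ValueError("truncated signature header")
        # packed header: type, version, hash_algo, keyid[4], sig_size (big-endian u16)
        _type, version, algo, keyid, sig_size = struct.unpack(">BBB4sH", blob[:9])
        if version != 2:
            raise ValueError(f"unsupported signature version {version}")
        if len(blob) != 9 + sig_size:
            raise ValueError("signature length does not match sig_size")
        info["hash_algo"] = HASH_ALGOS.get(algo, f"unknown({algo})")
        info["keyid"] = keyid.hex()
    return info


def helper_deadlock_risks(files: dict, helpers: set, builtin_hashes: set) -> list:
    """Flag helper files (the modprobe binary and its libraries) whose EVM
    digital signature uses a hash that is not built into the kernel.

    Verifying such a file needs a crypto module, loading the module needs
    the helper, and the helper cannot run until it is verified.
    """
    risks = []
    for path in sorted(helpers):
        blob = files.get(path)
        if blob is None:
            continue  # no EVM xattr: not protected, but also not a loop
        info = parse_xattr(blob)
        if info["type"] == "EVM_IMA_XATTR_DIGSIG" and info["hash_algo"] not in builtin_hashes:
            risks.append((path, info["hash_algo"]))
    return risks


def make_digsig(algo: int, keyid: bytes, sig: bytes) -> bytes:
    """Build a constructed EVM_IMA_XATTR_DIGSIG blob (dummy signature bytes)."""
    return struct.pack(">BBB4sH", 2, 2, algo, keyid, len(sig)) + sig


# Constructed sample xattr contents, standing in for getfattr output.
SAMPLE_FILES = {
    "/sbin/init": make_digsig(2, b"\x01\x02\x03\x04", b"\xaa" * 4),
    "/bin/kmod": make_digsig(2, b"\x01\x02\x03\x04", b"\xbb" * 4),
    "/lib/libc.so.6": b"\x01" + b"\x11" * 20,  # EVM_XATTR_HMAC with a 20-byte HMAC
}
HELPERS = {"/bin/kmod", "/lib/libc.so.6"}

if __name__ == "__main__":
    for path, blob in SAMPLE_FILES.items():
        print(path, parse_xattr(blob))
    # Assume only sha256 is built in and sha1 is a loadable module.
    print(helper_deadlock_risks(SAMPLE_FILES, HELPERS, {"sha256"}))
```

On a real system the blobs would come from `getfattr -n security.evm -e hex` on the helper and the libraries `ldd` lists for it; a reported path is one to sign with an HMAC, or to cover by building the hash into the kernel, before relying on the x509 path at boot.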