From: Mimi Z. <zo...@li...> - 2017-01-03 13:43:04
On Mon, 2017-01-02 at 23:34 +0300, Mikhail Kurinnoi wrote:
> I switched my tests to another disk and faced a deadlock during
> boot. The deadlock is reproducible if EVM is enabled and the EVM x509 cert
> is loaded in kernel code (CONFIG_EVM_LOAD_X509) with the default IMA
> policy.

These build configuration options are designed to be used in an
environment with a signed init. If you're not interested in appraising
the init, then wait until you're ready to load the keys.

Mimi

> The deadlock starts from the first file signed by an EVM digital signature. In my
> case it was /sbin/init; since I have only now moved the system to the new disk,
> all binary files were signed with:
> evmctl sign -a sha512 --imasig -r -t fm --key /privkey_ima.pem ./
>
> After some investigation I found:
> 1) As soon as the system switches to the real root, EVM has to work with a
> file signed by an EVM digital signature.
> 2) For EVM digital signature verification, the kernel
> (comm="kworker/u8:6") tries to detect/load kernel modules related to
> "sha1" from user space.
> 3) The kernel tries to use /bin/kmod from user space.
> 4) Since /bin/kmod (and its dependencies) are also signed with an EVM
> digital signature, both files (/sbin/init and /bin/kmod,
> for example) are locked until we verify the /bin/kmod EVM digital signature.
> 5) Since we need /bin/kmod in order to verify the /bin/kmod EVM digital
> signature, we have a runaway loop in verify_signature() that produces a
> deadlock in process_measurement().
>
> In my case, I was forced to manually update the EVM digital signature to HMAC
> for /bin/kmod and all its dependencies before I was able to boot.
> I think this is a really bad situation, when for EVM to work we need
> properly signed files from user space.
>
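The report above hinges on which early-boot files carry an EVM digital signature (appraisable only once the X.509 key is loaded) rather than an HMAC (appraisable with the kernel's internal key). The following is an added example, not code from this thread or from ima-evm-utils: it parses raw `security.evm` xattr values by the kernel's xattr type byte and `signature_v2_hdr` layout, and lists the paths that need the public key before user-space helpers such as /bin/kmod can run. The sample xattr values are constructed dummies, not real signatures.

```python
import struct

# xattr type bytes from the kernel's evm_ima_xattr_type (security/integrity/integrity.h)
EVM_XATTR_HMAC = 2
EVM_IMA_XATTR_DIGSIG = 3
EVM_XATTR_PORTABLE_DIGSIG = 5

# subset of the kernel's enum hash_algo (include/uapi/linux/hash_info.h)
HASH_ALGO = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}


def parse_evm_xattr(raw: bytes) -> dict:
    """Classify a raw security.evm value as HMAC or a v2 digital signature."""
    if not raw:
        raise ValueError("empty security.evm")
    xtype = raw[0]
    if xtype == EVM_XATTR_HMAC:
        return {"type": "hmac", "hmac_len": len(raw) - 1}
    if xtype in (EVM_IMA_XATTR_DIGSIG, EVM_XATTR_PORTABLE_DIGSIG):
        # signature_v2_hdr: type, version, hash_algo, be32 keyid, be16 sig_size, sig[]
        if len(raw) < 9:
            raise ValueError("truncated signature_v2_hdr")
        version, hash_algo, keyid, sig_size = struct.unpack(">BBIH", raw[1:9])
        if len(raw) - 9 != sig_size:
            raise ValueError("sig_size does not match payload length")
        return {"type": "digsig", "version": version,
                "hash_algo": HASH_ALGO.get(hash_algo, f"unknown({hash_algo})"),
                "keyid": keyid, "sig_size": sig_size,
                "portable": xtype == EVM_XATTR_PORTABLE_DIGSIG}
    raise ValueError(f"unknown security.evm type {xtype}")


def files_needing_public_key(evm_xattrs: dict) -> list:
    """Paths whose EVM label is a digital signature, i.e. not appraisable
    until the EVM public key has been loaded."""
    return sorted(p for p, raw in evm_xattrs.items()
                  if parse_evm_xattr(raw)["type"] == "digsig")


# Constructed sample xattrs: v2 digsig headers with sha512 (6), a dummy keyid
# and a 4-byte dummy signature payload; libc carries a 20-byte HMAC-SHA1.
SAMPLE = {
    "/sbin/init": bytes([3, 2, 6]) + struct.pack(">IH", 0x0102F00D, 4) + b"\xaa" * 4,
    "/bin/kmod": bytes([3, 2, 6]) + struct.pack(">IH", 0x0102F00D, 4) + b"\xbb" * 4,
    "/lib/libc.so.6": bytes([2]) + b"\x11" * 20,
}

if __name__ == "__main__":
    for path in files_needing_public_key(SAMPLE):
        print(path, parse_evm_xattr(SAMPLE[path]))
```

On a live system the same check applies to the bytes returned by `getfattr -n security.evm -e hex` for kmod and the libraries `ldd /bin/kmod` lists.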