From: Mikhail K. <vie...@vi...> - 2017-01-03 15:02:51
On Tue, 03 Jan 2017 08:42:50 -0500, Mimi Zohar <zo...@li...> wrote:

> On Mon, 2017-01-02 at 23:34 +0300, Mikhail Kurinnoi wrote:
> > I switched my tests to another disk and ran into a deadlock during
> > boot. The deadlock is reproducible if EVM is enabled and the EVM x509 cert
> > is loaded in kernel code (CONFIG_EVM_LOAD_X509) with the default IMA
> > policy.
>
> These build configuration options are designed to be used in an
> environment with a signed init. If you're not interested in
> appraising the init, then wait until you're ready to load the keys.

I have this issue if I load the cert and EVM keys from the initramfs by script, with CONFIG_EVM_LOAD_X509 disabled in the kernel.

I have no issue with EVM digital signatures or HMAC during boot or after boot. I ran into the deadlock on switch root only because the kernel wants to check which crypto-related kernel modules I have installed on the real root with /bin/kmod; but since /bin/kmod was also signed with an EVM digital signature, and I could have crypto-related kernel modules installed on the real root, the kernel calls /bin/kmod one more time, while we already have this inode locked in process_measurement()...

Is there any way to tell the crypto modules not to check external (non built-in) kernel modules on the verify_signature() call in asymmetric_verify()?

--
Best regards,
Mikhail Kurinnoi
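The message above turns on one condition: a crypto algorithm needed for the signature check living in a loadable module rather than being built in, so that appraisal of one file makes the kernel spawn /bin/kmod, which is itself appraised. The following shell snippet is an added diagnostic, not code from this thread or from the IMA/EVM project: it lists the CONFIG_CRYPTO_* options of a kernel config that are set to `=m` (loadable module), which is exactly the set that can trigger that module-request path. The config text embedded below is constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find crypto options that are built as
# loadable modules (=m) rather than built in (=y). Those are the modules the
# kernel would ask /bin/kmod to load during signature verification.

# Read kernel config text on stdin, print the names of modular crypto options.
modular_crypto() {
    grep -E '^CONFIG_CRYPTO_[A-Z0-9_]+=m$' | sed 's/=m$//'
}

# Count how many crypto options are modular in the config text given as $1.
count_modular_crypto() {
    printf '%s\n' "$1" | modular_crypto | wc -l | tr -d ' '
}

# Constructed sample config; a real run would read /proc/config.gz or
# /boot/config-$(uname -r) instead.
SAMPLE_CONFIG='CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=m
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_ECDSA=m
CONFIG_EVM=y
# CONFIG_EVM_LOAD_X509 is not set
CONFIG_IMA=y'

echo "Modular crypto options in the sample config:"
printf '%s\n' "$SAMPLE_CONFIG" | modular_crypto
```

On a live system, pipe the real config through the same function (`zcat /proc/config.gz | modular_crypto`, or `modular_crypto < /boot/config-$(uname -r)`); an empty result means every crypto algorithm is built in and no module load can be requested mid-appraisal. The other half of the condition, /bin/kmod carrying an EVM signature, can be inspected with `getfattr -m security -d /bin/kmod`, which dumps the security.ima and security.evm extended attributes if present.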