From: Mimi Z. <zo...@li...> - 2017-01-03 15:55:53
On Tue, 2017-01-03 at 18:02 +0300, Mikhail Kurinnoi wrote:
> On Tue, 03 Jan 2017 08:42:50 -0500
> Mimi Zohar <zo...@li...> wrote:
>
> > On Mon, 2017-01-02 at 23:34 +0300, Mikhail Kurinnoi wrote:
> > > I switched my tests to another disk and faced a deadlock during
> > > boot. The deadlock is reproducible if EVM is enabled and the EVM x509 cert
> > > is loaded in kernel code (CONFIG_EVM_LOAD_X509) with the default IMA
> > > policy.
> >
> > These build configuration options are designed to be used in an
> > environment with a signed init. If you're not interested in
> > appraising the init, then wait until you're ready to load the keys.
>
> I have this issue if I load the cert and EVM keys from initramfs by
> script with CONFIG_EVM_LOAD_X509 disabled in the kernel.
>
> I have no issue with EVM digital signature or HMAC during boot or
> after boot. I faced a deadlock on switch root only because the kernel
> wants to check what crypto-related kernel modules I have installed on
> the real root with /bin/kmod, but, since /bin/kmod also was signed by EVM
> digital signature, and I could have crypto-related kernel modules
> installed in the real root, the kernel calls /bin/kmod one more time, but we
> already have this inode locked in process_measurement()...

I lost you here... If the EVM and IMA keys used to verify /bin/kmod are
loaded onto their respective keyrings, then there shouldn't be a
problem. The verification status result of the first /bin/kmod would be
cached.

> Is there any way to tell crypto modules not to check external (non built-in)
> kernel modules on verify_signature() call in asymmetric_verify()?

The IMA policy is really flexible, allowing you to do whatever you want,
but I'm not convinced this is a good idea.

Kernel modules can be verified using the normal kernel build methods
and/or verified using IMA. The normal kernel build has a couple of
different options controlling whether kernel module signatures are
required or not.

CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y

Assuming that the kernel build method requires all kernel modules to be
signed, the IMA policy "appraise func=module_check" rule can be used in
conjunction with the kernel build method. These kernel modules would
not require IMA/EVM signatures as well. All other kernel modules, that
haven't been signed using the builtin kernel method, would require
IMA/EVM signatures.

The builtin "ima_appraise_tcb" policy does not require kernel modules to
be signed.

I hope I answered your question.

Mimi
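An audit sketch for the configuration described in the message above, as an added example that is not part of the original email or of the kernel's own tooling: it reads a kernel config and an IMA policy file and reports which mechanism enforces module signatures. The function names, posture labels and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Reports which mechanism enforces kernel module signatures,
# given a kernel .config and an IMA policy file (paths chosen by the caller).

# True if CONFIG_<name>=y appears in the kernel config file $1.
config_on() {
    grep -Eq "^CONFIG_$2=y[[:space:]]*\$" "$1"
}

# True if policy file $1 has an active (uncommented) appraise rule for modules.
# Kernel policy syntax spells the hook MODULE_CHECK; -i also accepts the
# lowercase spelling used in the message.
has_module_rule() {
    grep -Eiq '^[[:space:]]*appraise[[:space:]]+(.*[[:space:]])?func=MODULE_CHECK([[:space:]]|$)' "$1"
}

# Prints one of: build-forced+ima, build-forced, ima-only, unenforced.
module_sig_posture() {
    cfg=$1; policy=$2; build=off; ima=no
    if config_on "$cfg" MODULE_SIG && config_on "$cfg" MODULE_SIG_FORCE; then
        build=forced
        # Without MODULE_SIG_ALL the build does not sign modules automatically.
        config_on "$cfg" MODULE_SIG_ALL ||
            echo "note: MODULE_SIG_ALL unset, modules must be signed by hand" >&2
    fi
    if has_module_rule "$policy"; then ima=yes; fi
    case "$build/$ima" in
        forced/yes) echo "build-forced+ima" ;;
        forced/no)  echo "build-forced" ;;
        off/yes)    echo "ima-only" ;;
        *)          echo "unenforced" ;;
    esac
}

# Constructed sample input: the three options from the message plus a policy
# that appraises modules.
demo=$(mktemp -d)
printf '%s\n' CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y > "$demo/config"
printf '%s\n' '# constructed policy' 'appraise func=MODULE_CHECK' > "$demo/policy"
module_sig_posture "$demo/config" "$demo/policy"
rm -rf "$demo"
```

A result of `unenforced` matches the case the message ends on: a policy without a module rule does not require kernel modules to be signed, and neither does a build without MODULE_SIG_FORCE.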