| Message ID | 20201111092302.1589-2-roberto.sassu@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | evm: Improve usability of portable signatures | expand |
On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote: > evm_inode_init_security() requires an HMAC key to calculate the HMAC on > initial xattrs provided by LSMs. However, it checks generically whether a > key has been loaded, including also public keys, which is not correct as > public keys are not suitable to calculate the HMAC. > > Originally, support for signature verification was introduced to verify a > possibly immutable initial ram disk, when no new files are created, and to > switch to HMAC for the root filesystem. By that time, an HMAC key should > have been loaded and usable to calculate HMACs for new files. > > More recently support for requiring an HMAC key was removed from the > kernel, so that signature verification can be used alone. Since this is a > legitimate use case, evm_inode_init_security() should not return an error > when no HMAC key has been loaded. > > This patch fixes this problem by replacing the evm_key_loaded() check with > a check of the EVM_INIT_HMAC flag in evm_initialized. > > Cc: stable@vger.kernel.org # 4.5.x > Fixes: 26ddabfe96b ("evm: enable EVM when X509 certificate is loaded") > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > --- > security/integrity/evm/evm_main.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c > index 76d19146d74b..001e001eae01 100644 > --- a/security/integrity/evm/evm_main.c > +++ b/security/integrity/evm/evm_main.c > @@ -530,7 +530,8 @@ int evm_inode_init_security(struct inode *inode, > struct evm_xattr *xattr_data; > int rc; > > - if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) > + if (!(evm_initialized & EVM_INIT_HMAC) || > + !evm_protected_xattr(lsm_xattr->name)) > return 0; > > xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); Let's update the function description to make it explicit. Something like: "evm_inode_init_security - initializes security.evm HMAC value" Mimi
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 76d19146d74b..001e001eae01 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -530,7 +530,8 @@ int evm_inode_init_security(struct inode *inode, struct evm_xattr *xattr_data; int rc; - if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) + if (!(evm_initialized & EVM_INIT_HMAC) || + !evm_protected_xattr(lsm_xattr->name)) return 0; xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
evm_inode_init_security() requires an HMAC key to calculate the HMAC on initial xattrs provided by LSMs. However, it checks generically whether a key has been loaded, including also public keys, which is not correct as public keys are not suitable to calculate the HMAC. Originally, support for signature verification was introduced to verify a possibly immutable initial ram disk, when no new files are created, and to switch to HMAC for the root filesystem. By that time, an HMAC key should have been loaded and usable to calculate HMACs for new files. More recently support for requiring an HMAC key was removed from the kernel, so that signature verification can be used alone. Since this is a legitimate use case, evm_inode_init_security() should not return an error when no HMAC key has been loaded. This patch fixes this problem by replacing the evm_key_loaded() check with a check of the EVM_INIT_HMAC flag in evm_initialized. Cc: stable@vger.kernel.org # 4.5.x Fixes: 26ddabfe96b ("evm: enable EVM when X509 certificate is loaded") Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> --- security/integrity/evm/evm_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)