Re: [PATCH v5 00/21] EVM

From: David Safford
Date: Fri May 27 2011 - 13:46:22 EST


On Thu, 2011-05-26 at 22:17 +0200, Pavel Machek wrote:

> I suggest you explain the patchset in the emails, then? Everyone here
> seems to be confused... Attack it protects against, and what kind of
> hardware is needed for the protection to be effective?

The white paper is over 15 pages, and it barely scratches the surface.
Every customer has different security threat models and requirements.
Discussing this in general on the mailing list is really hard.

So let's try to simplify this just down to digital signatures in
the cellphone environment, as you state:

> Because AFAICT, file signatures, as proposed, are only useful for
> locking down my cellphone against myself. (That's -- evil).

The proposed digital signatures can enforce authenticity of a file's
data (IMA-Appraisal with Digital Signature), and of a file's metadata
(EVM with Digital Signature). For most users, enforcing authenticity
of files is a good thing - a user knows that they are running authentic
software signed by their phone manufacturer, and not malicious files
that they, or someone else, installed. In this threat model, EVM is
mainly authenticating the meta-data of a file (owner, mode, LSM label...).
IMA-Appraisal and EVM are policy driven, so that the owner is free to
tailor them or turn them off. There are clearly many other use cases for
digitally signed data and metadata - authenticity is an important
kernel feature, one which should be done once, done correctly, and
upstreamed.

You argue that EVM can be abused to lock down your phone against
rooting, but

1. EVM has no control over rooting through the loader, or rooting
through vulnerabilities in the kernel, or rooting through
vulnerabilities in signed applications, or rooting through
the adb shell, or rooting in any way I have seen.

2. The real issue with phones is manufacturers who try to prevent you
from running the kernel and software of your choice. Locked
bootloaders are not a technical problem - they are a market
problem that can only be addressed with market or regulatory
forces. In some countries, manufacturers are simply not allowed
to do such locking.

Blocking signature verification would serve only to punish Linux
users who care about the authenticity of their files, while doing
_nothing_ to stop manufacturers from locking their bootloaders.

dave
>
> Pavel
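To make the data/metadata split described above concrete, here is an added toy model of the two checks (written for this thread, not code from the kernel, the IMA/EVM patchset or the white paper). It assumes a constructed HMAC key and a fixed list of protected xattrs (`security.ima`, `security.selinux`); the real kernel derives the EVM key from a TPM-sealed key or, in signature mode, verifies a public-key signature, and its exact byte layout differs. What it does show is why `security.ima` sits under the EVM HMAC: replacing a file's contents and rewriting `security.ima` to match is still caught, because the metadata check fails.

```python
import hashlib
import hmac
from copy import deepcopy

# Constructed demo key. The real EVM uses a TPM-sealed HMAC key or, in
# digital-signature mode, a public key on a kernel keyring; this is a model only.
EVM_KEY = b"constructed-demo-evm-key"

# Metadata EVM covers in this model: security.* xattrs plus inode fields.
PROTECTED_XATTRS = ("security.ima", "security.selinux")


def ima_hash(data: bytes) -> bytes:
    """IMA-appraisal protects file *data*: the hash stored in security.ima."""
    return hashlib.sha256(data).digest()


def evm_digest(xattrs: dict, uid: int, gid: int, mode: int, key: bytes = EVM_KEY) -> bytes:
    """EVM protects file *metadata*: an HMAC over protected xattrs and inode fields."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name in PROTECTED_XATTRS:
        value = xattrs.get(name, b"")
        mac.update(name.encode() + b"\0" + value + b"\0")
    for field in (uid, gid, mode):
        mac.update(field.to_bytes(4, "little"))
    return mac.digest()


def label_file(data: bytes, uid: int, gid: int, mode: int, selinux_label: bytes) -> dict:
    """Build an inode record as a trusted labelling step would leave it."""
    xattrs = {"security.ima": ima_hash(data), "security.selinux": selinux_label}
    xattrs["security.evm"] = evm_digest(xattrs, uid, gid, mode)
    return {"data": data, "uid": uid, "gid": gid, "mode": mode, "xattrs": xattrs}


def appraise(inode: dict) -> tuple:
    """Return (ok, reason). Metadata is checked first: security.ima is only
    trusted once EVM vouches for it."""
    x = inode["xattrs"]
    expected = evm_digest(x, inode["uid"], inode["gid"], inode["mode"])
    if not hmac.compare_digest(x.get("security.evm", b""), expected):
        return False, "evm: metadata changed or security.evm missing"
    if not hmac.compare_digest(x.get("security.ima", b""), ima_hash(inode["data"])):
        return False, "ima: file contents do not match security.ima"
    return True, "ok"


def demo() -> dict:
    # Constructed sample file: a small script labelled by the "manufacturer".
    good = label_file(b"#!/bin/sh\necho hello\n", 0, 0, 0o755, b"system_u:object_r:bin_t:s0")
    results = {"pristine": appraise(good)}

    # 1. Mode changed (e.g. setuid added) without re-labelling: EVM fails.
    chmod = deepcopy(good)
    chmod["mode"] = 0o4755
    results["mode_changed"] = appraise(chmod)

    # 2. Contents replaced, xattrs untouched: EVM still verifies, IMA fails.
    tampered = deepcopy(good)
    tampered["data"] = b"#!/bin/sh\necho modified\n"
    results["data_changed"] = appraise(tampered)

    # 3. Contents replaced *and* security.ima rewritten to match: EVM fails,
    #    because security.ima is itself covered by the EVM HMAC.
    relabelled = deepcopy(tampered)
    relabelled["xattrs"]["security.ima"] = ima_hash(relabelled["data"])
    results["ima_xattr_rewritten"] = appraise(relabelled)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20s} ok={ok} ({reason})")
```

Running `demo()` reports the pristine file as good and each of the three changes as a failure, with the reason naming which layer caught it. Like the kernel's own checks, this is a detection of unauthorised change; what happens on failure (deny access, log, or ignore) is left to policy, which is the point made above about IMA-Appraisal and EVM being policy driven.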
