Re: [PATCH 5/7] evm: Verify portable signatures against all protected xattrs

From: Mimi Zohar
Date: Mon May 24 2021 - 14:22:27 EST


On Thu, 2021-05-20 at 10:56 +0200, Roberto Sassu wrote:
> Currently, the evm_config_default_xattrnames array contains xattr names
> only related to LSMs which are enabled in the kernel configuration.
> However, EVM portable signatures do not depend on local information and a
> vendor might include in the signature calculation xattrs that are not
> enabled in the target platform.
>
> Just including all xattr names in evm_config_default_xattrnames is not a
> safe approach, because a target system might have already calculated
> signatures or HMACs based only on the enabled xattrs. After applying this
> patch, EVM would verify those signatures and HMACs with all xattrs instead.
> The non-enabled ones, which could possibly exist, would cause a
> verification error.
>
> Thus, this patch adds a new field named enabled to the xattr_list
> structure, which is set to true if the LSM associated with a given xattr name
> is enabled in the kernel configuration. The non-enabled xattrs are taken
> into account only in evm_calc_hmac_or_hash(), if the passed security.evm
> type is EVM_XATTR_PORTABLE_DIGSIG.
>
> The new function evm_protected_xattr_if_enabled() has been defined so that
> IMA can include all protected xattrs and not only the enabled ones in the
> measurement list, if the new template field evmxattrs has been included in
> the template format.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Nice, I really like this idea.

Mimi
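As an added illustration of the selection rule in the quoted description (this is not code from the patch or from the kernel), a small user-space C model: the evm_config_xattrnames entries, their enabled flags and the FNV-1a stand-in for the digest are constructed for the example, while the type values follow the kernel's enum evm_ima_xattr_type.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* User-space model of the rule in the patch description, not the kernel's
 * evm_calc_hmac_or_hash(). Type values follow enum evm_ima_xattr_type. */
enum evm_ima_xattr_type { EVM_XATTR_HMAC = 2, EVM_XATTR_PORTABLE_DIGSIG = 5 };

struct xattr_list {
	const char *name;
	bool enabled;	/* LSM owning this xattr is built into the local kernel */
};

/* Constructed sample: SELinux and IMA enabled locally, SMACK and AppArmor not. */
static const struct xattr_list evm_config_xattrnames[] = {
	{ "security.selinux",  true  },
	{ "security.SMACK64",  false },
	{ "security.apparmor", false },
	{ "security.ima",      true  },
};
#define NR_XATTRS (sizeof(evm_config_xattrnames) / sizeof(evm_config_xattrnames[0]))

/* Local HMACs and non-portable signatures cover only enabled xattrs; a portable
 * signature covers every protected xattr, whether or not its LSM is enabled. */
static bool evm_xattr_included(const struct xattr_list *x, int evm_type)
{
	return x->enabled || evm_type == EVM_XATTR_PORTABLE_DIGSIG;
}

/* How many xattr names enter the digest for a given security.evm type. */
static size_t evm_count_xattrs(int evm_type)
{
	size_t n = 0;
	for (size_t i = 0; i < NR_XATTRS; i++)
		n += evm_xattr_included(&evm_config_xattrnames[i], evm_type);
	return n;
}

/* Stand-in for the HMAC/hash: FNV-1a over the selected names. It shows why a
 * stored HMAC over enabled-only xattrs cannot be verified against the full set. */
static uint64_t evm_model_digest(int evm_type)
{
	uint64_t h = 0xcbf29ce484222325ULL;
	for (size_t i = 0; i < NR_XATTRS; i++) {
		if (!evm_xattr_included(&evm_config_xattrnames[i], evm_type))
			continue;
		for (const char *p = evm_config_xattrnames[i].name; *p; p++)
			h = (h ^ (unsigned char)*p) * 0x100000001b3ULL;
	}
	return h;
}
```

Real EVM also feeds the xattr values, selected inode fields and (for HMACs) the per-system key into the digest; the model only tracks which names are selected.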