Commit 82bbd447 authored by Stefan Berger Committed by Mimi Zohar

evm: Enforce signatures version 3 with new EVM policy 'bit 3'



Enable the configuration of EVM so that it requires that asymmetric
signatures it accepts are of version 3 (sigv3). To enable this, introduce
bit 3 (value 0x0008) that the user may write to EVM's securityfs policy
configuration file 'evm' for sigv3 enforcement.

Mention bit 3 in the documentation.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent bab8e90b
+1 −0
@@ -26,6 +26,7 @@ Description:
		2	  Permit modification of EVM-protected metadata at
			  runtime. Not supported if HMAC validation and
			  creation is enabled (deprecated).
		3	  Require asymmetric signatures to be version 3
		31	  Disable further runtime modification of EVM policy
		===	  ==================================================

+2 −1
@@ -20,11 +20,12 @@
#define EVM_INIT_HMAC	0x0001
#define EVM_INIT_X509	0x0002
#define EVM_ALLOW_METADATA_WRITES	0x0004
#define EVM_SIGV3_REQUIRED		0x0008
#define EVM_SETUP_COMPLETE 0x80000000 /* userland has signaled key load */

#define EVM_KEY_MASK (EVM_INIT_HMAC | EVM_INIT_X509)
#define EVM_INIT_MASK (EVM_INIT_HMAC | EVM_INIT_X509 | EVM_SETUP_COMPLETE | \
		       EVM_ALLOW_METADATA_WRITES)
		       EVM_ALLOW_METADATA_WRITES | EVM_SIGV3_REQUIRED)

struct xattr_list {
	struct list_head list;
+14 −0
@@ -136,6 +136,14 @@ static bool evm_hmac_disabled(void)
	return true;
}

static bool evm_sigv3_required(void)
{
	if (evm_initialized & EVM_SIGV3_REQUIRED)
		return true;

	return false;
}

static int evm_find_protected_xattrs(struct dentry *dentry)
{
	struct inode *inode = d_backing_inode(dentry);
@@ -258,6 +266,12 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
		}

		hdr = (struct signature_v2_hdr *)xattr_data;

		if (evm_sigv3_required() && hdr->version != 3) {
			evm_status = INTEGRITY_FAIL;
			goto out;
		}

		digest.hdr.algo = hdr->hash_algo;
		rc = evm_calc_hash(dentry, xattr_name, xattr_value,
				   xattr_value_len, xattr_data->type, &digest,