Changes in Kconfig

75a323e6 - evm: Make it independent from 'integrity' LSM

Thu, 15 Feb 2024 10:31:11 +0000

evm: Make it independent from 'integrity' LSMDefine a new structure for EVM-specific metadata, called evm_iint_cache,and embed it in the inode security blob. Introduce evm_iint_inode() toretrieve metadata, and register evm_inode_alloc_security() for theinode_alloc_security LSM hook, to initialize the structure (beforesplitting metadata, this task was done by iint_init_always()).Keep the non-NULL checks after calling evm_iint_inode() except inevm_inode_alloc_security(), to take into account inodes for whichsecurity_inode_alloc() was not called. When using shared metadata,obtaining a NULL pointer from integrity_iint_find() meant that the filewasn't in the IMA policy. Now, because IMA and EVM use disjoint metadata,the EVM status has to be stored for every inode regardless of the IMApolicy.Given that from now on EVM relies on its own metadata, remove the iintparameter from evm_verifyxattr(). Also, directly retrieve the iint inevm_verify_hmac(), called by both evm_verifyxattr() andevm_verify_current_integrity(), since now there is no performance penaltyin retrieving EVM metadata (constant time).Replicate the management of the IMA_NEW_FILE flag, by introducingevm_post_path_mknod() and evm_file_release() to respectively set and clearthe newly introduced flag EVM_NEW_FILE, at the same time IMA does. Like forIMA, select CONFIG_SECURITY_PATH when EVM is enabled, to ensure that filesare marked as new.Unlike ima_post_path_mknod(), evm_post_path_mknod() cannot check if a filemust be appraised. Thus, it marks all affected files. Also, it does notclear EVM_NEW_FILE depending on i_version, but that is not a problembecause IMA_NEW_FILE is always cleared when set in ima_check_last_writer().Move the EVM-specific flag EVM_IMMUTABLE_DIGSIG tosecurity/integrity/evm/evm.h, since that definition is now unnecessary inthe common integrity layer.Finally, switch to the LSM reservation mechanism for the EVM xattr, andconsequently decrement by one the number of xattrs to allocate insecurity_inode_init_security().Signed-off-by: Roberto Sassu Reviewed-by: Casey Schaufler Reviewed-by: Stefan Berger Reviewed-by: Mimi Zohar Acked-by: Mimi Zohar Signed-off-by: Paul Moore List of files: /linux-6.15/security/integrity/evm/Kconfig

90f6f691 - integrity: Enforce digitalSignature usage in the ima and evm keyrings

Mon, 22 May 2023 23:09:43 +0000

integrity: Enforce digitalSignature usage in the ima and evm keyringsAfter being vouched for by a system keyring, only allow keys into the .imaand .evm keyrings that have the digitalSignature usage field set.Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.comSuggested-by: Mimi Zohar Signed-off-by: Eric Snowberg Acked-and-tested-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen List of files: /linux-6.15/security/integrity/evm/Kconfig

ec8f24b7 - treewide: Add SPDX license identifier - Makefile/Kconfig

Sun, 19 May 2019 12:07:45 +0000

treewide: Add SPDX license identifier - Makefile/KconfigAdd SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any formThese files fall under the project license, GPL v2 only. The resulting SPDXlicense identifier is: GPL-2.0-onlySigned-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman List of files: /linux-6.15/security/integrity/evm/Kconfig

5feeb611 - evm: Allow non-SHA1 digital signatures

Fri, 08 Jun 2018 21:57:43 +0000

evm: Allow non-SHA1 digital signaturesSHA1 is reasonable in HMAC constructs, but it's desirable to be able touse stronger hashes in digital signatures. Modify the EVM crypto code sothe hash type is imported from the digital signature and passed down tothe hash calculation code, and return the digest size to higher layersfor validation.Signed-off-by: Matthew Garrett Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/evm/Kconfig

fa516b66 - EVM: Allow runtime modification of the set of verified xattrs

Tue, 15 May 2018 17:38:26 +0000

EVM: Allow runtime modification of the set of verified xattrsSites may wish to provide additional metadata alongside files in orderto make more fine-grained security decisions[1]. The security of this isenhanced if this metadata is protected, something that EVM makespossible. However, the kernel cannot know about the set of extendedattributes that local admins may wish to protect, and hardcoding thispolicy in the kernel makes it difficult to change over time and lessconvenient for distributions to enable.This patch adds a new /sys/kernel/security/integrity/evm/evm_xattrs node,which can be read to obtain the current set of EVM-protected extendedattributes or written to in order to add new entries. Extending this listwill not change the validity of any existing signatures provided that thefile in question does not have any of the additional extended attributes -missing xattrs are skipped when calculating the EVM hash.[1] For instance, a package manager could install information about thepackage uploader in an additional extended attribute. Local LSM policycould then be associated with that extended attribute in order torestrict the privileges available to packages from less trusteduploaders.Signed-off-by: Matthew Garrett Reviewed-by: James Morris Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/evm/Kconfig

05d3884b - evm: EVM_LOAD_X509 depends on EVM

Fri, 27 Nov 2015 13:52:33 +0000

evm: EVM_LOAD_X509 depends on EVMThe newly added EVM_LOAD_X509 code can be configured even ifCONFIG_EVM is disabled, but that causes a link error:security/built-in.o: In function `integrity_load_keys':digsig_asymmetric.c:(.init.text+0x400): undefined reference to `evm_load_x509'This adds a Kconfig dependency to ensure it is only enabled whenCONFIG_EVM is set as well.Signed-off-by: Arnd Bergmann Fixes: 2ce523eb8976 ("evm: load x509 certificate from the kernel")Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/evm/Kconfig

2ce523eb - evm: load an x509 certificate from the kernel

Thu, 22 Oct 2015 18:26:21 +0000

evm: load an x509 certificate from the kernelThis patch defines a configuration option and the evm_load_x509() hookto load an X509 certificate onto the EVM trusted kernel keyring.Changes in v4:* Patch description updatedChanges in v3:* Removed EVM_X509_PATH definition. CONFIG_EVM_X509_PATH is used directly.Changes in v2:* default key patch changed to /etc/keysSigned-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/evm/Kconfig

6341e62b - kconfig: use bool instead of boolean for type definition attributes

Sat, 20 Dec 2014 20:41:11 +0000

kconfig: use bool instead of boolean for type definition attributesSupport for keyword 'boolean' will be dropped later on.No functional change.Reference: http://lkml.kernel.org/r/cover.1418003065.git.cj@linux.comSigned-off-by: Christoph Jaeger Signed-off-by: Michal Marek List of files: /linux-6.15/security/integrity/evm/Kconfig

7ef84e65 - integrity: base integrity subsystem kconfig options on integrity

Thu, 17 Apr 2014 12:07:15 +0000

integrity: base integrity subsystem kconfig options on integrityThe integrity subsystem has lots of options and takes more thanhalf of the security menu. This patch consolidates the optionsunder "integrity", which are hidden if not enabled. This changedoes not affect existing configurations. Re-configuration is notneeded.Changes v4:- no need to change "integrity subsystem" to menuconfig asoptions are hidden, when not enabled. (Mimi)- add INTEGRITY Kconfig help descriptionChanges v3:- dependency to INTEGRITY removed when behind 'if INTEGRITY'Changes v2:- previous patch moved integrity out of the 'security' menu. This version keeps integrity as a security option (Mimi).Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/evm/Kconfig

3e38df56 - evm: provide option to protect additional SMACK xattrs

Fri, 28 Mar 2014 12:31:14 +0000

evm: provide option to protect additional SMACK xattrsNewer versions of SMACK introduced following security xattrs:SMACK64EXEC, SMACK64TRANSMUTE and SMACK64MMAP.To protect these xattrs, this patch includes them in the HMACcalculation. However, for backwards compatibility with existinglabeled filesystems, including these xattrs needs to beconfigurable.Changelog:- Add SMACK dependency on new option (Mimi)Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/evm/Kconfig

d3b33679 - evm: replace HMAC version with attribute mask

Fri, 28 Mar 2014 12:31:04 +0000

evm: replace HMAC version with attribute maskUsing HMAC version limits the posibility to arbitrarily add newattributes such as SMACK64EXEC to the hmac calculation.This patch replaces hmac version with attribute mask.Desired attributes can be enabled with configuration parameter.It allows to build kernels which works with previously labeledfilesystems.Currently supported attribute is 'fsuuid' which is equivalent ofthe former version 2.Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/evm/Kconfig

a3aef94b - evm: enable key retention service automatically

Fri, 28 Feb 2014 12:18:09 +0000

evm: enable key retention service automaticallyIf keys are not enabled, EVM is not visible in the configuration menu.It may be difficult to figure out what to do unless you really know.Other subsystems as NFS, CIFS select keys automatically. This patch doesthe same.This patch also removes '(TRUSTED_KEYS=y || TRUSTED_KEYS=n)' dependency,which is unnecessary. EVM does not depend on trusted keys, but onencrypted keys. evm.h provides compile time dependency.Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/evm/Kconfig

e0420039 - evm: EVM does not use MD5

Wed, 26 Feb 2014 15:47:46 +0000

evm: EVM does not use MD5EVM does not use MD5 HMAC. Selection of CRYPTO_MD5 can be safely removed.Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/evm/Kconfig

74de6684 - evm: add file system uuid to EVM hmac

Mon, 10 Sep 2012 07:37:20 +0000

evm: add file system uuid to EVM hmacEVM uses the same key for all file systems to calculate the HMAC,making it possible to paste inodes from one file system on to anotherone, without EVM being able to detect it. To prevent such an attack,it is necessary to make the EVM HMAC file system specific.This patch uses the file system UUID, a file system unique identifier,to bind the EVM HMAC to the file system. The value inode->i_sb->s_uuidis used for the HMAC hash calculation, instead of using it for derivingthe file system specific key. Initializing the key for every inode HMACcalculation is a bit more expensive operation than adding the uuid tothe HMAC hash.Changing the HMAC calculation method or adding additional info to thecalculation, requires existing EVM labeled file systems to be relabeled.This patch adds a Kconfig HMAC version option for backwards compatability.Changelog v1:- squash "hmac version setting"Changelog v0:- add missing Kconfig depends (Mimi)Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/evm/Kconfig

1d714057 - evm: remove TCG_TPM dependency

Sun, 28 Aug 2011 12:57:11 +0000

evm: remove TCG_TPM dependencyAll tristates selected by EVM(boolean) are forced to be builtin, exceptin the TCG_TPM(tristate) dependency case. Arnaud Lacombe summarizes theKconfig bug as, "So it would seem direct dependency state influence thestate of reverse dependencies.." For a detailed explanation, refer toArnaud Lacombe's posting http://lkml.org/lkml/2011/8/23/498.With the "encrypted-keys: remove trusted-keys dependency" patch, EVMcan now be built without a dependency on TCG_TPM. The trusted-keysdependency requires trusted-keys to either be builtin or not selected.This dependency will prevent the boolean/tristate mismatch fromoccuring.Reported-by: Stephen Rothwell , Randy Dunlap Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/evm/Kconfig

dbe5ad17 - evm: add Kconfig TCG_TPM dependency

Wed, 17 Aug 2011 22:51:36 +0000

evm: add Kconfig TCG_TPM dependencyAlthough the EVM encrypted-key should be encrypted/decrypted using atrusted-key, a user-defined key could be used instead. When using a user-defined key, a TCG_TPM dependency should not be required. Unfortunately,the encrypted-key code needs to be refactored a bit in order to removethis dependency.This patch adds the TCG_TPM dependency.Reported-by: Stephen Rothwell , Randy Dunlap Signed-off-by: Mimi Zohar Signed-off-by: James Morris List of files: /linux-6.15/security/integrity/evm/Kconfig

0b024d24 - EVM: ensure trusted and encypted key symbols are available to EVM

Tue, 09 Aug 2011 01:33:36 +0000

EVM: ensure trusted and encypted key symbols are available to EVMSelect trusted and encrypted keys if EVM is selected, to ensurethe requisite symbols are available. Otherwise, these can beselected as modules while EVM is static, leading to a kernelbuild failure.Signed-off-by: James Morris List of files: /linux-6.15/security/integrity/evm/Kconfig

66dbc325 - evm: re-release

Tue, 15 Mar 2011 20:12:09 +0000

evm: re-releaseEVM protects a file's security extended attributes(xattrs) against integrityattacks. This patchset provides the framework and an initial method. Theinitial method maintains an HMAC-sha1 value across the security extendedattributes, storing the HMAC value as the extended attribute 'security.evm'.Other methods of validating the integrity of a file's metadata will be postedseparately (eg. EVM-digital-signatures).While this patchset does authenticate the security xattrs, andcryptographically binds them to the inode, coming extensions will bind otherdirectory and inode metadata for more complete protection. To help simplifythe review and upstreaming process, each extension will be posted separately(eg. IMA-appraisal, IMA-appraisal-directory). For a general overview of theproposed Linux integrity subsystem, refer to Dave Safford's whitepaper:http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.EVM depends on the Kernel Key Retention System to provide it with atrusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto theroot's keyring using keyctl. Until EVM receives notification that the key hasbeen successfully loaded onto the keyring (echo 1 > /evm), EVM cannot create or validate the 'security.evm' xattr, but returns INTEGRITY_UNKNOWN.Loading the key and signaling EVM should be done as early as possible. Normallythis is done in the initramfs, which has already been measured as part of thetrusted boot. For more information on creating and loading existingtrusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt. Asample dracut patch, which loads the trusted/encrypted key and enables EVM, isavailable from http://linux-ima.sourceforge.net/#EVM.Based on the LSMs enabled, the set of EVM protected security xattrs is definedat compile. EVM adds the following three calls to the existing security hooks:evm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr. Toinitialize and update the 'security.evm' extended attribute, EVM defines threecalls: evm_inode_post_init(), evm_inode_post_setattr() andevm_inode_post_removexattr() hooks. To verify the integrity of a securityxattr, EVM exports evm_verifyxattr().Changelog v7:- Fixed URL in EVM ABI documentationChangelog v6: (based on Serge Hallyn's review)- fix URL in patch description- remove evm_hmac_size definition- use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size)- moved linux include before other includes- test for crypto_hash_setkey failure- fail earlier for invalid key- clear entire encrypted key, even on failure- check xattr name length before comparing xattr namesChangelog:- locking based on i_mutex, remove evm_mutex- using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1 operation.- replaced crypto hash with shash (Dmitry Kasatkin)- support for additional methods of verifying the security xattrs (Dmitry Kasatkin)- iint not allocated for all regular files, but only for those appraised- Use cap_sys_admin in lieu of cap_mac_admin- Use __vfs_setxattr_noperm(), without permission checks, from EVMSigned-off-by: Mimi Zohar Acked-by: Serge Hallyn List of files: /linux-6.15/security/integrity/evm/Kconfig