What:		security/evm
Date:		March 2011
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		EVM protects a file's security extended attributes (xattrs)
		against integrity attacks. The initial method maintains an
		HMAC-sha1 value across the extended attributes, storing the
		value as the extended attribute 'security.evm'.

		EVM supports two classes of security.evm. The first is
		an HMAC-sha1 generated locally with a
		trusted/encrypted key stored in the Kernel Key
		Retention System. The second is a digital signature
		generated either locally or remotely using an
		asymmetric key. These keys are loaded onto root's
		keyring using keyctl, and EVM is then enabled by
		echoing a value to <securityfs>/evm made up of the
		following bits:

		===	==================================================
		Bit	Effect
		===	==================================================
		0	Enable HMAC validation and creation
		1	Enable digital signature validation
		2	Permit modification of EVM-protected metadata at
			runtime. Not supported if HMAC validation and
			creation is enabled.
		31	Disable further runtime modification of EVM policy
		===	==================================================

		For example::

		  echo 1 ><securityfs>/evm

		will enable HMAC validation and creation

		::

		  echo 0x80000003 ><securityfs>/evm

		will enable HMAC and digital signature validation and
		HMAC creation and disable all further modification of policy.

		::

		  echo 0x80000006 ><securityfs>/evm

		will enable digital signature validation, permit
		modification of EVM-protected metadata and
		disable all further modification of policy.

		Echoing a value is additive: the new value is added to the
		existing initialization flags.

		For example, after::

		  echo 2 ><securityfs>/evm

		another echo can be performed::

		  echo 1 ><securityfs>/evm

		and the resulting value will be 3.

		Note that once an HMAC key has been loaded, it will no longer
		be possible to enable metadata modification. Signaling that an
		HMAC key has been loaded will clear the corresponding flag.
		For example, if the current value is 6 (2 and 4 set)::

		  echo 1 ><securityfs>/evm

		will set the new value to 3 (4 cleared).

		Loading an HMAC key is the only way to disable metadata
		modification.

		Until key loading has been signaled EVM cannot create
		or validate the 'security.evm' xattr, but returns
		INTEGRITY_UNKNOWN. Loading keys and signaling EVM
		should be done as early as possible. Normally this is
		done in the initramfs, which has already been measured
		as part of the trusted boot. For more information on
		creating and loading existing trusted/encrypted keys,
		refer to:
		Documentation/security/keys/trusted-encrypted.rst. Both
		dracut (via 97masterkey and 98integrity) and systemd (via
		core/ima-setup) have support for loading keys at boot
		time.

What:		security/integrity/evm/evm_xattrs
Date:		April 2018
Contact:	Matthew Garrett <mjg59@google.com>
Description:
		Shows the set of extended attributes used to calculate or
		validate the EVM signature, and allows additional attributes
		to be added at runtime. Any signatures generated after
		additional attributes are added (and on files possessing those
		additional attributes) will only be valid if the same
		additional attributes are configured on system boot. Writing
		a single period (.) will lock the xattr list from any further
		modification.
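The following script is an added illustration, not part of this ABI document or of the kernel, that models the write semantics of <securityfs>/evm described under security/evm: writes are additive, bit 31 refuses further changes, and signaling an HMAC key (bit 0) clears and thereafter forbids the metadata-writes bit (bit 2). The EVM_* names are labels chosen here for readability, and the "HMAC key loaded" signal is modelled simply as a write containing bit 0; the script touches no real securityfs file, so it can be run anywhere to check what a given sequence of echoes would leave behind.

```bash
#!/bin/bash
# Model of the <securityfs>/evm flag word (added example, not kernel code).
# Bit values come from the ABI table; the EVM_* names are local labels.
EVM_INIT_HMAC=1                   # bit 0: HMAC validation and creation
EVM_INIT_X509=2                   # bit 1: digital signature validation
EVM_ALLOW_METADATA_WRITES=4       # bit 2: runtime metadata modification
EVM_SETUP_COMPLETE=$(( 1 << 31 )) # bit 31: no further policy changes

# evm_write CURRENT VALUE
# Prints the flag word that results from `echo VALUE > <securityfs>/evm`
# when the word currently holds CURRENT. Returns 1 if the write is refused
# (and then prints CURRENT unchanged).
evm_write() {
    local cur=$1 val=$2 new
    # Bit 31 disables all further modification of policy.
    if [ $(( cur & EVM_SETUP_COMPLETE )) -ne 0 ]; then
        echo "$cur"
        return 1
    fi
    # Once an HMAC key is loaded, metadata modification cannot be enabled.
    if [ $(( cur & EVM_INIT_HMAC )) -ne 0 ] &&
       [ $(( val & EVM_ALLOW_METADATA_WRITES )) -ne 0 ]; then
        echo "$cur"
        return 1
    fi
    # Writes are additive: the new value is OR-ed into the existing flags.
    new=$(( cur | val ))
    # Signaling that an HMAC key is loaded clears the metadata-writes bit.
    if [ $(( new & EVM_INIT_HMAC )) -ne 0 ]; then
        new=$(( new & ~EVM_ALLOW_METADATA_WRITES ))
    fi
    echo "$new"
}

# evm_describe VALUE: prints the names of the bits set in VALUE.
evm_describe() {
    local v=$1 out=""
    if [ $(( v & EVM_INIT_HMAC )) -ne 0 ]; then out="$out hmac"; fi
    if [ $(( v & EVM_INIT_X509 )) -ne 0 ]; then out="$out x509"; fi
    if [ $(( v & EVM_ALLOW_METADATA_WRITES )) -ne 0 ]; then
        out="$out metadata-writes"
    fi
    if [ $(( v & EVM_SETUP_COMPLETE )) -ne 0 ]; then out="$out locked"; fi
    echo "${out# }"
}

# Replay the sequence from the text: writing 2 and then 1 leaves 3.
state=0
for v in 2 1; do
    state=$(evm_write "$state" "$v")
    printf 'echo %s -> %s (%s)\n' "$v" "$state" "$(evm_describe "$state")"
done
# Replay the other sequence: from 6 (x509 + metadata-writes), writing 1
# yields 3 because the metadata-writes bit is cleared.
printf 'from 6, echo 1 -> %s\n' "$(evm_write 6 1)"
```

The two refusal paths are the ones worth exercising before choosing a boot-time value: after 0x80000003 has been written nothing further is accepted, and after bit 0 is set a later attempt to write 4 is rejected rather than silently ignored, which is the behaviour the text describes with "loading an HMAC key is the only way to disable metadata modification".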