What:		security/evm
Date:		March 2011
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		EVM protects a file's security extended attributes (xattrs)
		against integrity attacks. The initial method maintains an
		HMAC-sha1 value across the extended attributes, storing the
		value as the extended attribute 'security.evm'.

		EVM supports two classes of security.evm. The first is
		an HMAC-sha1 generated locally with a trusted/encrypted
		key stored in the Kernel Key Retention System. The second
		is a digital signature generated either locally or
		remotely using an asymmetric key. These keys are loaded
		onto root's keyring using keyctl, and EVM is then enabled
		by echoing a value to <securityfs>/evm made up of the
		following bits:

		Bit	Effect
		0	Enable HMAC validation and creation
		1	Enable digital signature validation
		2	Permit modification of EVM-protected metadata at
			runtime. Not supported if HMAC validation and
			creation is enabled.
		31	Disable further runtime modification of EVM policy

		For example:

		  echo 1 > <securityfs>/evm

		will enable HMAC validation and creation.

		  echo 0x80000003 > <securityfs>/evm

		will enable HMAC and digital signature validation and
		HMAC creation, and disable all further modification of
		policy.

		  echo 0x80000006 > <securityfs>/evm

		will enable digital signature validation, permit
		modification of EVM-protected metadata, and disable all
		further modification of policy.

		Note that once a key has been loaded, it will no longer be
		possible to enable metadata modification.

		Until key loading has been signaled, EVM cannot create
		or validate the 'security.evm' xattr, but returns
		INTEGRITY_UNKNOWN. Loading keys and signaling EVM
		should be done as early as possible. Normally this is
		done in the initramfs, which has already been measured
		as part of the trusted boot. For more information on
		creating and loading existing trusted/encrypted keys,
		refer to:
		Documentation/security/keys/trusted-encrypted.rst. Both
		dracut (via 97masterkey and 98integrity) and systemd (via
		core/ima-setup) have support for loading keys at boot
		time.

What:		security/integrity/evm/evm_xattrs
Date:		April 2018
Contact:	Matthew Garrett <mjg59@google.com>
Description:
		Shows the set of extended attributes used to calculate or
		validate the EVM signature, and allows additional attributes
		to be added at runtime. Any signatures generated after
		additional attributes are added (and on files possessing those
		additional attributes) will only be valid if the same
		additional attributes are configured on system boot. Writing
		a single period (.) will lock the xattr list from any further
		modification.
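The following initramfs-style helpers are an added example and are not part of this ABI document or of the kernel, dracut or systemd code. They show the two interfaces above together: building the bitmask written to <securityfs>/evm from the documented bit names (rejecting the documented unsupported combination of bit 2 with bit 0), loading an encrypted EVM key with keyctl before arming EVM, and adding to or locking the list in security/integrity/evm/evm_xattrs. The securityfs mount point, the key name "evm-key" and the key blob location are assumptions; the keyctl "load" syntax follows Documentation/security/keys/trusted-encrypted.rst.

```shell
#!/bin/sh
# Added example (not kernel, dracut or systemd code): EVM boot-time helpers.
# Assumptions: securityfs at /sys/kernel/security, an encrypted key named
# "evm-key" whose blob was saved earlier with 'keyctl pipe' to EVM_KEY_FILE.

SECURITYFS=${SECURITYFS:-/sys/kernel/security}
EVM_KEY_FILE=${EVM_KEY_FILE:-/etc/keys/evm-key}   # assumed location of the key blob

# evm_mask NAME...  -> prints the value to write to <securityfs>/evm as 0x%08x.
# Names map to the documented bits: hmac=0, sig=1, allow_metadata=2, lock=31.
evm_mask() {
    mask=0
    for opt in "$@"; do
        case "$opt" in
            hmac)           mask=$((mask | (1 << 0))) ;;
            sig)            mask=$((mask | (1 << 1))) ;;
            allow_metadata) mask=$((mask | (1 << 2))) ;;
            lock)           mask=$((mask | (1 << 31))) ;;
            *) echo "evm_mask: unknown option '$opt'" >&2; return 2 ;;
        esac
    done
    # Documented restriction: runtime metadata modification (bit 2) is not
    # supported together with HMAC validation and creation (bit 0).
    if [ $((mask & 1)) -ne 0 ] && [ $((mask & 4)) -ne 0 ]; then
        echo "evm_mask: allow_metadata is not supported together with hmac" >&2
        return 1
    fi
    printf '0x%08x\n' "$mask"
}

# evm_enable MASK: load the encrypted EVM key onto root's user keyring, then
# write MASK to <securityfs>/evm. Run as root from the initramfs, as early as
# possible; until then EVM returns INTEGRITY_UNKNOWN.
evm_enable() {
    [ -w "$SECURITYFS/evm" ] || {
        echo "evm_enable: $SECURITYFS/evm not writable (securityfs mounted? EVM enabled?)" >&2
        return 1
    }
    [ -r "$EVM_KEY_FILE" ] || { echo "evm_enable: missing $EVM_KEY_FILE" >&2; return 1; }
    # keyctl "load <blob>" form from trusted-encrypted.rst; the blob must have
    # been created earlier under a trusted master key on this machine.
    keyctl add encrypted evm-key "load $(cat "$EVM_KEY_FILE")" @u >/dev/null || return 1
    echo "$1" > "$SECURITYFS/evm"
}

# evm_add_xattr NAME: add NAME (e.g. security.apparmor) to the set of xattrs
# covered by security.evm. The same additions must be made on every boot or
# signatures generated after the change will not validate. Only security.*
# names are accepted by this interface, so reject others up front.
evm_add_xattr() {
    case "$1" in
        security.*) ;;
        *) echo "evm_add_xattr: expected a security.* name, got '$1'" >&2; return 1 ;;
    esac
    echo "$1" > "$SECURITYFS/integrity/evm/evm_xattrs"
}

# evm_lock_xattrs: a single period locks the xattr list against further changes.
evm_lock_xattrs() {
    echo . > "$SECURITYFS/integrity/evm/evm_xattrs"
}

# Typical initramfs sequence (needs root and keyctl; uncomment to use):
#   evm_add_xattr security.apparmor
#   evm_lock_xattrs
#   evm_enable "$(evm_mask hmac sig lock)"    # writes 0x80000003
```

evm_mask only composes and checks the value; the writes happen in evm_enable, evm_add_xattr and evm_lock_xattrs, which fail cleanly if securityfs is not mounted. Once evm_enable has loaded the key, the documented note applies and allow_metadata can no longer be turned on.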