What:		security/evm
Date:		March 2011
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		EVM protects a file's security extended attributes (xattrs)
		against integrity attacks. The initial method maintains an
		HMAC-sha1 value across the extended attributes, storing the
		value as the extended attribute 'security.evm'.

		EVM supports two classes of security.evm. The first is
		an HMAC-sha1 generated locally with a
		trusted/encrypted key stored in the Kernel Key
		Retention System. The second is a digital signature
		generated either locally or remotely using an
		asymmetric key. These keys are loaded onto root's
		keyring using keyctl, and EVM is then enabled by
		echoing a value to <securityfs>/evm made up of the
		following bits:

		===	==================================================
		Bit	Effect
		===	==================================================
		0	Enable HMAC validation and creation
		1	Enable digital signature validation
		2	Permit modification of EVM-protected metadata at
			runtime. Not supported if HMAC validation and
			creation is enabled (deprecated).
		31	Disable further runtime modification of EVM policy
		===	==================================================

		For example::

		  echo 1 ><securityfs>/evm

		will enable HMAC validation and creation

		::

		  echo 0x80000003 ><securityfs>/evm

		will enable HMAC and digital signature validation and
		HMAC creation and disable all further modification of policy.

		::

		  echo 0x80000006 ><securityfs>/evm

		will enable digital signature validation, permit
		modification of EVM-protected metadata and
		disable all further modification of policy. This option is now
		deprecated in favor of::

		  echo 0x80000002 ><securityfs>/evm

		as the outstanding issues that prevent the usage of EVM portable
		signatures have been solved.

		Echoing a value is additive: the new value is OR-ed into the
		existing initialization flags.

		For example, after::

		  echo 2 ><securityfs>/evm

		another echo can be performed::

		  echo 1 ><securityfs>/evm

		and the resulting value will be 3.

		Note that once an HMAC key has been loaded, it will no longer
		be possible to enable metadata modification. Signaling that an
		HMAC key has been loaded will clear the corresponding flag.
		For example, if the current value is 6 (2 and 4 set)::

		  echo 1 ><securityfs>/evm

		will set the new value to 3 (4 cleared).

		Loading an HMAC key is the only way to disable metadata
		modification.

		Until key loading has been signaled, EVM cannot create
		or validate the 'security.evm' xattr, but returns
		INTEGRITY_UNKNOWN. Loading keys and signaling EVM
		should be done as early as possible. Normally this is
		done in the initramfs, which has already been measured
		as part of the trusted boot. For more information on
		creating and loading existing trusted/encrypted keys,
		refer to:
		Documentation/security/keys/trusted-encrypted.rst. Both
		dracut (via 97masterkey and 98integrity) and systemd (via
		core/ima-setup) have support for loading keys at boot
		time.
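The flag arithmetic described above (additive writes, the HMAC-key load clearing bit 2, and bit 31 freezing the policy) as an added user-space model. This is example code written for this page, not the kernel's own securityfs handler; the EVM_BIT_* names and the evm_model_* functions are this model's own, and the rejection of undefined bits is an assumption of the model.

```c
/* Added example (not kernel code): a user-space model of the
 * <securityfs>/evm write semantics described above. Names are this
 * model's own; it does not reproduce the kernel's actual handler. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EVM_BIT_HMAC        (1u << 0)   /* bit 0: HMAC validation and creation */
#define EVM_BIT_SIG         (1u << 1)   /* bit 1: digital signature validation */
#define EVM_BIT_META_WRITES (1u << 2)   /* bit 2: allow EVM-protected metadata changes */
#define EVM_BIT_LOCKED      (1u << 31)  /* bit 31: no further policy modification */
#define EVM_KNOWN_BITS (EVM_BIT_HMAC | EVM_BIT_SIG | EVM_BIT_META_WRITES | EVM_BIT_LOCKED)

/* One "echo <value> ><securityfs>/evm". Returns 0 if the write was applied,
 * -1 if it was refused (policy already locked by bit 31, or an undefined
 * bit in the value; the latter is this model's assumption). */
static int evm_model_write(uint32_t *state, uint32_t value)
{
    if (*state & EVM_BIT_LOCKED)
        return -1;
    if (value & ~EVM_KNOWN_BITS)
        return -1;
    *state |= value;                     /* writes are additive */
    /* Once an HMAC key is loaded, metadata modification is not supported:
     * bit 2 is cleared (the "6 then echo 1 gives 3" case above) and
     * cannot be set again by a later write. */
    if (*state & EVM_BIT_HMAC)
        *state &= ~EVM_BIT_META_WRITES;
    return 0;
}

/* Return code of a single write without mutating the caller's state. */
static int evm_model_status(uint32_t state, uint32_t value)
{
    return evm_model_write(&state, value);
}

/* Apply a sequence of writes starting from `start`; refused writes change nothing. */
static uint32_t evm_model_replay(uint32_t start, const uint32_t *writes, size_t n)
{
    uint32_t state = start;
    for (size_t i = 0; i < n; i++)
        evm_model_write(&state, writes[i]);
    return state;
}

int main(void)
{
    const uint32_t boot[] = { 2, 1, 4 };   /* constructed sample sequence */
    printf("0 -> echo 2, echo 1, echo 4: 0x%x\n", evm_model_replay(0, boot, 3));
    printf("6 -> echo 1: 0x%x\n", evm_model_replay(6, (const uint32_t[]){ 1 }, 1));
    printf("write after lock refused: %d\n", evm_model_status(0x80000003u, 4));
    return 0;
}
```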

What:		security/integrity/evm/evm_xattrs
Date:		April 2018
Contact:	Matthew Garrett <mjg59@google.com>
Description:
		Shows the set of extended attributes used to calculate or
		validate the EVM signature, and allows additional attributes
		to be added at runtime. Any signatures generated after
		additional attributes are added (and on files possessing those
		additional attributes) will only be valid if the same
		additional attributes are configured on system boot. Writing
		a single period (.) will lock the xattr list from any further
		modification.