What:		/sys/kernel/security/evm
What:		/sys/kernel/security/*/evm
Date:		March 2011
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		EVM protects a file's security extended attributes (xattrs)
		against integrity attacks. The initial method maintains an
		HMAC-sha1 value across the extended attributes, storing the
		value as the extended attribute 'security.evm'.

		EVM supports two classes of security.evm. The first is
		an HMAC-sha1 generated locally with a
		trusted/encrypted key stored in the Kernel Key
		Retention System. The second is a digital signature
		generated either locally or remotely using an
		asymmetric key. These keys are loaded onto root's
		keyring using keyctl, and EVM is then enabled by
		echoing a value to <securityfs>/evm made up of the
		following bits:

		===	==================================================
		Bit	Effect
		===	==================================================
		0	Enable HMAC validation and creation
		1	Enable digital signature validation
		2	Permit modification of EVM-protected metadata at
			runtime. Not supported if HMAC validation and
			creation is enabled (deprecated).
		31	Disable further runtime modification of EVM policy
		===	==================================================

		For example::

		  echo 1 ><securityfs>/evm

		will enable HMAC validation and creation.

		::

		  echo 0x80000003 ><securityfs>/evm

		will enable HMAC and digital signature validation and
		HMAC creation, and disable all further modification of policy.

		::

		  echo 0x80000006 ><securityfs>/evm

		will enable digital signature validation, permit
		modification of EVM-protected metadata and
		disable all further modification of policy. This option is now
		deprecated in favor of::

		  echo 0x80000002 ><securityfs>/evm

		as the outstanding issues that prevented the use of EVM portable
		signatures have been solved.

		Echoing a value is additive: the new bits are OR-ed into the
		existing initialization flags.

		For example, after::

		  echo 2 ><securityfs>/evm

		another echo can be performed::

		  echo 1 ><securityfs>/evm

		and the resulting value will be 3.

		Note that once an HMAC key has been loaded, it will no longer
		be possible to enable metadata modification. Signaling that an
		HMAC key has been loaded will clear the corresponding flag.
		For example, if the current value is 6 (2 and 4 set)::

		  echo 1 ><securityfs>/evm

		will set the new value to 3 (4 cleared).

		Loading an HMAC key is the only way to disable metadata
		modification.

		Until key loading has been signaled, EVM cannot create
		or validate the 'security.evm' xattr, but returns
		INTEGRITY_UNKNOWN. Loading keys and signaling EVM
		should be done as early as possible. Normally this is
		done in the initramfs, which has already been measured
		as part of the trusted boot. For more information on
		creating and loading existing trusted/encrypted keys,
		refer to:
		Documentation/security/keys/trusted-encrypted.rst. Both
		dracut (via 97masterkey and 98integrity) and systemd (via
		core/ima-setup) have support for loading keys at boot
		time.
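The flag semantics described above, as an added example that is not part of the kernel's documentation or code: a POSIX shell script that builds the value to echo from readable names, models what a write to <securityfs>/evm does according to the rules stated in this entry (bits are OR-ed in, bit 2 is refused or cleared once an HMAC key is loaded, nothing is accepted once bit 31 is set), and applies a value to a path you pass in so the write can be rehearsed against a scratch file before touching securityfs. The function names, the names hmac/sig/metadata/lock, the default path /sys/kernel/security/evm and the EVM_* shell constants are this example's own choices (the constant names are modelled on the kernel's macro names, an assumption; they are defined here, not read from the running kernel).

```shell
#!/bin/sh
# Added example, not kernel code: model and apply writes to <securityfs>/evm.
# Bit values follow the table in Documentation/ABI/testing/evm. The EVM_*
# names are this script's own constants (chosen to resemble the kernel's
# macro names; an assumption), not values read from the running kernel.

EVM_INIT_HMAC=1                   # bit 0: HMAC validation and creation
EVM_INIT_X509=2                   # bit 1: digital signature validation
EVM_ALLOW_METADATA_WRITES=4       # bit 2: runtime metadata writes (deprecated)
EVM_SETUP_COMPLETE=$((1 << 31))   # bit 31: lock the policy
EVM_INIT_MASK=$((EVM_INIT_HMAC | EVM_INIT_X509 | EVM_ALLOW_METADATA_WRITES | EVM_SETUP_COMPLETE))

# evm_flags_from_names NAME...: build the value to echo from readable names.
# Names are this script's choice: hmac, sig, metadata, lock.
# Prints hex, e.g. "hmac sig lock" -> 0x80000003.
evm_flags_from_names() {
    efn_v=0
    for efn_n in "$@"; do
        case "$efn_n" in
            hmac)     efn_v=$((efn_v | EVM_INIT_HMAC)) ;;
            sig)      efn_v=$((efn_v | EVM_INIT_X509)) ;;
            metadata) efn_v=$((efn_v | EVM_ALLOW_METADATA_WRITES)) ;;
            lock)     efn_v=$((efn_v | EVM_SETUP_COMPLETE)) ;;
            *) echo "evm_flags_from_names: unknown flag '$efn_n'" >&2; return 1 ;;
        esac
    done
    printf '0x%x\n' "$efn_v"
}

# evm_next_state CURRENT REQUEST: print (decimal) the flags EVM would hold
# after `echo REQUEST > <securityfs>/evm` when it currently holds CURRENT,
# following the rules stated in the ABI entry:
#   - once bit 31 is set, no further write is accepted;
#   - only bits 0, 1, 2 and 31 are meaningful;
#   - bit 2 cannot be enabled once an HMAC key is loaded (bit 0 set);
#   - the request is OR-ed into the current flags (2 then 1 -> 3);
#   - loading the HMAC key clears bit 2 (6 then 1 -> 3).
# Returns non-zero, with a message on stderr, where the kernel would refuse.
evm_next_state() {
    ens_cur=$(( $1 )); ens_req=$(( $2 ))
    if [ $((ens_cur & EVM_SETUP_COMPLETE)) -ne 0 ]; then
        echo "evm_next_state: policy locked (bit 31 set), write refused" >&2; return 1
    fi
    if [ $((ens_req & ~EVM_INIT_MASK)) -ne 0 ]; then
        echo "evm_next_state: request contains undefined bits" >&2; return 1
    fi
    if [ $((ens_req & EVM_ALLOW_METADATA_WRITES)) -ne 0 ] && \
       [ $((ens_cur & EVM_INIT_HMAC)) -ne 0 ]; then
        echo "evm_next_state: HMAC key already loaded, metadata writes refused" >&2; return 1
    fi
    ens_new=$((ens_cur | ens_req))
    if [ $((ens_new & EVM_INIT_HMAC)) -ne 0 ]; then
        ens_new=$((ens_new & ~EVM_ALLOW_METADATA_WRITES))   # HMAC loaded: drop bit 2
    fi
    printf '%d\n' "$ens_new"
}

# evm_apply VALUE [PATH]: write VALUE to the EVM securityfs file (default
# /sys/kernel/security/evm; pass a scratch file to rehearse) and print what
# is read back. On a real system this needs root and a mounted securityfs.
evm_apply() {
    ea_path=${2:-/sys/kernel/security/evm}
    if [ ! -w "$ea_path" ]; then
        echo "evm_apply: $ea_path not writable (root? securityfs mounted?)" >&2; return 1
    fi
    printf '%s\n' "$1" > "$ea_path" || return 1
    cat "$ea_path"
}
```

Typical use is `evm_apply "$(evm_flags_from_names hmac sig lock)"` from the initramfs after the keys are on root's keyring; `evm_next_state` lets you check beforehand what a second write would do to flags already set, and a read of the file after each write confirms the kernel agreed.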

What:		/sys/kernel/security/*/evm/evm_xattrs
Date:		April 2018
Contact:	Matthew Garrett <mjg59@google.com>
Description:
		Shows the set of extended attributes used to calculate or
		validate the EVM signature, and allows additional attributes
		to be added at runtime. Any signatures generated after
		additional attributes are added (and on files possessing those
		additional attributes) will only be valid if the same
		additional attributes are configured on system boot. Writing
		a single period (.) will lock the xattr list from any further
		modification.