What:		security/evm
Date:		March 2011
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		EVM protects a file's security extended attributes (xattrs)
		against integrity attacks. The initial method maintains an
		HMAC-sha1 value across the extended attributes, storing the
		value as the extended attribute 'security.evm'.

		EVM supports two classes of security.evm. The first is
		an HMAC-sha1 generated locally with a
		trusted/encrypted key stored in the Kernel Key
		Retention System. The second is a digital signature
		generated either locally or remotely using an
		asymmetric key. These keys are loaded onto root's
		keyring using keyctl, and EVM is then enabled by
		echoing a value to <securityfs>/evm:

		1: enable HMAC validation and creation
		2: enable digital signature validation
		3: enable HMAC and digital signature validation and HMAC
		   creation

		Further writes will be blocked if HMAC support is enabled or
		if bit 32 is set:

		echo 0x80000002 ><securityfs>/evm

		will enable digital signature validation and block
		further writes to <securityfs>/evm.

		Until this is done, EVM cannot create or validate the
		'security.evm' xattr, but returns INTEGRITY_UNKNOWN.

		Loading keys and signaling EVM should be done as early
		as possible. Normally this is done in the initramfs,
		which has already been measured as part of the trusted
		boot. For more information on creating and loading
		existing trusted/encrypted keys, refer to:

		Documentation/security/keys/trusted-encrypted.rst. Both dracut
		(via 97masterkey and 98integrity) and systemd (via
		core/ima-setup) have support for loading keys at boot
		time.
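The following shell helpers are an added example, not part of the kernel documentation or of dracut/systemd: they compose the value written to <securityfs>/evm from the three flags described above (HMAC = 1, signature = 2, and the high lock bit that the 0x80000002 example sets), decode a value back into its meaning including whether further writes are blocked, and perform the write with a read-back. The securityfs path is a parameter so the helpers can be exercised against an ordinary file.

```shell
#!/bin/sh
# Added example: helpers for the <securityfs>/evm enable interface.
# Flag values are the ones documented above; the lock bit is the high bit
# used in the page's "echo 0x80000002" example.
EVM_FLAG_HMAC=1                  # 1: enable HMAC validation and creation
EVM_FLAG_SIG=2                   # 2: enable digital signature validation
EVM_FLAG_LOCK=$((0x80000000))    # block further writes to <securityfs>/evm

# evm_value <hmac 0|1> <sig 0|1> <lock 0|1>: print the hex value to write.
evm_value() {
    v=0
    [ "$1" = 1 ] && v=$((v | EVM_FLAG_HMAC))
    [ "$2" = 1 ] && v=$((v | EVM_FLAG_SIG))
    [ "$3" = 1 ] && v=$((v | EVM_FLAG_LOCK))
    printf '0x%x\n' "$v"
}

# evm_describe <value>: decode a hex or decimal value into words.
# Prints "disabled" for 0; "locked" means the interface accepts no
# further writes, which happens when HMAC is enabled or the lock bit is set.
evm_describe() {
    v=$(($1))
    desc=""
    [ $((v & EVM_FLAG_HMAC)) -ne 0 ] && desc="${desc}hmac "
    [ $((v & EVM_FLAG_SIG)) -ne 0 ] && desc="${desc}sig "
    if [ $((v & EVM_FLAG_HMAC)) -ne 0 ] || [ $((v & EVM_FLAG_LOCK)) -ne 0 ]; then
        desc="${desc}locked"
    fi
    desc="${desc% }"
    printf '%s\n' "${desc:-disabled}"
}

# evm_enable <value> [path]: write the value (default path is the usual
# securityfs mount point) and echo it back; returns 1 if the write is
# refused, e.g. because EVM was already locked or securityfs is not mounted.
evm_enable() {
    path="${2:-/sys/kernel/security/evm}"
    if ! printf '%s' "$1" > "$path"; then
        echo "write to $path refused" >&2
        return 1
    fi
    cat "$path"
}
```

Run as root on a system with securityfs mounted, `evm_enable "$(evm_value 0 1 1)"` performs exactly the page's 0x80000002 write; the decode helper is useful for reading an unfamiliar initramfs script.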