From: Mimi Zohar Date: Tue, 1 Jun 2021 19:09:45 +0000 (-0400) Subject: Merge branch 'misc-evm-v7' into next-integrity X-Git-Tag: block-5.14-2021-07-08~69^2~12 X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=5a25d8ceb8611c06797b74e22d04af2b9fefd130;p=linux-2.6-block.git Merge branch 'misc-evm-v7' into next-integrity From cover letter: EVM portable signatures are particularly suitable for the protection of metadata of immutable files where metadata is signed by a software vendor. They can be used for example in conjunction with an IMA policy that appraises only executed and memory mapped files. However, until now portable signatures can be properly installed only if the EVM_ALLOW_METADATA_WRITES initialization flag is also set, which disables metadata verification until an HMAC key is loaded. This will cause metadata writes to be allowed even in the situations where they shouldn't (metadata protected by a portable signature is immutable). The main reason why setting the flag is necessary is that the operations necessary to install portable signatures and protected metadata would be otherwise denied, despite being legitimate, due to the fact that the decision logic has to avoid an unsafe recalculation of the HMAC that would make the unsuccessfully verified metadata valid. However, the decision logic is too coarse, and does not fully take into account all the possible situations where metadata operations could be allowed. For example, if the HMAC key is not loaded and it cannot be loaded in the future due the EVM_SETUP_COMPLETE flag being set, it wouldn't be a problem to allow metadata operations, as they wouldn't result in an HMAC being recalculated. This patch set extends the decision logic and adds the necessary exceptions to use portable signatures without turning off metadata verification and deprecates the EVM_ALLOW_METADATA_WRITES flag. Link: https://lore.kernel.org/linux-integrity/20210514152753.982958-1-roberto.sassu@huawei.com/ --- 5a25d8ceb8611c06797b74e22d04af2b9fefd130