Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

What:		security/evm
Date:		March 2011
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		EVM protects a file's security extended attributes (xattrs)
		against integrity attacks. The initial method maintains an
		HMAC-sha1 value across the extended attributes, storing the
		value as the extended attribute 'security.evm'.

		EVM supports two classes of security.evm. The first is
		an HMAC-sha1 generated locally with a
		trusted/encrypted key stored in the Kernel Key
		Retention System. The second is a digital signature
		generated either locally or remotely using an
		asymmetric key. These keys are loaded onto root's
		keyring using keyctl, and EVM is then enabled by
		echoing a value to <securityfs>/evm made up of the
		following bits:

		===	  ==================================================
		Bit	  Effect
		===	  ==================================================
		0	  Enable HMAC validation and creation
		1	  Enable digital signature validation
		2	  Permit modification of EVM-protected metadata at
			  runtime. Not supported if HMAC validation and
			  creation is enabled.
		31	  Disable further runtime modification of EVM policy
		===	  ==================================================

		For example::

		  echo 1 ><securityfs>/evm

		will enable HMAC validation and creation

		::

		  echo 0x80000003 ><securityfs>/evm

		will enable HMAC and digital signature validation and
		HMAC creation and disable all further modification of policy.

		::

		  echo 0x80000006 ><securityfs>/evm

		will enable digital signature validation, permit
		modification of EVM-protected metadata and
		disable all further modification of policy

		Echoing a value is additive; the new value is added to the
		existing initialization flags.

		For example, after::

		  echo 2 ><securityfs>/evm

		another echo can be performed::

		  echo 1 ><securityfs>/evm

		and the resulting value will be 3.

		Note that once an HMAC key has been loaded, it will no longer
		be possible to enable metadata modification. Signaling that an
		HMAC key has been loaded will clear the corresponding flag.
		For example, if the current value is 6 (2 and 4 set)::

		  echo 1 ><securityfs>/evm

		will set the new value to 3 (4 cleared).

		Loading an HMAC key is the only way to disable metadata
		modification.

		Until key loading has been signaled EVM can not create
		or validate the 'security.evm' xattr, but returns
		INTEGRITY_UNKNOWN.  Loading keys and signaling EVM
		should be done as early as possible.  Normally this is
		done in the initramfs, which has already been measured
		as part of the trusted boot.  For more information on
		creating and loading existing trusted/encrypted keys,
		refer to:
		Documentation/security/keys/trusted-encrypted.rst. Both
		dracut (via 97masterkey and 98integrity) and systemd (via
		core/ima-setup) have support for loading keys at boot
		time.
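The bit table, the additive write semantics, the clearing of bit 2 once an HMAC key is loaded, and the early-boot key loading described above, worked through as an added example (this script is not part of the kernel documentation or of the Orange Pi kernel tree). It composes the value to write from named flags, refuses requests the text says cannot succeed, predicts the resulting state from the rules as the document states them, and verifies the read-back after the write. Assumptions of this example: securityfs is mounted at /sys/kernel/security, the HMAC key is an encrypted key named "evm-key" loaded from a blob at /etc/keys/evm-key.blob with the master key already present, and only the three functional bits are compared on read-back because the document does not say whether bit 31 is reported.

```shell
#!/bin/sh
# Added example, not kernel code: drive <securityfs>/evm from named flags
# and verify the result. Paths and the key name below are assumptions.

EVM_HMAC=1            # bit 0: enable HMAC validation and creation
EVM_X509=2            # bit 1: enable digital signature validation
EVM_ALLOW_META=4      # bit 2: permit runtime modification of protected metadata
EVM_LOCK=2147483648   # bit 31 (0x80000000): disable further policy modification
EVM_KNOWN=$((EVM_HMAC | EVM_X509 | EVM_ALLOW_META | EVM_LOCK))

# evm_flags NAME... -> hex value to write, e.g. "hmac sig lock" -> 0x80000003
evm_flags() {
    v=0
    for name in "$@"; do
        case "$name" in
            hmac) v=$((v | EVM_HMAC)) ;;
            sig)  v=$((v | EVM_X509)) ;;
            meta) v=$((v | EVM_ALLOW_META)) ;;
            lock) v=$((v | EVM_LOCK)) ;;
            *) echo "unknown EVM flag: $name" >&2; return 1 ;;
        esac
    done
    printf '0x%x\n' "$v"
}

# evm_check_request CURRENT WRITE: refuse what the document says cannot work:
# bits outside the table, or bit 2 together with bit 0 (requested now or
# already set, i.e. an HMAC key has been loaded).
evm_check_request() {
    cur=$1; w=$2
    if [ $((w & ~EVM_KNOWN)) -ne 0 ]; then
        echo "value $w contains bits not in the EVM table" >&2; return 1
    fi
    if [ $((w & EVM_ALLOW_META)) -ne 0 ] && [ $(((cur | w) & EVM_HMAC)) -ne 0 ]; then
        echo "bit 2 (metadata writes) cannot be enabled while bit 0 (HMAC) is active" >&2
        return 1
    fi
    return 0
}

# evm_next_state CURRENT WRITE -> state per the documented rules: the write is
# added to the existing flags, and once bit 0 is set bit 2 is cleared.
evm_next_state() {
    next=$(($1 | $2))
    if [ $((next & EVM_HMAC)) -ne 0 ]; then
        next=$((next & ~EVM_ALLOW_META))
    fi
    printf '0x%x\n' "$next"
}

# evm_load_hmac_key [BLOB]: load the encrypted EVM key onto root's user keyring.
# The trusted master key it is wrapped with must already be loaded (see
# Documentation/security/keys/trusted-encrypted.rst). Name and path are assumed.
evm_load_hmac_key() {
    blob=${1:-/etc/keys/evm-key.blob}
    [ -r "$blob" ] || { echo "missing EVM key blob $blob" >&2; return 1; }
    keyctl add encrypted evm-key "load $(cat "$blob")" @u >/dev/null
}

# evm_apply VALUE [NODE]: check, write, and verify the three functional bits.
# NODE defaults to the securityfs evm file; a plain file can stand in for tests.
evm_apply() {
    value=$1
    node=${2:-/sys/kernel/security/evm}
    before=$(cat "$node") || return 1
    evm_check_request "$before" "$value" || return 1
    expected=$(evm_next_state "$before" "$value")
    echo "$value" > "$node" || { echo "write of $value to $node failed" >&2; return 1; }
    after=$(cat "$node") || return 1
    if [ $((after & 7)) -ne $((expected & 7)) ]; then
        printf 'EVM state mismatch: wrote %s, expected %s, read back %s\n' \
            "$value" "$expected" "$after" >&2
        return 1
    fi
    printf 'EVM state now %s\n' "$after"
}

# Typical initramfs use: enable HMAC and signature checking and lock the
# policy. Only runs when EVM_SETUP=1 so this file can be sourced safely.
if [ "${EVM_SETUP:-0}" = 1 ]; then
    evm_load_hmac_key && evm_apply "$(evm_flags hmac sig lock)"
fi
```

Because writes are additive, `evm_apply` reads the node first and checks the request against the bits already set, so a late attempt to turn on bit 2 after the HMAC key is loaded is reported before anything is written rather than silently dropped by the kernel.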

What:		security/integrity/evm/evm_xattrs
Date:		April 2018
Contact:	Matthew Garrett <mjg59@google.com>
Description:
		Shows the set of extended attributes used to calculate or
		validate the EVM signature, and allows additional attributes
		to be added at runtime. Any signatures generated after
		additional attributes are added (and on files possessing those
		additional attributes) will only be valid if the same
		additional attributes are configured on system boot. Writing
		a single period (.) will lock the xattr list from any further
		modification.
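The evm_xattrs interface above, as an added example that is not part of the kernel documentation: list the xattrs currently covered, add one only if it is missing and confirm it is reported back, and lock the list with a single period. It assumes securityfs is mounted at /sys/kernel/security and, following the first entry's statement that EVM protects security xattrs, refuses names outside the security. namespace. The xattr names used in the test are constructed sample input.

```shell
#!/bin/sh
# Added example, not kernel code: manage the EVM-protected xattr list.
# The node path is an assumption (securityfs at /sys/kernel/security).

EVM_XATTRS_NODE=${EVM_XATTRS_NODE:-/sys/kernel/security/integrity/evm/evm_xattrs}

# evm_xattrs_list [NODE]: print the configured xattr names, one per line
evm_xattrs_list() {
    cat "${1:-$EVM_XATTRS_NODE}"
}

# evm_xattrs_has LIST NAME: succeed if NAME is one of the newline-separated LIST
evm_xattrs_has() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# evm_xattrs_add NAME [NODE]: add NAME unless already present, then verify.
# Signatures made after this change only validate on later boots if the same
# name is added again early in boot, so the caller must also record NAME in
# its boot-time setup (initramfs or ima-setup).
evm_xattrs_add() {
    name=$1
    node=${2:-$EVM_XATTRS_NODE}
    case "$name" in
        security.*) ;;
        *) echo "EVM covers security.* xattrs only; refusing '$name'" >&2; return 1 ;;
    esac
    current=$(evm_xattrs_list "$node") || return 1
    if evm_xattrs_has "$current" "$name"; then
        echo "$name is already covered" >&2
        return 0
    fi
    echo "$name" > "$node" || { echo "adding $name failed (list locked?)" >&2; return 1; }
    if ! evm_xattrs_has "$(evm_xattrs_list "$node")" "$name"; then
        echo "$name not reported by $node after write" >&2
        return 1
    fi
}

# evm_xattrs_lock [NODE]: a single period locks the list against further changes
evm_xattrs_lock() {
    echo . > "${1:-$EVM_XATTRS_NODE}"
}
```

Add names before locking: once the period has been written, `evm_xattrs_add` reports the failed write rather than leaving the caller to assume the attribute is covered.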