What:		security/evm
Date:		March 2011
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		EVM protects a file's security extended attributes (xattrs)
		against integrity attacks. The initial method maintains an
		HMAC-sha1 value across the extended attributes, storing the
		value as the extended attribute 'security.evm'.

		EVM supports two classes of security.evm. The first is
		an HMAC-sha1 generated locally with a
		trusted/encrypted key stored in the Kernel Key
		Retention System. The second is a digital signature
		generated either locally or remotely using an
		asymmetric key. These keys are loaded onto root's
		keyring using keyctl, and EVM is then enabled by
		echoing a value to <securityfs>/evm made up of the
		following bits:

		===  ==================================================
		Bit  Effect
		===  ==================================================
		0    Enable HMAC validation and creation
		1    Enable digital signature validation
		2    Permit modification of EVM-protected metadata at
		     runtime. Not supported if HMAC validation and
		     creation is enabled.
		31   Disable further runtime modification of EVM policy
		===  ==================================================

		For example::

		  echo 1 ><securityfs>/evm

		will enable HMAC validation and creation

		::

		  echo 0x80000003 ><securityfs>/evm

		will enable HMAC and digital signature validation and
		HMAC creation and disable all further modification of policy.

		::

		  echo 0x80000006 ><securityfs>/evm

		will enable digital signature validation, permit
		modification of EVM-protected metadata and
		disable all further modification of policy

		Echoing a value is additive: the new value is added to the
		existing initialization flags.

		For example, after::

		  echo 2 ><securityfs>/evm

		another echo can be performed::

		  echo 1 ><securityfs>/evm

		and the resulting value will be 3.

		Note that once an HMAC key has been loaded, it will no longer
		be possible to enable metadata modification. Signaling that an
		HMAC key has been loaded will clear the corresponding flag.
		For example, if the current value is 6 (2 and 4 set)::

		  echo 1 ><securityfs>/evm

		will set the new value to 3 (4 cleared).

		Loading an HMAC key is the only way to disable metadata
		modification.

		Until key loading has been signaled EVM cannot create
		or validate the 'security.evm' xattr, but returns
		INTEGRITY_UNKNOWN. Loading keys and signaling EVM
		should be done as early as possible. Normally this is
		done in the initramfs, which has already been measured
		as part of the trusted boot. For more information on
		creating and loading existing trusted/encrypted keys,
		refer to:
		Documentation/security/keys/trusted-encrypted.rst. Both
		dracut (via 97masterkey and 98integrity) and systemd (via
		core/ima-setup) have support for loading keys at boot
		time.

What:		security/integrity/evm/evm_xattrs
Date:		April 2018
Contact:	Matthew Garrett <mjg59@google.com>
Description:
		Shows the set of extended attributes used to calculate or
		validate the EVM signature, and allows additional attributes
		to be added at runtime. Any signatures generated after
		additional attributes are added (and on files possessing those
		additional attributes) will only be valid if the same
		additional attributes are configured on system boot. Writing
		a single period (.) will lock the xattr list from any further
		modification.
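The following is an added example, not kernel code: a small model of how successive writes to <securityfs>/evm combine with the existing initialization flags as described for security/evm above (additive writes, bit 2 cleared once an HMAC key is signaled, bit 31 locking the policy). The constant and function names are this example's own, and rejecting bits outside the documented set is an assumption of the model.

```python
# Bit layout of <securityfs>/evm as documented in the table above.
EVM_INIT_HMAC = 1 << 0              # bit 0: HMAC validation and creation
EVM_INIT_X509 = 1 << 1              # bit 1: digital signature validation
EVM_ALLOW_METADATA_WRITES = 1 << 2  # bit 2: runtime metadata modification
EVM_SETUP_COMPLETE = 1 << 31        # bit 31: no further policy changes

# Assumption of this model: anything outside the documented bits is rejected.
VALID_BITS = (EVM_INIT_HMAC | EVM_INIT_X509 |
              EVM_ALLOW_METADATA_WRITES | EVM_SETUP_COMPLETE)


def evm_write(current: int, value) -> int:
    """Return the flag word after `echo <value> > <securityfs>/evm`.

    `value` is an int or the text that would be echoed ("1", "0x80000003").
    Writes are additive (OR'd into `current`); once bit 31 is set no write is
    accepted; enabling metadata writes after an HMAC key is loaded is not
    supported; and signaling an HMAC key clears bit 2 (so 6 + 1 -> 3).
    """
    if isinstance(value, str):
        value = int(value.strip(), 0)   # base 0: decimal or 0x-prefixed hex
    if current & EVM_SETUP_COMPLETE:
        raise PermissionError("EVM policy is locked (bit 31); write rejected")
    if value & ~VALID_BITS:
        raise ValueError(f"unknown EVM flag bits in {value:#x}")
    if (current & EVM_INIT_HMAC) and (value & EVM_ALLOW_METADATA_WRITES):
        raise PermissionError("HMAC key already loaded; cannot permit "
                              "metadata modification")
    new = current | value
    if new & EVM_INIT_HMAC:
        # Loading an HMAC key is the only way to disable metadata modification.
        new &= ~EVM_ALLOW_METADATA_WRITES
    return new


def replay(writes, start: int = 0) -> list:
    """Apply a sequence of echoed values (e.g. from an initramfs script) and
    return the flag word after each write, so the final policy can be audited."""
    states, current = [], start
    for w in writes:
        current = evm_write(current, w)
        states.append(current)
    return states


if __name__ == "__main__":
    for state in replay(["2", "1", "0x80000002"]):
        print(f"{state:#010x}")
```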