aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorDmitry Kasatkin <dmitry.kasatkin@intel.com>2012-09-10 03:37:20 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2013-02-06 10:40:28 -0500
commit74de66842473bdafa798010e58f1999ec70a8983 (patch)
tree83bb9c589051fd7269a9cd2bf1d7be9a955eccbd /security
parent6e38bfaad6c83bdd07eb659f9bfd50f8d71a5a46 (diff)
evm: add file system uuid to EVM hmac
EVM uses the same key for all file systems to calculate the HMAC, making it possible to paste inodes from one file system on to another one, without EVM being able to detect it. To prevent such an attack, it is necessary to make the EVM HMAC file system specific. This patch uses the file system UUID, a file system unique identifier, to bind the EVM HMAC to the file system. The value inode->i_sb->s_uuid is used for the HMAC hash calculation, instead of using it for deriving the file system specific key. Initializing the key for every inode HMAC calculation is a bit more expensive operation than adding the uuid to the HMAC hash. Changing the HMAC calculation method or adding additional info to the calculation, requires existing EVM labeled file systems to be relabeled. This patch adds a Kconfig HMAC version option for backwards compatability. Changelog v1: - squash "hmac version setting" Changelog v0: - add missing Kconfig depends (Mimi) Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/evm/Kconfig13
-rw-r--r--security/integrity/evm/evm.h1
-rw-r--r--security/integrity/evm/evm_crypto.c3
-rw-r--r--security/integrity/evm/evm_main.c1
4 files changed, 18 insertions, 0 deletions
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index afbb59dd262d..fea9749c3756 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -11,3 +11,16 @@ config EVM
11 integrity attacks. 11 integrity attacks.
12 12
13 If you are unsure how to answer this question, answer N. 13 If you are unsure how to answer this question, answer N.
14
15config EVM_HMAC_VERSION
16 int "EVM HMAC version"
17 depends on EVM
18 default 2
19 help
20 This options adds EVM HMAC version support.
21 1 - original version
22 2 - add per filesystem unique identifier (UUID) (default)
23
24 WARNING: changing the HMAC calculation method or adding
25 additional info to the calculation, requires existing EVM
26 labeled file systems to be relabeled.
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index 3eb30c6db419..30bd1ec0232e 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -24,6 +24,7 @@
24extern int evm_initialized; 24extern int evm_initialized;
25extern char *evm_hmac; 25extern char *evm_hmac;
26extern char *evm_hash; 26extern char *evm_hash;
27extern int evm_hmac_version;
27 28
28extern struct crypto_shash *hmac_tfm; 29extern struct crypto_shash *hmac_tfm;
29extern struct crypto_shash *hash_tfm; 30extern struct crypto_shash *hash_tfm;
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index dfb26918699c..ff8e2abf8f21 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -110,6 +110,9 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
110 hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid); 110 hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
111 hmac_misc.mode = inode->i_mode; 111 hmac_misc.mode = inode->i_mode;
112 crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof hmac_misc); 112 crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof hmac_misc);
113 if (evm_hmac_version > 1)
114 crypto_shash_update(desc, inode->i_sb->s_uuid,
115 sizeof(inode->i_sb->s_uuid));
113 crypto_shash_final(desc, digest); 116 crypto_shash_final(desc, digest);
114} 117}
115 118
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index a78a5e21ef70..cdbde1762189 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -26,6 +26,7 @@ int evm_initialized;
26 26
27char *evm_hmac = "hmac(sha1)"; 27char *evm_hmac = "hmac(sha1)";
28char *evm_hash = "sha1"; 28char *evm_hash = "sha1";
29int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
29 30
30char *evm_config_xattrnames[] = { 31char *evm_config_xattrnames[] = {
31#ifdef CONFIG_SECURITY_SELINUX 32#ifdef CONFIG_SECURITY_SELINUX