Re: [Patch 3/7] integrity: EVM as an integrity service provider

From: David Safford
Date: Tue Mar 27 2007 - 13:33:10 EST

Next message: Prarit Bhargava: "Re: [PATCH]: Fix bogus softlockup warning with sysrq-t"
Previous message: Christoph Hellwig: "Re: [-mm patch] fix arch/i386/kernel/marker.c compilation"
In reply to: Pavel Machek: "Re: [Patch 3/7] integrity: EVM as an integrity service provider"
Next in thread: Mimi Zohar: "Re: [Patch 3/7] integrity: EVM as an integrity service provider"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2007-03-22 at 23:19 +0000, Pavel Machek wrote:
> > There are some papers and related userspace code at
> > http://www.research.ibm.com/gsal/tcpa
> > which describe the architecture in more detail, but basically this
> > integrity provider is designed to complement mandatory access control
> > systems like selinux and slim. Such systems can protect a running system
> > against on-line attacks, but do not protect against off-line attacks
> > (booting Knoppix and changing executables or their selinux labels), or
> > against attacks which find weaknesses in the kernel or the LSM module
> > itself.
>
> Thanks. Can this go to Doc*/ somewhere?

yes, we will add that.
>
> ...but... If I can attack your system using knoppix, I can get at your
> data, already, right? So you'll need to encrypt your data, anyway?

no reason to encrypt system files, which are public, and encryption
by itself does not provide the desired integrity - you still end
up having to verify the integrity.

>
> > Using a TPM or passphrase, EVM can verify the integrity of all files
> > (including the kernel and initrd) and their labels before they are
>
> How does passphrase work here?

ah, misstated that - the passphrase can be used to HMAC all other files,
but not the kernel and initrd. Only the TPM/BIOS/Loader can do that.

>
> ...so you have your data encrypted, and you have bootloader that
> verifies kernel/initrd (you need that, anyway). Because you data are
> encrypted, knoppix attack will not work... assuming crypto does some
> integrity checks, but IIRC crypto needs to do that.

most encryption is slower than hmac, and does not provide integrity.
There are some crypto modes (e.g. IAPM) which do both encryption and
integrity, but they are patented, and have overhead above the cost of
just encryption or integrity checking by themselves.
>
> Pavel,

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Prarit Bhargava: "Re: [PATCH]: Fix bogus softlockup warning with sysrq-t"
Previous message: Christoph Hellwig: "Re: [-mm patch] fix arch/i386/kernel/marker.c compilation"
In reply to: Pavel Machek: "Re: [Patch 3/7] integrity: EVM as an integrity service provider"
Next in thread: Mimi Zohar: "Re: [Patch 3/7] integrity: EVM as an integrity service provider"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]