Re: [PATCH 07/11] evm: Set IMA_CHANGE_XATTR/ATTR bit if EVM_ALLOW_METADATA_WRITES is set

From: Mimi Zohar
Date: Tue Sep 01 2020 - 08:57:13 EST

Next message: yulei . kernel: "[RFC V2 7/9] Add migration support when using direct build EPT"
Previous message: Camel Guo: "[PATCH v2] ASoC: tlv320adcx140: Fix accessing uninitialized adcx140->dev"
In reply to: Roberto Sassu: "RE: [PATCH 07/11] evm: Set IMA_CHANGE_XATTR/ATTR bit if EVM_ALLOW_METADATA_WRITES is set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > > I think it is better to set a flag, maybe a new one, directly in EVM, to notify
> > > the integrity subsystem that iint->evm_status is no longer valid.
> > >
> > > If the EVM flag is set, IMA would reset the appraisal flags, as it uses
> > > iint->evm_status for appraisal. We can consider to reset also the measure
> > > flags when we have a template that includes file metadata.
> >
> > When would IMA read the EVM flag? Who would reset the flag? At what
> > point would it be reset? Just as EVM shouldn't be resetting the IMA
> > flag, IMA shouldn't be resetting the EVM flag.
>
> IMA would read the flag in process_measurement() and behave similarly
> to when it processes IMA_CHANGE_ATTR. The flag would be reset by
> evm_verify_hmac().

Sounds good.

Mimi

Next message: yulei . kernel: "[RFC V2 7/9] Add migration support when using direct build EPT"
Previous message: Camel Guo: "[PATCH v2] ASoC: tlv320adcx140: Fix accessing uninitialized adcx140->dev"
In reply to: Roberto Sassu: "RE: [PATCH 07/11] evm: Set IMA_CHANGE_XATTR/ATTR bit if EVM_ALLOW_METADATA_WRITES is set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]