Re: [PATCH 0/5] evm: Support signatures on stacked filesystem

From: Stefan Berger
Date: Wed Jan 31 2024 - 10:02:25 EST




On 1/31/24 08:18, Amir Goldstein wrote:
On Tue, Jan 30, 2024 at 11:46 PM Stefan Berger <stefanb@xxxxxxxxxxxxx> wrote:

EVM has recently been completely disabled on unsupported (e.g.,
overlayfs). This series now enables copy-up of "portable and immutable"
signatures on those filesystems and enables the enforcement of
"portable and immutable" as well as the "original" signatures on
previously unsupported filesystem when EVM is enabled with EVM_INIT_X509.
HMAC verification and generation remains disabled on those filesystems.


I am missing a high level description of what is in those "portable
and immutable"
signatures and how those signatures remain valid across copy up.


From 2/5:
"Portable and immutable EVM signatures can be copied up by stacked file-
system since the metadata their signature covers does not include file-
system-specific data such as a file's inode number, generation, and UUID."

Instead, the signatures cover file metadata such as file mode bits, uid, and gid as well as xattrs, which can all be preserved unchanged across a copy-up.

Reference: https://elixir.bootlin.com/linux/v6.7.2/source/security/integrity/evm/evm_crypto.c#L169


Thanks,
Amir.