Using EVM to protect security extended attributes
Mimi Zohar, IBM
The Extended Verification Module (EVM) detects offline tampering of the security extended attributes (e.g. security.selinux, security.SMACK64, security.capability, security.ima), which are the basis for LSM permission decisions and the proposed IMA integrity appraisal decisions. To detect offline tampering of these extended attributes, EVM maintains an HMAC-sha1 across a set of security extended attributes, storing the HMAC as the extended attribute 'security.evm'. To support verification of the integrity of an extended attribute, EVM exports evm_verifyxattr(), which re-calculates the HMAC and compares it with the version stored in 'security.evm'.
This talk will cover configuration, use and performance of the proposed EVM and IMA appraisal extensions. It will discuss the IMA measurement policy versus the new appraisal policy, a threat analysis of EVM/IMA appraisal, and things still needed for more complete protection of the security labels.
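The following is an added, simplified model of the mechanism the abstract describes (it is not kernel code): an HMAC-SHA1 over a fixed set of security xattrs is stored as 'security.evm', and a verify step recomputes and compares it. The key, the xattr ordering, the NUL separators and the inode contents are constructed for the example; the real kernel implementation also folds inode metadata into the HMAC, which is omitted here.

```python
import hashlib
import hmac

# Protected xattrs in the fixed order used for the HMAC (the four named in
# the abstract). A fixed order matters: the same labels in a different order
# must not produce a different HMAC.
PROTECTED_XATTRS = ("security.selinux", "security.SMACK64",
                    "security.capability", "security.ima")
EVM_XATTR = "security.evm"


def evm_calc_hmac(key: bytes, xattrs: dict) -> bytes:
    """HMAC-SHA1 over the protected xattrs present on this inode.

    Name and value are each NUL-terminated so that (name, value) pairs cannot
    be re-split into a different but equally valid byte stream.
    """
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in PROTECTED_XATTRS:
        value = xattrs.get(name)
        if value is None:
            continue  # an absent xattr contributes nothing
        mac.update(name.encode() + b"\0" + value + b"\0")
    return mac.digest()


def evm_update(key: bytes, xattrs: dict) -> None:
    """Run after a legitimate (online, in-kernel) label change: refresh security.evm."""
    xattrs[EVM_XATTR] = evm_calc_hmac(key, xattrs)


def evm_verifyxattr(key: bytes, xattrs: dict) -> bool:
    """Model of the exported hook: recompute the HMAC and compare it constant-time.

    A missing security.evm is treated as a failure, since an offline attacker
    could simply delete it.
    """
    stored = xattrs.get(EVM_XATTR)
    if stored is None:
        return False
    return hmac.compare_digest(stored, evm_calc_hmac(key, xattrs))


def demo() -> tuple:
    key = b"constructed-demo-key"  # real key is loaded at boot, never stored in clear on disk
    inode = {"security.selinux": b"system_u:object_r:bin_t:s0",
             "security.ima": b"\x01" + bytes(20)}  # constructed IMA hash xattr
    evm_update(key, inode)
    ok_before = evm_verifyxattr(key, inode)
    # Offline tampering: the label is rewritten without passing through the kernel,
    # so security.evm is not refreshed and verification now fails.
    inode["security.selinux"] = b"system_u:object_r:unconfined_t:s0"
    return ok_before, evm_verifyxattr(key, inode)
```

Adding a previously absent protected xattr (for example security.capability) offline fails verification in the same way, because the recomputed HMAC then covers an extra pair.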