All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Chuck Lever <chuck.lever@oracle.com>,
	linux-integrity@vger.kernel.org,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>
Cc: Michael Halcrow <mhalcrow@google.com>,
	"Theodore Y. Ts'o" <tytso@google.com>,
	Matthew Garrett <mjg59@google.com>,
	Eric Biggers <ebiggers@google.com>
Subject: Re: IMA on remote file systems
Date: Sun, 15 Sep 2019 17:42:10 -0400	[thread overview]
Message-ID: <1568583730.5055.36.camel@linux.ibm.com> (raw)
In-Reply-To: <FA4C0F15-EE0A-4231-8415-A035C1CF3E32@oracle.com>

On Fri, 2019-09-13 at 10:50 -0400, Chuck Lever wrote:
> Resending ...
> 
> > On Aug 28, 2019, at 1:36 PM, Chuck Lever <chuck.lever@oracle.com> wrote:
> > 
> > Last week I presented at the Linux Security Summit on a proposal
> > for handling IMA metadata on NFS files. My proposal enables storage
> > of per-file IMA metadata via the NFSv4 protocol. I have a prototype
> > and an IETF nfsv4 Working Group document that specifies a small
> > protocol extension.
> > 
> > After the presentation, Mimi Zohar pointed out that although the
> > proposal extends protection from an NFS file server to time-of-
> > measurement on an NFS client, there is still a protection gap between
> > time-of-measurement and time-of-use on that client.
> > 
> > I would like to find a way to extend IMA protection all the way
> > to time-of-use on NFS clients. The consensus is that a per-file
> > Merkle tree would be the most desirable approach, as that is the
> > same mechanism used for fs-verity protection.
> > 
> > For a few important reasons, it will be challenging to plumb
> > support for durable Merkle trees into NFS, although that is an
> > eventual goal.
> > 
> > My thought was to use an ephemeral Merkle tree for NFS (and
> > possibly other remote filesystems, like FUSE, until these
> > filesystems support durable per-file Merkle trees). A tree would
> > be constructed when the client measures a file, but it would not
> > saved to the filesystem. Instead of a hash of the file's contents,
> > the tree's root signature is stored as the IMA metadata.
> > 
> > Once a Merkle tree is available, it can be used in exactly the
> > same way that a durable Merkle tree would, to verify the integrity
> > of individual pages as they are used, evicted, and then read back
> > from the server.
> > 
> > If the client needs to evict part or all of an ephemeral tree, it
> > can subsequently be reconstructed by measuring the file again and
> > verifying its root signature against the stored IMA metadata.
> > 
> > So the only difference here is that the latency-to-first-byte
> > benefit of a durable Merkle tree would be absent.
> > 
> > I'm interested in any thoughts or opinions about this approach.

I like the idea, but there are a couple of things that need to happen
first.  Both fs-verity and IMA appended signatures need to be
upstreamed.  The IMA appended signature support simplifies
ima_appraise_measurement(), paving the way for adding IMA support for
other types of signature verification.  How IMA will support fs-verity 
signatures still needs to be defined.  That discussion will hopefully
include NFS support.

Mimi


  reply	other threads:[~2019-09-15 21:42 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-28 17:36 IMA on remote file systems Chuck Lever
2019-09-13 14:50 ` Chuck Lever
2019-09-15 21:42   ` Mimi Zohar [this message]
2019-09-16 16:10     ` Theodore Y. Ts'o
2019-09-16 18:16       ` Chuck Lever
2019-09-16 13:16 ` Janne Karhunen
2019-09-16 14:47   ` Chuck Lever
2019-09-17  6:30     ` Janne Karhunen
2019-09-17 12:45       ` Theodore Y. Ts'o
2019-09-17 14:18         ` Mimi Zohar
2019-09-17 14:56         ` James Bottomley
2019-09-18  5:27           ` Janne Karhunen
2019-09-18 12:50             ` Theodore Y. Ts'o
2019-09-18 15:52             ` James Bottomley
2019-09-19  6:47               ` Janne Karhunen
2019-09-18 12:37           ` Theodore Y. Ts'o
2019-09-18 14:40             ` Mimi Zohar
2019-09-18 15:49             ` James Bottomley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1568583730.5055.36.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=chuck.lever@oracle.com \
    --cc=ebiggers@google.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=mhalcrow@google.com \
    --cc=mjg59@google.com \
    --cc=tytso@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.