From: Eric Biggers <ebiggers@kernel.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org,
Stefan Berger <stefanb@linux.ibm.com>,
linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 7/8] ima: support fs-verity file digest based version 3 signatures
Date: Wed, 23 Feb 2022 17:24:12 -0800 [thread overview]
Message-ID: <YhbePM/BiRCzL3bn@sol.localdomain> (raw)
In-Reply-To: <20220211214310.119257-8-zohar@linux.ibm.com>
On Fri, Feb 11, 2022 at 04:43:09PM -0500, Mimi Zohar wrote:
> Instead of calculating a regular file hash and verifying the signature
> stored in the 'security.ima' xattr against the calculated file hash, get
> fs-verity's file digest and verify the signature (version 3) stored in
> 'security.ima' against the digest.
>
> The policy rule 'appraise_type=' option is extended to support 'sigv3',
> which is initiality limited to fs-verity.
>
> The fs-verity 'appraise' rules are identified by the 'digest-type=verity'
> option and require the 'appraise_type=sigv3' option. The following
> 'appraise' policy rule requires fsverity file digests. (The rule may be
> constrained, for example based on a fsuuid or LSM label.)
>
> Basic fs-verity policy rule example:
> appraise func=BPRM_CHECK digest_type=verity appraise_type=sigv3
>
> Lastly, for IMA to differentiate between the original IMA signature
> from an fs-verity signature a new 'xattr_type' named IMA_VERITY_DIGSIG
> is defined.
I'm having a hard time understanding this patch. Can you please describe the
motivation for doing things, not just the things themselves, and make sure the
explanation is understandable to someone who isn't an IMA expert?
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index ff3c906738cb..508053b8dd0a 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -47,7 +47,7 @@ Description:
> fgroup:= decimal value
> lsm: are LSM specific
> option:
> - appraise_type:= [imasig] [imasig|modsig]
> + appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
> appraise_flag:= [check_blacklist]
> Currently, blacklist check is only for files signed with appended
> signature.
> @@ -153,9 +153,27 @@ Description:
>
> appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512
>
> - Example of 'measure' rule requiring fs-verity's digests on a
> - particular filesystem with indication of type of digest in
> - the measurement list.
> + Example of a 'measure' rule requiring fs-verity's digests
> + with indication of type of digest in the measurement list.
>
> measure func=FILE_CHECK digest_type=verity \
> - fsuuid=... template=ima-ngv2
> + template=ima-ngv2
> +
> + Example of 'measure' and 'appraise' rules requiring fs-verity
> + signatures (version 3) stored in security.ima xattr.
> +
> + The 'measure' rule specifies the 'ima-sig' template option,
> + which includes the file signature in the measurement list.
> +
> + measure func=BPRM_CHECK digest_type=verity \
> + template=ima-sig
> +
> + The 'appraise' rule specifies the type and signature version
> + (sigv3) required.
> +
> + appraise func=BPRM_CHECK digest_type=verity \
> + appraise_type=sigv3
> +
> + All of these policy rules could, for example, be constrained
> + either based on a filesystem's UUID (fsuuid) or based on LSM
> + labels.
Is there documentation for what the appraise_type argument means, or does it
just need to be reverse engineered from the above example?
> + - 'sig': the file signature, based on either the file's/fsverity's digest[1],
> + or the EVM portable signature if the file signature is not found;
This sentence doesn't make sense. How can it be the file signature if the
"file signature is not found"?
> @@ -303,6 +321,12 @@ static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
> case EVM_IMA_XATTR_DIGSIG:
> set_bit(IMA_DIGSIG, &iint->atomic_flags);
>
> + if (iint->flags & (IMA_DIGSIG_REQUIRED | IMA_VERITY_REQUIRED)) {
> + *cause = "verity-signature-required";
> + *status = INTEGRITY_FAIL;
> + break;
> + }
Shouldn't this check whether *both* of these flags are set?
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 28aca1f9633b..d3006cc22ab1 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1311,6 +1311,12 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
> !(entry->flags & IMA_MODSIG_ALLOWED))
> return false;
>
> + /* Ensure APPRAISE verity file implies a v3 signature */
> + if (entry->action == APPRAISE &&
> + (entry->flags & IMA_VERITY_REQUIRED) &&
> + !(entry->flags & IMA_DIGSIG_REQUIRED))
> + return false;
This comment doesn't seem to match the code.
> diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
> index d370fca04de4..ecbe61c53d40 100644
> --- a/security/integrity/ima/ima_template_lib.c
> +++ b/security/integrity/ima/ima_template_lib.c
> @@ -495,7 +495,8 @@ int ima_eventsig_init(struct ima_event_data *event_data,
> {
> struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
>
> - if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
> + if (!xattr_value ||
> + !(xattr_value->type & (EVM_IMA_XATTR_DIGSIG | IMA_VERITY_DIGSIG)))
> return ima_eventevmsig_init(event_data, field_data);
This is OR-ing together values that aren't bit flags.
- Eric
next prev parent reply other threads:[~2022-02-24 1:31 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-11 21:43 [PATCH v5 0/8] ima: support fs-verity digests and signatures Mimi Zohar
2022-02-11 21:43 ` [PATCH v5 1/8] ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS Mimi Zohar
2022-02-14 20:03 ` Stefan Berger
2022-02-15 18:11 ` Mimi Zohar
2022-02-11 21:43 ` [PATCH v5 2/8] ima: define ima_max_digest_data struct without a flexible array variable Mimi Zohar
2022-02-14 20:13 ` Stefan Berger
2022-02-11 21:43 ` [PATCH v5 3/8] fs-verity: define a function to return the integrity protected file digest Mimi Zohar
2022-02-23 23:59 ` Eric Biggers
2022-02-24 1:21 ` Mimi Zohar
2022-02-24 1:26 ` Eric Biggers
2022-02-24 1:27 ` Mimi Zohar
2022-02-11 21:43 ` [PATCH v5 4/8] ima: define a new template field 'd-type' and a new template 'ima-ngv2' Mimi Zohar
2022-02-14 20:38 ` Stefan Berger
2022-02-24 0:32 ` Eric Biggers
2022-02-24 16:16 ` Mimi Zohar
2022-02-24 18:46 ` Eric Biggers
2022-02-25 20:01 ` Mimi Zohar
2022-02-11 21:43 ` [PATCH v5 5/8] ima: permit fsverity's file digests in the IMA measurement list Mimi Zohar
2022-02-24 0:40 ` Eric Biggers
2022-03-17 15:58 ` Mimi Zohar
2022-02-11 21:43 ` [PATCH v5 6/8] ima: define signature version 3 Mimi Zohar
2022-02-24 0:50 ` Eric Biggers
2022-02-11 21:43 ` [PATCH v5 7/8] ima: support fs-verity file digest based version 3 signatures Mimi Zohar
2022-02-24 1:24 ` Eric Biggers [this message]
2022-03-17 15:46 ` Mimi Zohar
2022-02-11 21:43 ` [PATCH v5 8/8] fsverity: update the documentation Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YhbePM/BiRCzL3bn@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).