All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Mikhail Kurinnoi <viewizard@viewizard.com>
Cc: Matthew Garrett <mjg59@google.com>,
	linux-integrity@vger.kernel.org,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: RFC: Make it practical to ship EVM signatures
Date: Mon, 09 Oct 2017 17:40:53 -0400	[thread overview]
Message-ID: <1507585253.3748.57.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20171010003326.6409ae23@totoro>

[Cc'ing Dmitry Kasatkin]

On Tue, 2017-10-10 at 00:33 +0300, Mikhail Kurinnoi wrote:
> ? Mon, 09 Oct 2017 17:10:49 -0400
> Mimi Zohar <zohar@linux.vnet.ibm.com> ?????:
> 
> > On Mon, 2017-10-09 at 23:23 +0300, Mikhail Kurinnoi wrote:
> > > ? Mon, 09 Oct 2017 14:40:41 -0400
> > > Mimi Zohar <zohar@linux.vnet.ibm.com> ?????:
> > >   
> > > > On Mon, 2017-10-09 at 11:18 -0700, Matthew Garrett wrote:  
> > > > > On Mon, Oct 9, 2017 at 11:15 AM, Mimi Zohar
> > > > > <zohar@linux.vnet.ibm.com> wrote:    
> > > > > > On Mon, 2017-10-09 at 10:59 -0700, Matthew Garrett wrote:    
> > > > > >> Ok, that makes sense. But for cases where we do have
> > > > > >> security.ima, the inode doesn't seem to provide additional
> > > > > >> security but does make deployment more difficult. Does
> > > > > >> supporting this use case seem reasonable?    
> > > > > >
> > > > > > Yes!    
> > > > > 
> > > > > Excellent. This means defining a new signature type - the two
> > > > > options seem to be Mikhail's portable format, or the approach I
> > > > > took of having the signature define which metadata is included.
> > > > > Do you have a preference?    
> > > > 
> > > > We now understand that as long as the EVM signature includes
> > > > security.ima, it is safe not to include the i_ino/uuid.  This new
> > > > format can be written to disk.  
> > > 
> > > But, isn't this mean we could have this scenario of offline
> > > manipulations:
> > > 1) store old file with xattrs;
> > > 2) wait;
> > > 3) replace new file with fixed exploits on old one.
> > > 
> > > Since we don't have directory tree protection yet and we don't use
> > > i_ino, someone could reuse old files more easy during offline
> > > manipulations. Right?  
> > 
> > As long as the new EVM signature format requires the existence of a
> > security.ima xattr, I don't see how.  The new EVM signature format
> > would not be replaced with an HMAC.
> 
> 
> I understood the idea.
> 
> Looks like portable EVM format support proposed by Matthew, could be
> easy realized. Probably, will be good idea add only this one, test it,
> and later add immutable EVM format and portable EVM format that
> converted into HMAC (that I proposed in patch set)?
> 
> If no one ask for portable EVM format that converted into HMAC, do we
> really need push all in one bunch?

It looks like Dmitry already defined a new "immutable" EVM  signature
format in ima-evm-utils and posted the corresponding patch to linux-
ima-devel a long time ago.

The new "immutable" EVM signature doesn't include the i_ino or
generation.

Mimi

  parent reply	other threads:[~2017-10-09 21:41 UTC|newest]

Thread overview: 44+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-27 22:16 RFC: Make it practical to ship EVM signatures Matthew Garrett
2017-09-27 22:16 ` [PATCH 1/6] IMA: Allow EVM validation on appraisal even without a symmetric key Matthew Garrett
2017-10-01  2:08   ` Mimi Zohar
2017-10-02 17:02     ` Matthew Garrett
2017-10-02 19:41       ` Mimi Zohar
2017-09-27 22:16 ` [PATCH 2/6] EVM: Add infrastructure for making EVM fields optional Matthew Garrett
2017-09-27 22:16 ` [PATCH 3/6] EVM: Allow userland to override the default EVM attributes Matthew Garrett
2017-09-27 22:16 ` [PATCH 4/6] EVM: Add an hmac_ng xattr format Matthew Garrett
2017-09-27 22:16 ` [PATCH 5/6] EVM: Write out HMAC xattrs in the new format Matthew Garrett
2017-09-27 22:16 ` [PATCH 6/6] EVM: Add a new digital signature format Matthew Garrett
2017-09-28 20:12 ` RFC: Make it practical to ship EVM signatures Mimi Zohar
2017-09-28 21:13   ` Matthew Garrett
2017-09-29  0:53     ` Mimi Zohar
2017-09-29 18:09       ` Matthew Garrett
2017-09-29 19:02         ` Mimi Zohar
2017-09-29 19:17           ` Matthew Garrett
2017-09-29 20:01             ` Mimi Zohar
2017-09-29 20:09               ` Matthew Garrett
2017-10-01  2:36                 ` Mimi Zohar
2017-10-02 17:09                   ` Matthew Garrett
2017-10-02 19:54                     ` Mimi Zohar
     [not found]                       ` <CACdnJutYw7Pgh-EwWuwp9Wz+5KzoreZVr+c6UV30zC__8FZSVA@mail.gmail.com>
     [not found]                         ` <1506974574.5691.304.camel@linux.vnet.ibm.com>
2017-10-02 20:07                           ` Matthew Garrett
2017-10-09 17:51                 ` Mimi Zohar
2017-10-09 17:59                   ` Matthew Garrett
2017-10-09 18:15                     ` Mimi Zohar
2017-10-09 18:18                       ` Matthew Garrett
2017-10-09 18:40                         ` Mimi Zohar
     [not found]                           ` <20171009232314.545de76a@totoro>
     [not found]                             ` <1507583449.3748.46.camel@linux.vnet.ibm.com>
     [not found]                               ` <20171010003326.6409ae23@totoro>
2017-10-09 21:40                                 ` Mimi Zohar [this message]
2017-10-09 23:10                                   ` Mikhail Kurinnoi
2017-10-10 19:07                                     ` Mimi Zohar
2017-10-12 23:09                                       ` Dmitry Kasatkin
2017-10-18 19:48                                         ` Dmitry Kasatkin
2017-10-18 20:30                                           ` Mimi Zohar
2017-10-18 20:37                                             ` Dmitry Kasatkin
2017-10-18 21:02                                               ` Mikhail Kurinnoi
2017-10-18 21:07                                               ` Mimi Zohar
2017-10-19 10:14                                                 ` Dmitry Kasatkin
2017-10-19 11:43                                                   ` Mimi Zohar
2017-10-19 17:08                                                   ` Matthew Garrett
2017-10-19 18:38                                                     ` Dmitry Kasatkin
2017-10-19 10:36                                                 ` Dmitry Kasatkin
2017-10-19 11:45                                                   ` Mimi Zohar
2017-10-02 14:53           ` Roberto Sassu
2017-10-02  8:55       ` Roberto Sassu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1507585253.3748.57.camel@linux.vnet.ibm.com \
    --to=zohar@linux.vnet.ibm.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=mjg59@google.com \
    --cc=viewizard@viewizard.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.