From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Roberto Sassu <roberto.sassu@huawei.com>,
linux-integrity@vger.kernel.org
Subject: Re: [RFC][PATCH 0/2] ima: preserve integrity of dynamic data
Date: Mon, 23 Oct 2017 07:01:39 -0400 [thread overview]
Message-ID: <1508756499.3639.53.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20171020154138.23635-1-roberto.sassu@huawei.com>
On Fri, 2017-10-20 at 17:41 +0200, Roberto Sassu wrote:
> One of the most challenging tasks for remote attestation is how to
> handle the measurement of dynamic data (mutable files). When the default
> policy is selected, IMA measures files accessed by root processes (TCB).
Agreed. The original ima_policy="appraise_tcb" (formerly known as
"ima_appraise_tcb") is a builtin policy, which can be and normally is
replaced by a custom policy. This builtin IMA policy starts
immediately and is normally replaced after the LSMs have been
initialized, allowing for a finer grain policy.
> However, if a file was previously modified by another process, the digest
> included in the new measurement list is unknown, and verifiers must assume,
> during a remote attestation, that the system was compromised, because they
> don't know if that file was written by a process in the TCB or not.
>
> The goal of this patch set is to enforce an integrity policy on appraised
> files, to avoid reporting measurements of dynamic data after they have been
> modified. Only the initial state should be reported (e.g. the file
> signature, or a digest list).
>
> In order to properly enforce an integrity policy, it is necessary to
> specify in the IMA policy process credentials rather than file attributes.
>
> For example, the rule:
>
> appraise fowner=0
>
> could be replaced with:
>
> appraise uid=0
> appraise euid=0
The difference between these two policies is the ability to know which
files must be hashed/signed apriori. In the first case, only those
files owned by root must be hashed/signed, while in the latter case
all files on the file system must be hashed/signed.
When making changes, please keep in mind the bigger picture of who is
doing what and how the integrity subsystem is currently being used.
Adding new functionality or extending the existing subsystem is all
good, but these changes cannot break existing systems or change its
meaning.
Mimi
prev parent reply other threads:[~2017-10-23 11:01 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-20 15:41 [RFC][PATCH 0/2] ima: preserve integrity of dynamic data Roberto Sassu
2017-10-20 15:41 ` [RFC][PATCH 1/2] ima: preserve the integrity of appraised files Roberto Sassu
2017-10-23 11:46 ` Mimi Zohar
2017-10-23 11:46 ` Mimi Zohar
2017-10-23 13:41 ` Roberto Sassu
2017-10-23 13:41 ` Roberto Sassu
2017-10-23 20:30 ` Mimi Zohar
2017-10-23 20:30 ` Mimi Zohar
2017-10-24 10:07 ` Roberto Sassu
2017-10-24 10:07 ` Roberto Sassu
2017-10-20 15:41 ` [RFC][PATCH 2/2] ima: don't measure files in the TCB if Biba strict policy is enforced Roberto Sassu
2017-10-23 20:40 ` Mimi Zohar
2017-10-24 12:38 ` Roberto Sassu
2017-10-23 11:01 ` Mimi Zohar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1508756499.3639.53.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.