From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Eric Biggers <ebiggers@kernel.org>,
linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 0/6] ima: support fs-verity digests and signatures
Date: Sun, 9 Jan 2022 13:55:11 -0500 [thread overview]
Message-ID: <20220109185517.312280-1-zohar@linux.ibm.com> (raw)
Support for including fs-verity file digests and signatures in the IMA
measurement list as well as verifying the fs-verity file digest based
signatures, all based on IMA policy rules, was discussed from the
beginning, prior to fs-verity being upstreamed[1,2].
Support including fs-verity file digests in the 'd-ng' template field
based on a new policy rule option named 'digest_type=hash|verity'.
Also support verifying fs-verity file digest based signatures based on
policy.
A new template field named 'd-type' as well as a new template named
'ima-ngv2' are defined to differentiate betweeen file hashes and fs-verity
file digests, when file signatures are not included in the IMA measurement
list.
[1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf
[2] Documentation/filesystems/fsverity.rst
Changelog v2:
- Addressed Eric Bigger's comments: sign the hash of fsverity's digest
and the digest's metadata, use match_string, use preferred function
name fsverity_get_digest(), support including unsigned fs-verity's
digests in the IMA measurement list.
- Remove signatures requirement for including fs-verity's file digests in
the 'd-ng' field of the measurement list.
Changelog v1:
- Updated both fsverity and IMA documentation.
- Addressed both Eric Bigger's and Lakshmi's comments.
Mimi Zohar (6):
ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS
fs-verity: define a function to return the integrity protected file
digest
ima: define a new template field 'd-type' and a new template
'ima-ngv2'
ima: include fsverity's file digests in the IMA measurement list
ima: support fs-verity file digest based signatures
fsverity: update the documentation
Documentation/ABI/testing/ima_policy | 17 +++++
Documentation/filesystems/fsverity.rst | 22 +++---
Documentation/security/IMA-templates.rst | 10 ++-
fs/verity/Kconfig | 1 +
fs/verity/fsverity_private.h | 7 --
fs/verity/measure.c | 40 +++++++++++
include/linux/fsverity.h | 18 +++++
include/uapi/linux/ima.h | 26 ++++++++
security/integrity/ima/ima_api.c | 29 +++++++-
security/integrity/ima/ima_appraise.c | 81 +++++++++++++++++++++++
security/integrity/ima/ima_main.c | 2 +-
security/integrity/ima/ima_policy.c | 40 ++++++++++-
security/integrity/ima/ima_template.c | 3 +
security/integrity/ima/ima_template_lib.c | 23 ++++++-
security/integrity/ima/ima_template_lib.h | 2 +
security/integrity/integrity.h | 7 +-
16 files changed, 302 insertions(+), 26 deletions(-)
create mode 100644 include/uapi/linux/ima.h
--
2.27.0
next reply other threads:[~2022-01-09 18:55 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-09 18:55 Mimi Zohar [this message]
2022-01-09 18:55 ` [PATCH v2 1/6] ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS Mimi Zohar
2022-01-09 18:55 ` [PATCH v2 2/6] fs-verity: define a function to return the integrity protected file digest Mimi Zohar
2022-01-10 0:47 ` Vitaly Chikunov
2022-01-10 12:13 ` Mimi Zohar
2022-01-10 22:15 ` Eric Biggers
2022-01-09 18:55 ` [PATCH v2 3/6] ima: define a new template field 'd-type' and a new template 'ima-ngv2' Mimi Zohar
2022-01-09 18:55 ` [PATCH v2 4/6] ima: include fsverity's file digests in the IMA measurement list Mimi Zohar
2022-01-09 18:55 ` [PATCH v2 5/6] ima: support fs-verity file digest based signatures Mimi Zohar
2022-01-10 1:24 ` Vitaly Chikunov
2022-01-10 12:12 ` Mimi Zohar
2022-01-10 22:45 ` Eric Biggers
2022-01-11 3:26 ` Stefan Berger
2022-01-11 4:48 ` Eric Biggers
2022-01-09 18:55 ` [PATCH v2 6/6] fsverity: update the documentation Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220109185517.312280-1-zohar@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=ebiggers@kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.