From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Eric Biggers <ebiggers@kernel.org>,
Stefan Berger <stefanb@linux.ibm.com>,
linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v9 0/7] ima: support fs-verity digests and signatures
Date: Thu, 5 May 2022 08:31:34 -0400
Message-ID: <20220505123141.1599622-1-zohar@linux.ibm.com>
Support for including fs-verity file digests and signatures in the IMA
measurement list as well as verifying the fs-verity file digest based
signatures was discussed prior to fs-verity being upstreamed[1,2].

Including fs-verity file digests and signatures in the IMA measurement
list needs to be based on policy and be identifiable. To address being
based on policy, a new policy rule option "digest_type=verity", applicable
to both "measure" and "appraise" policy rules, is defined. To address
being identifiable, a new template field 'd-ngv2' and two new template
formats 'ima-ngv2' and 'ima-sigv2' are defined.

d-ngv2: prefixes the digest type ("ima", "verity") to the digest
algorithm and digest.
'ima-ngv2', 'ima-sigv2': templates with the new d-ngv2 field defined.

In addition the signatures stored in the 'security.ima' xattr need to be
disambiguated. So instead of directly signing the fs-verity digest, the
fs-verity digest is indirectly signed, by signing the hash of the new
ima_file_id structure data (signature version 3) containing the fs-verity
digest and other metadata.

New policy rule option:
appraise_type=sigv3: support for new IMA signature version 3

[1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf
[2] Documentation/filesystems/fsverity.rst
Changelog v9:
- Based on Stefan Berger's review, fixed sprintf (again), updated comment
  replacing NULL with NUL, adding fuller comment explanation, and
  included his tags.

Changelog v8:
- Based on Eric Biggers' review, fixed the original 'd-ng' and the new
  DATA_FMT_DIGEST_WITH_TYPE_ALGO comments and documentation, moved the
  buffer measurement test to after fs-verity measurements, renamed
  appraise_type "sigv2" to "sigv3", require the new "digest_type=verity"
  policy option be specified prior to "appraise_type=sigv3", and updated
  the fs-verity documentation.

Changelog v7:
- Based on Stefan Berger's review, cleaned up code by defining an enum,
  removed unnecessary memcpy, fs-verity documentation suggestions.
- Add comment in ima_get_verify_digest() with explanation for always
  returning the fs-verity digest.

Changelog v6:
- As suggested by Eric Biggers, instead of defining a new field to
  differentiate between IMA and fs-verity signatures, prepend the
  digest type to the digest field.
- Addressed Eric Biggers' comments: updated the patch description,
  corrected comment, squashed patches, fixed enumeration usage, and
  added assumption to fsverity_get_digest.
- Removed the now unnecessary IMA_VERITY_DIGEST flag
- Updated kernel-parameters.txt

Changelog v5:
- Define ima_max_digest_size struct, removing the locally defined versions.
- Don't overload the 'digest_type=verity' to imply a verity signature,
  but extend the 'appraise_type' policy rule option to define 'sigv3'.

Changelog v4:
- Based on Eric Biggers' signature verification concerns of replacing the
  contents of a file with the ima_file_id struct hash, require per policy
  rule signature versions.
- Addressed Eric Biggers' other comments.
- Added new audit messages "causes".
- Updated patch descriptions.

Changelog v3:
- Addressed Eric Biggers' comments: included Ack, incremented the
  signature format version, the crypto issues are generic and will be
  addressed by him separately.
- Addressed Vitaly Chikunov's comments: hard coded maximum digest size
  rather than using a flexible array, removed unnecessary assignment, and
  fixed comment to match variable name.
- Defined new "ima_max_digest_size" struct to avoid wrapping the
  "ima_digest_data" struct inside a function local structure or
  having to dynamically allocate it with enough memory for the specific
  hash algo size.

Changelog v2:
- Addressed Eric Biggers' comments: sign the hash of fsverity's digest
  and the digest's metadata, use match_string, use preferred function
  name fsverity_get_digest(), support including unsigned fs-verity's
  digests in the IMA measurement list.
- Remove signatures requirement for including fs-verity's file digests in
  the 'd-ng' field of the measurement list.

Changelog v1:
- Updated both fsverity and IMA documentation.
- Addressed both Eric Biggers' and Lakshmi's comments.
Mimi Zohar (7):
  ima: fix 'd-ng' comments and documentation
  ima: use IMA default hash algorithm for integrity violations
  fs-verity: define a function to return the integrity protected file digest
  ima: define a new template field named 'd-ngv2' and templates
  ima: permit fsverity's file digests in the IMA measurement list
  ima: support fs-verity file digest based version 3 signatures
  fsverity: update the documentation
Documentation/ABI/testing/ima_policy | 45 ++++++-
.../admin-guide/kernel-parameters.txt | 3 +-
Documentation/filesystems/fsverity.rst | 35 ++++--
Documentation/security/IMA-templates.rst | 11 +-
fs/verity/Kconfig | 1 +
fs/verity/fsverity_private.h | 7 --
fs/verity/measure.c | 43 +++++++
include/linux/fsverity.h | 18 +++
security/integrity/digsig.c | 3 +-
security/integrity/ima/ima_api.c | 47 +++++++-
security/integrity/ima/ima_appraise.c | 114 +++++++++++++++++-
security/integrity/ima/ima_main.c | 2 +-
security/integrity/ima/ima_policy.c | 82 +++++++++++--
security/integrity/ima/ima_template.c | 4 +
security/integrity/ima/ima_template_lib.c | 97 ++++++++++++---
security/integrity/ima/ima_template_lib.h | 4 +
security/integrity/integrity.h | 27 ++++-
17 files changed, 481 insertions(+), 62 deletions(-)
--
2.27.0
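As an added example, not code from this patch series, from the kernel, or from ima-evm-utils, the following userspace verifier shows what the two formats described in the cover letter look like to an attestation consumer: it parses the 'd-ngv2' field out of 'ima-ngv2' / 'ima-sigv2' measurement-list lines, rejects an "ima:" digest that is byte-identical to an allowlisted fs-verity digest (the disambiguation the type prefix exists for), and builds the ima_file_id bytes whose hash a version 3 signature covers. Everything not stated on this page is an assumption and is marked as such in the code: the ASCII shape of d-ngv2 as `<type>:<algo>:<hexdigest>` (mirroring d-ng's `<algo>:<hexdigest>`), the ima_file_id layout and the enum values IMA_VERITY_DIGSIG = 5 and sha256 = 4, sample log lines that are constructed with placeholder template hashes and signatures, and paths without whitespace.

```python
"""Added example: userspace checks for IMA's fs-verity support.

Assumptions not stated in the cover letter (see lead-in): the ASCII form of
d-ngv2 is '<type>:<algo>:<hexdigest>'; sample paths contain no whitespace;
ima_file_id is packed as (hash_type, hash_algorithm, digest) with only the
used digest bytes hashed, IMA_VERITY_DIGSIG == 5 and enum hash_algo
sha256 == 4.
"""
import hashlib
import re

# Policy rules that would produce such entries (syntax from the cover letter;
# digest_type=verity must precede appraise_type=sigv3 on the rule):
#   measure  func=BPRM_CHECK digest_type=verity template=ima-ngv2
#   appraise func=BPRM_CHECK digest_type=verity appraise_type=sigv3

D_NGV2_RE = re.compile(r"^(ima|verity):([a-z0-9_-]+):([0-9a-f]+)$")

IMA_VERITY_DIGSIG = 5                                 # assumed enum value
HASH_ALGO_ID = {"sha1": 2, "sha256": 4, "sha512": 6}  # assumed enum hash_algo


def parse_d_ngv2(field):
    """Split a d-ngv2 field into (digest_type, algo, digest bytes).

    The digest length is checked against the named algorithm so a truncated
    or padded digest cannot slip past an allowlist comparison.
    """
    m = D_NGV2_RE.match(field)
    if not m:
        raise ValueError("not a d-ngv2 field: %r" % (field,))
    dtype, algo, hexdigest = m.groups()
    digest = bytes.fromhex(hexdigest)
    want = hashlib.new(algo).digest_size
    if len(digest) != want:
        raise ValueError("%s digest is %d bytes, expected %d" % (algo, len(digest), want))
    return dtype, algo, digest


def parse_measurement(line):
    """Parse one ascii_runtime_measurements line in the ima-ngv2 or ima-sigv2
    template: PCR, template hash, template name, d-ngv2, n-ng and, for
    ima-sigv2, the signature hex (empty when the file carries none)."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[2] not in ("ima-ngv2", "ima-sigv2"):
        raise ValueError("unsupported template or malformed line: %r" % (line,))
    dtype, algo, digest = parse_d_ngv2(tokens[3])
    has_sig = tokens[2] == "ima-sigv2" and len(tokens) > 5
    return {"pcr": int(tokens[0]), "template": tokens[2], "digest_type": dtype,
            "algo": algo, "digest": digest, "path": tokens[4],
            "sig": tokens[5] if has_sig else ""}


def check_entry(entry, verity_allowlist):
    """Return (ok, reason). Only a digest tagged 'verity' is compared with the
    fs-verity allowlist; an 'ima' digest over the whole file contents is
    rejected even if its bytes coincide, which is what the type prefix is for."""
    if entry["digest_type"] != "verity":
        return False, "digest type %r is not an fs-verity digest" % (entry["digest_type"],)
    if (entry["algo"], entry["digest"]) not in verity_allowlist:
        return False, "fs-verity digest not in allowlist"
    return True, "ok"


def verify_log(lines, verity_allowlist):
    """Return [(path, ok, reason)] for every measurement line."""
    results = []
    for line in lines:
        entry = parse_measurement(line)
        ok, why = check_entry(entry, verity_allowlist)
        results.append((entry["path"], ok, why))
    return results


def sigv3_signed_data(algo, verity_digest):
    """Bytes whose hash a version 3 signature covers: the packed ima_file_id
    (hash_type, hash_algorithm, digest), i.e. 2 + digest-size bytes (assumed
    layout, see module docstring)."""
    if algo not in HASH_ALGO_ID:
        raise ValueError("unsupported algorithm for sigv3: %r" % (algo,))
    if len(verity_digest) != hashlib.new(algo).digest_size:
        raise ValueError("digest length does not match %s" % algo)
    return bytes([IMA_VERITY_DIGSIG, HASH_ALGO_ID[algo]]) + verity_digest


def sigv3_hash(algo, verity_digest):
    """Hex hash handed to the signer / checked against the signature, using
    the same algorithm as the fs-verity digest."""
    return hashlib.new(algo, sigv3_signed_data(algo, verity_digest)).hexdigest()


# Constructed sample log (placeholder template hashes and signature blob).
SAMPLE_LOG = [
    "10 " + "00" * 20 + " ima-ngv2 verity:sha256:" + "aa" * 32 + " /usr/bin/true",
    "10 " + "11" * 20 + " ima-ngv2 ima:sha256:" + "aa" * 32 + " /usr/bin/false",
    "10 " + "22" * 20 + " ima-sigv2 verity:sha256:" + "bb" * 32 + " /usr/bin/ls 030204",
]

if __name__ == "__main__":
    allow = {("sha256", bytes.fromhex("aa" * 32)), ("sha256", bytes.fromhex("bb" * 32))}
    for path, ok, why in verify_log(SAMPLE_LOG, allow):
        print("%-16s %s (%s)" % (path, "PASS" if ok else "FAIL", why))
    print("sigv3 hash for /usr/bin/ls:", sigv3_hash("sha256", bytes.fromhex("bb" * 32)))
```

The second sample line is the case the cover letter's "identifiable" requirement is about: the same 32 digest bytes appear in an "ima:" entry, and without the type prefix a verifier holding only fs-verity digests could not tell that it was measured over file contents rather than the fs-verity file digest. Before relying on the sigv3 byte layout in production, confirm it against the merged kernel's ima_file_id definition rather than this example.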
Thread overview:
2022-05-05 12:31 Mimi Zohar [this message]
2022-05-05 12:31 ` [PATCH v9 1/7] ima: fix 'd-ng' comments and documentation Mimi Zohar
2022-05-05 12:31 ` [PATCH v9 2/7] ima: use IMA default hash algorithm for integrity violations Mimi Zohar
2022-05-05 12:31 ` [PATCH v9 3/7] fs-verity: define a function to return the integrity protected file digest Mimi Zohar
2022-05-05 12:31 ` [PATCH v9 4/7] ima: define a new template field named 'd-ngv2' and templates Mimi Zohar
2022-05-05 20:34 ` [PATCH v9 4/7] ima: define a new template field named 'd-ngv2' and templates (repost) Mimi Zohar
2022-05-05 20:39 ` [PATCH v9 4/7] ima: define a new template field named 'd-ngv2' and templates (repost with fix) Mimi Zohar
2022-05-05 12:31 ` [PATCH v9 5/7] ima: permit fsverity's file digests in the IMA measurement list Mimi Zohar
2022-05-05 12:31 ` [PATCH v9 6/7] ima: support fs-verity file digest based version 3 signatures Mimi Zohar
2022-05-05 17:12 ` Stefan Berger
2022-05-06 11:34 ` Mimi Zohar
2022-05-05 12:31 ` [PATCH v9 7/7] fsverity: update the documentation Mimi Zohar
2022-05-12 6:19 ` Eric Biggers
2022-05-12 22:48 ` Mimi Zohar