From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>,
Andreas Dilger <adilger@dilger.ca>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
lsf-pc@lists.linux-foundation.org
Subject: Re: [Lsf-pc] [LSF/MM TOPIC] fs-verity: file system-level integrity protection
Date: Sun, 28 Jan 2018 20:53:41 -0500 [thread overview]
Message-ID: <1517190821.29187.415.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180129003842.GA29839@thunk.org>
On Sun, 2018-01-28 at 19:38 -0500, Theodore Ts'o wrote:
> On Sun, Jan 28, 2018 at 06:04:52PM -0500, Mimi Zohar wrote:
> >
> > Sigh, there seems to be some confusion. Initially, when the Integrity
> > Measurement Architecture (IMA) was first upstreamed, it only extended
> > the trusted boot concept of measuring files before use up to the OS,
> > but that was a long time ago. Since then, IMA-appraisal was
> > upstreamed, which extends the secure boot concept of verifying
> > signatures up to the running OS.
>
> Part of the problem is the documentation doesn't make any of this at
> all clear.
Agreed the documentation is dated and needs to be updated, especially
the wiki.
> Indeed, I'll note that Documentation/ABI/testing/ima_policy
> still talks about using file system magic numbers to determine whether
> or not files should be measured, and I've been given to understand you're using
> a per-filesystem flag now.
Defining policies based on magic file system numbers has been there
for a really long time. Removing it would cause existing policies to
fail to load. So I can't just remove it.
> The documentation seems to strongly imply that in order to be secure,
> you can't use IMA by itself, you have to use EVM as well. Exactly
> which components can be used independently is not clear, and
> apparently I made the wrong guesses when trying to read through the
> Linux-IMA wiki pages as well as the Gentoo pages on IMA and EVM.
> Maybe it's just the documentation is badly written, but it leaves the
> impression of *extreme* complexity.
The basic difference between EVM and IMA is that EVM protects the file
meta-data, while IMA protects the file data. If all you want to
verify is the file data signature, then just use IMA-appraisal.
>
> I did try to play with it, but ima-evm-utils aren't packaged for
> Debian, and when I tried building from source, they apparently don't
> even build on Debian Testing. (Sorry, I don't use RHEL for my
> development systems.)
I'm about to release version 1.1. Please try the next branch
of git://git.code.sf.net/p/linux-ima/ima-evm-utils.
> And I'll note the Gentoo pages warn, "don't use
> on production systems". All of which do not make for a good first
> look for IMA.
We need to differentiate between IMA-measurement and IMA-appraisal
here. Measurement isn't a problem. The problem is signature
verification. Until distros include file signatures in software
packages, it is difficult. This is the main reason that IMA/EVM is
being used in the embedded environment, and not on desktops.
We've extended RPM to include file signatures. There have been
multiple attempts to add support for including file signatures in deb
packages. Matthew would be able to tell you if his version, the last
attempt, was upstreamed.
Stefan Berger and Mehmet Kayaalp set up distro mirrors, which include
the file signatures in the software packages, as a proof of concept.
The file signatures are then installed with the file data.
>
> > Enabling IMA doesn't automatically require SELinux or any other LSM
> > labels. The rule granularity is up to you.
>
> Yes, but if I only want to have a dozen or so files to be data
> integrity protect, it appears that it's not simple to do, *without*
> using SELinux. And anytime SELinux and "simple" go in the same
> sentence, I weep a little. Every few years I try configuring SELinux
> on Debian development laptop. And I conclude that I'm too stupid for
> to configure SELinux.
A lot of people have requested being able to identify files based on
pathnames. I don't need to tell you this isn't safe from a security
perspective. So how would you identify these few files? I doubt you
are planning on hard coding them. If you have a generic solution, I
would really be interested in hearing it.
There are a few files which can be identified based on the LSM hook.
For example, the kernel_read_file_from_path/fd calls the pre and post
security_kernel_read_file() LSM hooks, which can be used to verify the
kexec kernel image, kexec initramfs, kernel modules and firmware.
Mimi
next prev parent reply other threads:[~2018-01-29 1:53 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-25 19:11 [LSF/MM TOPIC] fs-verity: file system-level integrity protection Theodore Ts'o
2018-01-25 21:49 ` Chuck Lever
2018-01-25 23:39 ` Theodore Ts'o
2018-01-26 0:47 ` James Bottomley
2018-01-26 2:30 ` Theodore Ts'o
2018-01-26 4:50 ` James Bottomley
2018-01-26 14:58 ` Theodore Ts'o
2018-01-26 16:44 ` [Lsf-pc] " James Bottomley
2018-01-26 21:55 ` Theodore Ts'o
2018-01-27 7:58 ` Andreas Dilger
2018-01-27 16:19 ` James Bottomley
2018-01-27 17:08 ` James Bottomley
2018-01-27 17:08 ` James Bottomley
2018-01-28 2:46 ` Theodore Ts'o
2018-01-28 17:19 ` James Bottomley
2018-01-28 18:03 ` James Bottomley
2018-01-28 18:19 ` Chuck Lever
2018-01-29 6:39 ` James Bottomley
2018-01-29 15:22 ` Chuck Lever
2018-01-30 6:47 ` James Bottomley
2018-01-28 21:49 ` Theodore Ts'o
2018-01-28 22:49 ` Theodore Ts'o
2018-01-28 23:04 ` Mimi Zohar
2018-01-29 0:38 ` Theodore Ts'o
2018-01-29 1:53 ` Mimi Zohar [this message]
2018-01-29 2:38 ` Theodore Ts'o
2018-01-29 3:39 ` Mimi Zohar
2018-01-29 4:40 ` Theodore Ts'o
2018-01-29 4:50 ` Theodore Ts'o
2018-01-29 12:09 ` Mimi Zohar
2018-01-29 13:58 ` Mimi Zohar
2018-01-29 23:02 ` Theodore Ts'o
2018-01-30 23:25 ` Mimi Zohar
2018-01-31 16:05 ` Theodore Ts'o
2018-01-31 17:12 ` James Bottomley
2018-01-31 18:46 ` Theodore Ts'o
2018-01-31 20:41 ` James Bottomley
2018-02-01 0:03 ` Theodore Ts'o
2018-02-01 23:04 ` Dave Chinner
2018-02-01 23:43 ` Andreas Dilger
2018-02-02 0:13 ` Dave Chinner
2018-02-02 5:34 ` James Bottomley
2018-02-02 2:40 ` Theodore Ts'o
2018-02-02 9:05 ` Dave Chinner
2018-01-31 20:40 ` Mimi Zohar
2018-01-31 22:00 ` Theodore Ts'o
2018-02-01 15:17 ` Mimi Zohar
2018-01-29 0:21 ` James Bottomley
2018-01-29 1:03 ` Theodore Ts'o
2018-01-29 21:21 ` Andreas Dilger
2018-01-26 18:13 ` Mimi Zohar
2018-01-26 18:13 ` Mimi Zohar
2018-01-29 18:54 ` Michael Halcrow
2018-01-26 7:58 ` Colin Walters
2018-01-26 15:29 ` Theodore Ts'o
2018-01-26 16:40 ` Colin Walters
2018-01-26 16:49 ` [Lsf-pc] " James Bottomley
2018-01-26 17:05 ` Colin Walters
2018-01-26 17:54 ` Mimi Zohar
2018-01-26 17:54 ` Mimi Zohar
2018-02-02 0:02 ` Steve French
2018-02-07 13:04 ` David Gstir
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1517190821.29187.415.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=adilger@dilger.ca \
--cc=linux-fsdevel@vger.kernel.org \
--cc=lsf-pc@lists.linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.