From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_2 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 72C75C433DF for ; Mon, 10 Aug 2020 15:35:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5055A22BEA for ; Mon, 10 Aug 2020 15:35:53 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b="cVt1iMuK"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b="MjwJxpgT" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728783AbgHJPfq (ORCPT ); Mon, 10 Aug 2020 11:35:46 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:55864 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728752AbgHJPfn (ORCPT ); Mon, 10 Aug 2020 11:35:43 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id E27C78EE1DD; Mon, 10 Aug 2020 08:35:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1597073741; bh=H6RkvIzpfXOLSmHTbzR8XGbmPVN5aMmAbFV+0MS/vCw=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=cVt1iMuKWH4Bg+bLnyRSpUB/wXbG1V4IcQrDFdM+He/KopgifO7HNehQkYRafWpR7 B7RZHTNO5ffSnIB2urr4t5jxmwSfl4SQgYlbRQkBhgcHt8qoHLUYBwA7Q6vT3o6/tt pW81Sr83Alr3AG3vWPtlKAQ4u+snVOqOmdggu00Q= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NaS3pjwBelNS; Mon, 10 Aug 2020 08:35:40 -0700 (PDT) Received: from [153.66.254.174] (c-73-35-198-56.hsd1.wa.comcast.net [73.35.198.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 490FA8EE12E; Mon, 10 Aug 2020 08:35:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1597073740; bh=H6RkvIzpfXOLSmHTbzR8XGbmPVN5aMmAbFV+0MS/vCw=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=MjwJxpgTQz4M0HQgOVHVrw7HDPZ5iwScXAZ3T0CV5ey1CM8n8Q+96pCZP7NtESu7J Aa755rKZNaN6eMUTRHzcTFugAubBvvES0Y0Tz+SDho/oQczzL4HdAtuVcZFPuzBhG3 6CMTxxSQ5umiDNicSAXPubohnY0HnMFKrU59s060= Message-ID: <1597073737.3966.12.camel@HansenPartnership.com> Subject: Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) From: James Bottomley To: Mimi Zohar , Chuck Lever , James Morris Cc: Deven Bowers , Pavel Machek , Sasha Levin , snitzer@redhat.com, dm-devel@redhat.com, tyhicks@linux.microsoft.com, agk@redhat.com, Paul Moore , Jonathan Corbet , nramas@linux.microsoft.com, serge@hallyn.com, pasha.tatashin@soleen.com, Jann Horn , linux-block@vger.kernel.org, Al Viro , Jens Axboe , mdsakib@microsoft.com, open list , eparis@redhat.com, linux-security-module@vger.kernel.org, linux-audit@redhat.com, linux-fsdevel , linux-integrity@vger.kernel.org, jaskarankhurana@linux.microsoft.com Date: Mon, 10 Aug 2020 08:35:37 -0700 In-Reply-To: References: <20200728213614.586312-1-deven.desai@linux.microsoft.com> <20200802115545.GA1162@bug> <20200802140300.GA2975990@sasha-vm> <20200802143143.GB20261@amd> <1596386606.4087.20.camel@HansenPartnership.com> <1596639689.3457.17.camel@HansenPartnership.com> <329E8DBA-049E-4959-AFD4-9D118DEB176E@gmail.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.6 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org On Sun, 2020-08-09 at 13:16 -0400, Mimi Zohar wrote: > On Sat, 2020-08-08 at 13:47 -0400, Chuck Lever wrote: > > > On Aug 5, 2020, at 2:15 PM, Mimi Zohar > > > wrote: > > > > > > If block layer integrity was enough, there wouldn't have been a > > > need for fs-verity. Even fs-verity is limited to read only > > > filesystems, which makes validating file integrity so much > > > easier. From the beginning, we've said that fs-verity signatures > > > should be included in the measurement list. (I thought someone > > > signed on to add that support to IMA, but have not yet seen > > > anything.) > > > > Mimi, when you and I discussed this during LSS NA 2019, I didn't > > fully understand that you expected me to implement signed Merkle > > trees for all filesystems. At the time, it sounded to me like you > > wanted signed Merkle trees only for NFS files. Is that still the > > case? > > I definitely do not expect you to support signed Merkle trees for all > filesystems. My interested is from an IMA perspective of measuring > and verifying the fs-verity Merkle tree root (and header info) > signature. This is independent of which filesystems support it. > > > > > The first priority (for me, anyway) therefore is getting the > > ability to move IMA metadata between NFS clients and servers > > shoveled into the NFS protocol, but that's been blocked for various > > legal reasons. > > Up to now, verifying remote filesystem file integrity has been out of > scope for IMA. With fs-verity file signatures I can at least grasp > how remote file integrity could possibly work. I don't understand > how remote file integrity with existing IMA formats could be > supported. You might want to consider writing a whitepaper, which > could later be used as the basis for a patch set cover letter. I think, before this, we can help with the basics (and perhaps we should sort them out before we start documenting what we'll do). The first basic is that a merkle tree allows unit at a time verification. First of all we should agree on the unit. Since we always fault a page at a time, I think our merkle tree unit should be a page not a block. Next, we should agree where the check gates for the per page accesses should be ... definitely somewhere in readpage, I suspect and finally we should agree how the merkle tree is presented at the gate. I think there are three ways: 1. Ahead of time transfer: The merkle tree is transferred and verified at some time before the accesses begin, so we already have a verified copy and can compare against the lower leaf. 2. Async transfer: We provide an async mechanism to transfer the necessary components, so when presented with a unit, we check the log n components required to get to the root 3. The protocol actually provides the capability of 2 (like the SCSI DIF/DIX), so to IMA all the pieces get presented instead of IMA having to manage the tree There are also a load of minor things like how we get the head hash, which must be presented and verified ahead of time for each of the above 3. James From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.0 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40B38C433DF for ; Mon, 10 Aug 2020 15:42:31 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id DA8C02080C for ; Mon, 10 Aug 2020 15:42:30 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org DA8C02080C Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=hansenpartnership.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linux-audit-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-443-gyzZ9cC4OB-PTo25jeQhCg-1; Mon, 10 Aug 2020 11:42:27 -0400 X-MC-Unique: gyzZ9cC4OB-PTo25jeQhCg-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 397AA100CC86; Mon, 10 Aug 2020 15:42:24 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5D0C910013C2; Mon, 10 Aug 2020 15:42:23 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 366211809557; Mon, 10 Aug 2020 15:42:22 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 07AFZruS010640 for ; Mon, 10 Aug 2020 11:35:53 -0400 Received: by smtp.corp.redhat.com (Postfix) id 6DBA51007A46; Mon, 10 Aug 2020 15:35:53 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast06.extmail.prod.ext.rdu2.redhat.com [10.11.55.22]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 40EDD10087CA for ; Mon, 10 Aug 2020 15:35:50 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 7ACDF18E0A76 for ; Mon, 10 Aug 2020 15:35:50 +0000 (UTC) Received: from bedivere.hansenpartnership.com (bedivere.hansenpartnership.com [66.63.167.143]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-3-ro1_e39VNr2oc3VMJIgX2A-1; Mon, 10 Aug 2020 11:35:44 -0400 X-MC-Unique: ro1_e39VNr2oc3VMJIgX2A-1 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id E27C78EE1DD; Mon, 10 Aug 2020 08:35:40 -0700 (PDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NaS3pjwBelNS; Mon, 10 Aug 2020 08:35:40 -0700 (PDT) Received: from [153.66.254.174] (c-73-35-198-56.hsd1.wa.comcast.net [73.35.198.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 490FA8EE12E; Mon, 10 Aug 2020 08:35:39 -0700 (PDT) Message-ID: <1597073737.3966.12.camel@HansenPartnership.com> Subject: Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) From: James Bottomley To: Mimi Zohar , Chuck Lever , James Morris Date: Mon, 10 Aug 2020 08:35:37 -0700 In-Reply-To: References: <20200728213614.586312-1-deven.desai@linux.microsoft.com> <20200802115545.GA1162@bug> <20200802140300.GA2975990@sasha-vm> <20200802143143.GB20261@amd> <1596386606.4087.20.camel@HansenPartnership.com> <1596639689.3457.17.camel@HansenPartnership.com> <329E8DBA-049E-4959-AFD4-9D118DEB176E@gmail.com> Mime-Version: 1.0 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false; X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-loop: linux-audit@redhat.com X-Mailman-Approved-At: Mon, 10 Aug 2020 11:41:02 -0400 Cc: snitzer@redhat.com, Deven Bowers , dm-devel@redhat.com, tyhicks@linux.microsoft.com, Pavel Machek , Paul, agk@redhat.com, Sasha Levin , Jonathan Corbet , nramas@linux.microsoft.com, serge@hallyn.com, pasha.tatashin@soleen.com, Jann Horn , linux-block@vger.kernel.org, Al Viro , Jens Axboe , mdsakib@microsoft.com, open list , linux-security-module@vger.kernel.org, linux-audit@redhat.com, linux-fsdevel , linux-integrity@vger.kernel.org, jaskarankhurana@linux.microsoft.com X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On Sun, 2020-08-09 at 13:16 -0400, Mimi Zohar wrote: > On Sat, 2020-08-08 at 13:47 -0400, Chuck Lever wrote: > > > On Aug 5, 2020, at 2:15 PM, Mimi Zohar > > > wrote: > > > > > > If block layer integrity was enough, there wouldn't have been a > > > need for fs-verity. Even fs-verity is limited to read only > > > filesystems, which makes validating file integrity so much > > > easier. From the beginning, we've said that fs-verity signatures > > > should be included in the measurement list. (I thought someone > > > signed on to add that support to IMA, but have not yet seen > > > anything.) > > > > Mimi, when you and I discussed this during LSS NA 2019, I didn't > > fully understand that you expected me to implement signed Merkle > > trees for all filesystems. At the time, it sounded to me like you > > wanted signed Merkle trees only for NFS files. Is that still the > > case? > > I definitely do not expect you to support signed Merkle trees for all > filesystems. My interested is from an IMA perspective of measuring > and verifying the fs-verity Merkle tree root (and header info) > signature. This is independent of which filesystems support it. > > > > > The first priority (for me, anyway) therefore is getting the > > ability to move IMA metadata between NFS clients and servers > > shoveled into the NFS protocol, but that's been blocked for various > > legal reasons. > > Up to now, verifying remote filesystem file integrity has been out of > scope for IMA. With fs-verity file signatures I can at least grasp > how remote file integrity could possibly work. I don't understand > how remote file integrity with existing IMA formats could be > supported. You might want to consider writing a whitepaper, which > could later be used as the basis for a patch set cover letter. I think, before this, we can help with the basics (and perhaps we should sort them out before we start documenting what we'll do). The first basic is that a merkle tree allows unit at a time verification. First of all we should agree on the unit. Since we always fault a page at a time, I think our merkle tree unit should be a page not a block. Next, we should agree where the check gates for the per page accesses should be ... definitely somewhere in readpage, I suspect and finally we should agree how the merkle tree is presented at the gate. I think there are three ways: 1. Ahead of time transfer: The merkle tree is transferred and verified at some time before the accesses begin, so we already have a verified copy and can compare against the lower leaf. 2. Async transfer: We provide an async mechanism to transfer the necessary components, so when presented with a unit, we check the log n components required to get to the root 3. The protocol actually provides the capability of 2 (like the SCSI DIF/DIX), so to IMA all the pieces get presented instead of IMA having to manage the tree There are also a load of minor things like how we get the head hash, which must be presented and verified ahead of time for each of the above 3. James -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit