From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
dm-devel@redhat.com, agk@redhat.com, snitzer@redhat.com
Cc: linux-integrity@vger.kernel.org, nramas@linux.microsoft.com
Subject: Re: [PATCH 7/7] dm: add documentation for IMA measurement support
Date: Mon, 26 Jul 2021 11:28:51 -0700 [thread overview]
Message-ID: <74451a59-d029-239c-4519-da10c7957c22@linux.microsoft.com> (raw)
In-Reply-To: <8cea95cdc1349ae60c690c45ddabcd676c5774d2.camel@linux.ibm.com>
Hi Mimi,
On 7/26/21 9:33 AM, Mimi Zohar wrote:
> Hi Tushar,
>
> On Sat, 2021-07-24 at 00:25 -0700, Tushar Sugandhi wrote:
>> Hi Mimi,
>>
>>
>>> Missing from the document is a way of validating the template data.
>>> For example, in the original case of file measurements, the template
>>> data contains the file hash, which can be recalculated or verified
>>> against an allow list.
>>>
>>> Other than re-calculating the template data digest based on the
>>> template data, and verifying it against the template data digest in the
>>> measurement list, would an attestation server be able to verify the
>>> template data itself?
>>>
>> Yes.
>> In the context of device-mapper, EVENT_DATA for 'table_load' would
>> contain the key-value pairs for various targets in the table
>> (crypt, verity, integrity etc.) which the attestation servers
>> should be able to verify against the allowed/expected
>> key-value pairs specified in the attestation policy.
>>
>> To avoid bloating the IMA log with same data from table_load again,
>> we only measure hash of the loaded table in the EVENT_DATA -
>> when there is a state change for DM device.
>> e.g. when EVENT_NAME is 'device_resume', 'table_clear',
>> 'device_remove' etc.
>>
>> Since the table clear-text is already present in the EVENT_DATA
>> buffer for 'table_load', and is available to attestation servers,
>> verifying the corresponding hash values in the
>> EVENT_DATA in the subsequent DM events should be possible for
>> the attestation servers.
>>
>> Please let us know if you need further info.
>
> For regular files with signatures, the file signature is verified
> against the file hash, both contained within the template data. For
> the SELinux "critical-data",
> commit 2554a48f4437 ("selinux: measure state and policy capabilities")
> contains that information. Missing from this patch set is information
> on how the attestation server could verify the DM critical data.
>
> Does the DM record contain everything needed for the attestion server
> to verify the template record? Are things like the hash algorithm hard
> coded?
>
Thanks for the feedback.
I think you have a point (on documenting hash algo and version in the
IMA record).
For the individual targets (crypt/linear etc.) the target version
is already recorded during table_load [1].
So for new attribute add/update/delete to those targets in future,
they should be accompanied by bumping the relevant target version.
So that the attestation servers would know what attributes to expect,
based on the target's version number.
So individual targets are already taken care of.
But for overall DM records I think some versioning would be useful
to the attestation servers, to determine what to expect for the
attributes that are at device level (i.e. not part of any individual
targets e.g. "minor_count", "num_targets" etc.).
Further, for the DM records that are not "table_load" - what hashing
algo is used to hash active/inactive table is the implementation detail
specific to DM, as Mike called out; and it is orthogonal to IMA's hash
algo.
But I think it would be useful to record the active/inactive table's
hash algo as part of the overall DM record template, so that attestation
servers would know to how to interpret the relevant data.
(i.e. "active_table_hash", "inactive_table_hash" in [2]).
Both the changes are simple enough.
I will prototype and propose them as incremental patches along with
other changes (pointed to dm-5.15 branch as per Mike's suggestion.)
Thanks for your suggestions again.
Regards,
Tushar
[1]
+10 a8c5ff755561c7a28146389d1514c318592af49a ima-buf
sha256:4d73481ecce5eadba8ab084640d85bb9ca899af4d0a122989252a76efadc5b72
+table_load
+name=linear1,uuid=,major=253,minor=0,minor_count=1,num_targets=1;
+target_index=0,target_begin=0,target_len=2,target_name=linear,target_version=1.4.0,device_name=7:0,start=512;
+table_load
+name=test-crypt,uuid=,major=253,minor=0,minor_count=1,num_targets=1;
+target_index=0,target_begin=0,target_len=1953125,target_name=crypt,target_version=1.23.0,
[2]
+device_remove
+device_active_metadata=name=linear1,uuid=,major=253,minor=0,minor_count=1,num_targets=4;
+device_inactive_metadata=name=linear1,uuid=,major=253,minor=0,minor_count=1,num_targets=2;
+active_table_hash=4d73481ecce5eadba8ab084640d85bb9ca899af4d0a122989252a76efadc5b72,
+inactive_table_hash=5596cc857b0e887fd0c5d58dc6382513284596b07f09fd37efae2da224bd521d,remove_all=n;
+current_device_capacity=8;
> thanks,
>
> Mimi
>
>
WARNING: multiple messages have this Message-ID (diff)
From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
dm-devel@redhat.com, agk@redhat.com, snitzer@redhat.com
Cc: nramas@linux.microsoft.com, linux-integrity@vger.kernel.org
Subject: Re: [dm-devel] [PATCH 7/7] dm: add documentation for IMA measurement support
Date: Mon, 26 Jul 2021 11:28:51 -0700 [thread overview]
Message-ID: <74451a59-d029-239c-4519-da10c7957c22@linux.microsoft.com> (raw)
In-Reply-To: <8cea95cdc1349ae60c690c45ddabcd676c5774d2.camel@linux.ibm.com>
Hi Mimi,
On 7/26/21 9:33 AM, Mimi Zohar wrote:
> Hi Tushar,
>
> On Sat, 2021-07-24 at 00:25 -0700, Tushar Sugandhi wrote:
>> Hi Mimi,
>>
>>
>>> Missing from the document is a way of validating the template data.
>>> For example, in the original case of file measurements, the template
>>> data contains the file hash, which can be recalculated or verified
>>> against an allow list.
>>>
>>> Other than re-calculating the template data digest based on the
>>> template data, and verifying it against the template data digest in the
>>> measurement list, would an attestation server be able to verify the
>>> template data itself?
>>>
>> Yes.
>> In the context of device-mapper, EVENT_DATA for 'table_load' would
>> contain the key-value pairs for various targets in the table
>> (crypt, verity, integrity etc.) which the attestation servers
>> should be able to verify against the allowed/expected
>> key-value pairs specified in the attestation policy.
>>
>> To avoid bloating the IMA log with same data from table_load again,
>> we only measure hash of the loaded table in the EVENT_DATA -
>> when there is a state change for DM device.
>> e.g. when EVENT_NAME is 'device_resume', 'table_clear',
>> 'device_remove' etc.
>>
>> Since the table clear-text is already present in the EVENT_DATA
>> buffer for 'table_load', and is available to attestation servers,
>> verifying the corresponding hash values in the
>> EVENT_DATA in the subsequent DM events should be possible for
>> the attestation servers.
>>
>> Please let us know if you need further info.
>
> For regular files with signatures, the file signature is verified
> against the file hash, both contained within the template data. For
> the SELinux "critical-data",
> commit 2554a48f4437 ("selinux: measure state and policy capabilities")
> contains that information. Missing from this patch set is information
> on how the attestation server could verify the DM critical data.
>
> Does the DM record contain everything needed for the attestion server
> to verify the template record? Are things like the hash algorithm hard
> coded?
>
Thanks for the feedback.
I think you have a point (on documenting hash algo and version in the
IMA record).
For the individual targets (crypt/linear etc.) the target version
is already recorded during table_load [1].
So for new attribute add/update/delete to those targets in future,
they should be accompanied by bumping the relevant target version.
So that the attestation servers would know what attributes to expect,
based on the target's version number.
So individual targets are already taken care of.
But for overall DM records I think some versioning would be useful
to the attestation servers, to determine what to expect for the
attributes that are at device level (i.e. not part of any individual
targets e.g. "minor_count", "num_targets" etc.).
Further, for the DM records that are not "table_load" - what hashing
algo is used to hash active/inactive table is the implementation detail
specific to DM, as Mike called out; and it is orthogonal to IMA's hash
algo.
But I think it would be useful to record the active/inactive table's
hash algo as part of the overall DM record template, so that attestation
servers would know to how to interpret the relevant data.
(i.e. "active_table_hash", "inactive_table_hash" in [2]).
Both the changes are simple enough.
I will prototype and propose them as incremental patches along with
other changes (pointed to dm-5.15 branch as per Mike's suggestion.)
Thanks for your suggestions again.
Regards,
Tushar
[1]
+10 a8c5ff755561c7a28146389d1514c318592af49a ima-buf
sha256:4d73481ecce5eadba8ab084640d85bb9ca899af4d0a122989252a76efadc5b72
+table_load
+name=linear1,uuid=,major=253,minor=0,minor_count=1,num_targets=1;
+target_index=0,target_begin=0,target_len=2,target_name=linear,target_version=1.4.0,device_name=7:0,start=512;
+table_load
+name=test-crypt,uuid=,major=253,minor=0,minor_count=1,num_targets=1;
+target_index=0,target_begin=0,target_len=1953125,target_name=crypt,target_version=1.23.0,
[2]
+device_remove
+device_active_metadata=name=linear1,uuid=,major=253,minor=0,minor_count=1,num_targets=4;
+device_inactive_metadata=name=linear1,uuid=,major=253,minor=0,minor_count=1,num_targets=2;
+active_table_hash=4d73481ecce5eadba8ab084640d85bb9ca899af4d0a122989252a76efadc5b72,
+inactive_table_hash=5596cc857b0e887fd0c5d58dc6382513284596b07f09fd37efae2da224bd521d,remove_all=n;
+current_device_capacity=8;
> thanks,
>
> Mimi
>
>
--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
next prev parent reply other threads:[~2021-07-26 18:28 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-13 0:48 [PATCH 0/7] device mapper target measurements using IMA Tushar Sugandhi
2021-07-13 0:48 ` [dm-devel] " Tushar Sugandhi
2021-07-13 0:48 ` [PATCH 1/7] dm: measure data on table load Tushar Sugandhi
2021-07-13 0:48 ` [dm-devel] " Tushar Sugandhi
2021-07-21 2:12 ` Mimi Zohar
2021-07-21 2:12 ` [dm-devel] " Mimi Zohar
2021-07-21 15:42 ` Mike Snitzer
2021-07-21 15:42 ` [dm-devel] " Mike Snitzer
2021-07-21 16:07 ` Mimi Zohar
2021-07-21 16:07 ` [dm-devel] " Mimi Zohar
2021-07-21 21:17 ` Mimi Zohar
2021-07-21 21:17 ` [dm-devel] " Mimi Zohar
2021-07-29 19:58 ` Tushar Sugandhi
2021-07-29 19:58 ` [dm-devel] " Tushar Sugandhi
2021-07-13 0:48 ` [PATCH 2/7] dm: measure data on device resume Tushar Sugandhi
2021-07-13 0:48 ` [dm-devel] " Tushar Sugandhi
2021-07-13 0:49 ` [PATCH 3/7] dm: measure data on device remove Tushar Sugandhi
2021-07-13 0:49 ` [dm-devel] " Tushar Sugandhi
2021-07-13 0:49 ` [PATCH 4/7] dm: measure data on table clear Tushar Sugandhi
2021-07-13 0:49 ` [dm-devel] " Tushar Sugandhi
2021-07-13 0:49 ` [PATCH 5/7] dm: measure data on device rename Tushar Sugandhi
2021-07-13 0:49 ` [dm-devel] " Tushar Sugandhi
2021-07-13 0:49 ` [PATCH 6/7] dm: update target specific status functions to measure data Tushar Sugandhi
2021-07-13 0:49 ` [dm-devel] " Tushar Sugandhi
2021-07-13 1:06 ` Alasdair G Kergon
2021-07-13 1:06 ` [dm-devel] " Alasdair G Kergon
2021-07-14 20:23 ` Tushar Sugandhi
2021-07-14 20:23 ` [dm-devel] " Tushar Sugandhi
2021-07-13 0:49 ` [PATCH 7/7] dm: add documentation for IMA measurement support Tushar Sugandhi
2021-07-13 0:49 ` [dm-devel] " Tushar Sugandhi
2021-07-21 2:33 ` Mimi Zohar
2021-07-21 2:33 ` [dm-devel] " Mimi Zohar
2021-07-24 7:25 ` Tushar Sugandhi
2021-07-24 7:25 ` [dm-devel] " Tushar Sugandhi
2021-07-26 16:33 ` Mimi Zohar
2021-07-26 16:33 ` [dm-devel] " Mimi Zohar
2021-07-26 18:28 ` Tushar Sugandhi [this message]
2021-07-26 18:28 ` Tushar Sugandhi
2021-07-14 11:32 ` [dm-devel] [PATCH 0/7] device mapper target measurements using IMA Thore Sommer
2021-07-14 11:32 ` Thore Sommer
2021-07-14 20:20 ` Tushar Sugandhi
2021-07-14 20:20 ` Tushar Sugandhi
2021-07-27 10:18 ` Thore Sommer
2021-07-27 10:18 ` Thore Sommer
2021-07-27 20:33 ` Alasdair G Kergon
2021-07-27 20:33 ` Alasdair G Kergon
2021-07-28 3:10 ` Tushar Sugandhi
2021-07-28 3:10 ` Tushar Sugandhi
2021-07-28 17:14 ` Thore Sommer
2021-07-28 17:14 ` Thore Sommer
2021-07-29 17:32 ` Tushar Sugandhi
2021-07-29 17:32 ` Tushar Sugandhi
2021-07-28 17:34 ` Thore Sommer
2021-07-28 17:34 ` Thore Sommer
2021-07-28 21:33 ` Alasdair G Kergon
2021-07-28 21:33 ` Alasdair G Kergon
2021-08-02 10:45 ` Thore Sommer
2021-08-02 10:45 ` Thore Sommer
2021-07-29 19:24 ` Tushar Sugandhi
2021-07-29 19:24 ` Tushar Sugandhi
2021-08-02 10:38 ` Thore Sommer
2021-08-02 10:38 ` Thore Sommer
2021-07-20 21:27 ` Mike Snitzer
2021-07-20 21:27 ` [dm-devel] " Mike Snitzer
2021-07-24 6:57 ` Tushar Sugandhi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=74451a59-d029-239c-4519-da10c7957c22@linux.microsoft.com \
--to=tusharsu@linux.microsoft.com \
--cc=agk@redhat.com \
--cc=dm-devel@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=snitzer@redhat.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.