From: Chuck Lever <chuck.lever@oracle.com>
To: linux-integrity@vger.kernel.org
Subject: IMA on remote file systems
Date: Wed, 28 Aug 2019 13:36:15 -0400 [thread overview]
Message-ID: <C867A0BA-1ACF-4600-8179-3E15A098846C@oracle.com> (raw)
Last week I presented at the Linux Security Summit on a proposal
for handling IMA metadata on NFS files. After the presentation,
Mimi Zohar pointed out that although the proposal extends protection
from an NFS file server to time-of-measurement on an NFS client,
there is still a protection gap between time-of-measurement and
time-of-use on that client.
My proposal enables storage of per-file IMA metadata via the
NFSv4 protocol. I have a prototype and an IETF nfsv4 Working
Group document that specifies a small protocol extension.
I would like to find a way to extend IMA protection all the way
to time-of-use on NFS clients. The consensus is that a per-file
Merkle tree would be the most desirable approach, as that is the
same mechanism used for fs-verity protection.
For a few important reasons, it will be challenging to plumb
support for durable Merkle trees into NFS, although that is an
eventual goal.
My thought was to use an ephemeral Merkle tree for NFS (and
possibly other remote filesystems, like FUSE, until these
filesystems support durable per-file Merkle trees). A tree would
be constructed when the client measures a file, but it would not
saved to the filesystem. Instead of a hash of the file's contents,
the tree's root signature is stored as the IMA metadata.
Once a Merkle tree is available, it can be used in exactly the
same way that a durable Merkle tree would, to verify the integrity
of individual pages as they are used, evicted, and then read back
from the server.
If the client needs to evict part or all of an ephemeral tree, it
can subsequently be reconstructed by measuring the file again and
verifying its root signature against the stored IMA metadata.
So the only difference here is that the latency-to-first-byte
benefit of a durable Merkle tree would be absent.
I'm interested in any thoughts or opinions about this approach.
--
Chuck Lever
next reply other threads:[~2019-08-28 17:36 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-28 17:36 Chuck Lever [this message]
2019-09-13 14:50 ` IMA on remote file systems Chuck Lever
2019-09-15 21:42 ` Mimi Zohar
2019-09-16 16:10 ` Theodore Y. Ts'o
2019-09-16 18:16 ` Chuck Lever
2019-09-16 13:16 ` Janne Karhunen
2019-09-16 14:47 ` Chuck Lever
2019-09-17 6:30 ` Janne Karhunen
2019-09-17 12:45 ` Theodore Y. Ts'o
2019-09-17 14:18 ` Mimi Zohar
2019-09-17 14:56 ` James Bottomley
2019-09-18 5:27 ` Janne Karhunen
2019-09-18 12:50 ` Theodore Y. Ts'o
2019-09-18 15:52 ` James Bottomley
2019-09-19 6:47 ` Janne Karhunen
2019-09-18 12:37 ` Theodore Y. Ts'o
2019-09-18 14:40 ` Mimi Zohar
2019-09-18 15:49 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=C867A0BA-1ACF-4600-8179-3E15A098846C@oracle.com \
--to=chuck.lever@oracle.com \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.