From: Mimi Zohar <zohar@linux.ibm.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-integrity@vger.kernel.org, linux-fscrypt@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/4] ima: define a new signature type named IMA_VERITY_DIGSIG
Date: Thu, 02 Dec 2021 11:25:05 -0500 [thread overview]
Message-ID: <a1b808d664603bfd4bd2f747b59c3e0c51646922.camel@linux.ibm.com> (raw)
In-Reply-To: <6931ed7b1c7d5906bb595447fc24cd8a9b3e3d62.camel@linux.ibm.com>
Hi Eric,
On Tue, 2021-11-30 at 13:14 -0500, Mimi Zohar wrote:
> On Mon, 2021-11-29 at 18:33 -0800, Eric Biggers wrote:
> > On Mon, Nov 29, 2021 at 12:00:55PM -0500, Mimi Zohar wrote:
> > > To differentiate between a regular file hash and an fs-verity file digest
> > > based signature stored as security.ima xattr, define a new signature type
> > > named IMA_VERITY_DIGSIG.
> > >
> > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> >
> > For this new signature type, what bytes are actually signed? It looks like it's
> > just the raw digest, which isn't sufficient since it is ambiguous. It needs to
> > include information that makes it clear what the signer is actually signing,
> > such as "this is an fs-verity SHA-256 file digest". See
> > 'struct fsverity_formatted_digest' for an example of this (but it isn't
> > necessary to use that exact structure).
> >
> > I think the existing IMA signatures have the same problem (but it is hard for me
> > to understand the code). However, a new signature type doesn't have
> > backwards-compatibility concerns, so it could be done right.
>
> As this change should probably be applicable to all signature types,
> the signature version in the signature_v2_hdr should be bumped. The
> existing signature version could co-exist with the new signature
> version.
By signing the file hash, the sig field in the IMA measurement list can
be directly verified against the digest field. For appended
signatures, we defined a new template named ima-modsig which contains
two file hashes, with and without the appended signature.
Similarly, by signing a digest containing other metadata and fs-
verity's file digest, the measurement list should include both digests.
Otherwise the consumer of the measurement list would first need to
calculate the signed digest before verifying the signature.
Options:
- Include just fs-verity's file digest and the signature in the
measurement list. Leave it to the consumer of the measurement list to
deal with.
- Define a new template format to include both digests, add a new field
in the iint for the signed digest. (Much more work.)
- As originally posted, directly sign fs-verity's file digest.
thanks,
Mimi
next prev parent reply other threads:[~2021-12-02 16:25 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-29 17:00 [PATCH 0/4] ima: support fs-verity signatures stored as Mimi Zohar
2021-11-29 17:00 ` [PATCH 1/4] fs-verity: define a function to return the integrity protected file digest Mimi Zohar
2021-11-29 23:16 ` kernel test robot
2021-11-29 23:16 ` kernel test robot
2021-11-29 23:36 ` kernel test robot
2021-11-29 23:36 ` kernel test robot
2021-11-30 2:19 ` Eric Biggers
2021-11-30 5:33 ` Lakshmi Ramasubramanian
2021-11-30 6:30 ` Eric Biggers
2021-11-29 17:00 ` [PATCH 2/4] ima: define a new signature type named IMA_VERITY_DIGSIG Mimi Zohar
2021-11-30 2:33 ` Eric Biggers
2021-11-30 18:14 ` Mimi Zohar
2021-12-02 16:25 ` Mimi Zohar [this message]
2021-12-02 21:17 ` Eric Biggers
2021-12-02 21:56 ` Mimi Zohar
2021-11-29 17:00 ` [PATCH 3/4] ima: limit including fs-verity's file digest in measurement list Mimi Zohar
2021-11-30 2:35 ` Eric Biggers
2021-11-30 13:15 ` Mimi Zohar
2021-11-30 5:46 ` Lakshmi Ramasubramanian
2021-11-29 17:00 ` [PATCH 4/4] ima: support fs-verity file digest based signatures Mimi Zohar
2021-11-30 5:56 ` Lakshmi Ramasubramanian
2021-11-30 13:36 ` Mimi Zohar
2021-11-30 2:36 ` [PATCH 0/4] ima: support fs-verity signatures stored as Eric Biggers
2021-11-30 12:56 ` Mimi Zohar
2021-11-30 22:49 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a1b808d664603bfd4bd2f747b59c3e0c51646922.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=ebiggers@kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.