From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
stephen.smalley.work@gmail.com, casey@schaufler-ca.com,
agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com
Cc: sashal@kernel.org, dm-devel@redhat.com, selinux@vger.kernel.org,
jmorris@namei.org, linux-kernel@vger.kernel.org,
nramas@linux.microsoft.com,
linux-security-module@vger.kernel.org,
tyhicks@linux.microsoft.com, linux-integrity@vger.kernel.org
Subject: Re: [dm-devel] [PATCH v4 4/6] IMA: add policy to measure critical data from kernel components
Date: Fri, 23 Oct 2020 15:50:52 -0700 [thread overview]
Message-ID: <87499f4e-d1d1-916c-24d2-0228bcacad26@linux.microsoft.com> (raw)
In-Reply-To: <37aa4e6f5db6c53f4021f829ec09388d55d28208.camel@linux.ibm.com>
On 2020-10-22 2:15 p.m., Mimi Zohar wrote:
> Hi Tushar,
>
> The above Subject line should be truncated to "IMA: add policy to
> measure critical data".
>
> On Wed, 2020-09-23 at 12:20 -0700, Tushar Sugandhi wrote:
>> There would be several candidate kernel components suitable for IMA
>> measurement. Not all of them would have support for IMA measurement.
>
> This intro is besides the point. The patch description should describe
> what is meant by "critical data".
>
Thanks. I will fix the description to address this.
>> Also, system administrators may not want to measure data for all of
>> them, even when they support IMA measurement.
>> An IMA policy option
>> specific to various kernel components is needed to measure their
>> respective critical data.
>>
>> This policy option needs to be constrained to measure data for
>> specific kernel components that are specified as input values to the
>> policy option.
>>
>> Add a new IMA policy option - "data_sources:=" to allow measuring
>> various critical kernel components. This policy option would enable the
>> system administrators to limit the measurement to the components
>> listed in "data_sources:=", if the components support IMA measurement.
>>
>> The new policy option "data_sources:=" is different from the existing
>> policy option "keyrings:=".
>>
>> In case of "keyrings:=", a policy may measure all keyrings (when
>> "keyrings:=" option is not provided for func KEY_CHECK), or may
>> constrain which keyrings need to be measured (when "keyrings:=" option
>> is provided for func KEY_CHECK).
>>
>> But unlike "keyrings:=", the entries in "data_sources:=" would have
>> different data format. Further, the components listed in
>> "data_sources:=" need to be modified to call IMA to measure their
>> data. Therefore, unlike "keyrings:=", IMA shouldn't measure all of the
>> components by default, when "data_sources:=" is not specified. Because
>> measuring non-vetted components just by specifying them as a policy
>> option value may impact the overall reliability of the system.
>>
>> To address this, "data_sources:=" should be a mandatory policy option
>> for func=CRITICAL_DATA. This func is introduced in the 5th patch in this
>> series). And the compile-time vetting functionality described above is
>> introduced in the 6th patch in this series.
>>
>> Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
>
> I don't understand what you mean by "non-vetted" components, nor how
> measuring critical data may impact the overall reliability of the
> system.
>
Tushar: Before we introduced the mechanism to check supported
data-sources at compile time (patch 6/6 of this series), there was a
back-and-forth on whether “data_sources:=” should be a mandatory policy
option, or optional like “keyrings:=”. And we decided to make the
“data_sources:=” mandatory. But now that we have the compile time check
(patch 6/6 of this series), we can switch to make “data_sources:=”
optional (with the default to allow measuring all critical data – just
like what you suggested below). I will make the code and description
changes accordingly.
> The system owner or adminstrator defines what they want to measure,
> including "critical data", based on the policy rules. They might
> decide that they want to constrain which "critical data" is measured by
> specifying "data_sources:=", but that decision is their perogative.
> The default should allow measuring all critical data.
>
Makes sense.
To summarize, we will make the decision which sources to measure- based
on the sources defined in the allow list (in patch 6) and the sources
defined in “data_sources:=”. If “data_sources:=” is not present, we will
measure all sources defined in the allow list.
Hope my this understanding is correct based on your feedback.
> A simple example of "critical data" could be some in memory structure,
> along the lines of __ro_after_init, or hash of the memory structure.
> Once the data structure is initialized, the "critical data" measurement
> shouldn't change. From the attestation server perspective, the IMA
> measurement list would contain a single record unless the critical data
> changes. The attestation server doesn't need to know anything about
> the initial value, just that it has changed in order to trigger some
> sort alert.
Yes agreed. After the updates (based on your feedback) I stated above,
the behavior should remain consistent with what you described here.
>
> thanks,
>
> Mimi
>
--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
next prev parent reply other threads:[~2020-10-26 7:22 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-23 19:20 [PATCH v4 0/6] IMA: Infrastructure for measurement of critical kernel data Tushar Sugandhi
2020-09-23 19:20 ` [PATCH v4 1/6] IMA: generalize keyring specific measurement constructs Tushar Sugandhi
2020-10-22 19:39 ` [dm-devel] " Mimi Zohar
2020-10-23 22:38 ` Tushar Sugandhi
2020-09-23 19:20 ` [PATCH v4 2/6] IMA: conditionally allow empty rule data Tushar Sugandhi
2020-10-22 20:38 ` [dm-devel] " Mimi Zohar
2020-10-23 22:39 ` Tushar Sugandhi
2020-09-23 19:20 ` [PATCH v4 3/6] IMA: update process_buffer_measurement to measure buffer hash Tushar Sugandhi
2020-09-23 19:20 ` [PATCH v4 4/6] IMA: add policy to measure critical data from kernel components Tushar Sugandhi
2020-10-22 21:15 ` [dm-devel] " Mimi Zohar
2020-10-23 22:50 ` Tushar Sugandhi [this message]
2020-09-23 19:20 ` [PATCH v4 5/6] IMA: add hook " Tushar Sugandhi
2020-10-22 22:35 ` [dm-devel] " Mimi Zohar
2020-10-23 22:54 ` Tushar Sugandhi
2020-09-23 19:20 ` [PATCH v4 6/6] IMA: validate supported kernel data sources before measurement Tushar Sugandhi
2020-10-25 3:35 ` [dm-devel] [PATCH v4 0/6] IMA: Infrastructure for measurement of critical kernel data Mimi Zohar
2020-10-27 17:30 ` Tushar Sugandhi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87499f4e-d1d1-916c-24d2-0228bcacad26@linux.microsoft.com \
--to=tusharsu@linux.microsoft.com \
--cc=agk@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=dm-devel@redhat.com \
--cc=gmazyland@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=sashal@kernel.org \
--cc=selinux@vger.kernel.org \
--cc=snitzer@redhat.com \
--cc=stephen.smalley.work@gmail.com \
--cc=tyhicks@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).