linux-audit.redhat.com archive mirror
 help / color / mirror / Atom feed
From: Fan Wu <wufan@linux.microsoft.com>
To: Roberto Sassu <roberto.sassu@huaweicloud.com>
Cc: axboe@kernel.dk, linux-block@vger.kernel.org, tytso@mit.edu,
	dm-devel@redhat.com, corbet@lwn.net, roberto.sassu@huawei.com,
	Deven Bowers <deven.desai@linux.microsoft.com>,
	linux-doc@vger.kernel.org, snitzer@kernel.org, jmorris@namei.org,
	zohar@linux.ibm.com, linux-kernel@vger.kernel.org,
	ebiggers@kernel.org, linux-security-module@vger.kernel.org,
	linux-audit@redhat.com, eparis@redhat.com,
	linux-fscrypt@vger.kernel.org, linux-integrity@vger.kernel.org,
	agk@redhat.com, serge@hallyn.com
Subject: Re: [RFC PATCH v9 10/16] dm-verity: consume root hash digest and signature data via LSM hook
Date: Tue, 7 Feb 2023 15:52:43 -0800	[thread overview]
Message-ID: <20230207235243.GA5107@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net> (raw)
In-Reply-To: <903062f7b2e2709ae0e4416545ffadd91c132676.camel@huaweicloud.com>

On Thu, Feb 02, 2023 at 09:21:24AM +0100, Roberto Sassu wrote:
> On Wed, 2023-02-01 at 15:26 -0800, Fan Wu wrote:
> > On Tue, Jan 31, 2023 at 02:22:01PM +0100, Roberto Sassu wrote:
> > > On Mon, 2023-01-30 at 14:57 -0800, Fan Wu wrote:
> > > > From: Deven Bowers <deven.desai@linux.microsoft.com>
> > > > 
> > > > dm-verity provides a strong guarantee of a block device's integrity. As
> > > > a generic way to check the integrity of a block device, it provides
> > > > those integrity guarantees to its higher layers, including the filesystem
> > > > level.
> > > 
> > > I think you could reuse most of is_trusted_verity_target(), in
> > > particular dm_verity_get_root_digest().
> > > 
> > > And probably, the previous patch is not necessary.
> > > 
> > > Roberto
> > > 
> > Thanks for the info. This function seems could be used to get the roothash
> > but for saving the signature we still need the hook function in the previous
> > patch.
> 
> Uhm, look at the LoadPin case. It does not need to temporarily store
> the root digest in a security blob. It evaluates it directly.
> 
> Well, ok, dm_verity_loadpin_is_bdev_trusted() looks for trusted digests
> in the dm_verity_loadpin_trusted_root_digests list. So, something
> equivalent needs to be made for IPE (or you just get the digest).
> However, I find not introducing new hooks and evaluating the
> information directly more efficient.
> 
> Roberto

Thanks for the input. I did a deeper dive into the source code and did some
experiements, my conclusion is the hook is still the preferred way for us.

For the root digest part, dm_verity_loadpin_is_bdev_trusted is able to query
the root digest is because the root digest is saved in struct dm_verity.
Specifically it will call dm_verity_get_root_digest to kmemdup the digest.
If every binary execution will trigger a kmemdup to copy a digest,
the overhead will be noticeable. 
Using a hook can let us copy the root digest exactly once when
the block device is created and free the copied digest when 
the block device is unmounted. 

For the signature, it is currently an optional parameter and it is not
saved in struct dm_verity. But even if we let struct dm_verity saves
the signature it will still have the kmemdup problem above. 
So using the hook will be the cleanest way.

-Fan

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


  reply	other threads:[~2023-02-07 23:57 UTC|newest]

Thread overview: 74+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-01-30 22:57 [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE) Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 01/16] security: add ipe lsm Fan Wu
2023-03-02 19:00   ` Paul Moore
2023-04-06 19:20     ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 02/16] ipe: add policy parser Fan Wu
2023-01-31 10:53   ` Roberto Sassu
2023-02-01 22:38     ` Fan Wu
2023-03-02 19:02   ` Paul Moore
2023-04-06 20:00     ` Fan Wu
2023-04-11 19:13       ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 03/16] ipe: add evaluation loop and introduce 'boot_verified' as a trust provider Fan Wu
2023-01-31 10:29   ` Roberto Sassu
2023-01-31 15:49   ` Roberto Sassu
2023-02-10 23:21     ` Fan Wu
2023-03-02  2:33       ` Paul Moore
2023-03-02 19:03   ` Paul Moore
2023-04-10 18:53     ` Fan Wu
2023-04-11 20:32       ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 04/16] security: add new securityfs delete function Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 05/16] ipe: add userspace interface Fan Wu
2023-01-31 10:49   ` Roberto Sassu
2023-02-01 19:46     ` Fan Wu
2023-03-02 19:04   ` Paul Moore
2023-04-10 19:10     ` Fan Wu
2023-04-11 21:45       ` Paul Moore
2023-04-12 23:36         ` Fan Wu
2023-04-13 18:45           ` Paul Moore
2023-04-17 18:06             ` Fan Wu
2023-04-17 20:16               ` Paul Moore
2023-04-17 21:18                 ` Fan Wu
2023-04-17 21:31                   ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 06/16] ipe: add LSM hooks on execution and kernel read Fan Wu
2023-01-31 12:51   ` Roberto Sassu
2023-02-09 22:42     ` Fan Wu
2023-03-02 19:05   ` Paul Moore
2023-04-10 21:22     ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support Fan Wu
2023-01-31 12:57   ` Roberto Sassu
2023-01-31 17:10   ` Steve Grubb
2023-03-02 19:05     ` Paul Moore
2023-03-16 22:53       ` Fan Wu
2023-04-11 23:07         ` Paul Moore
2023-04-11 23:21       ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 08/16] ipe: add permissive toggle Fan Wu
2023-03-02 19:06   ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 09/16] block|security: add LSM blob to block_device Fan Wu
2023-01-31  8:53   ` Christoph Hellwig
2023-01-31 23:01     ` Fan Wu
2023-03-02 19:07   ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 10/16] dm-verity: consume root hash digest and signature data via LSM hook Fan Wu
2023-01-31 13:22   ` Roberto Sassu
2023-02-01 23:26     ` Fan Wu
2023-02-02  8:21       ` Roberto Sassu
2023-02-07 23:52         ` Fan Wu [this message]
2023-01-30 22:57 ` [RFC PATCH v9 11/16] ipe: add support for dm-verity as a trust provider Fan Wu
2023-03-02 19:08   ` Paul Moore
2023-03-16 22:10     ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 12/16] fsverity: consume builtin signature via LSM hook Fan Wu
2023-02-09  3:30   ` Eric Biggers
2023-02-09 22:21     ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 13/16] ipe: enable support for fs-verity as a trust provider Fan Wu
2023-01-31 14:00   ` Roberto Sassu
2023-02-01 23:50     ` Fan Wu
2023-02-02  9:51       ` Roberto Sassu
2023-02-08  0:16         ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 14/16] scripts: add boot policy generation program Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 15/16] ipe: kunit test for parser Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 16/16] documentation: add ipe documentation Fan Wu
2023-01-31  3:59   ` Bagas Sanjaya
2023-02-02  0:19     ` Fan Wu
2023-01-31 14:22 ` [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE) Roberto Sassu
2023-02-01  0:48   ` Fan Wu
2023-02-02 10:48     ` Roberto Sassu
2023-02-08  0:31       ` Fan Wu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230207235243.GA5107@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net \
    --to=wufan@linux.microsoft.com \
    --cc=agk@redhat.com \
    --cc=axboe@kernel.dk \
    --cc=corbet@lwn.net \
    --cc=deven.desai@linux.microsoft.com \
    --cc=dm-devel@redhat.com \
    --cc=ebiggers@kernel.org \
    --cc=eparis@redhat.com \
    --cc=jmorris@namei.org \
    --cc=linux-audit@redhat.com \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-fscrypt@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=roberto.sassu@huawei.com \
    --cc=roberto.sassu@huaweicloud.com \
    --cc=serge@hallyn.com \
    --cc=snitzer@kernel.org \
    --cc=tytso@mit.edu \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).