From: Eric Biggers <ebiggers@kernel.org>
To: Deven Bowers <deven.desai@linux.microsoft.com>
Cc: corbet@lwn.net, axboe@kernel.dk, agk@redhat.com,
snitzer@redhat.com, tytso@mit.edu, paul@paul-moore.com,
eparis@redhat.com, jmorris@namei.org, serge@hallyn.com,
jannh@google.com, dm-devel@redhat.com, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-block@vger.kernel.org,
linux-fscrypt@vger.kernel.org, linux-audit@redhat.com,
linux-security-module@vger.kernel.org
Subject: Re: [RFC PATCH v7 12/16] fsverity|security: add security hooks to fsverity digest and signature
Date: Wed, 27 Oct 2021 20:48:23 -0700 [thread overview]
Message-ID: <YXodhzYto5BRxqYO@sol.localdomain> (raw)
In-Reply-To: <f027e3fa-2f70-0cdb-ac7b-255cee68edbb@linux.microsoft.com>
On Tue, Oct 26, 2021 at 12:03:53PM -0700, Deven Bowers wrote:
> > > The proposed LSM (IPE) of this series will be the only one to need
> > > this information at the moment. IPE’s goal is to have provide
> > > trust-based access control. Trust and Integrity are tied together,
> > > as you cannot prove trust without proving integrity.
> > I think you mean authenticity, not integrity?
> I’ve heard a lot of people use these terms in overloaded ways.
>
> If we’re working with the definition of authenticity being
> “the property that a resource was _actually_ sent/created by a
> party”, and integrity being “the property that a resource was not
> modified from a point of time”, then yes. Though the statement isn’t
> false, though, because you’d need to prove integrity in the process of
> proving authenticity.
>
> If not, could you clarify what you mean by authenticity and integrity,
> so that we can use consistent definitions?
In cryptography, integrity normally means knowing whether data has been
non-maliciously changed, while authenticity means knowing whether data is from a
particular source, which implies knowing whether it has been changed at all
(whether maliciously or not). Consider that there are "Message Authentication
Codes" (MACs) and "Authenticated Encryption", not "Message Integrity Codes" and
"Intact Encryption".
Unfortunately lots of people do overload "integrity" to mean authenticity, so
you're not alone. But it's confusing, so if you're going to do that then please
make sure to clearly explain what you mean.
> > Also how does this differ from IMA? I know that IMA doesn't support fs-verity
> > file hashes, but that could be changed. Why not extend IMA to cover your use
> > case(s)?
> We looked at extending IMA to cover our requirements extensively the past
> year
> based on feedback the last time I posted these patches. We implemented a
> prototype that had half of our requirements, but found it resulted in a
> large change list that would result in a large amount of pain in respect
> to maintenance, in addition to other more architectural concerns about the
> implementation. We weren’t convinced it was the correct direction, for our
> needs.
>
> There was a presentation done at LSS 2021 around this prototype done by my
> colleague, Fan, who authored this patch and implemented the aforementioned
> prototype.
>
> In general, IMA provides a whole suite of amazing functionality when it
> comes to everything integrity, as the fs-verity documentation states
> itself:
>
> IMA specifies a system-wide policy that specifies which
> files are hashed and what to do with those hashes, such
> as log them, authenticate them, or add them to a
> measurement list.
>
> Instead, IPE provides a fine-tuned way to _only_ enforce an access control
> policy to these files based on the defined trust requirements in the policy,
> under various contexts, (you might have different requirements for what
> executes in a general purpose, versus loadable kernel modules, for example).
> It will never provide bother to log, measure, or revalidate these hashes
> because
> that’s not its purpose. This is why it belongs at the LSM layer instead of
> the
> integrity subsystem layer, as it is providing access control based on a
> policy,
> versus providing deep integrations with the actual integrity claim.
>
> IPE is trying to be agnostic to how precisely “trust” is provided, as
> opposed to be deeply integrated into the mechanism that provides
> “trust”.
IMA doesn't require logging or "measuring" hashes, though. Those are just some
of its supported features. And I thought the IMA developers were planning to
add support for fs-verity hashes, and that it wouldn't require an entirely new
architecture to do so.
Anyway, while it does sound to me like you're duplicating IMA, I don't really
have a horse in this race, and I defer to the IMA developers on this. I trust
that you've been engaging with them? This patchset isn't even Cc'ed to
linux-integrity, so it's unclear that's been happening.
- Eric
next prev parent reply other threads:[~2021-10-28 3:48 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-13 19:06 [RFC PATCH v7 00/16] Integrity Policy Enforcement (IPE) deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 01/16] security: add ipe lsm & initial context creation deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 02/16] ipe: add policy parser deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 03/16] ipe: add evaluation loop deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 04/16] ipe: add userspace interface deven.desai
2021-11-03 9:42 ` Roberto Sassu
2021-11-04 16:50 ` Deven Bowers
2021-10-13 19:06 ` [RFC PATCH v7 05/16] ipe: add LSM hooks on execution and kernel read deven.desai
2021-10-13 20:04 ` Casey Schaufler
2021-10-15 19:25 ` Deven Bowers
2021-10-25 12:22 ` Roberto Sassu
2021-10-26 19:03 ` Deven Bowers
2021-10-27 8:56 ` Roberto Sassu
2021-10-13 19:06 ` [RFC PATCH v7 06/16] uapi|audit: add trust audit message definitions deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 07/16] ipe: add auditing support deven.desai
2021-10-13 20:02 ` Steve Grubb
2021-10-15 19:25 ` Deven Bowers
2021-11-02 19:44 ` Steve Grubb
2021-11-04 16:59 ` Deven Bowers
2021-10-13 22:54 ` Randy Dunlap
2021-10-15 19:25 ` Deven Bowers
2021-10-15 19:50 ` Randy Dunlap
2021-10-26 19:03 ` Deven Bowers
2021-10-13 19:06 ` [RFC PATCH v7 08/16] ipe: add permissive toggle deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 09/16] ipe: introduce 'boot_verified' as a trust provider deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 10/16] fs|dm-verity: add block_dev LSM blob and submit dm-verity data deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 11/16] ipe: add support for dm-verity as a trust provider deven.desai
2021-11-25 9:37 ` Roberto Sassu
2021-11-30 18:55 ` Deven Bowers
2021-12-01 16:37 ` [RFC][PATCH] device mapper: Add builtin function dm_get_status() Roberto Sassu
2021-12-01 16:43 ` Roberto Sassu
2021-12-02 7:20 ` Christoph Hellwig
2021-12-02 7:59 ` Roberto Sassu
2021-12-02 8:44 ` Christoph Hellwig
2021-12-02 9:29 ` Roberto Sassu
2021-12-03 6:52 ` Christoph Hellwig
2021-12-03 10:20 ` Roberto Sassu
2021-12-06 10:57 ` Roberto Sassu
2021-10-13 19:06 ` [RFC PATCH v7 12/16] fsverity|security: add security hooks to fsverity digest and signature deven.desai
2021-10-13 19:24 ` Eric Biggers
2021-10-15 19:25 ` Deven Bowers
2021-10-15 20:11 ` Eric Biggers
2021-10-20 15:08 ` Roberto Sassu
2021-10-22 16:31 ` Roberto Sassu
2021-10-26 19:03 ` Deven Bowers
2021-10-27 8:41 ` Roberto Sassu
2021-10-26 19:03 ` Deven Bowers
2021-10-27 9:34 ` Roberto Sassu
2021-10-28 3:48 ` Eric Biggers [this message]
2021-10-28 18:11 ` Deven Bowers
2021-11-03 12:28 ` Roberto Sassu
2021-11-04 17:12 ` Deven Bowers
2021-10-13 19:06 ` [RFC PATCH v7 13/16] ipe: enable support for fs-verity as a trust provider deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 14/16] scripts: add boot policy generation program deven.desai
2021-11-03 16:43 ` Roberto Sassu
2021-11-03 16:53 ` Roberto Sassu
2021-11-04 16:52 ` Deven Bowers
2021-10-13 19:06 ` [RFC PATCH v7 15/16] ipe: kunit tests deven.desai
2021-10-13 19:06 ` [RFC PATCH v7 16/16] documentation: add ipe documentation deven.desai
2021-10-25 11:30 ` [RFC PATCH v7 00/16] Integrity Policy Enforcement (IPE) Roberto Sassu
2021-10-26 19:03 ` Deven Bowers
2021-10-27 8:26 ` Roberto Sassu
2021-10-28 20:36 ` Deven Bowers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YXodhzYto5BRxqYO@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=agk@redhat.com \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@redhat.com \
--cc=eparis@redhat.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=linux-audit@redhat.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=snitzer@redhat.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).