From: Eric Biggers <ebiggers@kernel.org>
To: Vitaly Chikunov <vt@altlinux.org>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
linux-integrity@vger.kernel.org, linux-fscrypt@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1 4/5] ima: support fs-verity file digest based signatures
Date: Sun, 9 Jan 2022 13:07:18 -0800 [thread overview]
Message-ID: <YdtOhsv/A5dqlApY@sol.localdomain> (raw)
In-Reply-To: <20220109204537.oueokvvkrkyy3ipq@altlinux.org>
On Sun, Jan 09, 2022 at 11:45:37PM +0300, Vitaly Chikunov wrote:
> Eric,
>
> On Wed, Jan 05, 2022 at 03:37:39PM -0800, Eric Biggers wrote:
> > On Fri, Dec 31, 2021 at 10:35:00AM -0500, Mimi Zohar wrote:
> > > On Thu, 2021-12-02 at 14:07 -0800, Eric Biggers wrote:
> > > > On Thu, Dec 02, 2021 at 04:55:06PM -0500, Mimi Zohar wrote:
> > > > > case IMA_VERITY_DIGSIG:
> > > > > - fallthrough;
> > > > > + set_bit(IMA_DIGSIG, &iint->atomic_flags);
> > > > > +
> > > > > + /*
> > > > > + * The IMA signature is based on a hash of IMA_VERITY_DIGSIG
> > > > > + * and the fs-verity file digest, not directly on the
> > > > > + * fs-verity file digest. Both digests should probably be
> > > > > + * included in the IMA measurement list, but for now this
> > > > > + * digest is only used for verifying the IMA signature.
> > > > > + */
> > > > > + verity_digest[0] = IMA_VERITY_DIGSIG;
> > > > > + memcpy(verity_digest + 1, iint->ima_hash->digest,
> > > > > + iint->ima_hash->length);
> > > > > +
> > > > > + hash.hdr.algo = iint->ima_hash->algo;
> > > > > + hash.hdr.length = iint->ima_hash->length;
> > > >
> > > > This is still wrong because the bytes being signed don't include the hash
> > > > algorithm. Unless you mean for it to be implicitly always SHA-256? fs-verity
> > > > supports SHA-512 too, and it may support other hash algorithms in the future.
> > >
> > > IMA assumes that the file hash algorithm and the signature algorithm
> > > are the same. If they're not the same, for whatever reason, the
> > > signature verification would simply fail.
> > >
> > > Based on the v2 signature header 'type' field, IMA can differentiate
> > > between regular IMA file hash based signatures and fs-verity file
> > > digest based signatures. The digest field (d-ng) in the IMA
> > > meausrement list prefixes the digest with the hash algorithm. I'm
> > > missing the reason for needing to hash fs-verity's file digest with
> > > other metadata, and sign that hash rather than fs-verity's file digest
> > > directly.
> >
> > Because if someone signs a raw hash, then they also implicitly sign the same
> > hash value for all supported hash algorithms that produce the same length hash.
>
> Unless there is broken hash algorithm allowing for preimage attacks this
> is irrelevant. If there is two broken algorithms allowing for collisions,
> colliding hashes could be prepared even if algo id is hashed too.
>
Only one algorithm needs to be broken. For example, SM3 has the same hash
length as SHA-256. If SM3 support were to be added to fs-verity, and if someone
were to find a way to find an input that has a specific SM3 digest, then they
could also make it match a specific SHA-256 digest. Someone might intend to
sign a SHA-256 digest, but if they are only signing the raw 32 bytes of the
digest, then they would also be signing the corresponding SM3 digest. That's
why the digest that is signed *must* also include the algorithm used in the
digest (not the algorithm(s) used in the signature, which is different).
- Eric
next prev parent reply other threads:[~2022-01-09 21:07 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-02 21:55 [PATCH v1 0/5] ima: support fs-verity signatures stored as Mimi Zohar
2021-12-02 21:55 ` [PATCH v1 1/5] fs-verity: define a function to return the integrity protected file digest Mimi Zohar
2021-12-02 22:15 ` Eric Biggers
2021-12-02 21:55 ` [PATCH v1 2/5] ima: define a new signature type named IMA_VERITY_DIGSIG Mimi Zohar
2021-12-02 21:55 ` [PATCH v1 3/5] ima: limit including fs-verity's file digest in measurement list Mimi Zohar
2021-12-02 22:22 ` Eric Biggers
2021-12-02 22:55 ` Mimi Zohar
2021-12-02 21:55 ` [PATCH v1 4/5] ima: support fs-verity file digest based signatures Mimi Zohar
2021-12-02 22:07 ` Eric Biggers
2021-12-02 22:13 ` Mimi Zohar
2021-12-02 22:18 ` Eric Biggers
2021-12-31 15:35 ` Mimi Zohar
2022-01-05 23:37 ` Eric Biggers
2022-01-09 20:45 ` Vitaly Chikunov
2022-01-09 21:07 ` Eric Biggers [this message]
2022-01-15 5:31 ` Vitaly Chikunov
2022-01-15 6:21 ` Eric Biggers
2022-01-16 3:31 ` Stefan Berger
2022-01-16 5:24 ` Stefan Berger
2022-01-19 0:49 ` Eric Biggers
2022-01-19 15:41 ` Stefan Berger
2022-01-16 17:01 ` Mimi Zohar
2022-01-19 0:39 ` Eric Biggers
2022-01-20 16:39 ` Mimi Zohar
2022-01-20 21:05 ` Eric Biggers
2021-12-02 21:55 ` [PATCH v1 5/5] fsverity: update the documentation Mimi Zohar
2021-12-02 22:09 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YdtOhsv/A5dqlApY@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=vt@altlinux.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).