Re: [PATCH V2 3/4] IMA: Optionally make use of filesystem-provided hashes

From: Mimi Zohar <zohar@linux.ibm.com>
To: Matthew Garrett <mjg59@google.com>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-fsdevel@vger.kernel.org, miklos@szeredi.hu
Subject: Re: [PATCH V2 3/4] IMA: Optionally make use of filesystem-provided hashes
Date: Wed, 06 Mar 2019 17:38:57 -0500	[thread overview]
Message-ID: <1551911937.31706.217.camel@linux.ibm.com> (raw)
In-Reply-To: <CACdnJuvRuagNTidkq3d4g_OwfzqcALtd=g1-5LDzr2aBA1zV6w@mail.gmail.com>

On Wed, 2019-03-06 at 10:31 -0800, Matthew Garrett wrote:
> On Wed, Mar 6, 2019 at 4:30 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > On Tue, 2019-03-05 at 12:27 -0800, Matthew Garrett wrote:
> > > But what's the threat? If an attacker is in a position to inject
> > > additional IMA policy then in general they're already in a position to
> > > violate other security assumptions. Admins who have a threat model
> > > that includes an attacker being able to do this are already requiring
> > > signed policy. What's the threat that requiring signed policy for this
> > > specific option mitigates?
> >
> > That might be true, but this "feature" isn't a minor change.  It
> > totally changes the IMA measurement list meaning, without any
> > indication of the change in meaning.
> 
> Ok. Would annotating the audit message to indicate that the hash was
> provided directly by the filesystem be sufficient? 

The audit log doesn't have the same security properties as the TPM
quote and IMA measurement list.  Nor does the attestation server
necessarily have access to it.

> I'm not clear on
> why an admin would set this flag without having read the documentation
> for it - like many security features, enabling an inappropriate
> combination of them may result in bad things happening.  I'm not keen
> on tying it to signing because:
> 
> a) There are multiple configurations where requiring signed policy
> doesn't give a security benefit - if the IMA policy is part of a
> verified or measured initramfs, we already have integrity guarantees
> and adding an additional layer of signing doesn't win us anything (eg,
> in this configuration the IMA key may be loaded from the initramfs as
> well, so an attacker able to modify policy could add an additional
> signing key).

Agreed, as long as there is no possibility of additional files being
installed/downloaded to the rootfs or files on other filesystems being
accessed before the IMA keyring is locked or a custom policy is
installed, a verified or measured initramfs might be enough.

This implies that both the custom policy and the keys loaded onto the
IMA keyring are included in the initramfs, which isn't what is
currently being done today.  My preference would be to remove the
original method of loading unsigned IMA policies, but that could/would
break existing systems.

> b) Users who are already using signed policy won't get the additional
> hint that you think is necessary.

But they would have to knowingly add "get_hash" to the IMA policy and
have signed it.

> I'm happy to add this if there's a real threat model around it, but
> requiring signing for something other than security reasons seems like
> it's conflating unrelated issues.

A colleague said, relying on the filesystem to provide the file hash
extends the TCB to include filesystems.

Mimi