linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Chuck Lever <chuck.lever@oracle.com>,
	linux-integrity@vger.kernel.org,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>
Cc: Michael Halcrow <mhalcrow@google.com>,
	"Theodore Y. Ts'o" <tytso@google.com>,
	Matthew Garrett <mjg59@google.com>,
	Eric Biggers <ebiggers@google.com>
Subject: Re: IMA on remote file systems
Date: Sun, 15 Sep 2019 17:42:10 -0400	[thread overview]
Message-ID: <1568583730.5055.36.camel@linux.ibm.com> (raw)
In-Reply-To: <FA4C0F15-EE0A-4231-8415-A035C1CF3E32@oracle.com>

On Fri, 2019-09-13 at 10:50 -0400, Chuck Lever wrote:
> Resending ...
> 
> > On Aug 28, 2019, at 1:36 PM, Chuck Lever <chuck.lever@oracle.com> wrote:
> > 
> > Last week I presented at the Linux Security Summit on a proposal
> > for handling IMA metadata on NFS files. My proposal enables storage
> > of per-file IMA metadata via the NFSv4 protocol. I have a prototype
> > and an IETF nfsv4 Working Group document that specifies a small
> > protocol extension.
> > 
> > After the presentation, Mimi Zohar pointed out that although the
> > proposal extends protection from an NFS file server to time-of-
> > measurement on an NFS client, there is still a protection gap between
> > time-of-measurement and time-of-use on that client.
> > 
> > I would like to find a way to extend IMA protection all the way
> > to time-of-use on NFS clients. The consensus is that a per-file
> > Merkle tree would be the most desirable approach, as that is the
> > same mechanism used for fs-verity protection.
> > 
> > For a few important reasons, it will be challenging to plumb
> > support for durable Merkle trees into NFS, although that is an
> > eventual goal.
> > 
> > My thought was to use an ephemeral Merkle tree for NFS (and
> > possibly other remote filesystems, like FUSE, until these
> > filesystems support durable per-file Merkle trees). A tree would
> > be constructed when the client measures a file, but it would not
> > saved to the filesystem. Instead of a hash of the file's contents,
> > the tree's root signature is stored as the IMA metadata.
> > 
> > Once a Merkle tree is available, it can be used in exactly the
> > same way that a durable Merkle tree would, to verify the integrity
> > of individual pages as they are used, evicted, and then read back
> > from the server.
> > 
> > If the client needs to evict part or all of an ephemeral tree, it
> > can subsequently be reconstructed by measuring the file again and
> > verifying its root signature against the stored IMA metadata.
> > 
> > So the only difference here is that the latency-to-first-byte
> > benefit of a durable Merkle tree would be absent.
> > 
> > I'm interested in any thoughts or opinions about this approach.

I like the idea, but there are a couple of things that need to happen
first.  Both fs-verity and IMA appended signatures need to be
upstreamed.  The IMA appended signature support simplifies
ima_appraise_measurement(), paving the way for adding IMA support for
other types of signature verification.  How IMA will support fs-verity 
signatures still needs to be defined.  That discussion will hopefully
include NFS support.

Mimi


  reply	other threads:[~2019-09-15 21:42 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-28 17:36 IMA on remote file systems Chuck Lever
2019-09-13 14:50 ` Chuck Lever
2019-09-15 21:42   ` Mimi Zohar [this message]
2019-09-16 16:10     ` Theodore Y. Ts'o
2019-09-16 18:16       ` Chuck Lever
2019-09-16 13:16 ` Janne Karhunen
2019-09-16 14:47   ` Chuck Lever
2019-09-17  6:30     ` Janne Karhunen
2019-09-17 12:45       ` Theodore Y. Ts'o
2019-09-17 14:18         ` Mimi Zohar
2019-09-17 14:56         ` James Bottomley
2019-09-18  5:27           ` Janne Karhunen
2019-09-18 12:50             ` Theodore Y. Ts'o
2019-09-18 15:52             ` James Bottomley
2019-09-19  6:47               ` Janne Karhunen
2019-09-18 12:37           ` Theodore Y. Ts'o
2019-09-18 14:40             ` Mimi Zohar
2019-09-18 15:49             ` James Bottomley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1568583730.5055.36.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=chuck.lever@oracle.com \
    --cc=ebiggers@google.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=mhalcrow@google.com \
    --cc=mjg59@google.com \
    --cc=tytso@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).