linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Roberto Sassu <roberto.sassu@huawei.com>
To: <zohar@linux.ibm.com>, <gregkh@linuxfoundation.org>,
	<mchehab+huawei@kernel.org>
Cc: <linux-integrity@vger.kernel.org>,
	<linux-security-module@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: [RFC][PATCH 0/7] ima: Measure and appraise files with DIGLIM
Date: Thu, 30 Sep 2021 13:55:26 +0200	[thread overview]
Message-ID: <20210930115533.878169-1-roberto.sassu@huawei.com> (raw)

I'm posting this patch set, although the dependencies are not yet accepted,
to provide a more complete picture about DIGLIM and how it can be
concretely used.

This patch set depends on:
- new execution policies in IMA
  (https://lore.kernel.org/linux-integrity/20210409114313.4073-1-roberto.sassu@huawei.com/)
- support for the euid policy keyword for critical data
  (https://lore.kernel.org/linux-integrity/20210705115650.3373599-1-roberto.sassu@huawei.com/)
- DIGLIM basic features
  (https://lore.kernel.org/linux-integrity/20210914163401.864635-1-roberto.sassu@huawei.com/)
- DIGLIM advanced features
  (https://lore.kernel.org/linux-integrity/20210915163145.1046505-1-roberto.sassu@huawei.com/)

The patch sets 'integrity: Introduce DIGLIM' and 'integrity: Introduce
DIGLIM advanced features' introduced the possibility to build a repository
of reference values for files shipped with Linux distributions.

Currently those reference values can be loaded from a file in the compact
format, supported by the kernel, or from RPM headers. With future patch
sets, which will add support for PGP appended signatures, it will also be
possible to appraise untouched RPM headers with IMA.

The objective of this patch set is to introduce an alternative method for
performing measurements and appraisal with IMA, that overcome some
important limitations of the currently supported methods. For example,
for measurement, it is very hard to obtain a stable PCR that can be use
for sealing of TPM keys or data. For appraisal, Linux distributions vendors
have to change their building systems to include file signatures in the
packages.

The alternative method introduced with this patch set consists in skipping
the measurement and/or in granting access, when appraisal is in enforcing
mode, if the file or metadata digest has been found in the DIGLIM hash
table. A discussion about this approach can be found in the Benefits
section at:

https://lore.kernel.org/linux-integrity/20210914163401.864635-1-roberto.sassu@huawei.com/

The structure of this patch set is as follows.

Patches 1-3 introduce the 'use_diglim' keyword to select the alternative
method for measurement and appraisal and two new hardcoded policies to
measure and appraise DIGLIM-related files, and to enable usage of DIGLIM
for the other selected policy rules.

Patches 4-5 query respectively the file and metadata digest in DIGLIM.
DIGLIM returns whether the digest lists containing the passed digest have
been measured and appraised (requirement to select the alternative method),
and whether the file or metadata are immutable. In a future extension, a
new modifier will be introduced to tell IMA that the digest belongs to a
deny list instead of an allow list, so that IMA can act accordingly.

Patches 5-6 introduce the alternative method for measurement and appraisal.
If at least one digest list containing the calculated file or metadata
digest have been measured, IMA behaves as it performed a measurement. If at
least one digest list containing the calculated metadata digest has been
appraised, metadata verification is successful (required only when EVM is
enabled). If the same condition is verified for the calculated file or
metadata digest, file content verification is successful and the file is
marked as immutable if the digest lists have the corresponding modifier set
in the header.

It is important to remark that unless 'use_diglim' is set in the IMA
policy, DIGLIM is completely ignored and IMA behaves as before. In
addition, even if DIGLIM usage is enabled, other appraisal verification
methods with the xattr or the appended signature take precedence.

Roberto Sassu (7):
  integrity: Change type of IMA rule-related flags to u64
  ima: Introduce new policy keyword use_diglim
  ima: Introduce diglim and appraise_diglim policies
  ima: Query file digest and retrieve info from its digest lists
  ima: Query metadata digest and retrieve info from its digest lists
  ima: Skip measurement of files found in DIGLIM hash table
  ima: Add support for appraisal with digest lists

 Documentation/ABI/testing/ima_policy          |   4 +-
 .../admin-guide/kernel-parameters.txt         |  19 ++-
 include/linux/evm.h                           |  14 ++
 security/integrity/evm/evm_main.c             |  40 +++++
 security/integrity/ima/ima.h                  |   9 +-
 security/integrity/ima/ima_api.c              |   2 +-
 security/integrity/ima/ima_appraise.c         |  37 ++++-
 security/integrity/ima/ima_main.c             |  84 +++++++++-
 security/integrity/ima/ima_policy.c           | 144 +++++++++++++++++-
 security/integrity/integrity.h                |  62 ++++----
 10 files changed, 365 insertions(+), 50 deletions(-)

-- 
2.32.0


             reply	other threads:[~2021-09-30 11:55 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-30 11:55 Roberto Sassu [this message]
2021-09-30 11:55 ` [RFC][PATCH 1/7] integrity: Change type of IMA rule-related flags to u64 Roberto Sassu
2021-09-30 11:55 ` [RFC][PATCH 2/7] ima: Introduce new policy keyword use_diglim Roberto Sassu
2021-09-30 11:55 ` [RFC][PATCH 3/7] ima: Introduce diglim and appraise_diglim policies Roberto Sassu
2021-09-30 11:55 ` [RFC][PATCH 4/7] ima: Query file digest and retrieve info from its digest lists Roberto Sassu
2021-09-30 11:55 ` [RFC][PATCH 5/7] ima: Query metadata " Roberto Sassu
2021-09-30 11:55 ` [RFC][PATCH 6/7] ima: Skip measurement of files found in DIGLIM hash table Roberto Sassu
2021-09-30 11:55 ` [RFC][PATCH 7/7] ima: Add support for appraisal with digest lists Roberto Sassu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210930115533.878169-1-roberto.sassu@huawei.com \
    --to=roberto.sassu@huawei.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mchehab+huawei@kernel.org \
    --cc=zohar@linux.ibm.com \
    --subject='Re: [RFC][PATCH 0/7] ima: Measure and appraise files with DIGLIM' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).