From: Denis Semakin <denis.semakin@huawei.com>
To: <linux-integrity@vger.kernel.org>
Cc: <artem.kuzin@huawei.com>, <konstantin.meskhidze@huawei.com>,
	<yusongping@huawei.com>, <hukeping@huawei.com>,
	<roberto.sassu@huawei.com>, <krzysztof.struczynski@huawei.com>,
	<stefanb@linux.ibm.com>, <denis.semakin@huawei-partners.com>
Subject: [RFC PATCH v2 0/4] Virtualize PCR for Container-IMA
Date: Mon, 31 Oct 2022 10:55:07 +0800
Message-ID: <20221031025507.298323-1-denis.semakin@huawei.com>

The main goal of this series is to provide the opportunity
for retrieving integrity information from containers (namespaces)
in case of remote attestation requests and requests from other servers
querying the state of integrity for any given container.

The detailed description and architecture can be found here:
https://www.usenix.org/system/files/raid2019-luo.pdf,
this paper shows the basics for how it works in general
but did not solve some practical issues related to memory allocation,
TPM interaction etc.

Summary:

Let Ih be the host integrity, and Ic1, Ic2, Icn the integrity
of the first, second, etc. container.
Then the whole integrity of the system would be:

        Ih = Ic1 + Ic2 + ... + Icn;

        where Ic1, Ic2 ... are the integrity of the corresponding
        containers (namespaces)

Each container integrity consists of measurement lists
and the value of virtual PCR (container PCR). vPCR = cPCR.

        Architecture scheme

        .---------.     .---------.          .---------.
        | C1 with |     | C2 with |          | Cn with |
        | IMA-ns  |     | IMA-ns  |          | IMA-ns  |
        |---------|     |---------|          |---------|
        |  vPCR1  |<--->|  vPCR2  |... <---> |  vPCRn  |
        |---------|     |---------|          |---------|
        |         |     |         |          |         |
        '---------'     '---------'          '---------'

        C1, C2, Cn - containers (with IMA namespaces)
        vPCRi - virtual PCR (in other words cPCR - container PCRs)

Each IMA namespace which belongs to a container should
store its own PCR value (virtual vPCR or in other words
container PCR = cPCR = vPCR, virtual PCR)
and should perform a number of operations.

Measurement:
1. records the history value of a specific PCR (historyPCR)
   which is not used in the current system. In our prototype
   based on TPM 2.0, we choose PCR12.

2. records the digest of all cPCRs
   (cPCR - container PCR or virtual PCR that is stored for namespace).
   During measurement perform:

   tempValue := cPCRi.value xor cPCRi.secret;
   tempPCR := HASH(tempPCR || tempValue);

   Where cPCRi.value is the value of a given namespace, cPCRi.secret is
   a randomly generated sequence of bytes for the namespace,
   || is concatenation.

3. extends the physical PCR12 with the final tempPCR.
   PCR12 := PCR_Extend(PCR12,tempPCR)

Attestation:
When receiving this request, the IMA (and TPM) should provide
the following data:
1. the related PCR values, in our case this is PCR12

2. sendcPCRs list where sendcPCR for each namespace is calculated as:
   sendcPCRs = cPCRi.value xor cPCRi.secret
3. Measurement lists for namespace.

This work is also based on Stefan Berger's patches from:
https://github.com/stefanberger/linux-ima-namespaces

Denis Semakin (4):
  ima: Introduce PCR virtualization for IMA namespace.
  ima: Use tpm_chip from init IMA namespace.
  ima: Create vpcr file on securityfs.
  ima: Extend the real PCR12 with tempPCR value.

 security/integrity/ima/ima.h             |  13 +-
 security/integrity/ima/ima_fs.c          | 147 +++++++++++++++++++++++
 security/integrity/ima/ima_init_ima_ns.c |  21 ++++
 security/integrity/ima/ima_ns.c          |   3 +
 security/integrity/ima/ima_queue.c       |  55 +++++++++
 5 files changed, 238 insertions(+), 1 deletion(-)

v2: use sequential structure and methods for file on securityfs

-- 
2.38.GIT
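
The Measurement and Attestation steps in the cover letter above, as an added example that is not part of the original message or of the patch series: a user-space model of the host-side computation and of the check a verifier could run on the returned PCR12 and sendcPCRs list. SHA-256, an all-zero initial tempPCR, historyPCR being the PCR12 value before the extend, and all function names and sample values are assumptions.

```python
import hashlib
import hmac

DIGEST_LEN = 32  # assumption: SHA-256 PCR bank


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new PCR = HASH(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def fold_temp_pcr(send_cpcrs) -> bytes:
    """tempPCR := HASH(tempPCR || tempValue) over each masked cPCR, in order."""
    temp = bytes(DIGEST_LEN)  # assumption: tempPCR starts as all zeros
    for masked in send_cpcrs:
        if len(masked) != DIGEST_LEN:
            raise ValueError("masked cPCR has wrong length")
        temp = hashlib.sha256(temp + masked).digest()
    return temp


def measure(history_pcr: bytes, namespaces):
    """Host side: mask every cPCR with its secret, fold, extend PCR12."""
    send = [xor_bytes(value, secret) for value, secret in namespaces]
    return pcr_extend(history_pcr, fold_temp_pcr(send)), send


def verify(history_pcr: bytes, quoted_pcr12: bytes, send_cpcrs) -> bool:
    """Verifier side: recompute PCR12 from historyPCR and the sendcPCRs list."""
    expected = pcr_extend(history_pcr, fold_temp_pcr(send_cpcrs))
    return hmac.compare_digest(expected, quoted_pcr12)


def demo():
    # Constructed sample data: three namespaces with (cPCR value, secret).
    # Real secrets are random; fixed ones keep the example reproducible.
    history = bytes(DIGEST_LEN)
    namespaces = [(hashlib.sha256(b"ns%d-measurements" % i).digest(),
                   hashlib.sha256(b"ns%d-secret" % i).digest())
                  for i in range(3)]
    pcr12, send = measure(history, namespaces)
    tampered = [send[0], bytes(DIGEST_LEN), send[2]]  # one entry replaced
    reordered = [send[1], send[0], send[2]]           # list order changed
    return (verify(history, pcr12, send),
            verify(history, pcr12, tampered),
            verify(history, pcr12, reordered))
```

Because tempPCR is a hash chain, the check fails both when a sendcPCR entry is altered and when the list order changes, so the verifier must process the list in the order the host folded it.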


Thread overview: 13+ messages
2022-10-31  2:55 Denis Semakin [this message]
2022-10-31  2:59 ` [RFC PATCH v2 1/4] ima: Introduce PCR virtualization for IMA namespace Denis Semakin
2022-10-31  2:59 ` [RFC PATCH v2 2/4] ima: Use tpm_chip from init " Denis Semakin
2022-10-31  3:00 ` [RFC PATCH v2 3/4] ima: Create vpcr file on securityfs Denis Semakin
2022-10-31  3:00 ` [RFC PATCH v2 4/4] ima: Extend the real PCR12 with tempPCR value Denis Semakin
2023-01-27  8:19 ` [RFC PATCH v1 0/3] ima: vPCR debug/security Ilya Hanov
2023-01-27  8:19   ` [RFC PATCH v1 1/3] ima: Add a UUID value for each vPCR Ilya Hanov
2023-01-27  8:19   ` [RFC PATCH v1 2/3] ima: ascii_vpcr pseudo-file for sysadmins Ilya Hanov
2023-01-27  8:19   ` [RFC PATCH v1 3/3] ima: Use TPM RNG for vPCR.secret if it's presented Ilya Hanov
2023-03-29  8:58   ` [RFC PATCH v1 0/1] ima: obtain child measurement list from init namespace Denis Semakin
2023-05-02 13:36     ` Stefan Berger
2023-05-02 14:00       ` Denis Semakin
2023-03-29  9:03   ` [RFC PATCH v1 1/1] " Denis Semakin
