From: Milan Broz <gmazyland@gmail.com>
To: Tushar Sugandhi <tusharsu@linux.microsoft.com>,
linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
dm-devel@redhat.com
Cc: jmorris@namei.org, chpebeni@linux.microsoft.com,
nramas@linux.microsoft.com, balajib@microsoft.com,
sashal@kernel.org, suredd@microsoft.com
Subject: Re: [RFC] IMA: New IMA measurements for dm-crypt and selinux
Date: Wed, 8 Apr 2020 18:28:03 +0200 [thread overview]
Message-ID: <76a9556d-b141-d26f-7b3c-3887d3a4ae16@gmail.com> (raw)
In-Reply-To: <f92bef0f-eb40-0e07-540c-321134e4b070@linux.microsoft.com>
On 08/04/2020 12:19, Tushar Sugandhi wrote:
> The goals of the kernel integrity subsystem are to detect if files have
> been accidentally or maliciously altered, both remotely and locally,
> appraise a file's measurement against a "good" value stored as an
> extended attribute, and enforce local file integrity [1].
>
> To achieve these goals, IMA subsystem measures several in-memory
> constructs and files.
>
> We propose to measure constructs in dm-crypt and selinux to further
> enhance measuring capabilities of IMA.
...
> Proposal:
> ---------
> A. Measuring dmcrypt constructs:
> We can add an IMA hook in crypt_ctr() present in
> drivers/md/dm-crypt.c, so that IMA can start measuring the status of
> various dm-crypt targets (represented by crypt_target struct - also
> defined in dm-crypt.c).
Hi,
I do not think you should just cherry-pick dm-crypt here. What about other
device-mapper targets? Apparently, dm-verity or dm-integrity are obvious
candidates too.
But device-mapper logic is based on stacking devices, so in generic case
(not just in some very special embedded configuration) you need to measure
the whole stack of devices.
(Just imagine a target stacked below dm-crypt that decrypts the device or so. :-)
Moreover, dm-crypt allows some specific actions like wiping and reloading
of the encryption key through device-mapper dm-crypt message.
If you check parameter only in crypt_ctr, this message path must be disabled,
basically crippling dm-crypt functionality (it is intended to wipe key in-memory
during hw suspend).
IMO if you want implement something like IMA measurement, I think you should
implement it in device-mapper core, and provide support for all targets.
I guess some new target specific callback is needed and some flags that
could enforce/disable stacking if a IMA measurement is in place etc.
Milan
next prev parent reply other threads:[~2020-04-08 16:28 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-08 10:19 [RFC] IMA: New IMA measurements for dm-crypt and selinux Tushar Sugandhi
2020-04-08 16:28 ` Milan Broz [this message]
2020-04-17 0:46 ` Tushar Sugandhi
2020-04-08 16:34 ` Casey Schaufler
2020-04-17 0:49 ` Tushar Sugandhi
2020-04-11 19:05 ` Stephen Smalley
2020-04-12 8:15 ` Lev R. Oshvang .
2020-04-14 1:11 ` Mimi Zohar
2020-04-14 10:06 ` Lev R. Oshvang .
2020-04-17 0:53 ` Tushar Sugandhi
2020-04-17 0:52 ` Tushar Sugandhi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=76a9556d-b141-d26f-7b3c-3887d3a4ae16@gmail.com \
--to=gmazyland@gmail.com \
--cc=balajib@microsoft.com \
--cc=chpebeni@linux.microsoft.com \
--cc=dm-devel@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=sashal@kernel.org \
--cc=selinux@vger.kernel.org \
--cc=suredd@microsoft.com \
--cc=tusharsu@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).