From: Roberto Sassu <roberto.sassu@huawei.com>
To: <zohar@linux.ibm.com>, <dmitry.kasatkin@huawei.com>, <mjg59@google.com>
Cc: <linux-integrity@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<linux-fsdevel@vger.kernel.org>, <linux-doc@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <silviu.vlasceanu@huawei.com>
Subject: Re: [PATCH v4 00/14] ima: introduce IMA Digest Lists extension
Date: Mon, 17 Jun 2019 08:56:53 +0200
Message-ID: <9029dd14-1077-ec89-ddc2-e677e16ad314@huawei.com>
In-Reply-To: <20190614175513.27097-1-roberto.sassu@huawei.com>
On 6/14/2019 7:54 PM, Roberto Sassu wrote:
> This patch set introduces a new IMA extension called IMA Digest Lists.
>
> At early boot, the extension preloads in kernel memory reference digest
> values, that can be compared with actual file digests when files are
> accessed in the system.
>
> The extension will open for new possibilities: PCR with predictable value,
> that can be used for sealing policies associated with data or TPM keys;
> appraisal based on reference digests already provided by Linux distribution
> vendors in the software packages.
>
> The first objective can be achieved because the PCR values do not depend
> on which and when files are measured: the extension measures digest lists
> sequentially and files whose digest is not in the digest list.
>
> The second objective can be reached because the extension is able to
> extract reference measurements from packages (with a user space tool) and
> use them as a source for appraisal verification as the reference came from
> the security.ima xattr. This approach will also reduce the overhead as only
> one signature is verified for many files (as opposed to one signature for
> each file with the current implementation).
>
> This version of the patch set provides a clear separation between current
> and new functionality. First, the new functionality must be explicitly
> enabled from the kernel command line. Second, results of operations
> performed by the extension can be distinguished from those obtained from
> the existing code: measurement entries created by the extension have a
> different PCR; mutable files appraised with the extension have a different
> security.ima type.
>
> The review of this patch set should start from patches 11 and 12, which
> modify the IMA-Measure and IMA-Appraise submodules to use digest lists.
> Patches 1 to 5 are prerequisites. Patches 6 to 10 add support for digest
> lists. Finally, patch 13 introduces two new policies to measure/appraise
> rootfs and patch 14 adds the documentation (including a flow chart to
> show how IMA has been modified).
>
> The user space tools to configure digest lists are available at:
>
> https://github.com/euleros/digest-list-tools/releases/tag/v0.3
>
> The patch set applies on top of linux-integrity/next-queued-testing
> (73589972b987).
>
> It is necessary to apply also:
> https://patchwork.kernel.org/cover/10957495/
Another dependency is:
https://patchwork.kernel.org/cover/10979341/
Roberto
> To use appraisal, it is necessary to use a modified cpio and a modified
> dracut:
>
> https://github.com/euleros/cpio/tree/xattr-v1
> https://github.com/euleros/dracut/tree/digest-lists
>
> For now, please use it only in a testing environment.
>
>
> Changelog
>
> v3:
> - move ima_lookup_loaded_digest() and ima_add_digest_data_entry() from
> ima_queue.c to ima_digest_list.c
> - remove patch that introduces security.ima_algo
> - add version number and type modifiers to the compact list header
> - remove digest list metadata, all digest lists in the directory are
> accessed
> - move loading of signing keys to user space
> - add violation for both PCRs if they are selected
> - introduce two new appraisal modes
>
> v2:
> - add support for multiple hash algorithms
> - remove RPM parser from the kernel
> - add support for parsing digest lists in user space
>
> v1:
> - add support for immutable/mutable files
> - add support for appraisal with digest lists
>
>
> Roberto Sassu (14):
> ima: read hash algorithm from security.ima even if appraisal is not
> enabled
> ima: generalize ima_read_policy()
> ima: generalize ima_write_policy() and raise uploaded data size limit
> ima: generalize policy file operations
> ima: use ima_show_htable_value to show violations and hash table data
> ima: add parser of compact digest list
> ima: restrict upload of converted digest lists
> ima: prevent usage of digest lists that are not measured/appraised
> ima: introduce new securityfs files
> ima: load parser digests and execute the parser at boot time
> ima: add support for measurement with digest lists
> ima: add support for appraisal with digest lists
> ima: introduce new policies initrd and appraise_initrd
> ima: add Documentation/security/IMA-digest-lists.txt
>
> .../admin-guide/kernel-parameters.txt | 16 +-
> Documentation/security/IMA-digest-lists.txt | 226 +++++++++++++
> include/linux/evm.h | 6 +
> include/linux/fs.h | 1 +
> security/integrity/evm/evm_main.c | 2 +-
> security/integrity/iint.c | 1 +
> security/integrity/ima/Kconfig | 25 ++
> security/integrity/ima/Makefile | 1 +
> security/integrity/ima/ima.h | 32 +-
> security/integrity/ima/ima_api.c | 43 ++-
> security/integrity/ima/ima_appraise.c | 92 +++---
> security/integrity/ima/ima_digest_list.c | 309 ++++++++++++++++++
> security/integrity/ima/ima_digest_list.h | 69 ++++
> security/integrity/ima/ima_fs.c | 224 ++++++++-----
> security/integrity/ima/ima_init.c | 2 +-
> security/integrity/ima/ima_main.c | 81 ++++-
> security/integrity/ima/ima_policy.c | 29 +-
> security/integrity/integrity.h | 22 ++
> 18 files changed, 1018 insertions(+), 163 deletions(-)
> create mode 100644 Documentation/security/IMA-digest-lists.txt
> create mode 100644 security/integrity/ima/ima_digest_list.c
> create mode 100644 security/integrity/ima/ima_digest_list.h
>
--
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI
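The cover letter's first objective, a PCR whose value does not depend on which files are accessed or in what order, can be checked with a toy model. The code below is an added illustration, not part of the patch set or of digest-list-tools: it models a PCR as a single SHA-256 register extended TPM-style (new = H(old || digest)) and measures a digest list as the hash of its concatenated entries; the real IMA template format, PCR numbering and the compact list header are deliberately left out.

```python
import hashlib

PCR_INIT = bytes(32)  # PCR reset value, all zeros


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: the new value binds the old value and the new digest."""
    return sha256(pcr + digest)


def measure_per_file(accessed: list) -> bytes:
    """Existing IMA-Measure behaviour: every accessed file extends the PCR,
    so the final value depends on which files were read and in what order."""
    pcr = PCR_INIT
    for content in accessed:
        pcr = pcr_extend(pcr, sha256(content))
    return pcr


def measure_with_digest_lists(digest_lists: list, accessed: list) -> bytes:
    """Digest Lists behaviour (simplified model): lists are measured
    sequentially at boot, then only files NOT found in any list extend the PCR."""
    pcr = PCR_INIT
    known = set()
    for digests in digest_lists:
        pcr = pcr_extend(pcr, sha256(b"".join(digests)))  # measure the list itself
        known.update(digests)
    for content in accessed:
        d = sha256(content)
        if d not in known:
            pcr = pcr_extend(pcr, d)  # unlisted file: measured as before
    return pcr


# Constructed "package" contents and the digest list a vendor would ship.
SH, LS, CAT = b"sh-binary-v1", b"ls-binary-v1", b"cat-binary-v1"
DISTRO_LIST = [sha256(SH), sha256(LS), sha256(CAT)]
UNKNOWN = b"locally-built-tool"  # constructed: not in any package

BOOT_A = [SH, LS, CAT]  # same files, different access order ...
BOOT_B = [CAT, SH, LS]
BOOT_C = [SH, UNKNOWN]  # ... and a boot that runs an unlisted file


def compare_boots() -> dict:
    dl = [DISTRO_LIST]
    return {
        "per_file_stable": measure_per_file(BOOT_A) == measure_per_file(BOOT_B),
        "digest_list_stable": measure_with_digest_lists(dl, BOOT_A)
        == measure_with_digest_lists(dl, BOOT_B),
        "unknown_file_changes_pcr": measure_with_digest_lists(dl, BOOT_C)
        != measure_with_digest_lists(dl, BOOT_A),
    }
```

With every accessed file listed, the digest-list PCR equals the value obtained right after measuring the lists, which is what makes a sealing policy on that PCR practical; an unlisted file still perturbs it.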