linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Janne Karhunen <janne.karhunen@gmail.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: david.safford@gmail.com, linux-integrity@vger.kernel.org,
	linux-security-module <linux-security-module@vger.kernel.org>,
	Ken Goldman <kgold@linux.ibm.com>,
	"Wiseman, Monty (GE Global Research, US)" <monty.wiseman@ge.com>,
	Amir Goldstein <amir73il@gmail.com>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH v2] ima: export the measurement list when needed
Date: Tue, 11 Feb 2020 10:06:38 +0200	[thread overview]
Message-ID: <CAE=Ncra+BSUQbCH=VP-P3dNx8S=9n7094qr_tTAQ=kHiJJbwsg@mail.gmail.com> (raw)
In-Reply-To: <1581366258.5585.891.camel@linux.ibm.com>

On Mon, Feb 10, 2020 at 10:25 PM Mimi Zohar <zohar@linux.ibm.com> wrote:

> A third aspect, which I'm concerned about, is removing records from
> the measurement list.  This changes the existing userspace
> expectations of returning the entire measurement list.  Now userspace
> will need some out of band method of knowing where to look for the
> measurements.

Well, the original patch has a mechanism with one bit flip. You can
read the list name given that you are in the right namespace and/or
mount.


> > > The kernel already exports the IMA measurement list to userspace via a
> > > securityfs file.  From a userspace perspective, missing is the ability
> > > of removing N number of records.  In this scenario, userspace would be
> > > responsible for safely storing the measurements (e.g. blockchain).
> > >  The kernel would only be responsible for limiting permission, perhaps
> > > based on a capability, before removing records from the measurement
> > > list.
> >
> > I don't think we want to export 'N' records, as this would
> > be really hard to understand and coordinate with userspace.
> > Exporting all or none seems simpler.
>
> Userspace already has the ability of exporting the measurement list.
>  However, beetween saving the measurement list to a file and telling
> the kernel to delete the records from the kernel, additional
> measurement could have been added.

This is not an issue as long as there is no 'ALL' alias. We can't
agree on what 'ALL' is, but we can agree on 'N'.


> > Tampering is prevented with the TPM_QUOTE. Accidental deletion is
> > protected with CAP_SYS_ADMIN. If CAP_SYS_ADMIN is untrusted, you
> > have bigger problems, and even then it will be detected.
>
> Agreed, attestation will detect any tampering, but up to now we didn't
> have to rely on DAC/MAC to prevent tampering of the measurement list.

True. How about storing a hmac of the file in a securityfs entry?


--
Janne

  reply	other threads:[~2020-02-11  8:06 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-08 11:17 [PATCH v2] ima: export the measurement list when needed Janne Karhunen
2020-01-10  8:48 ` Janne Karhunen
2020-01-22 15:56   ` Mimi Zohar
2020-01-23  8:41     ` Janne Karhunen
2020-01-26 17:01       ` Mimi Zohar
2020-01-27  9:03         ` Janne Karhunen
2020-02-06 14:13   ` Mimi Zohar
2020-02-10  8:04     ` Janne Karhunen
2020-02-10 15:26       ` Mimi Zohar
2020-02-10 18:18     ` david.safford
2020-02-10 20:24       ` Mimi Zohar
2020-02-11  8:06         ` Janne Karhunen [this message]
2020-02-11 16:10         ` david.safford
2020-02-11 23:10           ` Mimi Zohar
2020-02-12 21:08             ` david.safford
2020-02-13  1:03               ` Mimi Zohar
2020-02-13  6:41                 ` Janne Karhunen
2020-02-18 15:36                   ` Mimi Zohar
2020-02-13 20:11           ` Ken Goldman
2020-02-18 14:50             ` david.safford
2020-01-24 14:46 ` david.safford
2020-01-27  8:48   ` Janne Karhunen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAE=Ncra+BSUQbCH=VP-P3dNx8S=9n7094qr_tTAQ=kHiJJbwsg@mail.gmail.com' \
    --to=janne.karhunen@gmail.com \
    --cc=amir73il@gmail.com \
    --cc=david.safford@gmail.com \
    --cc=kgold@linux.ibm.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=monty.wiseman@ge.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).