From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7AFD5C433E9 for ; Fri, 15 Jan 2021 17:27:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 48A4723A9D for ; Fri, 15 Jan 2021 17:27:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728310AbhAOR1k (ORCPT ); Fri, 15 Jan 2021 12:27:40 -0500 Received: from linux.microsoft.com ([13.77.154.182]:55854 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725818AbhAOR1k (ORCPT ); Fri, 15 Jan 2021 12:27:40 -0500 Received: from [192.168.86.31] (c-71-197-163-6.hsd1.wa.comcast.net [71.197.163.6]) by linux.microsoft.com (Postfix) with ESMTPSA id C7DDE20B7192; Fri, 15 Jan 2021 09:26:58 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com C7DDE20B7192 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1610731619; bh=+VJnsF4kFMO6bAfGl4TRzpeiil80GFM1LYOrc/fFgg4=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=GcDkztX85xILiONq+dpyAyykK0sFFW73ywn6s2xpmwl+hgv6cCI5ts1pRJpXdOIUf WJ8NdCyON6431Nmj0nJTdrsP53FIjNu/ynst/WTe54A0goPkQX95QdQJZKN3f1ulUi djxo3L4EWQJu9LE92YwHmOGZg1RKdfNDumLiUWvc= Subject: Re: [PATCH v10 0/8] IMA: support for measuring kernel integrity critical data To: Mimi Zohar , stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com, paul@paul-moore.com Cc: tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com References: <20210108040708.8389-1-tusharsu@linux.microsoft.com> <5189c15054885863b1b5cb86a43bec09725d8650.camel@linux.ibm.com> From: Tushar Sugandhi Message-ID: Date: Fri, 15 Jan 2021 09:26:58 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <5189c15054885863b1b5cb86a43bec09725d8650.camel@linux.ibm.com> Content-Type: text/plain; charset=iso-8859-15; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org On 2021-01-15 4:54 a.m., Mimi Zohar wrote: > On Thu, 2021-01-07 at 20:07 -0800, Tushar Sugandhi wrote: >> IMA measures files and buffer data such as keys, command-line arguments >> passed to the kernel on kexec system call, etc. While these measurements >> are necessary for monitoring and validating the integrity of the system, >> they are not sufficient. Various data structures, policies, and states >> stored in kernel memory also impact the integrity of the system. >> Several kernel subsystems contain such integrity critical data - >> e.g. LSMs like SELinux, AppArmor etc. or device-mapper targets like >> dm-crypt, dm-verity, dm-integrity etc. These kernel subsystems help >> protect the integrity of a system. Their integrity critical data is not >> expected to change frequently during run-time. Some of these structures >> cannot be defined as __ro_after_init, because they are initialized later. >> >> For a given system, various external services/infrastructure tools >> (including the attestation service) interact with it - both during the >> setup and during rest of the system run-time. They share sensitive data >> and/or execute critical workload on that system. The external services >> may want to verify the current run-time state of the relevant kernel >> subsystems before fully trusting the system with business critical >> data/workload. For instance, verifying that SELinux is in "enforce" mode >> along with the expected policy, disks are encrypted with a certain >> configuration, secure boot is enabled etc. >> >> This series provides the necessary IMA functionality for kernel >> subsystems to ensure their configuration can be measured: >> - by kernel subsystems themselves, >> - in a tamper resistant way, >> - and re-measured - triggered on state/configuration change. >> >> This patch set: >> - defines a new IMA hook ima_measure_critical_data() to measure >> integrity critical data, >> - limits the critical data being measured based on a label, >> - defines a builtin critical data measurement policy, >> - and includes an SELinux consumer of the new IMA critical data hook. > > Thanks Tushar, Lakshmi. This patch set is queued in the next- > integrity-testing branch. > > Mimi > Hello Mimi, Paul, Stephen, Tyler, Thanks a lot for reviewing this series and providing all the valuable feedback over the last few months. We really really appreciate it. Thanks, Tushar