linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	stephen.smalley.work@gmail.com, casey@schaufler-ca.com
Cc: tyhicks@linux.microsoft.com, sashal@kernel.org,
	jmorris@namei.org, linux-integrity@vger.kernel.org,
	selinux@vger.kernel.org, linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v6 1/4] IMA: Add func to measure LSM state and policy
Date: Tue, 04 Aug 2020 23:25:08 -0400	[thread overview]
Message-ID: <4b9d2715d3ef3c8f915ef03867cfb1a39c0abc54.camel@linux.ibm.com> (raw)
In-Reply-To: <20200805004331.20652-2-nramas@linux.microsoft.com>

Hi Lakshmi,

There's still  a number of other patch sets needing to be reviewed
before my getting to this one.  The comment below is from a high level.

On Tue, 2020-08-04 at 17:43 -0700, Lakshmi Ramasubramanian wrote:
> Critical data structures of security modules need to be measured to
> enable an attestation service to verify if the configuration and
> policies for the security modules have been setup correctly and
> that they haven't been tampered with at runtime. A new IMA policy is
> required for handling this measurement.
> 
> Define two new IMA policy func namely LSM_STATE and LSM_POLICY to
> measure the state and the policy provided by the security modules.
> Update ima_match_rules() and ima_validate_rule() to check for
> the new func and ima_parse_rule() to handle the new func.

I can understand wanting to measure the in kernel LSM memory state to
make sure it hasn't changed, but policies are stored as files.  Buffer
measurements should be limited  to those things that are not files.

Changing how data is passed to the kernel has been happening for a
while.  For example, instead of passing the kernel module or kernel
image in a buffer, the new syscalls - finit_module, kexec_file_load -
pass an open file descriptor.  Similarly, instead of loading the IMA
policy data, a pathname may be provided.

Pre and post security hooks already exist for reading files.   Instead
of adding IMA support for measuring the policy file data, update the
mechanism for loading the LSM policy.  Then not only will you be able
to measure the policy, you'll also be able to require the policy be
signed.

Mimi


  reply	other threads:[~2020-08-05  3:25 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-05  0:43 [PATCH v6 0/4] LSM: Measure security module data Lakshmi Ramasubramanian
2020-08-05  0:43 ` [PATCH v6 1/4] IMA: Add func to measure LSM state and policy Lakshmi Ramasubramanian
2020-08-05  3:25   ` Mimi Zohar [this message]
2020-08-05 12:46     ` Stephen Smalley
2020-08-05 12:56       ` Mimi Zohar
2020-08-05 13:03         ` Stephen Smalley
2020-08-05 13:19           ` Mimi Zohar
2020-08-05 14:27             ` Stephen Smalley
2020-08-05 15:07               ` Tyler Hicks
2020-08-05 15:43                 ` Stephen Smalley
2020-08-05 16:45                   ` John Johansen
2020-08-05 15:17               ` Mimi Zohar
2020-08-05  0:43 ` [PATCH v6 2/4] IMA: Define IMA hooks " Lakshmi Ramasubramanian
2020-08-05  0:43 ` [PATCH v6 3/4] LSM: Define SELinux function to measure " Lakshmi Ramasubramanian
2020-08-05  0:43 ` [PATCH v6 4/4] IMA: Handle early boot data measurement Lakshmi Ramasubramanian
2020-08-05  1:04 ` [PATCH v6 0/4] LSM: Measure security module data Casey Schaufler
2020-08-05  1:14   ` Lakshmi Ramasubramanian
2020-08-05 15:36     ` Casey Schaufler
2020-08-05 15:45       ` Tyler Hicks
2020-08-05 16:07         ` Lakshmi Ramasubramanian
2020-08-05 16:14           ` Tyler Hicks
2020-08-05 16:21             ` Lakshmi Ramasubramanian
2020-08-05 16:32               ` Tyler Hicks
2020-08-05 17:31                 ` Casey Schaufler
2020-08-05 17:03         ` Mimi Zohar
2020-08-05 17:25           ` Lakshmi Ramasubramanian
2020-08-05 17:57             ` Casey Schaufler
2020-08-05 18:08               ` Lakshmi Ramasubramanian
2020-08-05 18:25                 ` Casey Schaufler
2020-08-12 20:37                   ` Lakshmi Ramasubramanian
2020-08-05 12:37   ` Mimi Zohar
2020-08-05 12:00 ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4b9d2715d3ef3c8f915ef03867cfb1a39c0abc54.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=casey@schaufler-ca.com \
    --cc=jmorris@namei.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nramas@linux.microsoft.com \
    --cc=sashal@kernel.org \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    --cc=tyhicks@linux.microsoft.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).