From: Mimi Zohar <zohar@linux.ibm.com>
To: James Morris <jmorris@namei.org>,
James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Deven Bowers <deven.desai@linux.microsoft.com>,
Pavel Machek <pavel@ucw.cz>, Sasha Levin <sashal@kernel.org>,
snitzer@redhat.com, dm-devel@redhat.com,
tyhicks@linux.microsoft.com, agk@redhat.com, paul@paul-moore.com,
corbet@lwn.net, nramas@linux.microsoft.com, serge@hallyn.com,
pasha.tatashin@soleen.com, jannh@google.com,
linux-block@vger.kernel.org, viro@zeniv.linux.org.uk,
axboe@kernel.dk, mdsakib@microsoft.com,
linux-kernel@vger.kernel.org, eparis@redhat.com,
linux-security-module@vger.kernel.org, linux-audit@redhat.com,
linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org,
jaskarankhurana@linux.microsoft.com
Subject: Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE)
Date: Wed, 05 Aug 2020 14:15:13 -0400 [thread overview]
Message-ID: <b08ae82102f35936427bf138085484f75532cff1.camel@linux.ibm.com> (raw)
In-Reply-To: <alpine.LRH.2.21.2008050934060.28225@namei.org>
On Wed, 2020-08-05 at 09:59 -0700, James Morris wrote:
> On Wed, 5 Aug 2020, James Bottomley wrote:
>
> > I'll leave Mimi to answer, but really this is exactly the question that
> > should have been asked before writing IPE. However, since we have the
> > cart before the horse, let me break the above down into two specific
> > questions.
>
> The question is valid and it was asked. We decided to first prototype what
> we needed and then evaluate if it should be integrated with IMA. We
> discussed this plan in person with Mimi (at LSS-NA in 2019), and presented
> a more mature version of IPE to LSS-NA in 2020, with the expectation that
> such a discussion may come up (it did not).
When we first spoke the concepts weren't fully formulated, at least to
me.
>
> These patches are still part of this process and 'RFC' status.
>
> > 1. Could we implement IPE in IMA (as in would extensions to IMA cover
> > everything). I think the answers above indicate this is a "yes".
>
> It could be done, if needed.
>
> > 2. Should we extend IMA to implement it? This is really whether from a
> > usability standpoint two seperate LSMs would make sense to cover the
> > different use cases.
>
> One issue here is that IMA is fundamentally a measurement & appraisal
> scheme which has been extended to include integrity enforcement. IPE was
> designed from scratch to only perform integrity enforcement. As such, it
> is a cleaner design -- "do one thing and do it well" is a good design
> pattern.
>
> In our use-case, we utilize _both_ IMA and IPE, for attestation and code
> integrity respectively. It is useful to be able to separate these
> concepts. They really are different:
>
> - Code integrity enforcement ensures that code running locally is of known
> provenance and has not been modified prior to execution.
>
> - Attestation is about measuring the health of a system and having that
> measurement validated by a remote system. (Local attestation is useless).
>
> I'm not sure there is value in continuing to shoe-horn both of these into
> IMA.
True, IMA was originally limited to measurement and attestation, but
most of the original EVM concepts were subsequently included in IMA.
(Remember, Reiner Sailer wrote the original IMA, which I inherited. I
was originially working on EVM code integrity.) From a naming
perspective including EVM code integrity in IMA was a mistake. My
thinking at the time was that as IMA was already calculating the file
hash, instead of re-calculating the file hash for integrity, calculate
the file hash once and re-use it for multiple things - measurement,
integrity, and audit. At the same time define a single system wide
policy.
When we first started working on IMA, EVM, trusted, and encrypted keys,
the general kernel community didn't see a need for any of it. Thus, a
lot of what was accomplished has been accomplished without the backing
of the real core filesystem people.
If block layer integrity was enough, there wouldn't have been a need
for fs-verity. Even fs-verity is limited to read only filesystems,
which makes validating file integrity so much easier. From the
beginning, we've said that fs-verity signatures should be included in
the measurement list. (I thought someone signed on to add that support
to IMA, but have not yet seen anything.)
Going forward I see a lot of what we've accomplished being incorporated
into the filesystems. When IMA will be limited to defining a system
wide policy, I'll have completed my job.
Mimi
>
> > I've got to say the least attractive thing
> > about separation is the fact that you now both have a policy parser.
> > You've tried to differentiate yours by making it more Kconfig
> > based, but policy has a way of becoming user space supplied because
> > the distros hate config options, so I think you're going to end up
> > with a policy parser very like IMAs.
next prev parent reply other threads:[~2020-08-05 18:16 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-28 21:36 [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 01/11] scripts: add ipe tooling to generate boot policy Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 02/11] security: add ipe lsm evaluation loop and audit system Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 03/11] security: add ipe lsm policy parser and policy loading Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 04/11] ipe: add property for trust of boot volume Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 05/11] fs: add security blob and hooks for block_device Deven Bowers
2020-07-28 22:22 ` Casey Schaufler
2020-07-28 22:40 ` Al Viro
2020-07-28 23:55 ` Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 06/11] dm-verity: move signature check after tree validation Deven Bowers
2020-07-28 21:50 ` Eric Biggers
2020-07-28 23:55 ` Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 07/11] dm-verity: add bdev_setsecurity hook for dm-verity signature Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 08/11] ipe: add property for signed dmverity volumes Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 09/11] dm-verity: add bdev_setsecurity hook for root-hash Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 10/11] documentation: add ipe documentation Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 10/12] ipe: add property for dmverity roothash Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 11/11] cleanup: uapi/linux/audit.h Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 11/12] documentation: add ipe documentation Deven Bowers
2020-07-28 21:36 ` [RFC PATCH v5 12/12] cleanup: uapi/linux/audit.h Deven Bowers
2020-08-02 11:55 ` [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) Pavel Machek
2020-08-02 14:03 ` Sasha Levin
2020-08-02 14:31 ` Pavel Machek
2020-08-02 16:43 ` [dm-devel] " James Bottomley
2020-08-04 16:07 ` Deven Bowers
2020-08-05 15:01 ` James Bottomley
2020-08-05 16:59 ` James Morris
2020-08-05 18:15 ` Mimi Zohar [this message]
2020-08-05 23:51 ` James Morris
2020-08-06 14:33 ` Mimi Zohar
2020-08-07 16:41 ` James Morris
2020-08-07 17:31 ` Mimi Zohar
2020-08-07 18:40 ` Mimi Zohar
2020-08-10 20:29 ` James Morris
2020-08-08 17:47 ` Chuck Lever
2020-08-09 17:16 ` Mimi Zohar
2020-08-10 15:35 ` James Bottomley
2020-08-10 16:35 ` Mimi Zohar
2020-08-10 17:13 ` James Bottomley
2020-08-10 17:57 ` Mimi Zohar
2020-08-10 23:36 ` Chuck Lever
2020-08-11 5:43 ` James Bottomley
2020-08-11 14:48 ` Chuck Lever
2020-08-11 15:32 ` James Bottomley
2020-08-11 19:30 ` Pavel Machek
2020-08-12 14:45 ` Chuck Lever
2020-08-11 15:53 ` James Bottomley
2020-08-12 14:15 ` Chuck Lever
2020-08-12 15:51 ` James Bottomley
2020-08-13 14:42 ` Chuck Lever
2020-08-13 15:10 ` James Bottomley
2020-08-14 14:21 ` Chuck Lever
2020-08-11 18:28 ` James Bottomley
2020-08-12 13:56 ` Chuck Lever
2020-08-12 15:42 ` James Bottomley
2020-08-13 14:21 ` Chuck Lever
2020-08-13 14:42 ` James Bottomley
2020-08-13 14:56 ` Chuck Lever
2020-08-11 21:03 ` James Morris
2020-08-12 14:18 ` Chuck Lever
2020-08-12 17:07 ` Deven Bowers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b08ae82102f35936427bf138085484f75532cff1.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=agk@redhat.com \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@redhat.com \
--cc=eparis@redhat.com \
--cc=jannh@google.com \
--cc=jaskarankhurana@linux.microsoft.com \
--cc=jmorris@namei.org \
--cc=linux-audit@redhat.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mdsakib@microsoft.com \
--cc=nramas@linux.microsoft.com \
--cc=pasha.tatashin@soleen.com \
--cc=paul@paul-moore.com \
--cc=pavel@ucw.cz \
--cc=sashal@kernel.org \
--cc=serge@hallyn.com \
--cc=snitzer@redhat.com \
--cc=tyhicks@linux.microsoft.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).