From: Roberto Sassu <roberto.sassu@huawei.com>
To: <linux-ima-devel@lists.sourceforge.net>
Cc: <linux-security-module@vger.kernel.org>,
	<linux-fsdevel@vger.kernel.org>, <linux-doc@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH 12/12] ima: added Documentation/security/IMA-digest-lists.txt
Date: Tue, 25 Jul 2017 17:44:23 +0200
Message-ID: <20170725154423.24845-13-roberto.sassu@huawei.com>
In-Reply-To: <20170725154423.24845-1-roberto.sassu@huawei.com>

This patch adds the documentation of the new IMA feature, to load
and measure file digest lists.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 Documentation/security/IMA-digest-lists.txt | 150 ++++++++++++++++++++++++++++
 1 file changed, 150 insertions(+)
 create mode 100644 Documentation/security/IMA-digest-lists.txt

diff --git a/Documentation/security/IMA-digest-lists.txt b/Documentation/security/IMA-digest-lists.txt
new file mode 100644
index 0000000..f9eed21
--- /dev/null
+++ b/Documentation/security/IMA-digest-lists.txt
@@ -0,0 +1,150 @@
+                            File Digest Lists
+
+==== INTRODUCTION ====
+
+IMA, for each file matching policy rules, calculates a digest, creates
+a new entry in the measurement list and extends a TPM PCR with the digest
+of entry data. The last step causes a noticeable performance reduction.
+
+Since systems likely access the same files, repeating the above tasks at
+every boot can be avoided by replacing individual measurements of likely
+accessed files with only one measurement of their digests: the advantage
+is that the system performance significantly improves due to less PCR
+extend operations; on the other hand, the information about which files
+have exactly been accessed and in which sequence is lost.
+
+If this new measurement reports only good digests (e.g. those of
+files included in a Linux distribution), and if verifiers only check
+that a system executed good software and didn't access malicious data,
+the disadvantages reported earlier would be acceptable.
+
+The Trusted Computing paradigm measure & load is still respected by IMA
+with the proposed optimization. If a file being accessed is not in a
+measured digest list, a measurement will be recorded as before. If it is,
+the list has already been measured, and the verifier must assume that
+files with digest in the list have been accessed.
+
+Measuring digest lists gives the following benefits:
+
+- boot time reduction
+  For a minimal Linux installation with 1400 measurements, the boot time
+  decreases from 1 minute 30 seconds to 15 seconds, after loading to IMA
+  the digest of all files packaged by the distribution (32000). The new
+  list contains 92 entries. Without IMA, the boot time is 8.5 seconds.
+
+- lower network and CPU requirements for remote attestation
+  With the IMA optimization, both the measurement and digest lists
+  must be verified for a complete evaluation. However, since the lists
+  are fixed, they could be sent to and checked by the verifier only once.
+  Then, during a remote attestation, the only remaining task is to verify
+  the short measurement list.
+
+- signature-based remote attestation
+  Digest list signature can be used as a proof of the provenance for the
+  files whose digest is in the list. Then, if verifiers trust the signer
+  and only check provenance, remote attestation verification would simply
+  consist on checking digest lists signatures and that the measurement
+  list only contain list metadata digests (reference measurement databases
+  would be no longer required). An example of a signed digest list,
+  that can be parsed with this patch set, is the RPM package header.
+
+Digest lists are loaded in two stages by IMA through the new securityfs
+interface called 'digest_lists'. Users supply metadata, for the digest
+lists they want to load: path, format, digest, signature and algorithm
+of the digest.
+
+Then, after the metadata digest is added to the measurement list, IMA
+reads the digest lists at the path specified and loads the digests in
+a hash table (digest lists are not measured, since their digest is already
+included in the metadata). With metadata measurement instead of digest list
+measurement, it is possible to avoid a performance reduction that would
+occur by measuring many digest lists (e.g. RPM headers) individually.
+If, alternatively, digest lists are loaded together, their signature
+cannot be verified.
+
+Lastly, when a file is accessed, IMA searches the calculated digest in
+the hash table. Only if the digest is not found a new entry is added
+to the measurement list.
+
+
+
+==== FORMAT ====
+
+The format of digest list metadata is:
+
+algo[2] digest_len[4] digest[digest_len]
+        signature_len[4] signature[signature_len]
+        path_len[4] path[path_len]
+        ref_id_len[4] ref_id[ref_id_len]
+        list_type_len[4] list_type[list_type_len]
+
+algo, list_type and _len are little endian.
+
+
+algo values are defined in include/uapi/linux/hash_info.h. The algorithms
+in the list metadata must be the same of ima_hash_algo (algorithm used
+by IMA to calculate the file digest).
+
+list type values:
+
+0: compact digest list
+1: RPM package header
+
+
+The format of the compact digest list is:
+
+entry_id[2] count[4] data_len[4]
+data[data_len]
+[...]
+entry_id[2] count[4] data_len[4]
+data[data_len]
+
+entry_id, count and data_len are little endian.
+
+At the moment, entry_id can have value 0, which means that 'data' contains
+'count' digests concatenated together. For example, a compact digest list
+with 10 SHA256 digests will look like:
+
+0 10 320
+digest1..digest10
+
+
+
+==== MEASUREMENT LIST ====
+
+systemd has been modified to load the path of files containing digest list
+metadata to the new securityfs interface. Paths must be stored in
+/etc/ima/digest-lists. If digest lists, metadata and systemd configuration
+file are included in the initial ram disk, a typical measurement list
+will look like:
+
+10 <template digest> ima-ng sha1:<digest> boot_aggregate
+10 <template digest> ima-ng sha256:<digest> /usr/lib/systemd/systemd
+10 <template digest> ima-ng sha256:<digest> /usr/lib64/ld-2.17.so
+[...]
+10 <template digest> ima-ng sha256:<digest> /etc/ima/digest-lists
+10 <template digest> ima-ng sha256:<digest> /digests/headers
+[...]
+
+systemd executable and libraries still appear in the measurement list,
+even if they are in a digest list, because digests lists have not been
+loaded yet.
+
+Then, the next measurement should be for /etc/ima/digest-lists.
+At verification time, the file digest can be verified by calculating
+the digest of the path of list metadata (/digests/headers). If multiple
+metadata files are specified in /etc/ima/digest-lists, it is task of the
+system administrator to use appropriate names, so that a verifier can
+recognize them from the measurement list.
+
+The last measurement to verify is of /digests/headers. During remote
+attestation, the content of this file should be sent to the verifier,
+together with the digest lists (unless a reference ID is provided,
+so that lists can be fetched from a repository).
+
+A verifier should check if:
+
+1) the digest of received metadata matches that in the measurement list
+2) the digest of digest lists matches the digests in the list metadata
+3a) each file digest in the digest list is acceptable
+3b) the signature of the digest list is valid and the signer is trusted
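Review bot: the FORMAT section defines a signature field in the list metadata, but the text never states whether IMA verifies that signature at load time (and against which keyring) or leaves it entirely to the verifier in step 3b; since a loaded list suppresses measurements of every file whose digest it contains ("Only if the digest is not found a new entry is added to the measurement list"), the document should say what happens when the signature is absent or invalid: is the list rejected, or loaded anyway with the verifier relying on the measured metadata digest in step 1 to detect it? Two smaller documentation points in the same hunk: "algo, list_type and _len are little endian" should state explicitly that list_type is a length-prefixed little-endian integer whose values are the ones listed (0 and 1), and the MEASUREMENT LIST section would benefit from a sentence on who may write to the 'digest_lists' securityfs interface and whether it accepts writes after the digest lists have been measured, since step 1 of the verifier checks assumes the measured metadata is the only metadata that was ever loaded.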
-- 
2.9.3
