* [PATCH 0/4] integrity
@ 2008-08-08 18:54 Mimi Zohar
  0 siblings, 0 replies; 13+ messages in thread
From: Mimi Zohar @ 2008-08-08 18:54 UTC (permalink / raw)
  To: linux-kernel
  Cc: linux-security-module, Al Viro, Stephen Smalley, James Morris,
	Randy Dunlap, safford, serue, sailer, zohar

-- 
I've brought the LIM/IMA patchset up to date, resolving the latest
merge issues resulting from the removal of the nameidata parameter to
inode_permission(), and built the patches on top of James's
security-testing 'devel' tree as per his request.

This patchset contains 4 patches:
        Patch 1/4 integrity: TPM internal kernel interface
        Patch 2/4 integrity: special fs magic
        Patch 3/4 integrity: Linux Integrity Module(LIM)
        Patch 4/4 integrity: IMA as an integrity service provider




* [PATCH 0/4] integrity
@ 2008-10-07 18:00 Mimi Zohar
  2008-10-08  4:56 ` James Morris
  0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2008-10-07 18:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mimi Zohar, Andrew Morton, James Morris, Christoph Hellwig,
	Al Viro, David Safford, Serge Hallyn

This patchset addresses a couple of concerns raised on the 
mailing list:

- Christoph Hellwig questioned what is protecting the TPM
  internal kernel interface from the driver being removed,
  when it is not builtin. The TPM device should be builtin
  in order to start collecting measurements at the earliest 
  possible time. When the TPM is not builtin, the internal
  TPM kernel interface now protects itself from the driver 
  being removed by incrementing the module reference count.

  The integrity-TPM-internal-kernel-interface.patch prereqs:
        TPM-update-char-dev-BKL-pushdown.patch
        TPM-num_opens-to-is_open-variable-change.patch
        TPM-rcu-locking.patch
        TPM-addition-of-pnp-remove.patch
        TPM-Fixed-tpm_release-timing.patch

- Discussion on the mailing list questioned the use of special
  magic values in userspace, concluding these values are already
  exported to userspace via statfs and their correct/incorrect
  usage is left up to the userspace application.

- Concern was raised on the lkml mailing list, about adding i_integrity
  to the inode structure.  This patch adds a comment clarifying that
  i_integrity is only included in the inode if INTEGRITY is configured.

Mimi Zohar (4):
  integrity: TPM internal kernel interface
  integrity: special fs magic
  integrity: Linux Integrity Module(LIM)
  integrity: IMA as an integrity service provider


* Re: [PATCH 0/4] integrity
  2008-10-07 18:00 Mimi Zohar
@ 2008-10-08  4:56 ` James Morris
  2008-10-08 14:19   ` Mimi Zohar
  0 siblings, 1 reply; 13+ messages in thread
From: James Morris @ 2008-10-08  4:56 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: linux-kernel, Andrew Morton, Christoph Hellwig, Al Viro,
	David Safford, Serge Hallyn

On Tue, 7 Oct 2008, Mimi Zohar wrote:

>   The integrity-TPM-internal-kernel-interface.patch prereqs:
>         TPM-update-char-dev-BKL-pushdown.patch
>         TPM-num_opens-to-is_open-variable-change.patch
>         TPM-rcu-locking.patch
>         TPM-addition-of-pnp-remove.patch
>         TPM-Fixed-tpm_release-timing.patch

Where are these patches?

i.e. are they in a tree?  If so, which one?  If not, they need to be 
posted in this series.



- James
-- 
James Morris
<jmorris@namei.org>


* Re: [PATCH 0/4] integrity
  2008-10-08  4:56 ` James Morris
@ 2008-10-08 14:19   ` Mimi Zohar
  2008-10-08 22:06     ` James Morris
  0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2008-10-08 14:19 UTC (permalink / raw)
  To: James Morris
  Cc: linux-kernel, Andrew Morton, Christoph Hellwig, Al Viro,
	David Safford, Serge Hallyn

On Wed, 2008-10-08 at 15:56 +1100, James Morris wrote:
> On Tue, 7 Oct 2008, Mimi Zohar wrote:
> 
> >   The integrity-TPM-internal-kernel-interface.patch prereqs:
> >         TPM-update-char-dev-BKL-pushdown.patch
> >         TPM-num_opens-to-is_open-variable-change.patch
> >         TPM-rcu-locking.patch
> >         TPM-addition-of-pnp-remove.patch
> >         TPM-Fixed-tpm_release-timing.patch
> 
> Where are these patches?
> 
> i.e. are they in a tree?  If so, which one?  If not, they need to be 
> posted in this series.
> 
> 
> 
> - James

The TPM patches have not, as yet, been picked up.

These TPM patches are base TPM changes, not really related to the
integrity patches and certainly not dependent on them.  However the reverse
is not true.  The integrity-tpm-internal-kernel-interface patch is
dependent on, at least, the TPM-rcu-locking patch.

Mimi



* Re: [PATCH 0/4] integrity
  2008-10-08 14:19   ` Mimi Zohar
@ 2008-10-08 22:06     ` James Morris
  2008-10-10 14:16       ` Mimi Zohar
  0 siblings, 1 reply; 13+ messages in thread
From: James Morris @ 2008-10-08 22:06 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: linux-kernel, Andrew Morton, Christoph Hellwig, Al Viro,
	David Safford, Serge Hallyn

On Wed, 8 Oct 2008, Mimi Zohar wrote:

> On Wed, 2008-10-08 at 15:56 +1100, James Morris wrote:
> > On Tue, 7 Oct 2008, Mimi Zohar wrote:
> > 
> > >   The integrity-TPM-internal-kernel-interface.patch prereqs:
> > >         TPM-update-char-dev-BKL-pushdown.patch
> > >         TPM-num_opens-to-is_open-variable-change.patch
> > >         TPM-rcu-locking.patch
> > >         TPM-addition-of-pnp-remove.patch
> > >         TPM-Fixed-tpm_release-timing.patch
> > 
> > Where are these patches?
> > 
> > i.e. are they in a tree?  If so, which one?  If not, they need to be 
> > posted in this series.
> > 
> > 
> > 
> > - James
> 
> The TPM patches have not, as yet, been picked up.
> 
> These TPM patches are base TPM changes, not really related to the
> integrity patches and certainly not dependent on them.  However the reverse
> is not true.  The integrity-tpm-internal-kernel-interface patch is
> dependent on, at least, the TPM-rcu-locking patch.

Please repost the TPM patches, then.

-- 
James Morris
<jmorris@namei.org>


* Re: [PATCH 0/4] integrity
  2008-10-08 22:06     ` James Morris
@ 2008-10-10 14:16       ` Mimi Zohar
  2008-10-10 22:15         ` James Morris
  0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2008-10-10 14:16 UTC (permalink / raw)
  To: James Morris
  Cc: linux-kernel, Andrew Morton, Christoph Hellwig, Al Viro,
	David Safford, Serge Hallyn

On Thu, 2008-10-09 at 09:06 +1100, James Morris wrote:
> On Wed, 8 Oct 2008, Mimi Zohar wrote:
> 
> > On Wed, 2008-10-08 at 15:56 +1100, James Morris wrote:
> > > On Tue, 7 Oct 2008, Mimi Zohar wrote:
> > > 
> > > >   The integrity-TPM-internal-kernel-interface.patch prereqs:
> > > >         TPM-update-char-dev-BKL-pushdown.patch
> > > >         TPM-num_opens-to-is_open-variable-change.patch
> > > >         TPM-rcu-locking.patch
> > > >         TPM-addition-of-pnp-remove.patch
> > > >         TPM-Fixed-tpm_release-timing.patch
> > > 
> > > Where are these patches?
> > > 
> > > i.e. are they in a tree?  If so, which one?  If not, they need to be 
> > > posted in this series.
> > > 
> > > 
> > > 
> > > - James
> > 
> > The TPM patches have not, as yet, been picked up.
> > 
> > These TPM patches are base TPM changes, not really related to the
> > integrity patches and certainly not dependent on them.  However the reverse
> > is not true.  The integrity-tpm-internal-kernel-interface patch is
> > dependent on, at least, the TPM-rcu-locking patch.
> 
> Please repost the TPM patches, then.

The TPM patches were just added to the -mm tree (10/8 18:45 EDT),
available from http://userweb.kernel.org/~akpm/mmotm/.

Mimi



* Re: [PATCH 0/4] integrity
  2008-10-10 14:16       ` Mimi Zohar
@ 2008-10-10 22:15         ` James Morris
  0 siblings, 0 replies; 13+ messages in thread
From: James Morris @ 2008-10-10 22:15 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: linux-kernel, Andrew Morton, Christoph Hellwig, Al Viro,
	David Safford, Serge Hallyn, srajiv

On Fri, 10 Oct 2008, Mimi Zohar wrote:

> > > These TPM patches are base TPM changes, not really related to the
> > > integrity patches and certainly not dependent on them.  However the reverse
> > > is not true.  The integrity-tpm-internal-kernel-interface patch is
> > > dependent on, at least, the TPM-rcu-locking patch.
> > 
> > Please repost the TPM patches, then.
> 
> The TPM patches were just added to the -mm tree (10/8 18:45 EDT),
> available from http://userweb.kernel.org/~akpm/mmotm/.

I've added the prereq patches to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next

Please test it, and base your next version of the integrity patches on 
that branch.  Generally, if your patches depend on some other patches, you 
need to coordinate to ensure the prerequisite patches are either in the 
tree you're aiming for, or post them as part of the patchset.

Note that there are some interesting sparse warnings for the TPM code 
(not arising from the above):

drivers/char/tpm/tpm.c:493:10: error: bad constant expression
drivers/char/tpm/tpm.c:500:32: error: cannot size expression
drivers/char/tpm/tpm.c:507:10: error: bad constant expression
drivers/char/tpm/tpm.c:515:32: error: cannot size expression
drivers/char/tpm/tpm.c:547:32: error: cannot size expression
  CHECK   drivers/char/tpm/tpm_atmel.c
  CHECK   drivers/char/tpm/tpm_infineon.c
drivers/char/tpm/tpm_bios.c:412:7: warning: incorrect type in assignment (different address spaces)
drivers/char/tpm/tpm_bios.c:412:7:    expected struct acpi_table_header *virt
drivers/char/tpm/tpm_bios.c:412:7:    got void [noderef] <asn:2>*
drivers/char/tpm/tpm_bios.c:416:23: warning: incorrect type in argument 1 (different address spaces)
drivers/char/tpm/tpm_bios.c:416:23:    expected void [noderef] <asn:2>*logical_address
drivers/char/tpm/tpm_bios.c:416:23:    got struct acpi_table_header *virt


-- 
James Morris
<jmorris@namei.org>


* [PATCH 0/4] integrity
@ 2008-11-13  3:47 Mimi Zohar
  2008-11-14 22:18 ` Andrew Morton
  0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2008-11-13  3:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mimi Zohar, Andrew Morton, James Morris, Christoph Hellwig,
	Al Viro, David Safford, Serge Hallyn

The Linux Integrity Module (LIM) Framework provides hooks
for modules to perform collection, appraisal, and storage
of system integrity measurements. One such module, IMA,
collects measurements of file data, maintains this list
in the kernel, and if available, stores (extends) the
measurements into a hardware TPM. These measurements are
collected, appraised, and stored before any access
(read or execute) to the data, so that malicious code or
data cannot remove or cover up its own measurement, to avoid
detection. If the measurements are anchored in a TPM, the
TPM can sign the measurements, for proof of integrity
to a third party, such as in enterprise client management.

Integrity measurement is complementary to LSM mandatory
access control, which can be used to protect the integrity
of system files. Integrity measurement policies can take
advantage of LSM labels in deciding what to measure and
to detect when the protection fails, with hardware strength.

This patch set addresses a couple of concerns raised on
the mailing list:

- Uses a radix tree to store integrity information
  associated with an inode, instead of extending the
  inode structure.
- Moves hooks out of vfs_permission and file_permission,
  which are deprecated.
- Fixes the template list locking.
- Updates and clarifies the integrity_audit kernel
  command line option.

Dave Safford
Mimi Zohar (4):
  integrity: TPM internal kernel interface
  integrity: Linux Integrity Module(LIM)
  integrity: IMA as an integrity service provider
  integrity: IMA radix tree

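
The measure-then-extend scheme described in the cover letter above, as an added Python simulation that is not part of the original post or of the patch set. It assumes a SHA-1, 20-byte register in the style of TPM 1.2; `entry_digest` is a simplified stand-in for IMA's template hash, and all paths and file contents are constructed.

```python
import hashlib
import hmac
from typing import List, NamedTuple

DIGEST_LEN = 20  # SHA-1 output size (assumption: TPM 1.2-style PCR)


class Entry(NamedTuple):
    path: str
    file_digest: bytes  # SHA-1 of the file contents at access time


def entry_digest(e: Entry) -> bytes:
    # Simplified stand-in for a template hash: binds content digest to name.
    return hashlib.sha1(e.file_digest + e.path.encode()).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    # Extend folds a digest into the register; it can never be set directly.
    return hashlib.sha1(pcr + digest).digest()


class MeasurementLog:
    """Simulated in-kernel measurement list plus the register anchoring it."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []
        self.pcr = bytes(DIGEST_LEN)  # register starts as all zeroes

    def measure(self, path: str, data: bytes) -> None:
        # Runs before the data is read or executed, so the entry is already
        # recorded and extended by the time the measured code can act.
        e = Entry(path, hashlib.sha1(data).digest())
        self.entries.append(e)
        self.pcr = extend(self.pcr, entry_digest(e))


def replay(entries: List[Entry]) -> bytes:
    # Verifier side: recompute the register value from the reported list.
    pcr = bytes(DIGEST_LEN)
    for e in entries:
        pcr = extend(pcr, entry_digest(e))
    return pcr


def verify(entries: List[Entry], quoted_pcr: bytes) -> bool:
    # The list is trusted only if it reproduces the value the TPM reports.
    return hmac.compare_digest(replay(entries), quoted_pcr)


# Constructed sample input: (path, contents) in access order.
SAMPLE_FILES = [
    ("/sbin/init", b"init-binary"),
    ("/bin/sh", b"shell-binary"),
    ("/tmp/unexpected", b"unapproved-binary"),
]


def build_sample_log() -> MeasurementLog:
    log = MeasurementLog()
    for path, data in SAMPLE_FILES:
        log.measure(path, data)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact list verifies:", verify(log.entries, log.pcr))
    pruned = [e for e in log.entries if e.path != "/tmp/unexpected"]
    print("pruned list verifies:", verify(pruned, log.pcr))
```

A list with an entry dropped, altered or reordered no longer replays to the register value, which is why a verifier compares against the TPM-reported value rather than trusting the list alone.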

* Re: [PATCH 0/4] integrity
  2008-11-13  3:47 Mimi Zohar
@ 2008-11-14 22:18 ` Andrew Morton
  2008-11-17 20:42   ` david safford
  2008-12-03 23:29   ` James Morris
  0 siblings, 2 replies; 13+ messages in thread
From: Andrew Morton @ 2008-11-14 22:18 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-kernel, zohar, jmorris, hch, viro, safford, serue

On Wed, 12 Nov 2008 22:47:10 -0500
Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:

> The Linux Integrity Module (LIM) Framework provides hooks
> for modules to perform collection, appraisal, and storage
> of system integrity measurements. One such module, IMA,
> collects measurements of file data, maintains this list
> in the kernel, and if available, stores (extends) the
> measurements into a hardware TPM. These measurements are
> collected, appraised, and stored before any access
> (read or execute) to the data, so that malicious code or
> data cannot remove or cover up its own measurement, to avoid
> detection. If the measurements are anchored in a TPM, the
> TPM can sign the measurements, for proof of integrity
> to a third party, such as in enterprise client management.
> 
> Integrity measurement is complementary to LSM mandatory
> access control, which can be used to protect the integrity
> of system files. Integrity measurement policies can take
> advantage of LSM labels in deciding what to measure and
> to detect when the protection fails, with hardware strength.

This all looks quite mergeable to me, although I am far from being an
expert on security things.

One thing which I cannot say, and which is quite important: how useful
will all of this be to our users?  Are people asking for it?  Are
people likely to enable and use it?  Are they even likely to understand
it?  ;) Are any large/important customers asking for it?  Are distros
likely to enable and support it?

etc?


* Re: [PATCH 0/4] integrity
  2008-11-14 22:18 ` Andrew Morton
@ 2008-11-17 20:42   ` david safford
  2008-12-03 23:29   ` James Morris
  1 sibling, 0 replies; 13+ messages in thread
From: david safford @ 2008-11-17 20:42 UTC (permalink / raw)
  To: Andrew Morton; +Cc: Mimi Zohar, linux-kernel, jmorris, hch, viro, serue

On Fri, 2008-11-14 at 14:18 -0800, Andrew Morton wrote:
> On Wed, 12 Nov 2008 22:47:10 -0500
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> > The Linux Integrity Module (LIM) Framework provides hooks
> > ...
> This all looks quite mergeable to me, although I am far from being an
> expert on security things.
> 
> One thing which I cannot say, and which is quite important: how useful
> will all of this be to our users?  Are people asking for it?  Are
> people likely to enable and use it?  Are they even likely to understand
> it?  ;) Are any large/important customers asking for it?  Are distros
> likely to enable and support it?

LIM/IMA's maintenance of a TPM hardware anchored file measurement 
list is fundamental to the Trusted Computing Group's standards 
efforts. Several projects have implemented the TNC (Trusted Network
Connect) and PTS (Platform Trust Services) standards (see below). 
There are three demo packaged distros which have integrated these
apps, two of which are government funded (EU and US), with definite
customer interest. We are working with the RHEL team to provide
a supported, patched kernel for HAP. All of these so far have used
the old LSM based IMA, and have asked for a supported, upstreamed 
implementation, with the ability to work with SELinux.

Standards
http://www.trustedcomputinggroup.org

TNC/PTS Projects:
http://tnc.inform.fh-hannover.de/wiki/index.php/Main_Page  (server)
http://sourceforge.net/projects/libtnc   (library)
http://hostap.epitest.fi/wpa_supplicant/wpa_supplicant   (client)
http://sourceforge.jp/projects/openpts   (client and server)

Test Distros:
http://unit.aist.go.jp/itri/knoppix/index-en.html   (trusted Knoppix)
http://www.nsa.gov/ia/industry/HAP/   (US)
http://www.opentc.net   (EU)








* [PATCH 0/4] integrity
@ 2008-11-20 16:43 Mimi Zohar
  2008-11-21 17:42 ` Dave Hansen
  0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2008-11-20 16:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Mimi Zohar, Andrew Morton, James Morris, Christoph Hellwig,
	Al Viro, David Safford, Serge Hallyn

The first three patches address concerns raised on the mailing
list.  They apply cleanly to linux-2.6.28-rc5 and with minor
offsets to security-testing-2.6/#next. The last patch is only
for the security-testing-2.6/#next tree. It addresses credential
merge issues.

- Merges the integrity radix tree patch into the existing integrity
  patches.
- Replaces integrity_nameidata_check() with integrity_path_check().
- Cleans up tget/tput callers and removes the null pointer test.
- Replaces remaining GFP_ATOMIC alloc with GFP_KERNEL.
- Replaces ima_iint_init() with RADIX_TREE macro.

Mimi Zohar (4):
  integrity: TPM internal kernel interface
  integrity: Linux Integrity Module(LIM)
  integrity: IMA as an integrity service provider
  integrity: replace task uid with cred uid


* Re: [PATCH 0/4] integrity
  2008-11-20 16:43 Mimi Zohar
@ 2008-11-21 17:42 ` Dave Hansen
  0 siblings, 0 replies; 13+ messages in thread
From: Dave Hansen @ 2008-11-21 17:42 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: linux-kernel, Andrew Morton, James Morris, Christoph Hellwig,
	Al Viro, David Safford, Serge Hallyn

My worry:

	36 files changed, 3250 insertions(+), 14 deletions(-)

Can you find any better way to split this up?  79k is still pretty huge
for one patch.  Were you just trying to get under the LKML limit? ;)

 Documentation/kernel-parameters.txt    |    5 
 b/Documentation/ABI/testing/ima_policy |   61 ++++
 b/Documentation/kernel-parameters.txt  |    6 
 b/drivers/char/tpm/tpm.c               |  140 +++++++++
 b/drivers/char/tpm/tpm.h               |    4 
 b/drivers/char/tpm/tpm_tis.c           |    3 
 b/fs/exec.c                            |    7 
 b/fs/file_table.c                      |    3 
 b/fs/inode.c                           |   22 +
 b/fs/namei.c                           |    6 
 b/include/linux/audit.h                |    5 
 b/include/linux/ima.h                  |   46 +++
 b/include/linux/integrity.h            |  166 +++++++++++
 b/include/linux/tpm.h                  |   49 +++
 b/mm/mmap.c                            |    4 
 b/security/Kconfig                     |    2 
 b/security/Makefile                    |    4 
 b/security/integrity/Kconfig           |   24 +
 b/security/integrity/Makefile          |    6 
 b/security/integrity/ima/Kconfig       |   48 +++
 b/security/integrity/ima/Makefile      |    9 
 b/security/integrity/ima/ima.h         |  198 +++++++++++++
 b/security/integrity/ima/ima_api.c     |  420 ++++++++++++++++++++++++++++
 b/security/integrity/ima/ima_crypto.c  |  149 ++++++++++
 b/security/integrity/ima/ima_fs.c      |  488 +++++++++++++++++++++++++++++++++
 b/security/integrity/ima/ima_iint.c    |   63 ++++
 b/security/integrity/ima/ima_init.c    |  105 +++++++
 b/security/integrity/ima/ima_main.c    |  331 ++++++++++++++++++++++
 b/security/integrity/ima/ima_policy.c  |  336 ++++++++++++++++++++++
 b/security/integrity/ima/ima_queue.c   |  124 ++++++++
 b/security/integrity/integrity.c       |  313 +++++++++++++++++++++
 b/security/integrity/integrity.h       |   30 ++
 b/security/integrity/integrity_audit.c |   81 +++++
 security/Kconfig                       |    3 
 security/integrity/Kconfig             |    2 
 security/integrity/Makefile            |    1 
 36 files changed, 3250 insertions(+), 14 deletions(-)

-- Dave



* Re: [PATCH 0/4] integrity
  2008-11-14 22:18 ` Andrew Morton
  2008-11-17 20:42   ` david safford
@ 2008-12-03 23:29   ` James Morris
  1 sibling, 0 replies; 13+ messages in thread
From: James Morris @ 2008-12-03 23:29 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Mimi Zohar, linux-kernel, Christoph Hellwig, viro, safford, serue

On Fri, 14 Nov 2008, Andrew Morton wrote:

> One thing which I cannot say, and which is quite important: how useful
> will all of this be to our users?  Are people asking for it? 

Apparently, some government users are, and there's a DoD decree which 
requires new equipment to include TPM hardware where possible:

http://iase.disa.mil/policy-guidance/dod-dar-tpm-decree07-03-07.pdf

This is to support encryption of data at rest, and for "device 
authentication" (requiring remote attestation of system integrity).

It's not clear to me yet how compelling this will be for general-case 
users.

> Are
> people likely to enable and use it?  Are they even likely to understand
> it?  ;) Are any large/important customers asking for it?  Are distros
> likely to enable and support it?

I believe that TPM is in "tech preview" in RHEL 5.2, and that there is a 
desire to integrate it more fully with the OS via TCG software such as 
Trousers:  http://trousers.sourceforge.net/



- James
-- 
James Morris
<jmorris@namei.org>
