From: Patrick Ohly <patrick.ohly@intel.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
James Morris <james.l.morris@oracle.com>,
Roberto Sassu <roberto.sassu@huawei.com>
Cc: Matthew Garrett <mjg59@google.com>,
linux-integrity <linux-integrity@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
Silviu Vlasceanu <silviu.vlasceanu@huawei.com>
Subject: Re: IMA appraisal master plan?
Date: Mon, 20 Nov 2017 17:15:19 +0100 [thread overview]
Message-ID: <1511194519.5979.48.camel@intel.com> (raw)
In-Reply-To: <1511189976.4729.110.camel@linux.vnet.ibm.com>
On Mon, 2017-11-20 at 09:59 -0500, Mimi Zohar wrote:
> > When allowing local hashing, it's actually worse: during an offline
> > attack, the attacker might not have access to the TPM and thus
> > cannot
> > easily update the EVM HMAC. During an online attack, the kernel
> > will
> > happily update that and the IMA hash for the attacker, resulting in
> > a
> > file that passes appraisal after a reboot.
>
> The assumption is that most files in the TCB are not changing and are
> signed. Custom policies should require file signatures for these
> files.
>
> Assuming that the private keys that are used to sign these files, as
> well as the private key used for signing other keys added to the IMA
> keyring, are stored off line, new files can not be signed.
>
> The number of mutable files in the TCB should be very limited,
> probably < 20 files. Their usage can be constrained by MAC.
I'm not sure what exactly "constrained by MAC" implies, but I suspect
that these mutable files will be as important for the integrity of the
TCB as everything else (<insert my systemd configuration file example
again here>). Compromised is compromised, an installation cannot be
"half compromised". So once the policy allows mutable files, a run-time
exploit that bypasses the MAC can compromise the TCB permanently.
> That said, IMA/IMA-appraisal is work in progress. There are still
> measurement/appraisal gaps that need to be closed. One such example
> are files read by interpreters and interpreted files. There have
> been some initial proposals in this area.
That's what brings us back to my initial question: are the current set
of patches enough to make appraisal useful? Matthew seems to be
optimistic that the answer is yes and I certainly don't want to
discourage him especially as he's doing some actual work while I
couldn't do that, but I remain a bit more skeptical.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
WARNING: multiple messages have this Message-ID (diff)
From: patrick.ohly@intel.com (Patrick Ohly)
To: linux-security-module@vger.kernel.org
Subject: IMA appraisal master plan?
Date: Mon, 20 Nov 2017 17:15:19 +0100 [thread overview]
Message-ID: <1511194519.5979.48.camel@intel.com> (raw)
In-Reply-To: <1511189976.4729.110.camel@linux.vnet.ibm.com>
On Mon, 2017-11-20 at 09:59 -0500, Mimi Zohar wrote:
> > When allowing local hashing, it's actually worse: during an offline
> > attack, the attacker might not have access to the TPM and thus
> > cannot
> > easily update the EVM HMAC. During an online attack, the kernel
> > will
> > happily update that and the IMA hash for the attacker, resulting in
> > a
> > file that passes appraisal after a reboot.
>
> The assumption is that most files in the TCB are not changing and are
> signed. ?Custom policies should require file signatures for these
> files.
>
> Assuming that the private keys that are used to sign these files, as
> well as the private key used for signing other keys added to the IMA
> keyring, are stored off line, new files can not be signed.
>
> The number of mutable files in the TCB should be very limited,
> probably < 20 files. ?Their usage can be constrained by MAC.
I'm not sure what exactly "constrained by MAC" implies, but I suspect
that these mutable files will be as important for the integrity of the
TCB as everything else (<insert my systemd configuration file example
again here>). Compromised is compromised, an installation cannot be
"half compromised". So once the policy allows mutable files, a run-time
exploit that bypasses the MAC can compromise the TCB permanently.
> That said, IMA/IMA-appraisal is work in progress. ?There are still
> measurement/appraisal gaps that need to be closed. ?One such example
> are files read by interpreters and interpreted files. ?There have
> been some initial proposals in this area.
That's what brings us back to my initial question: are the current set
of patches enough to make appraisal useful? Matthew seems to be
optimistic that the answer is yes and I certainly don't want to
discourage him especially as he's doing some actual work while I
couldn't do that, but I remain a bit more skeptical.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-11-20 16:15 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-07 15:17 [PATCH V6] EVM: Add support for portable signature format Matthew Garrett
2017-11-08 19:37 ` Mimi Zohar
2017-11-15 17:26 ` IMA appraisal master plan? (was: Re: [PATCH V6] EVM: Add support for portable signature format) Patrick Ohly
2017-11-15 17:58 ` Matthew Garrett
2017-11-15 18:21 ` Patrick Ohly
2017-11-15 18:28 ` Matthew Garrett
2017-11-16 0:02 ` James Morris
2017-11-16 0:05 ` Matthew Garrett
2017-11-16 2:13 ` Mimi Zohar
2017-11-16 9:23 ` IMA appraisal master plan? Roberto Sassu
2017-11-16 10:20 ` Patrick Ohly
2017-11-16 13:13 ` Mimi Zohar
2017-11-16 14:18 ` Roberto Sassu
2017-11-16 13:06 ` Mimi Zohar
2017-11-17 12:20 ` Roberto Sassu
2017-11-17 12:20 ` Roberto Sassu
2017-11-17 13:42 ` Mimi Zohar
2017-11-17 13:42 ` Mimi Zohar
2017-11-17 14:32 ` Roberto Sassu
2017-11-17 14:32 ` Roberto Sassu
2017-11-17 15:58 ` Stephen Smalley
2017-11-17 17:54 ` Stephen Smalley
2017-11-17 20:09 ` Safford, David (GE Global Research, US)
2017-11-18 19:29 ` Casey Schaufler
2017-11-19 20:47 ` James Morris
2017-11-19 20:47 ` James Morris
2017-11-20 10:20 ` Patrick Ohly
2017-11-20 10:20 ` Patrick Ohly
2017-11-20 14:59 ` Mimi Zohar
2017-11-20 14:59 ` Mimi Zohar
2017-11-20 16:15 ` Patrick Ohly [this message]
2017-11-20 16:15 ` Patrick Ohly
2017-11-21 10:05 ` James Morris
2017-11-21 10:05 ` James Morris
2017-11-21 9:33 ` Roberto Sassu
2017-11-21 9:33 ` Roberto Sassu
2017-11-21 14:05 ` Mimi Zohar
2017-11-21 14:05 ` Mimi Zohar
2017-11-21 15:25 ` Roberto Sassu
2017-11-21 15:25 ` Roberto Sassu
2017-11-21 15:53 ` Mimi Zohar
2017-11-21 15:53 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1511194519.5979.48.camel@intel.com \
--to=patrick.ohly@intel.com \
--cc=james.l.morris@oracle.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=roberto.sassu@huawei.com \
--cc=silviu.vlasceanu@huawei.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.