From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Theodore Ts'o <tytso@mit.edu>, Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Andreas Dilger <adilger@dilger.ca>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
lsf-pc@lists.linux-foundation.org
Subject: Re: [Lsf-pc] [LSF/MM TOPIC] fs-verity: file system-level integrity protection
Date: Wed, 31 Jan 2018 09:12:48 -0800 [thread overview]
Message-ID: <1517418768.3937.59.camel@HansenPartnership.com> (raw)
In-Reply-To: <20180131160510.GA18615@thunk.org>
On Wed, 2018-01-31 at 11:05 -0500, Theodore Ts'o wrote:
> On Tue, Jan 30, 2018 at 06:25:02PM -0500, Mimi Zohar wrote:
> >
> > On Mon, 2018-01-29 at 18:02 -0500, Theodore Ts'o wrote:
> > >
> > > On Mon, Jan 29, 2018 at 07:09:01AM -0500, Mimi Zohar wrote:
> > > >
> > > >
> > > > The LSM security_file_open hook is where fs-verity and IMA
> > > > meet. The fs-verity Merkle tree hash signature would be
> > > > another IMA-appraisal integrity verification method.
> > >
> > > I wasn't planning on using the file open hook for fs-verity at
> > > all, since the merkle hash signature is going to be cached in the
> > > per-file system inode --- e.g., for ext4, it would be stored in
> > > EXT4_I(inode), aka "struct ext4_inode_info".
> >
> > Ok, so if not at open, at what point do you plan on validating the
> > merkle hash signature?
>
> I said we would not using the LSM file_open hook. Instead it will be
> done in ext4_file_open() or f2fs_file_open(). That's because the
> place where the key is cached is in the file system specific portion
> of the inode. This is what I meant by EXT4_I(inode) aka struct
> ext4_inode_info. So it does happen at file open time; it just
> doesn't use the LSM file_open hook. One of the features of fs-verity
> is that it does *not* require the use of the LSM infrastructure.
This is all sounding appallingly ext4/f2fs specific. What about other
filesystems that might want this feature, how would they play?
I assume also that a write of the magic file updates the key and
signature in the inode metadata? I suppose this also avoids the
original IMA locking problem by sorting it out below the VFS, but it
also means you have to invent mechanisms to query the key (user space
might want to know for audit purposes) and to update the key (in case
the original is compromised).
Also when you say "key" presumably you mean pointer to x509 public
certificate in a keyring somewhere, say by DN and Version or SKID?
I really think some time needs to be spent figuring out how it should
be supported in a fs generic way (at least for the user visible API)
otherwise every fs will grow its own version and we'll have a user
tooling nightmare on our hands.
James
next prev parent reply other threads:[~2018-01-31 17:12 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-25 19:11 [LSF/MM TOPIC] fs-verity: file system-level integrity protection Theodore Ts'o
2018-01-25 21:49 ` Chuck Lever
2018-01-25 23:39 ` Theodore Ts'o
2018-01-26 0:47 ` James Bottomley
2018-01-26 2:30 ` Theodore Ts'o
2018-01-26 4:50 ` James Bottomley
2018-01-26 14:58 ` Theodore Ts'o
2018-01-26 16:44 ` [Lsf-pc] " James Bottomley
2018-01-26 21:55 ` Theodore Ts'o
2018-01-27 7:58 ` Andreas Dilger
2018-01-27 16:19 ` James Bottomley
2018-01-27 17:08 ` James Bottomley
2018-01-27 17:08 ` James Bottomley
2018-01-28 2:46 ` Theodore Ts'o
2018-01-28 17:19 ` James Bottomley
2018-01-28 18:03 ` James Bottomley
2018-01-28 18:19 ` Chuck Lever
2018-01-29 6:39 ` James Bottomley
2018-01-29 15:22 ` Chuck Lever
2018-01-30 6:47 ` James Bottomley
2018-01-28 21:49 ` Theodore Ts'o
2018-01-28 22:49 ` Theodore Ts'o
2018-01-28 23:04 ` Mimi Zohar
2018-01-29 0:38 ` Theodore Ts'o
2018-01-29 1:53 ` Mimi Zohar
2018-01-29 2:38 ` Theodore Ts'o
2018-01-29 3:39 ` Mimi Zohar
2018-01-29 4:40 ` Theodore Ts'o
2018-01-29 4:50 ` Theodore Ts'o
2018-01-29 12:09 ` Mimi Zohar
2018-01-29 13:58 ` Mimi Zohar
2018-01-29 23:02 ` Theodore Ts'o
2018-01-30 23:25 ` Mimi Zohar
2018-01-31 16:05 ` Theodore Ts'o
2018-01-31 17:12 ` James Bottomley [this message]
2018-01-31 18:46 ` Theodore Ts'o
2018-01-31 20:41 ` James Bottomley
2018-02-01 0:03 ` Theodore Ts'o
2018-02-01 23:04 ` Dave Chinner
2018-02-01 23:43 ` Andreas Dilger
2018-02-02 0:13 ` Dave Chinner
2018-02-02 5:34 ` James Bottomley
2018-02-02 2:40 ` Theodore Ts'o
2018-02-02 9:05 ` Dave Chinner
2018-01-31 20:40 ` Mimi Zohar
2018-01-31 22:00 ` Theodore Ts'o
2018-02-01 15:17 ` Mimi Zohar
2018-01-29 0:21 ` James Bottomley
2018-01-29 1:03 ` Theodore Ts'o
2018-01-29 21:21 ` Andreas Dilger
2018-01-26 18:13 ` Mimi Zohar
2018-01-26 18:13 ` Mimi Zohar
2018-01-29 18:54 ` Michael Halcrow
2018-01-26 7:58 ` Colin Walters
2018-01-26 15:29 ` Theodore Ts'o
2018-01-26 16:40 ` Colin Walters
2018-01-26 16:49 ` [Lsf-pc] " James Bottomley
2018-01-26 17:05 ` Colin Walters
2018-01-26 17:54 ` Mimi Zohar
2018-01-26 17:54 ` Mimi Zohar
2018-02-02 0:02 ` Steve French
2018-02-07 13:04 ` David Gstir
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1517418768.3937.59.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=adilger@dilger.ca \
--cc=linux-fsdevel@vger.kernel.org \
--cc=lsf-pc@lists.linux-foundation.org \
--cc=tytso@mit.edu \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.