From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>,
	Jiandi An <anjiandi@codeaurora.org>,
	Jason Gunthorpe <jgg@ziepe.ca>
Cc: dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com,
	linux-integrity@vger.kernel.org,
	linux-ima-devel@lists.sourceforge.net,
	linux-ima-user@lists.sourceforge.net,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	David Safford <david.safford@ge.com>
Subject: Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64
Date: Mon, 12 Mar 2018 19:30:00 -0400	[thread overview]
Message-ID: <1520897400.3547.253.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1520893847.4522.62.camel@HansenPartnership.com>

On Mon, 2018-03-12 at 15:30 -0700, James Bottomley wrote:
> On Mon, 2018-03-12 at 17:53 -0400, Mimi Zohar wrote:
[...]
> > - This use case, when the TPM is not builtin and unavailable before
> > IMA is initialized.
> > 
> > I would classify this use case as an IMA testing/debugging
> > environment, when it cannot, for whatever reason, be builtin the
> > kernel or initialized before IMA.
> > 
> > From Dave Safford:
> >     For the TCG chain of trust to have any meaning, all files have to
> >     be measured and extended into the TPM before they are accessed.  If
> >     the TPM driver is loaded after any unmeasured file, the chain is
> >     broken, and IMA is useless for any use case or any threat model.
> 
> I don't think this is quite the correct characterisation.  In principle
> the kernel could also touch the files before IMA is loaded.  However,
> we know from the way the kernel operates that it doesn't.  We basically
> trust that the kernel measurement tells us this.  The same thing can be
> made to apply to the initrd.

With the builtin "tcb" policy, IMA-measurement is enabled from the
very beginning.  Afterwards, the system can transition to a custom
policy based on finer grain LSM labels, which aren't available on
boot.

> The key question is not whether the component could theoretically
> access the files but whether it actually does so.

As much as you might think you know what is included in the initramfs,
IMA-measurement is your safety net, including everything accessed in
the TCB.

Mimi
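The chain-of-trust point argued in the exchange above (measure and extend every file into the TPM before it is accessed, or the verifier has no evidence about what ran), as an added illustration that is not part of the thread: a simplified Python model of IMA's measurement list and the TPM PCR extend operation. The file list, the access order and the `tpm_ready_at` knob are constructed assumptions; real IMA uses template hashes, PCR 10 and a boot_aggregate entry, which are omitted here.

```python
import hashlib

# Simplified model of IMA measurement plus TPM PCR extend (added example,
# not kernel code).  File contents below are constructed stand-ins.
PCR_INIT = b"\x00" * 20  # a SHA-1 PCR starts out as all zeros

# Constructed access order: the TPM driver is the third file touched.
FILES = [
    ("/init", b"#!/bin/sh\nmodprobe tpm_tis\nexec /sbin/init\n"),
    ("/lib/libc.so.6", b"<libc bytes, constructed>"),
    ("/lib/modules/tpm_tis.ko", b"<tpm driver bytes, constructed>"),
    ("/sbin/init", b"<init bytes, constructed>"),
]

def extend(pcr, digest):
    """TPM PCR extend: new PCR = SHA1(old PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def boot(files, tpm_ready_at):
    """Measure files in access order.  Every access goes into the
    measurement list; it is extended into the PCR only if the TPM driver
    is already usable (index >= tpm_ready_at).  0 models a builtin TPM."""
    log, pcr = [], PCR_INIT
    for i, (name, contents) in enumerate(files):
        digest = hashlib.sha1(contents).digest()
        log.append((name, digest))
        if i >= tpm_ready_at:
            pcr = extend(pcr, digest)
    return log, pcr

def replay_matches(log, pcr):
    """Attestation verifier: replay the whole log and compare with the
    quoted PCR.  Any entry the PCR does not cover breaks the match."""
    acc = PCR_INIT
    for _, digest in log:
        acc = extend(acc, digest)
    return acc == pcr

def unbound_entries(log, pcr):
    """Leading log entries the PCR says nothing about: those accesses
    happened before the TPM was usable, so the log could claim anything
    for them and the quote would still verify."""
    for skip in range(len(log) + 1):
        acc = PCR_INIT
        for _, digest in log[skip:]:
            acc = extend(acc, digest)
        if acc == pcr:
            return [name for name, _ in log[:skip]]
    return None  # no suffix of the log explains the PCR: log tampered
```

With `tpm_ready_at=0` the replay matches and nothing is unbound; with `tpm_ready_at=3` the replay fails and the three files accessed before the driver was usable, the driver itself included, are exactly the entries the verifier cannot vouch for.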
