From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Magalhaes, Guilherme (Brazil R&D-CL)" <guilherme.magalhaes@hpe.com>, "linux-integrity@vger.kernel.org" <linux-integrity@vger.kernel.org>
Subject: Re: violations and invalidated PCR value
Date: Wed, 06 Jun 2018 10:28:35 -0400 [thread overview]
Message-ID: <1528295315.3255.25.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <AT5PR8401MB113985C429E1F854FE9B62D3FF660@AT5PR8401MB1139.NAMPRD84.PROD.OUTLOOK.COM>
Hi Guilherme,
On Tue, 2018-06-05 at 21:22 +0000, Magalhaes, Guilherme (Brazil R&D-CL) wrote:
> Hi Mimi,
> I am trying to understand why violations (tomtou, open writers) cause
> the aggregated PCR value to be invalidated.
>
> Invalidating the PCR makes clear the file measurement errors, but once
> violations are common (when using the (TCB) default policy) it seems
> difficult to perform a full attestation process if violations are not
> handled.
>
> Is it safe to just report the violations and still perform a full attestation
> of the log by replacing zeroed digest with ff..ff? I believe we can safely
> detect a violation entry in the log by checking the hash values are zeroes.
> Please confirm.
It's not clear if you're asking what your attestation server should
be doing or suggesting that the kernel should not invalidate the PCR.
The builtin policies are loaded before the LSM policies. As a result,
they can not be defined in terms of LSM labels. The builtin policies
can be replaced at run time with a policy based on LSM labels (eg. log
files), which should limit a number of these violations.
Someone should go through the remaining violations to determine if
they're benign, expected or not. Some applications unnecessarily open
files rw. Fix those applications. Identify those violations which
are acceptable. Only then can the attestation server safely know how
to handle violations, whether it is safe to replace the 0x00's with
0xff's.
Mimi
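The log replay Mimi describes, in which the attestation server reproduces PCR 10 from the measurement list and has to decide what to do with violation entries, as an added example in Python. This is not code from the thread or from IMA itself. It relies on the kernel behaviour discussed above: a violation is recorded in the list with an all-zero template digest, while the PCR is extended with a digest of all 0xff bytes, so a verifier must substitute 0xff for 0x00 on those entries to reproduce the PCR, and must separately decide which violation paths it accepts. It assumes the SHA-1 ascii_runtime_measurements format with the ima-ng template; the sample log lines, their hex values and the set of accepted violation paths are constructed for illustration.

```python
"""Replay an IMA measurement log against a PCR, handling violation entries.

Added example, not from the thread or from IMA. Assumes the SHA-1
ascii_runtime_measurements format with the ima-ng template.
"""
import hashlib
from dataclasses import dataclass

PCR_SIZE = 20  # SHA-1 bank, the digest size used by ascii_runtime_measurements

# Constructed sample log: "<pcr> <template hash> <template> <template data>".
# The hex values are made up. The middle line is shaped like an IMA violation
# entry: zeroed template hash and zeroed file digest.
SAMPLE_LOG = """\
10 7f2a0c1b9e8d3a4f5c6b7a8e9d0c1b2a3f4e5d6c ima-ng sha1:d1c0b9a8f7e6d5c4b3a29180706f5e4d3c2b1a09 boot_aggregate
10 0000000000000000000000000000000000000000 ima-ng sha1:0000000000000000000000000000000000000000 /var/log/messages
10 3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f ima-ng sha1:a9b8c7d6e5f40312233445566778899aabbccdde /usr/sbin/sshd
"""

# Assumed site-specific policy: violation paths the verifier tolerates after
# someone has reviewed them (Mimi's "identify those violations which are
# acceptable"). Everything else is a failed attestation.
ACCEPTED_VIOLATIONS = {"/var/log/messages"}


@dataclass
class Entry:
    pcr: int
    template_hash: bytes
    template: str
    data: str


def parse_log(text):
    """Parse ascii_runtime_measurements lines into Entry objects."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, template_hash, template, data = line.split(maxsplit=3)
        entries.append(Entry(int(pcr), bytes.fromhex(template_hash), template, data))
    return entries


def is_violation(entry):
    """IMA stores violations with an all-zero template hash."""
    return entry.template_hash == bytes(PCR_SIZE)


def violation_path(entry):
    """ima-ng template data is '<algo>:<hex> <pathname>'; return the pathname."""
    return entry.data.split(maxsplit=1)[1]


def extend(pcr, digest):
    """TPM 1.2-style PCR extend: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def replay(entries, pcr_index=10):
    """Replay the list into a PCR value, substituting 0xff for violation entries.

    Returns (pcr_value, [violation entries]).
    """
    pcr = bytes(PCR_SIZE)
    violations = []
    for entry in entries:
        if entry.pcr != pcr_index:
            continue
        digest = entry.template_hash
        if is_violation(entry):
            # The kernel extended the PCR with 0xff bytes, not the zeros it logged.
            digest = b"\xff" * PCR_SIZE
            violations.append(entry)
        pcr = extend(pcr, digest)
    return pcr, violations


def attest(log_text, quoted_pcr, accepted_violations):
    """Verify a quoted PCR against the log and apply the violation policy."""
    pcr, violations = replay(parse_log(log_text))
    if pcr != quoted_pcr:
        return False, "replayed PCR does not match the quoted value"
    unexpected = [violation_path(v) for v in violations
                  if violation_path(v) not in accepted_violations]
    if unexpected:
        return False, "unexpected violations: " + ", ".join(unexpected)
    return True, f"ok, {len(violations)} accepted violation(s)"


if __name__ == "__main__":
    # Stand in for a TPM quote by replaying the constructed log once.
    quoted, _ = replay(parse_log(SAMPLE_LOG))
    print(attest(SAMPLE_LOG, quoted, ACCEPTED_VIOLATIONS))
    print(attest(SAMPLE_LOG, quoted, set()))
```

The point of the policy step is the one Mimi makes: the 0x00 to 0xff substitution only makes the replay match the PCR; it does not make the attestation safe, so the verifier still has to fail any violation that was not reviewed and accepted in advance.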
Thread overview: 2+ messages
2018-06-05 21:22 violations and invalidated PCR value Magalhaes, Guilherme (Brazil R&D-CL)
2018-06-06 14:28 ` Mimi Zohar [this message]