From: Mimi Zohar <zohar@linux.ibm.com>
To: Matthew Garrett <mjg59@google.com>, linux-integrity@vger.kernel.org
Cc: dmitry.kasatkin@gmail.com, miklos@szeredi.hu,
linux-fsdevel@vger.kernel.org, viro@zeniv.linux.org.uk
Subject: Re: [PATCH 2/3] IMA: Make use of filesystem-provided hashes
Date: Thu, 11 Oct 2018 11:23:06 -0400 [thread overview]
Message-ID: <1539271386.11939.79.camel@linux.ibm.com> (raw)
In-Reply-To: <20181004203007.217320-3-mjg59@google.com>
On Thu, 2018-10-04 at 13:30 -0700, Matthew Garrett wrote:
> Some filesystems may be able to provide hashes in an out of band manner,
> and allowing them to do so is a performance win. This is especially true
> of FUSE-based filesystems where otherwise we recalculate the hash on
> every measurement. Make use of this by default, but provide a parameter
> to force recalculation rather than trusting the filesystem.
>
> Signed-off-by: Matthew Garrett <mjg59@google.com>
Support for not calculating the file hash would need to be finer
grained than this, probably on a per mount basis. The default should
be for IMA to always calculate the file hash, unless explicitly told
not to.
> ---
> Documentation/admin-guide/kernel-parameters.txt | 5 +++++
> security/integrity/ima/ima_crypto.c | 11 +++++++++++
> 2 files changed, 16 insertions(+)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 92eb1f42240d..617ae0f83b14 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1612,6 +1612,11 @@
> different crypto accelerators. This option can be used
> to achieve best performance for particular HW.
>
> + ima.force_hash= [IMA] Force hash calculation in IMA
> + Format: <bool>
> + Always calculate hashes rather than trusting the
> + filesystem to provide them to us.
> +
> init= [KNL]
> Format: <full_path>
> Run specified binary instead of /sbin/init as init
> diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
> index 7e7e7e7c250a..f25259b2b6ec 100644
> --- a/security/integrity/ima/ima_crypto.c
> +++ b/security/integrity/ima/ima_crypto.c
> @@ -32,6 +32,10 @@ static unsigned long ima_ahash_minsize;
> module_param_named(ahash_minsize, ima_ahash_minsize, ulong, 0644);
> MODULE_PARM_DESC(ahash_minsize, "Minimum file size for ahash use");
>
> +static bool ima_force_hash;
> +module_param_named(force_hash, ima_force_hash, bool_enable_only, 0644);
> +MODULE_PARM_DESC(force_hash, "Always calculate hashes");
> +
> /* default is 0 - 1 page. */
> static int ima_maxorder;
> static unsigned int ima_bufsize = PAGE_SIZE;
> @@ -431,6 +435,13 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
> return -EINVAL;
> }
>
> + if (!ima_force_hash) {
IMA should never skip the file hash calculation if the filesystem is
an untrusted mount (eg. SB_I_UNTRUSTED_MOUNTER).
Mimi
> + hash->length = hash_digest_size[hash->algo];
> + rc = vfs_get_hash(file, hash->algo, hash->digest, hash->length);
> + if (!rc)
> + return 0;
> + }
> +
> i_size = i_size_read(file_inode(file));
>
> if (ima_ahash_minsize && i_size >= ima_ahash_minsize) {
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Matthew Garrett <mjg59@google.com>, linux-integrity@vger.kernel.org
Cc: dmitry.kasatkin@gmail.com, miklos@szeredi.hu,
linux-fsdevel@vger.kernel.org, viro@zeniv.linux.org.uk
Subject: Re: [PATCH 2/3] IMA: Make use of filesystem-provided hashes
Date: Thu, 11 Oct 2018 11:23:06 -0400 [thread overview]
Message-ID: <1539271386.11939.79.camel@linux.ibm.com> (raw)
Message-ID: <20181011152306.bk86EjNUKasMq8_4LQHcmgpCdKP71ugKEtxPJ0hV6eE@z> (raw)
In-Reply-To: <20181004203007.217320-3-mjg59@google.com>
On Thu, 2018-10-04 at 13:30 -0700, Matthew Garrett wrote:
> Some filesystems may be able to provide hashes in an out of band manner,
> and allowing them to do so is a performance win. This is especially true
> of FUSE-based filesystems where otherwise we recalculate the hash on
> every measurement. Make use of this by default, but provide a parameter
> to force recalculation rather than trusting the filesystem.
>
> Signed-off-by: Matthew Garrett <mjg59@google.com>
Support for not calculating the file hash would need to be finer
grained than this, probably on a per mount basis. The default should
be for IMA to always calculate the file hash, unless explicitly told
not to.
> ---
> Documentation/admin-guide/kernel-parameters.txt | 5 +++++
> security/integrity/ima/ima_crypto.c | 11 +++++++++++
> 2 files changed, 16 insertions(+)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 92eb1f42240d..617ae0f83b14 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1612,6 +1612,11 @@
> different crypto accelerators. This option can be used
> to achieve best performance for particular HW.
>
> + ima.force_hash= [IMA] Force hash calculation in IMA
> + Format: <bool>
> + Always calculate hashes rather than trusting the
> + filesystem to provide them to us.
> +
> init= [KNL]
> Format: <full_path>
> Run specified binary instead of /sbin/init as init
> diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
> index 7e7e7e7c250a..f25259b2b6ec 100644
> --- a/security/integrity/ima/ima_crypto.c
> +++ b/security/integrity/ima/ima_crypto.c
> @@ -32,6 +32,10 @@ static unsigned long ima_ahash_minsize;
> module_param_named(ahash_minsize, ima_ahash_minsize, ulong, 0644);
> MODULE_PARM_DESC(ahash_minsize, "Minimum file size for ahash use");
>
> +static bool ima_force_hash;
> +module_param_named(force_hash, ima_force_hash, bool_enable_only, 0644);
> +MODULE_PARM_DESC(force_hash, "Always calculate hashes");
> +
> /* default is 0 - 1 page. */
> static int ima_maxorder;
> static unsigned int ima_bufsize = PAGE_SIZE;
> @@ -431,6 +435,13 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
> return -EINVAL;
> }
>
> + if (!ima_force_hash) {
IMA should never skip the file hash calculation if the filesystem is
an untrusted mount (eg. SB_I_UNTRUSTED_MOUNTER).
Mimi
> + hash->length = hash_digest_size[hash->algo];
> + rc = vfs_get_hash(file, hash->algo, hash->digest, hash->length);
> + if (!rc)
> + return 0;
> + }
> +
> i_size = i_size_read(file_inode(file));
>
> if (ima_ahash_minsize && i_size >= ima_ahash_minsize) {
next prev parent reply other threads:[~2018-10-11 22:51 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-04 20:30 Allow FUSE filesystems to provide out-of-band hashes to IMA Matthew Garrett
2018-10-04 20:30 ` [PATCH 1/3] VFS: Add a call to obtain a file's hash Matthew Garrett
2018-10-11 15:22 ` Mimi Zohar
2018-10-11 15:22 ` Mimi Zohar
2018-10-11 18:21 ` Matthew Garrett
2018-10-11 18:24 ` Matthew Garrett
2018-10-11 18:37 ` Mimi Zohar
2018-10-11 18:37 ` Mimi Zohar
2018-10-11 18:43 ` Matthew Garrett
2018-10-04 20:30 ` [PATCH 2/3] IMA: Make use of filesystem-provided hashes Matthew Garrett
2018-10-11 15:23 ` Mimi Zohar [this message]
2018-10-11 15:23 ` Mimi Zohar
2018-10-11 20:30 ` Matthew Garrett
2018-10-11 23:03 ` Mimi Zohar
2018-10-12 18:31 ` Matthew Garrett
2018-10-15 1:38 ` Mimi Zohar
2018-10-15 1:38 ` Mimi Zohar
2018-10-15 18:46 ` Matthew Garrett
2018-10-16 13:16 ` Mimi Zohar
2018-10-16 13:16 ` Mimi Zohar
2018-10-04 20:30 ` [PATCH 3/3] FUSE: Allow filesystems to provide gethash methods Matthew Garrett
2018-10-05 10:49 ` Allow FUSE filesystems to provide out-of-band hashes to IMA Mimi Zohar
2018-10-05 10:49 ` Mimi Zohar
2018-10-05 17:26 ` Matthew Garrett
2018-10-05 18:18 ` Mimi Zohar
2018-10-05 19:25 ` Matthew Garrett
2018-10-08 11:25 ` Mimi Zohar
2018-10-08 11:25 ` Mimi Zohar
2018-10-08 20:19 ` Matthew Garrett
2018-10-08 22:40 ` Mimi Zohar
2018-10-08 22:40 ` Mimi Zohar
2018-10-09 17:21 ` Matthew Garrett
2018-10-09 18:04 ` Mimi Zohar
2018-10-09 19:29 ` Matthew Garrett
2018-10-09 20:52 ` Mimi Zohar
2018-10-09 21:32 ` Matthew Garrett
2018-10-10 11:09 ` Mimi Zohar
2018-10-10 11:09 ` Mimi Zohar
2018-10-10 16:19 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1539271386.11939.79.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=mjg59@google.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.