From mboxrd@z Thu Jan 1 00:00:00 1970 From: James Bottomley Subject: Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) Date: Tue, 11 Aug 2020 11:28:29 -0700 Message-ID: <1597170509.4325.55.camel@HansenPartnership.com> References: <20200728213614.586312-1-deven.desai@linux.microsoft.com> <20200802115545.GA1162@bug> <20200802140300.GA2975990@sasha-vm> <20200802143143.GB20261@amd> <1596386606.4087.20.camel@HansenPartnership.com> <1596639689.3457.17.camel@HansenPartnership.com> <329E8DBA-049E-4959-AFD4-9D118DEB176E@gmail.com> <1597073737.3966.12.camel@HansenPartnership.com> <6E907A22-02CC-42DD-B3CD-11D304F3A1A8@gmail.com> <1597124623.30793.14.camel@HansenPartnership.com> <16C3BF97-A7D3-488A-9D26-7C9B18AD2084@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <16C3BF97-A7D3-488A-9D26-7C9B18AD2084@gmail.com> Sender: linux-block-owner@vger.kernel.org To: Chuck Lever Cc: Mimi Zohar , James Morris , Deven Bowers , Pavel Machek , Sasha Levin , snitzer@redhat.com, dm-devel@redhat.com, tyhicks@linux.microsoft.com, agk@redhat.com, Paul Moore , Jonathan Corbet , nramas@linux.microsoft.com, serge@hallyn.com, pasha.tatashin@soleen.com, Jann Horn , linux-block@vger.kernel.org, Al Viro , Jens Axboe , mdsakib@microsoft.com, open list , eparis@redhat.com, linux-security-module@vger.kernel.org, linux-audit@redhat.com, linux-fsdevel , linux-integrity@vger.kernel.org, jaskarankhurana@linu List-Id: dm-devel.ids On Tue, 2020-08-11 at 10:48 -0400, Chuck Lever wrote: > Mimi's earlier point is that any IMA metadata format that involves > unsigned digests is exposed to an alteration attack at rest or in > transit, thus will not provide a robust end-to-end integrity > guarantee. I don't believe that is Mimi's point, because it's mostly not correct: the xattr mechanism does provide this today. The point is the mechanism we use for storing IMA hashes and signatures today is xattrs because they have robust security properties for local filesystems that the kernel enforces. This use goes beyond IMA, selinux labels for instance use this property as well. What I think you're saying is that NFS can't provide the robust security for xattrs we've been relying on, so you need some other mechanism for storing them. I think Mimi's other point is actually that IMA uses a flat hash which we derive by reading the entire file and then watching for mutations. Since you cannot guarantee we get notice of mutation with NFS, the entire IMA mechanism can't really be applied in its current form and we have to resort to chunk at a time verifications that a Merkel tree would provide. Doesn't this make moot any thinking about standardisation in NFS for the current IMA flat hash mechanism because we simply can't use it ... If I were to construct a prototype I'd have to work out and securely cache the hash of ever chunk when verifying the flat hash so I could recheck on every chunk read. I think that's infeasible for large files. James From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.0 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 978B1C433E0 for ; Tue, 11 Aug 2020 22:08:43 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3B75B206C3 for ; Tue, 11 Aug 2020 22:08:42 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3B75B206C3 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=hansenpartnership.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linux-audit-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-63-PbobetkyONm7Gty2BCN5HQ-1; Tue, 11 Aug 2020 18:08:39 -0400 X-MC-Unique: PbobetkyONm7Gty2BCN5HQ-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 5F2CD107ACCA; Tue, 11 Aug 2020 22:08:36 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 017B08BB1B; Tue, 11 Aug 2020 22:08:36 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id CBC4B1809554; Tue, 11 Aug 2020 22:08:34 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 07BISgFB013603 for ; Tue, 11 Aug 2020 14:28:43 -0400 Received: by smtp.corp.redhat.com (Postfix) id 6934DF5AE2; Tue, 11 Aug 2020 18:28:42 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast03.extmail.prod.ext.rdu2.redhat.com [10.11.55.19]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 64C70F5AD1 for ; Tue, 11 Aug 2020 18:28:40 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 0A4AF80101A for ; Tue, 11 Aug 2020 18:28:40 +0000 (UTC) Received: from bedivere.hansenpartnership.com (bedivere.hansenpartnership.com [66.63.167.143]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-420-vWYaYfSDMWegKCPXyAIiJA-1; Tue, 11 Aug 2020 14:28:35 -0400 X-MC-Unique: vWYaYfSDMWegKCPXyAIiJA-1 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 12B4B8EE19D; Tue, 11 Aug 2020 11:28:32 -0700 (PDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zuQo8S5FYJFD; Tue, 11 Aug 2020 11:28:31 -0700 (PDT) Received: from [153.66.254.174] (c-73-35-198-56.hsd1.wa.comcast.net [73.35.198.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 7EF748EE149; Tue, 11 Aug 2020 11:28:30 -0700 (PDT) Message-ID: <1597170509.4325.55.camel@HansenPartnership.com> Subject: Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) From: James Bottomley To: Chuck Lever Date: Tue, 11 Aug 2020 11:28:29 -0700 In-Reply-To: <16C3BF97-A7D3-488A-9D26-7C9B18AD2084@gmail.com> References: <20200728213614.586312-1-deven.desai@linux.microsoft.com> <20200802115545.GA1162@bug> <20200802140300.GA2975990@sasha-vm> <20200802143143.GB20261@amd> <1596386606.4087.20.camel@HansenPartnership.com> <1596639689.3457.17.camel@HansenPartnership.com> <329E8DBA-049E-4959-AFD4-9D118DEB176E@gmail.com> <1597073737.3966.12.camel@HansenPartnership.com> <6E907A22-02CC-42DD-B3CD-11D304F3A1A8@gmail.com> <1597124623.30793.14.camel@HansenPartnership.com> <16C3BF97-A7D3-488A-9D26-7C9B18AD2084@gmail.com> Mime-Version: 1.0 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false; X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-loop: linux-audit@redhat.com X-Mailman-Approved-At: Tue, 11 Aug 2020 18:08:33 -0400 Cc: snitzer@redhat.com, Deven Bowers , Mimi Zohar , dm-devel@redhat.com, tyhicks@linux.microsoft.com, Pavel Machek , Paul, agk@redhat.com, Sasha Levin , Jonathan Corbet , James Morris , nramas@linux.microsoft.com, serge@hallyn.com, pasha.tatashin@soleen.com, Jann Horn , linux-block@vger.kernel.org, Al Viro , Jens Axboe , mdsakib@microsoft.com, open list , linux-security-module@vger.kernel.org, linux-audit@redhat.com, linux-fsdevel , linux-integrity@vger.kernel.org, jaskarankhurana@linux.microsoft.com X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On Tue, 2020-08-11 at 10:48 -0400, Chuck Lever wrote: > Mimi's earlier point is that any IMA metadata format that involves > unsigned digests is exposed to an alteration attack at rest or in > transit, thus will not provide a robust end-to-end integrity > guarantee. I don't believe that is Mimi's point, because it's mostly not correct: the xattr mechanism does provide this today. The point is the mechanism we use for storing IMA hashes and signatures today is xattrs because they have robust security properties for local filesystems that the kernel enforces. This use goes beyond IMA, selinux labels for instance use this property as well. What I think you're saying is that NFS can't provide the robust security for xattrs we've been relying on, so you need some other mechanism for storing them. I think Mimi's other point is actually that IMA uses a flat hash which we derive by reading the entire file and then watching for mutations. Since you cannot guarantee we get notice of mutation with NFS, the entire IMA mechanism can't really be applied in its current form and we have to resort to chunk at a time verifications that a Merkel tree would provide. Doesn't this make moot any thinking about standardisation in NFS for the current IMA flat hash mechanism because we simply can't use it ... If I were to construct a prototype I'd have to work out and securely cache the hash of ever chunk when verifying the flat hash so I could recheck on every chunk read. I think that's infeasible for large files. James -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_2 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 129F5C433DF for ; Tue, 11 Aug 2020 18:28:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id DDE032076C for ; Tue, 11 Aug 2020 18:28:34 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b="f8kSFMTU"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=hansenpartnership.com header.i=@hansenpartnership.com header.b="OSDLkaQV" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726115AbgHKS2e (ORCPT ); Tue, 11 Aug 2020 14:28:34 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:43170 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725889AbgHKS2d (ORCPT ); Tue, 11 Aug 2020 14:28:33 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 12B4B8EE19D; Tue, 11 Aug 2020 11:28:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1597170512; bh=3WEnw6QUJlA/ul3OQNUWXjoU13+yLZLQS09srF5MAho=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=f8kSFMTUDNJBODH89PuFjILL2FIdhsJg734xkqUR/cnDMS0KoMreMUczSAhnUyPMA FTeH0AYqaAUb8S0lZlH/2MKXOBNx4BiGB+ITLubur3uSRnr1jBTuyfUMErztSAvCOK o6mPwANArB0pQb+2/z1bhs18+blmHF0lRNFSsct0= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zuQo8S5FYJFD; Tue, 11 Aug 2020 11:28:31 -0700 (PDT) Received: from [153.66.254.174] (c-73-35-198-56.hsd1.wa.comcast.net [73.35.198.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 7EF748EE149; Tue, 11 Aug 2020 11:28:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1597170511; bh=3WEnw6QUJlA/ul3OQNUWXjoU13+yLZLQS09srF5MAho=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=OSDLkaQVZ4KRYf4a0s5X94LSMaapheTMG3B7iv1TDO9dOQ2MOULwugwtLeHe6qdeF qJgkWRBhCi9y0UIGoySKjkb+RHhMP2bUFkZ9nJkEdlUyNr1yc428zvmYrJhUC4gJZu kZoLKW8vwf99sZFDKUvV19sDo8EBD6kP0uULOtBM= Message-ID: <1597170509.4325.55.camel@HansenPartnership.com> Subject: Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) From: James Bottomley To: Chuck Lever Cc: Mimi Zohar , James Morris , Deven Bowers , Pavel Machek , Sasha Levin , snitzer@redhat.com, dm-devel@redhat.com, tyhicks@linux.microsoft.com, agk@redhat.com, Paul Moore , Jonathan Corbet , nramas@linux.microsoft.com, serge@hallyn.com, pasha.tatashin@soleen.com, Jann Horn , linux-block@vger.kernel.org, Al Viro , Jens Axboe , mdsakib@microsoft.com, open list , eparis@redhat.com, linux-security-module@vger.kernel.org, linux-audit@redhat.com, linux-fsdevel , linux-integrity@vger.kernel.org, jaskarankhurana@linux.microsoft.com Date: Tue, 11 Aug 2020 11:28:29 -0700 In-Reply-To: <16C3BF97-A7D3-488A-9D26-7C9B18AD2084@gmail.com> References: <20200728213614.586312-1-deven.desai@linux.microsoft.com> <20200802115545.GA1162@bug> <20200802140300.GA2975990@sasha-vm> <20200802143143.GB20261@amd> <1596386606.4087.20.camel@HansenPartnership.com> <1596639689.3457.17.camel@HansenPartnership.com> <329E8DBA-049E-4959-AFD4-9D118DEB176E@gmail.com> <1597073737.3966.12.camel@HansenPartnership.com> <6E907A22-02CC-42DD-B3CD-11D304F3A1A8@gmail.com> <1597124623.30793.14.camel@HansenPartnership.com> <16C3BF97-A7D3-488A-9D26-7C9B18AD2084@gmail.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.6 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org On Tue, 2020-08-11 at 10:48 -0400, Chuck Lever wrote: > Mimi's earlier point is that any IMA metadata format that involves > unsigned digests is exposed to an alteration attack at rest or in > transit, thus will not provide a robust end-to-end integrity > guarantee. I don't believe that is Mimi's point, because it's mostly not correct: the xattr mechanism does provide this today. The point is the mechanism we use for storing IMA hashes and signatures today is xattrs because they have robust security properties for local filesystems that the kernel enforces. This use goes beyond IMA, selinux labels for instance use this property as well. What I think you're saying is that NFS can't provide the robust security for xattrs we've been relying on, so you need some other mechanism for storing them. I think Mimi's other point is actually that IMA uses a flat hash which we derive by reading the entire file and then watching for mutations. Since you cannot guarantee we get notice of mutation with NFS, the entire IMA mechanism can't really be applied in its current form and we have to resort to chunk at a time verifications that a Merkel tree would provide. Doesn't this make moot any thinking about standardisation in NFS for the current IMA flat hash mechanism because we simply can't use it ... If I were to construct a prototype I'd have to work out and securely cache the hash of ever chunk when verifying the flat hash so I could recheck on every chunk read. I think that's infeasible for large files. James