From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
To: Roberto Sassu <roberto.sassu@huawei.com>
Cc: <zohar@linux.ibm.com>, <gregkh@linuxfoundation.org>,
<linux-integrity@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<linux-doc@vger.kernel.org>, <linux-kselftest@vger.kernel.org>,
<linux-kernel@vger.kernel.org>
Subject: Re: [RFC][PATCH v2 11/12] diglim: Remote Attestation
Date: Wed, 28 Jul 2021 14:47:28 +0200 [thread overview]
Message-ID: <20210728144728.62ace280@sal.lan> (raw)
In-Reply-To: <20210726163700.2092768-12-roberto.sassu@huawei.com>
Em Mon, 26 Jul 2021 18:36:59 +0200
Roberto Sassu <roberto.sassu@huawei.com> escreveu:
> Add more information about remote attestation with IMA and DIGLIM in
> Documentation/security/diglim/remote_attestation.rst.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
> Documentation/security/diglim/index.rst | 1 +
> .../security/diglim/remote_attestation.rst | 87 +++++++++++++++++++
> MAINTAINERS | 1 +
> 3 files changed, 89 insertions(+)
> create mode 100644 Documentation/security/diglim/remote_attestation.rst
>
> diff --git a/Documentation/security/diglim/index.rst b/Documentation/security/diglim/index.rst
> index 4771134c2f0d..0f28c5ad71c0 100644
> --- a/Documentation/security/diglim/index.rst
> +++ b/Documentation/security/diglim/index.rst
> @@ -10,3 +10,4 @@ Digest Lists Integrity Module (DIGLIM)
> introduction
> architecture
> implementation
> + remote_attestation
> diff --git a/Documentation/security/diglim/remote_attestation.rst b/Documentation/security/diglim/remote_attestation.rst
> new file mode 100644
> index 000000000000..83fd7581c460
> --- /dev/null
> +++ b/Documentation/security/diglim/remote_attestation.rst
> @@ -0,0 +1,87 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +Remote Attestation
> +==================
> +
> +When a digest list is added or deleted through the ``digest_list_add`` or
> +``digest_list_del`` interfaces, its buffer is sent to the IMA function
> +``ima_measure_critical_data()``. The primary reason for it is to calculate
> +the buffer digest, so that the digest list itself is searchable in the hash
> +table.
> +
> +``ima_measure_critical_data()`` can be also used to create a new
> +measurement entry each time this function is called, if there is an
> +appropriate rule in the IMA policy. Given that this function is called
> +during an addition or deletion of a digest list, a remote verifier can
> +infer from the measurement list precise information about what has been
> +uploaded to the kernel.
> +
> +To enable this functionality, the following rule must be added to the IMA
> +policy:
> +
> +::
As commented on other patches at this series, you can merge :: at the
previous text line, e. g.:
policy::
does the same as:
policy:
::
but it is nicer for text-only readers, IMO.
> +
> + measure func=CRITICAL_DATA label=diglim
> +
> +
> +When a file is uploaded, the workflow and the resulting IMA measurement
> +list are:
> +
> +.. code-block:: bash
> +
> + # echo $PWD/0-file_list-compact-cat > /sys/kernel/security/integrity/diglim/digest_list_add
> + # echo $PWD/0-file_list-compact-cat > /sys/kernel/security/integrity/diglim/digest_list_del
> + # cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements
> + ...
> + 10 <template digest> ima-buf sha256:<buffer digest> add_file_0-file_list-compact-cat <buffer>
> + 10 <template digest> ima-buf sha256:<buffer digest> del_file_0-file_list-compact-cat <buffer>
> +
> +When a buffer is uploaded, the workflow and the resulting IMA measurement
> +list are:
> +
> +.. code-block:: bash
> +
> + # echo 0-file_list-compact-cat > /sys/kernel/security/integrity/diglim/digest_label
> + # cat 0-file_list-compact-cat > /sys/kernel/security/integrity/diglim/digest_list_add
> + # echo 0-file_list-compact-cat > /sys/kernel/security/integrity/diglim/digest_label
> + # cat 0-file_list-compact-cat > /sys/kernel/security/integrity/diglim/digest_list_del
> + # cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements
> + ...
> + 10 <template digest> ima-buf sha256:<buffer digest> add_buffer_0-file_list-compact-cat <buffer>
> + 10 <template digest> ima-buf sha256:<buffer digest> del_buffer_0-file_list-compact-cat <buffer>
> +
> +In the second case, the digest list label must be set explicitly, as the
> +kernel cannot determine it by itself (in the first case it is derived from
> +the name of the file uploaded).
> +
> +The confirmation that the digest list has been processed by IMA can be
> +obtained by reading the ASCII representation of the digest list:
> +
> +.. code-block:: bash
> +
> + # cat /sys/kernel/security/integrity/diglim/digest_lists_loaded/sha256-<digest list digest>-0-file_list-compact-cat.ascii
> + actions: 1, version: 1, algo: sha256, type: 2, modifiers: 1, count: 1, datalen: 32
> + 87e5bd81850e11eeec2d3bb696b626b2a7f45673241cbbd64769c83580432869
> +
> +In this output, ``actions`` is set to 1 (``COMPACT_ACTION_IMA_MEASURED``
> +bit set).
> +
> +
> +DIGLIM guarantees that the information reported in the IMA measurement list
> +is complete. If digest list loading is not recorded, digest query results
> +are ignored by IMA. If the addition was recorded, deletion can be performed
> +only if also the deletion is recorded. This can be seen in the following
> +sequence of commands:
> +
> +.. code-block:: bash
> +
> + # echo 0-file_list-compact-cat > /sys/kernel/security/integrity/diglim/digest_label
> + # cat 0-file_list-compact-cat > /sys/kernel/security/integrity/diglim/digest_list_add
> + # echo 0-file_list-compact-cat > /sys/kernel/security/integrity/diglim/digest_label
> + # /tmp/cat 0-file_list-compact-cat > /sys/kernel/security/integrity/diglim/digest_list_del
> + diglim: actions mismatch, add: 1, del: 0
> + diglim: unable to upload generated digest list
> + /tmp/cat: write error: Invalid argument
> +
> +Digest list measurement is avoided with the execution of ``/tmp/cat``, for
> +which a dont_measure rule was previously added in the IMA policy.
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 0672128fae7f..a7c502685109 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -5461,6 +5461,7 @@ F: Documentation/security/diglim/architecture.rst
> F: Documentation/security/diglim/implementation.rst
> F: Documentation/security/diglim/index.rst
> F: Documentation/security/diglim/introduction.rst
> +F: Documentation/security/diglim/remote_attestation.rst
> F: include/linux/diglim.h
> F: include/uapi/linux/diglim.h
> F: security/integrity/diglim/diglim.h
next prev parent reply other threads:[~2021-07-28 12:47 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-26 16:36 [RFC][PATCH v2 00/12] integrity: Introduce DIGLIM Roberto Sassu
2021-07-26 16:36 ` [RFC][PATCH v2 01/12] diglim: Overview Roberto Sassu
2021-07-28 11:10 ` Mauro Carvalho Chehab
2021-07-28 11:40 ` Roberto Sassu
2021-07-26 16:36 ` [RFC][PATCH v2 02/12] diglim: Basic definitions Roberto Sassu
2021-07-27 14:43 ` Greg KH
2021-07-27 15:35 ` Roberto Sassu
2021-07-27 15:44 ` Greg KH
2021-07-27 16:09 ` Roberto Sassu
2021-07-27 16:13 ` Greg KH
2021-07-28 6:59 ` Roberto Sassu
2021-07-28 11:31 ` Mauro Carvalho Chehab
2021-07-28 11:45 ` Roberto Sassu
2021-07-28 13:08 ` Mauro Carvalho Chehab
2021-07-28 13:47 ` Roberto Sassu
2021-07-26 16:36 ` [RFC][PATCH v2 03/12] diglim: Objects Roberto Sassu
2021-07-28 11:38 ` Mauro Carvalho Chehab
2021-07-28 11:47 ` Roberto Sassu
2021-07-26 16:36 ` [RFC][PATCH v2 04/12] diglim: Methods Roberto Sassu
2021-07-28 12:18 ` Mauro Carvalho Chehab
2021-07-28 12:30 ` Roberto Sassu
2021-07-26 16:36 ` [RFC][PATCH v2 05/12] diglim: Parser Roberto Sassu
2021-07-28 12:35 ` Mauro Carvalho Chehab
2021-07-26 16:36 ` [RFC][PATCH v2 06/12] diglim: Interfaces - digest_list_add, digest_list_del Roberto Sassu
2021-07-28 12:38 ` Mauro Carvalho Chehab
2021-07-29 21:20 ` Mimi Zohar
2021-07-30 7:16 ` Roberto Sassu
2021-07-30 12:39 ` Mimi Zohar
2021-07-30 13:16 ` Roberto Sassu
2021-07-30 14:03 ` Mimi Zohar
2021-07-30 14:24 ` Roberto Sassu
2021-08-02 8:14 ` Roberto Sassu
2021-08-02 15:01 ` Mimi Zohar
2021-08-02 14:42 ` Mimi Zohar
2021-08-02 15:12 ` Roberto Sassu
2021-08-02 16:54 ` Roberto Sassu
2021-08-05 15:38 ` Mimi Zohar
2021-08-05 17:04 ` Roberto Sassu
2021-07-26 16:36 ` [RFC][PATCH v2 07/12] diglim: Interfaces - digest_lists_loaded Roberto Sassu
2021-07-26 16:36 ` [RFC][PATCH v2 08/12] diglim: Interfaces - digest_label Roberto Sassu
2021-07-26 16:36 ` [RFC][PATCH v2 09/12] diglim: Interfaces - digest_query Roberto Sassu
2021-07-26 16:36 ` [RFC][PATCH v2 10/12] diglim: Interfaces - digests_count Roberto Sassu
2021-07-28 12:45 ` Mauro Carvalho Chehab
2021-07-26 16:36 ` [RFC][PATCH v2 11/12] diglim: Remote Attestation Roberto Sassu
2021-07-28 12:47 ` Mauro Carvalho Chehab [this message]
2021-07-28 12:54 ` Roberto Sassu
2021-07-26 16:37 ` [RFC][PATCH v2 12/12] diglim: Tests Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210728144728.62ace280@sal.lan \
--to=mchehab+huawei@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.