From: Sush Shringarputale
Date: Mon, 14 Aug 2023 14:42:46 -0700
Subject: Re: [RFC] IMA Log Snapshotting Design Proposal
To: Mimi Zohar, linux-integrity@vger.kernel.org, peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca, kgold@linux.ibm.com, bhe@redhat.com, vgoyal@redhat.com, dyoung@redhat.com, kexec@lists.infradead.org, jmorris@namei.org, Paul Moore, serge@hallyn.com
Cc: code@tyhicks.com, nramas@linux.microsoft.com, Tushar Sugandhi, linux-security-module@vger.kernel.org
In-Reply-To: <277db5491460d5fd607785f2bcc733de39022a35.camel@linux.ibm.com>

Hello Mimi,

Thanks for your feedback on this.

On 8/11/2023 6:14 AM, Mimi Zohar wrote:
> Hi Sush, Tushar,
>
> On Tue, 2023-08-01 at 12:12 -0700, Sush Shringarputale wrote:
>> ================================================
>> | A. Problem Statement                         |
>> ================================================
>> Depending on the IMA policy, the IMA log can consume a lot of Kernel memory on
>> the device.  For instance, the events for the following IMA policy entries may
>> need to be measured in certain scenarios, but they can also lead to a verbose
>> IMA log when the device is running for a long period of time.
>> ┌───────────────────────────────────────┐
>> │# PROC_SUPER_MAGIC                     │
>> │measure fsmagic=0x9fa0                 │
>> │# SYSFS_MAGIC                          │
>> │measure fsmagic=0x62656572             │
>> │# DEBUGFS_MAGIC                        │
>> │measure fsmagic=0x64626720             │
>> │# TMPFS_MAGIC                          │
>> │measure fsmagic=0x01021994             │
>> │# RAMFS_MAGIC                          │
>> │measure fsmagic=0x858458f6             │
>> │# SECURITYFS_MAGIC                     │
>> │measure fsmagic=0x73636673             │
>> │# OVERLAYFS_MAGIC                      │
>> │measure fsmagic=0x794c7630             │
>> │# log, audit or tmp files              │
>> │measure obj_type=var_log_t             │
>> │measure obj_type=auditd_log_t          │
>> │measure obj_type=tmp_t                 │
>> └───────────────────────────────────────┘
>>
>> Secondly, certain devices are configured to take Kernel updates using Kexec
>> soft-boot.  The IMA log from the previous Kernel gets carried over and the
>> Kernel memory consumption problem worsens when such devices undergo multiple
>> Kexec soft-boots over a long period of time.
>>
>> The above two scenarios can cause IMA log to grow and consume Kernel memory.
>>
>> In addition, a large IMA log can add pressure on the network bandwidth when
>> the attestation client sends it to remote-attestation-service.
>>
>> Truncating IMA log to reclaim memory is not feasible, since it makes the log go
>> out of sync with the TPM PCR quote making remote attestation fail.
>>
>> A sophisticated solution is required which will help relieve the memory
>> pressure on the device and continue supporting remote attestation without
>> disruptions.
> If the problem is kernel memory, then using a single tmpfs file has
> already been proposed [1].  As entries are added to the measurement
> list, they are copied to the tmpfs file and removed from kernel memory.
> Userspace would still access the measurement list via the existing
> securityfs file.
>
> The IMA measurement list is a sequential file, allowing it to be read
> from an offset.  How much or how little of the measurement list is read
> by the attestation client and sent to the attestation server is up to
> the attestation client/server.
>
> If the problem is not kernel memory, but memory pressure in general,
> then instead of a tmpfs file, the measurement list could similarly be
> copied to a single persistent file [1].

The suggested approach in this RFC discussion using a vfs_tmpfile was
only discussed but no prototype was created back then.  We are
discussing the approach internally now and will respond with more
details about it.

>> -------------------------------------------------------------------------------
>> ================================================
>> | B. Proposed Solution                         |
>> ================================================
>> In this document, we propose an enhancement to the IMA subsystem to improve
>> the long-running performance by snapshotting the IMA log, while still
>> providing mechanisms to verify its integrity using the PCR quotes.
>>
>> The remainder of the document describes details of the proposed solution in the
>> following sub-sections.
>>    - High-level Work-flow
>>    - Snapshot Triggering Mechanism
>>    - Design Choices for Storing Snapshots
>>    - Attestation-Client and Remote-Attestation-Service Side Changes
>>    - Example Walk-through
>>    - Open Questions
>> -------------------------------------------------------------------------------
>> ================================================
>> | B.1 High-level Work-flow                     |
>> ================================================
>> Pre-requisites:
>> - IMA Integrity guarantees are maintained.
>>
>> The proposed high level work-flow of IMA log snapshotting is as follows:
>>
>> - A user-mode process will trigger the snapshot by opening a file in SysFS,
>>    say /sys/kernel/security/ima/snapshot (referred to as sysk_ima_snapshot_file
>>    here onwards).
> Please fix the mailer so that it doesn't wrap sentences.   Adding blank
> lines between bullets would improve readability.

Noted, will do.

>> - The Kernel will get the current TPM PCR values and PCR update counter [2]
>>    and store them as template data in a new IMA event "snapshot_aggregate".
>>    This event will be measured by IMA using critical data measurement
>>    functionality [1].  Recording regular IMA events will be paused while
>>    "snapshot_aggregate" is being computed using the existing IMA mutex lock.
>>
>> - Once the "snapshot_aggregate" is computed and measured in IMA log, the prior
>>    IMA events will be made available in the sysk_ima_snapshot_file.
>>
>> - The UM process will copy those IMA events from sysk_ima_snapshot_file to a
>>    snapshot file on disk chosen by UM (referred to as UM_snapshot_file here
>>    onwards).  The location, file-system type, access permissions etc. of the
>>    UM_snapshot_file would be controlled by UM process itself.
>>
>> - Once UM is done copying the IMA events from sysk_ima_snapshot_file to
>>    UM_snapshot_file, it will indicate to the Kernel that the snapshot can be
>>    finalized by triggering a write with any data to the sysk_ima_snapshot_file.
>>    UM process cannot prevent the IMA log purge operation after this point.
>>
>> - The Kernel will truncate the current IMA log and clear HTable up to the
>>    "snapshot_aggregate" marker.
>>
>> - The Kernel will measure the PCR update counter as part of measuring
>>    snapshot_aggregate, so that it can be used by the remote attestation service
>>    for detecting missing events.
>>
>> - UM can prevent the IMA log purge by closing the sysk_ima_snapshot_file
>>    without performing a write operation on it.  In this case, while the
>>    "snapshot_aggregate" marker may still be in the log, the event can be ignored
>>    since the previous entries in the IMA log will not be purged.
>>
>> Note:
>> - This work-flow should work when interleaved with Kexec 'load' and 'execute'
>>    events and should not cause IMA log + snapshot to go out of sync with PCR
>>    quotes.  The implementation details are omitted from this document for
>>    brevity.
> This design seems overly complex and requires synchronization between
> the "snapshot" record and exporting the records from the measurement
> list.  None of this would be necessary if the measurements were copied
> from kernel memory to a backing file (e.g. tmpfs), as described in [1].
>
> What is the real problem - kernel memory pressure, memory pressure in
> general, or disk space?  Is the intention to remove or offload the
> exported measurements?

The main concern is the memory pressure on both the kernel and the
attestation client when it sends the request.  The concern you bring up
is valid and we are working on creating a prototype.  There is no
intention to remove the exported measurements.

- Sush

> Concerns:
> - Pausing extending the measurement list.
>
> [1]
> https://lore.kernel.org/linux-integrity/CAOQ4uxj4Pv2Wr1wgvBCDR-tnA5dsZT3rvdDzKgAH1aEV_-r9Qg@mail.gmail.com/#t
>
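The B.1 work-flow quoted above implies a verifier that must replay every snapshot file and then the live log, checking each "snapshot_aggregate" marker as it goes. The following is a constructed model of that round trip, added here as an illustration and not code from the RFC, the kernel or any attestation service; the marker's template layout (PCR value followed by a 4-byte update counter), the single sha256 PCR bank and the assumption that IMA is the only extender of that PCR are mine.

```python
"""Constructed model of the B.1 snapshot workflow (not kernel code): a Device
that measures events into one sha256 PCR and snapshots its log, and the
attestation-side verifier that replays snapshot files + live log against a quote."""
import hashlib
from dataclasses import dataclass

DIGEST_LEN = 32
PCR_INIT = bytes(DIGEST_LEN)  # PCR 10 is all-zero at power-on
MARKER = "snapshot_aggregate"


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend for one bank: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


@dataclass(frozen=True)
class Event:
    name: str        # measured path, or MARKER for the snapshot record
    template: bytes  # template data; its hash is what gets extended

    @property
    def digest(self) -> bytes:
        return hashlib.sha256(self.template).digest()


def snapshot_aggregate(pcr: bytes, update_counter: int) -> Event:
    """Assumed template layout: PCR value || 4-byte big-endian update counter."""
    return Event(MARKER, pcr + update_counter.to_bytes(4, "big"))


class Device:
    """Kernel + TPM stand-in. Assumes IMA is the only extender of the PCR, so
    the TPM's PCR update counter equals the number of log entries so far."""

    def __init__(self) -> None:
        self.pcr, self.update_counter = PCR_INIT, 0
        self.log: list[Event] = []              # in-kernel measurement list
        self.snapshots: list[list[Event]] = []  # UM_snapshot_file contents

    def _record(self, ev: Event) -> None:
        self.log.append(ev)
        self.pcr = pcr_extend(self.pcr, ev.digest)
        self.update_counter += 1

    def measure(self, path: str, content: bytes) -> None:
        self._record(Event(path, hashlib.sha256(content).digest()))

    def snapshot(self) -> None:
        """B.1: read PCR + counter, record the marker, export prior events, purge."""
        marker = snapshot_aggregate(self.pcr, self.update_counter)
        prior = self.log[:]           # exposed via sysk_ima_snapshot_file
        self._record(marker)
        self.snapshots.append(prior)  # UM copies it to UM_snapshot_file
        self.log = [marker]           # kernel truncates up to the marker


def verify(snapshots: list[list[Event]], live_log: list[Event],
           quoted_pcr: bytes) -> tuple[bool, str]:
    """Attestation-service side: replay every snapshot file in order, then
    the live log, checking each marker's recorded counter and PCR."""
    pcr, extends = PCR_INIT, 0
    for ev in [e for part in snapshots + [live_log] for e in part]:
        if ev.name == MARKER:
            counter = int.from_bytes(ev.template[DIGEST_LEN:], "big")
            if counter != extends:  # fewer or more entries than the TPM saw
                return False, f"counter gap: marker says {counter}, replayed {extends}"
            if ev.template[:DIGEST_LEN] != pcr:
                return False, "marker PCR does not match replayed PCR"
        pcr = pcr_extend(pcr, ev.digest)
        extends += 1
    return pcr == quoted_pcr, "ok" if pcr == quoted_pcr else "final PCR != quote"
```

With a real TPM the update counter also advances for extends made by other PCR users, so a service would treat it as a lower bound on the expected entry count rather than demanding the equality this model uses.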