[PATCH v5 0/8] ima: support fs-verity digests and signatures

Linux FSCRYPT development
 help / color / mirror / Atom feed

From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>,
	Eric Biggers <ebiggers@kernel.org>,
	Stefan Berger <stefanb@linux.ibm.com>,
	linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v5 0/8] ima: support fs-verity digests and signatures
Date: Fri, 11 Feb 2022 16:43:02 -0500	[thread overview]
Message-ID: <20220211214310.119257-1-zohar@linux.ibm.com> (raw)

Support for including fs-verity file digests and signatures in the IMA
measurement list as well as verifying the fs-verity file digest based
signatures, both based on IMA policy rules, was discussed prior to
fs-verity being upstreamed[1,2].

Support for including fs-verity file digests in the 'd-ng' template
field is based on a new policy rule option named 'digest_type=verity'.
A new template field named 'd-type' as well as a new template named
'ima-ngv2' are defined to differentiate between the regular IMA file
hashes from the fs-verity file digests (tree-hash based file hashes)
stored in the 'd-ng' template field of the measurement list.

A new signature version (v3) is defined as a hash of the 'ima_file_id'
struct, to disambiguate the signatures stored as 'security.ima' xattr.
The policy rule 'appraise_type=' option is extended to support 'sigv3',
which is initially limited to fs-verity.

The fs-verity 'appraise' rules are identified by the 'digest-type=verity'
option and require the 'appraise_type=sigv3' option.

Lastly, for IMA to differentiate between the original IMA signature
from an fs-verity signature a new 'xattr_type' named IMA_VERITY_DIGSIG
is defined.


[1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf
[2] Documentation/filesystems/fsverity.rst

Changelog v5:
- Define ima_max_digest_size struct, removing the locally defined versions.
- Don't overload the 'digest_type=verity' to imply a verity signature,
  but extend the 'appraise_type' policy rule option to define 'sigv3'.

Changelog v4:
- Based on Eric Bigger's signature verification concerns of replacing the
  contents of a file with the ima_file_id struct hash, require per policy
  rule signature versions.
- Addressed Eric Bigger's other comments.
- Added new audit messages "causes".
- Updated patch descriptions.

Changelog v3:
- Addressed Eric Bigger's comments: included Ack, incremented the
  signature format version, the crypto issues are generic and will be
  addressed by him separately.
- Addressed Vitaly Chikunov's comments: hard coded maximum digest size
  rather than using a flexible array, removed unnecessary assignment, and
  fixed comment to match variable name.
- Defined new "ima_max_digest_size" struct to avoid wrapping the
  "ima_digest_data" struct inside a function local structure or
  having to dynamically allocate it with enough memory for the specific
  hash algo size.

Changelog v2:
- Addressed Eric Bigger's comments: sign the hash of fsverity's digest
  and the digest's metadata, use match_string, use preferred function
  name fsverity_get_digest(), support including unsigned fs-verity's
  digests in the IMA measurement list.
- Remove signatures requirement for including fs-verity's file digests in
  the 'd-ng' field of the measurement list.

Changelog v1:
- Updated both fsverity and IMA documentation.
- Addressed both Eric Bigger's and Lakshmi's comments.

Mimi Zohar (8):
  ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS
  ima: define ima_max_digest_data struct without a flexible array
    variable
  fs-verity: define a function to return the integrity protected file
    digest
  ima: define a new template field 'd-type' and a new template
    'ima-ngv2'
  ima: permit fsverity's file digests in the IMA measurement list
  ima: define signature version 3
  ima: support fs-verity file digest based version 3 signatures
  fsverity: update the documentation

 Documentation/ABI/testing/ima_policy      |  30 +++++-
 Documentation/filesystems/fsverity.rst    |  22 +++--
 Documentation/security/IMA-templates.rst  |  11 ++-
 fs/verity/Kconfig                         |   1 +
 fs/verity/fsverity_private.h              |   7 --
 fs/verity/measure.c                       |  41 ++++++++
 include/linux/fsverity.h                  |  18 ++++
 security/integrity/digsig.c               |   3 +-
 security/integrity/ima/ima_api.c          |  49 ++++++++--
 security/integrity/ima/ima_appraise.c     | 112 +++++++++++++++++++++-
 security/integrity/ima/ima_init.c         |   5 +-
 security/integrity/ima/ima_main.c         |   7 +-
 security/integrity/ima/ima_policy.c       |  66 +++++++++++--
 security/integrity/ima/ima_template.c     |   3 +
 security/integrity/ima/ima_template_lib.c |  28 +++++-
 security/integrity/ima/ima_template_lib.h |   2 +
 security/integrity/integrity.h            |  39 +++++++-
 17 files changed, 388 insertions(+), 56 deletions(-)

-- 
2.27.0

next             reply	other threads:[~2022-02-11 21:43 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-02-11 21:43 Mimi Zohar [this message]
2022-02-11 21:43 ` [PATCH v5 1/8] ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS Mimi Zohar
2022-02-14 20:03   ` Stefan Berger
2022-02-15 18:11     ` Mimi Zohar
2022-02-11 21:43 ` [PATCH v5 2/8] ima: define ima_max_digest_data struct without a flexible array variable Mimi Zohar
2022-02-14 20:13   ` Stefan Berger
2022-02-11 21:43 ` [PATCH v5 3/8] fs-verity: define a function to return the integrity protected file digest Mimi Zohar
2022-02-23 23:59   ` Eric Biggers
2022-02-24  1:21     ` Mimi Zohar
2022-02-24  1:26       ` Eric Biggers
2022-02-24  1:27         ` Mimi Zohar
2022-02-11 21:43 ` [PATCH v5 4/8] ima: define a new template field 'd-type' and a new template 'ima-ngv2' Mimi Zohar
2022-02-14 20:38   ` Stefan Berger
2022-02-24  0:32   ` Eric Biggers
2022-02-24 16:16     ` Mimi Zohar
2022-02-24 18:46       ` Eric Biggers
2022-02-25 20:01         ` Mimi Zohar
2022-02-11 21:43 ` [PATCH v5 5/8] ima: permit fsverity's file digests in the IMA measurement list Mimi Zohar
2022-02-24  0:40   ` Eric Biggers
2022-03-17 15:58     ` Mimi Zohar
2022-02-11 21:43 ` [PATCH v5 6/8] ima: define signature version 3 Mimi Zohar
2022-02-24  0:50   ` Eric Biggers
2022-02-11 21:43 ` [PATCH v5 7/8] ima: support fs-verity file digest based version 3 signatures Mimi Zohar
2022-02-24  1:24   ` Eric Biggers
2022-03-17 15:46     ` Mimi Zohar
2022-02-11 21:43 ` [PATCH v5 8/8] fsverity: update the documentation Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220211214310.119257-1-zohar@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=ebiggers@kernel.org \
    --cc=linux-fscrypt@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stefanb@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox