From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>,
Andreas Dilger <adilger@dilger.ca>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
lsf-pc@lists.linux-foundation.org
Subject: Re: [Lsf-pc] [LSF/MM TOPIC] fs-verity: file system-level integrity protection
Date: Mon, 29 Jan 2018 07:09:01 -0500 [thread overview]
Message-ID: <1517227741.29187.515.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180129045012.GB9516@thunk.org>
On Sun, 2018-01-28 at 23:50 -0500, Theodore Ts'o wrote:
> On Sun, Jan 28, 2018 at 10:39:10PM -0500, Mimi Zohar wrote:
> > At what point is the signature on the Merkle tree hash verified? I
> > can't imagine it being done every time a page is read. It must be
> > done and the result cached at file open.
>
> Sorry, I misread your question. The signature on the Merkle tree hash
> is verified the file is opened, and then validated Merkle tree hash is
> cached in the in-memory inode data structure.
Let's assume for the moment that there are valid, safe use cases for
fs-verity. (Defining under which circumstances the fs-verity
integrity verification method is safe to use, is a separate
discussion.)
The LSM security_file_open hook is where fs-verity and IMA meet. The
fs-verity Merkle tree hash signature would be another IMA-appraisal
integrity verification method.
For those that are interested in attesting to the measurement list or
including the file hash/signatures in the audit log, the same
mechanisms that currently exist would be in place for using the fs-
verity merkle tree signature. The same mechanisms that are in place
for including file signatures in software packages could be re-used.
Bringing it all together, what is needed?
- the signature of the Merkle tree hash
- a method for validating the signature
- a method for knowing if fs-verity is enabled on the system
A mode where fs-verity can not be disabled on the local, running
system, once enabled.
- lastly, a policy. Just because a file has a signature, does not
necessarily imply that it should be verified.
A decision was made years ago, at the time when LSMs "just" enforced
mandatory access control (MAC), that there would be a clear division
between integrity and MAC, totally independent of each other. Today,
LSMs do other things than enforce MAC, but this separation still
exists.
With Matthew Garrett's patch set this division will continue to exist,
but will be blurred by an LSM calling the integrity subsystem
directly.
Mimi
> This is similar to how we cache the per-file key in fscrypt; once the
> key is derived, we keep it in the inode cache until the inode is
> dropped from the inode cache, or after a userspace request to revoke
> all keys derived from a user's login key (which is triggered when the
> user logs out of their ChromeOS session).
>
> - Ted
>
next prev parent reply other threads:[~2018-01-29 12:09 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-25 19:11 [LSF/MM TOPIC] fs-verity: file system-level integrity protection Theodore Ts'o
2018-01-25 21:49 ` Chuck Lever
2018-01-25 23:39 ` Theodore Ts'o
2018-01-26 0:47 ` James Bottomley
2018-01-26 2:30 ` Theodore Ts'o
2018-01-26 4:50 ` James Bottomley
2018-01-26 14:58 ` Theodore Ts'o
2018-01-26 16:44 ` [Lsf-pc] " James Bottomley
2018-01-26 21:55 ` Theodore Ts'o
2018-01-27 7:58 ` Andreas Dilger
2018-01-27 16:19 ` James Bottomley
2018-01-27 17:08 ` James Bottomley
2018-01-28 2:46 ` Theodore Ts'o
2018-01-28 17:19 ` James Bottomley
2018-01-28 18:03 ` James Bottomley
2018-01-28 18:19 ` Chuck Lever
2018-01-29 6:39 ` James Bottomley
2018-01-29 15:22 ` Chuck Lever
2018-01-30 6:47 ` James Bottomley
2018-01-28 21:49 ` Theodore Ts'o
2018-01-28 22:49 ` Theodore Ts'o
2018-01-28 23:04 ` Mimi Zohar
2018-01-29 0:38 ` Theodore Ts'o
2018-01-29 1:53 ` Mimi Zohar
2018-01-29 2:38 ` Theodore Ts'o
2018-01-29 3:39 ` Mimi Zohar
2018-01-29 4:40 ` Theodore Ts'o
2018-01-29 4:50 ` Theodore Ts'o
2018-01-29 12:09 ` Mimi Zohar [this message]
2018-01-29 13:58 ` Mimi Zohar
2018-01-29 23:02 ` Theodore Ts'o
2018-01-30 23:25 ` Mimi Zohar
2018-01-31 16:05 ` Theodore Ts'o
2018-01-31 17:12 ` James Bottomley
2018-01-31 18:46 ` Theodore Ts'o
2018-01-31 20:41 ` James Bottomley
2018-02-01 0:03 ` Theodore Ts'o
2018-02-01 23:04 ` Dave Chinner
2018-02-01 23:43 ` Andreas Dilger
2018-02-02 0:13 ` Dave Chinner
2018-02-02 5:34 ` James Bottomley
2018-02-02 2:40 ` Theodore Ts'o
2018-02-02 9:05 ` Dave Chinner
2018-01-31 20:40 ` Mimi Zohar
2018-01-31 22:00 ` Theodore Ts'o
2018-02-01 15:17 ` Mimi Zohar
2018-01-29 0:21 ` James Bottomley
2018-01-29 1:03 ` Theodore Ts'o
2018-01-29 21:21 ` Andreas Dilger
2018-01-26 18:13 ` Mimi Zohar
2018-01-29 18:54 ` Michael Halcrow
2018-01-26 7:58 ` Colin Walters
2018-01-26 15:29 ` Theodore Ts'o
2018-01-26 16:40 ` Colin Walters
2018-01-26 16:49 ` [Lsf-pc] " James Bottomley
2018-01-26 17:05 ` Colin Walters
2018-01-26 17:54 ` Mimi Zohar
2018-02-02 0:02 ` Steve French
2018-02-07 13:04 ` David Gstir
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1517227741.29187.515.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=adilger@dilger.ca \
--cc=linux-fsdevel@vger.kernel.org \
--cc=lsf-pc@lists.linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).