From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>,
Andreas Dilger <adilger@dilger.ca>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
lsf-pc@lists.linux-foundation.org
Subject: Re: [Lsf-pc] [LSF/MM TOPIC] fs-verity: file system-level integrity protection
Date: Tue, 30 Jan 2018 18:25:02 -0500 [thread overview]
Message-ID: <1517354702.3469.60.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180129230209.GA30762@thunk.org>
On Mon, 2018-01-29 at 18:02 -0500, Theodore Ts'o wrote:
> On Mon, Jan 29, 2018 at 07:09:01AM -0500, Mimi Zohar wrote:
> >
> > The LSM security_file_open hook is where fs-verity and IMA meet. The
> > fs-verity Merkle tree hash signature would be another IMA-appraisal
> > integrity verification method.
>
> I wasn't planning on using the file open hook for fs-verity at all,
> since the merkle hash signature is going to be cached in the per-file
> system inode --- e.g., for ext4, it would be stored in EXT4_I(inode),
> aka "struct ext4_inode_info".
Ok, so if not at open, at what point do you plan on validating the
merkle hash signature?
> > For those that are interested in attesting to the measurement list or
> > including the file hash/signatures in the audit log, the same
> > mechanisms that currently exist would be in place for using the fs-
> > verity merkle tree signature. The same mechanisms that are in place
> > for including file signatures in software packages could be re-used.
>
> This is *your* set of requiremnets, not mine. If it's easy to do,
> that's fine. But if it doesn't, piling on extra requirements which
> fs-verity can't meet is not a proof of fs-verity being not fit for
> purpose, at least some use cases (e.g,. the ones we are envisioning
> for fs-verity).
That didn't sound like requirements to me, but more a benefit
statement.
> Again, I'm not the one arguing for IMA/fs-verity integration, and
> while I am happy to work with IMA if at all possible, I am *not*
> interested in compromising the fs-verity use case, or adding vast
> amounts of complexity to fs-verity just to confirm to the IMA
> architecture. (That is, any complexity will need to be in optional
> userspace components, such as what I've been discussing with James to
> support his docker use case, or in the security/integrity subtree. I
> really *don't* want to deal with unnecessary complexity into fs/ext4,
> fs/f2fs, or fs/verity.)
I agree with you that the integrity architecture needs to be easily
extendsible to support different integrity authentication methods.
The list, below, is a set of fs-verity functions needed to be
exported for IMA. Hopefully I didn't miss anything.
> > Bringing it all together, what is needed?
> > - the signature of the Merkle tree hash
> > - a method for validating the signature
> > - a method for knowing if fs-verity is enabled on the system
> > A mode where fs-verity can not be disabled on the local, running
> > system, once enabled.
> > - lastly, a policy. Just because a file has a signature, does not
> > necessarily imply that it should be verified.
>
> So I want to support a very simple case where the policy is simply
> "the public key needed to verify the PKCS7 signing block is in a
> trusted keyring".
Which trusted keyring? How is the keyring populated? What prevents
other keys from being added to that keyring?
So the implied policy is that no signatures will be verified unless
userspace turns the bit on. So you're trust is based in userspace.
> If someone needs something more complex than the simple "key is in the
> trusted keyring", I'm happy to say that the right answer is to use the
> LSM hooks, and it should be straight forward to provide interfaces so
> that the LSM can determine that file system supports verity and the
> file has the verity bit set. The LSM could also apply additional
> restrictions (if the SELinux file type is supersekrit_t, then only a
> smaller set of keys will be allowed to be used to sign the PKCS7
> signature block).
Interesting, so there is an additional policy limiting which keys may
be used based on an LSM labels, if so desired.
> Is this sufficient to allow fs-verity the ability to use IMA, if the
> policy so requests it?
- A function to verify that the kernel supports and is currently enforcing verity.
- A function to know if the file is in policy and has a signature.
Different return codes.
- A function to force re-validation of the file signature.
- Access to the signature, wherever it might be stored, for inclusion
in the measurement list and audit log.
(- Possibly access to the public keys for the remote attestation
server.)
Mimi
next prev parent reply other threads:[~2018-01-30 23:25 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-25 19:11 [LSF/MM TOPIC] fs-verity: file system-level integrity protection Theodore Ts'o
2018-01-25 21:49 ` Chuck Lever
2018-01-25 23:39 ` Theodore Ts'o
2018-01-26 0:47 ` James Bottomley
2018-01-26 2:30 ` Theodore Ts'o
2018-01-26 4:50 ` James Bottomley
2018-01-26 14:58 ` Theodore Ts'o
2018-01-26 16:44 ` [Lsf-pc] " James Bottomley
2018-01-26 21:55 ` Theodore Ts'o
2018-01-27 7:58 ` Andreas Dilger
2018-01-27 16:19 ` James Bottomley
2018-01-27 17:08 ` James Bottomley
2018-01-28 2:46 ` Theodore Ts'o
2018-01-28 17:19 ` James Bottomley
2018-01-28 18:03 ` James Bottomley
2018-01-28 18:19 ` Chuck Lever
2018-01-29 6:39 ` James Bottomley
2018-01-29 15:22 ` Chuck Lever
2018-01-30 6:47 ` James Bottomley
2018-01-28 21:49 ` Theodore Ts'o
2018-01-28 22:49 ` Theodore Ts'o
2018-01-28 23:04 ` Mimi Zohar
2018-01-29 0:38 ` Theodore Ts'o
2018-01-29 1:53 ` Mimi Zohar
2018-01-29 2:38 ` Theodore Ts'o
2018-01-29 3:39 ` Mimi Zohar
2018-01-29 4:40 ` Theodore Ts'o
2018-01-29 4:50 ` Theodore Ts'o
2018-01-29 12:09 ` Mimi Zohar
2018-01-29 13:58 ` Mimi Zohar
2018-01-29 23:02 ` Theodore Ts'o
2018-01-30 23:25 ` Mimi Zohar [this message]
2018-01-31 16:05 ` Theodore Ts'o
2018-01-31 17:12 ` James Bottomley
2018-01-31 18:46 ` Theodore Ts'o
2018-01-31 20:41 ` James Bottomley
2018-02-01 0:03 ` Theodore Ts'o
2018-02-01 23:04 ` Dave Chinner
2018-02-01 23:43 ` Andreas Dilger
2018-02-02 0:13 ` Dave Chinner
2018-02-02 5:34 ` James Bottomley
2018-02-02 2:40 ` Theodore Ts'o
2018-02-02 9:05 ` Dave Chinner
2018-01-31 20:40 ` Mimi Zohar
2018-01-31 22:00 ` Theodore Ts'o
2018-02-01 15:17 ` Mimi Zohar
2018-01-29 0:21 ` James Bottomley
2018-01-29 1:03 ` Theodore Ts'o
2018-01-29 21:21 ` Andreas Dilger
2018-01-26 18:13 ` Mimi Zohar
2018-01-29 18:54 ` Michael Halcrow
2018-01-26 7:58 ` Colin Walters
2018-01-26 15:29 ` Theodore Ts'o
2018-01-26 16:40 ` Colin Walters
2018-01-26 16:49 ` [Lsf-pc] " James Bottomley
2018-01-26 17:05 ` Colin Walters
2018-01-26 17:54 ` Mimi Zohar
2018-02-02 0:02 ` Steve French
2018-02-07 13:04 ` David Gstir
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1517354702.3469.60.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=adilger@dilger.ca \
--cc=linux-fsdevel@vger.kernel.org \
--cc=lsf-pc@lists.linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).