From: Mimi Zohar <zohar@linux.ibm.com>
To: Matthew Garrett <mjg59@google.com>, linux-integrity@vger.kernel.org
Cc: dmitry.kasatkin@gmail.com, miklos@szeredi.hu,
linux-fsdevel@vger.kernel.org, viro@zeniv.linux.org.uk
Subject: Re: [PATCH 2/3] IMA: Make use of filesystem-provided hashes
Date: Thu, 11 Oct 2018 11:23:06 -0400 [thread overview]
Message-ID: <1539271386.11939.79.camel@linux.ibm.com> (raw)
In-Reply-To: <20181004203007.217320-3-mjg59@google.com>
On Thu, 2018-10-04 at 13:30 -0700, Matthew Garrett wrote:
> Some filesystems may be able to provide hashes in an out of band manner,
> and allowing them to do so is a performance win. This is especially true
> of FUSE-based filesystems where otherwise we recalculate the hash on
> every measurement. Make use of this by default, but provide a parameter
> to force recalculation rather than trusting the filesystem.
>
> Signed-off-by: Matthew Garrett <mjg59@google.com>
Support for not calculating the file hash would need to be finer
grained than this, probably on a per mount basis. The default should
be for IMA to always calculate the file hash, unless explicitly told
not to.
> ---
> Documentation/admin-guide/kernel-parameters.txt | 5 +++++
> security/integrity/ima/ima_crypto.c | 11 +++++++++++
> 2 files changed, 16 insertions(+)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 92eb1f42240d..617ae0f83b14 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1612,6 +1612,11 @@
> different crypto accelerators. This option can be used
> to achieve best performance for particular HW.
>
> + ima.force_hash= [IMA] Force hash calculation in IMA
> + Format: <bool>
> + Always calculate hashes rather than trusting the
> + filesystem to provide them to us.
> +
> init= [KNL]
> Format: <full_path>
> Run specified binary instead of /sbin/init as init
> diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
> index 7e7e7e7c250a..f25259b2b6ec 100644
> --- a/security/integrity/ima/ima_crypto.c
> +++ b/security/integrity/ima/ima_crypto.c
> @@ -32,6 +32,10 @@ static unsigned long ima_ahash_minsize;
> module_param_named(ahash_minsize, ima_ahash_minsize, ulong, 0644);
> MODULE_PARM_DESC(ahash_minsize, "Minimum file size for ahash use");
>
> +static bool ima_force_hash;
> +module_param_named(force_hash, ima_force_hash, bool_enable_only, 0644);
> +MODULE_PARM_DESC(force_hash, "Always calculate hashes");
> +
> /* default is 0 - 1 page. */
> static int ima_maxorder;
> static unsigned int ima_bufsize = PAGE_SIZE;
> @@ -431,6 +435,13 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
> return -EINVAL;
> }
>
> + if (!ima_force_hash) {
IMA should never skip the file hash calculation if the filesystem is
an untrusted mount (eg. SB_I_UNTRUSTED_MOUNTER).
Mimi
> + hash->length = hash_digest_size[hash->algo];
> + rc = vfs_get_hash(file, hash->algo, hash->digest, hash->length);
> + if (!rc)
> + return 0;
> + }
> +
> i_size = i_size_read(file_inode(file));
>
> if (ima_ahash_minsize && i_size >= ima_ahash_minsize) {
next prev parent reply other threads:[~2018-10-11 22:51 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-04 20:30 Allow FUSE filesystems to provide out-of-band hashes to IMA Matthew Garrett
2018-10-04 20:30 ` [PATCH 1/3] VFS: Add a call to obtain a file's hash Matthew Garrett
2018-10-11 15:22 ` Mimi Zohar
2018-10-11 18:21 ` Matthew Garrett
2018-10-11 18:24 ` Matthew Garrett
2018-10-11 18:37 ` Mimi Zohar
2018-10-11 18:43 ` Matthew Garrett
2018-10-04 20:30 ` [PATCH 2/3] IMA: Make use of filesystem-provided hashes Matthew Garrett
2018-10-11 15:23 ` Mimi Zohar [this message]
2018-10-11 20:30 ` Matthew Garrett
2018-10-11 23:03 ` Mimi Zohar
2018-10-12 18:31 ` Matthew Garrett
2018-10-15 1:38 ` Mimi Zohar
2018-10-15 18:46 ` Matthew Garrett
2018-10-16 13:16 ` Mimi Zohar
2018-10-04 20:30 ` [PATCH 3/3] FUSE: Allow filesystems to provide gethash methods Matthew Garrett
2018-10-05 10:49 ` Allow FUSE filesystems to provide out-of-band hashes to IMA Mimi Zohar
2018-10-05 17:26 ` Matthew Garrett
2018-10-05 18:18 ` Mimi Zohar
2018-10-05 19:25 ` Matthew Garrett
2018-10-08 11:25 ` Mimi Zohar
2018-10-08 20:19 ` Matthew Garrett
2018-10-08 22:40 ` Mimi Zohar
2018-10-09 17:21 ` Matthew Garrett
2018-10-09 18:04 ` Mimi Zohar
2018-10-09 19:29 ` Matthew Garrett
2018-10-09 20:52 ` Mimi Zohar
2018-10-09 21:32 ` Matthew Garrett
2018-10-10 11:09 ` Mimi Zohar
2018-10-10 16:19 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1539271386.11939.79.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=mjg59@google.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).