From: Mimi Zohar <zohar@linux.ibm.com>
To: Matthew Garrett <mjg59@google.com>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
miklos@szeredi.hu, linux-fsdevel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH 1/3] VFS: Add a call to obtain a file's hash
Date: Thu, 11 Oct 2018 14:37:27 -0400 [thread overview]
Message-ID: <1539283047.11939.95.camel@linux.ibm.com> (raw)
In-Reply-To: <CACdnJuscqpk-48Ahb4nNHNxawPq53FLKbLAdmmhmN_pp=jdqDA@mail.gmail.com>
On Thu, 2018-10-11 at 11:24 -0700, Matthew Garrett wrote:
> On Thu, Oct 11, 2018 at 11:21 AM Matthew Garrett <mjg59@google.com> wrote:
> >
> > On Thu, Oct 11, 2018 at 8:22 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > >
> > > This patch description starts out saying that IMA needs the file hash
> > > without explaining why. Without that explanation, simply extracting
> > > the file hash included in the file signature might sound plausible,
> > > but kind of defeats the purpose of IMA.
> >
> > I'm not sure how it defeats the purpose - IMA wants to know the hash
> > of a file so it can either log it or compare it against a signature,
> > and it currently obtains this hash by reading the entire file at
> > measurement time. If the filesystem later returns different data then
> > IMA won't notice, which allows a malicious filesystem to bypass the
> > measurements - there's no guarantee that we won't evict large parts of
> > the copy of an executable that IMA read, and the filesystem can give
> > us back a modified page when we page it back in. So IMA fundamentally
> > relies on the filesystem to be trustworthy, and if we rely on the
> > filesystem to be trustworthy then we should be able to rely on it to
> > accurately store and provide the hash of a file.
>
> Oh, to clarify on the signature part of things - it would obviously be
> inappropriate to, say, just read the hash out of security.ima and hand
> that back.
Right, reading it either directly or extracted from the file signature
stored in security.ima.
> But for a hypothetical case where the filesystem itself
> verifies the signature, then the filesystem would abort the
> transaction if the signature didn't match and it seems reasonable to
> avoid doing the validation twice (once up front and then again on
> every read)
Right, this is a hypothetical scenario as far as I'm aware, since none
of the filesystems are currently calculating and storing the file
hash. The default should be for IMA to re-calculate the file hash.
Mimi
next prev parent reply other threads:[~2018-10-12 2:06 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-04 20:30 Allow FUSE filesystems to provide out-of-band hashes to IMA Matthew Garrett
2018-10-04 20:30 ` [PATCH 1/3] VFS: Add a call to obtain a file's hash Matthew Garrett
2018-10-11 15:22 ` Mimi Zohar
2018-10-11 18:21 ` Matthew Garrett
2018-10-11 18:24 ` Matthew Garrett
2018-10-11 18:37 ` Mimi Zohar [this message]
2018-10-11 18:43 ` Matthew Garrett
2018-10-04 20:30 ` [PATCH 2/3] IMA: Make use of filesystem-provided hashes Matthew Garrett
2018-10-11 15:23 ` Mimi Zohar
2018-10-11 20:30 ` Matthew Garrett
2018-10-11 23:03 ` Mimi Zohar
2018-10-12 18:31 ` Matthew Garrett
2018-10-15 1:38 ` Mimi Zohar
2018-10-15 18:46 ` Matthew Garrett
2018-10-16 13:16 ` Mimi Zohar
2018-10-04 20:30 ` [PATCH 3/3] FUSE: Allow filesystems to provide gethash methods Matthew Garrett
2018-10-05 10:49 ` Allow FUSE filesystems to provide out-of-band hashes to IMA Mimi Zohar
2018-10-05 17:26 ` Matthew Garrett
2018-10-05 18:18 ` Mimi Zohar
2018-10-05 19:25 ` Matthew Garrett
2018-10-08 11:25 ` Mimi Zohar
2018-10-08 20:19 ` Matthew Garrett
2018-10-08 22:40 ` Mimi Zohar
2018-10-09 17:21 ` Matthew Garrett
2018-10-09 18:04 ` Mimi Zohar
2018-10-09 19:29 ` Matthew Garrett
2018-10-09 20:52 ` Mimi Zohar
2018-10-09 21:32 ` Matthew Garrett
2018-10-10 11:09 ` Mimi Zohar
2018-10-10 16:19 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1539283047.11939.95.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=mjg59@google.com \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).