linux-fsdevel.vger.kernel.org archive mirror
From: Mimi Zohar <zohar@linux.ibm.com>
To: "Theodore Y. Ts'o" <tytso@mit.edu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Dave Chinner <david@fromorbit.com>,
	Christoph Hellwig <hch@infradead.org>,
	"Darrick J. Wong" <darrick.wong@oracle.com>,
	Eric Biggers <ebiggers@kernel.org>,
	linux-fscrypt@vger.kernel.org,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	linux-ext4@vger.kernel.org,
	linux-f2fs-devel@lists.sourceforge.net,
	James Bottomley <James.Bottomley@HansenPartnership.com>
Subject: Re: Proposal: Yet another possible fs-verity interface
Date: Tue, 12 Feb 2019 08:06:52 -0500
Message-ID: <1549976812.12743.225.camel@linux.ibm.com>
In-Reply-To: <20190212053123.GR23000@mit.edu>

Hi Ted,

The context for my comments/questions was Linus' suggestions, which
you've removed.

On Tue, 2019-02-12 at 00:31 -0500, Theodore Y. Ts'o wrote:
> On Sun, Feb 10, 2019 at 09:06:55AM -0500, Mimi Zohar wrote:
> > For which files will the Merkle tree be created?  Is this for all
> > files on a per file system basis?  Or is there some sort of "flag" or
> > policy?  The original design was based on an ioctl enabling/disabling
> > a flag. In this new design, is there still an ioctl?
> 
> So for our first use case, it will be used for "privileged APK files"
> in Android.  You can think of this as a "setuid binary", effectively.

Yes, I understand that your primary goal hasn't changed.  Linus was
suggesting "the interface be made idempotent" to support "filesystems
that don't actually have any long-term storage model for the merkle
tree.  IOW, you could do the merkle tree calculation (and
verification) every time at bootup".  In that context, I asked whether
the Merkle tree file hash would be for every file on the filesystem or
not, and how to identify those files.

> > The existing file hashes included in the measurement list and the
> > audit log, are currently being used for remote attestation, forensics
> > and security analytics.

Again, the context for this comment was Linus' suggestion "each level
of the merkle tree needs to have a hash seeding thing or whatever."
Up to this point, I had assumed the Merkle tree file root hash could
be used as an identifier, similar to the file hash.  With his
suggestion, it sounds like the Merkle tree file root hash would be
system dependent, making it useless for the above usages.

> 
> IMA has a very different set of primary use cases than fsverity.

We need to differentiate IMA's method of calculating the file hash
from the IMA measurement list.  I totally agree there is a place
for both methods of calculating the file hash.  I am hoping that we
would be able to use the Merkle tree file root hash in the IMA
measurement list.  It makes no sense to have to calculate the file
hash for the measurement list, if you're using fs-verity.

Mimi
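As an added example, not code from this thread or from the kernel's fs-verity implementation: a simplified Merkle tree in Python that models the two points argued above, namely that an unseeded root digest is a function of the file contents alone and so can stand in for a file hash as a cross-system identifier, while a per-system seed hashed into every level makes the root system dependent. The 4096-byte block size, SHA-256, zero padding of short blocks and prepending the seed to every hashed block are assumptions modeled loosely on fs-verity; this is not its exact on-disk format or descriptor. The sample file is constructed inline.

```python
import hashlib

BLOCK_SIZE = 4096   # assumed data/tree block size (fs-verity's default is 4096)
DIGEST_SIZE = 32    # SHA-256 digest length
DIGESTS_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE   # 128 child digests per tree block


def hash_block(block: bytes, salt: bytes = b"") -> bytes:
    """Hash one block, zero-padded to BLOCK_SIZE. The optional salt is
    prepended to every block hashed; it stands in for a per-system seed
    mixed into each level, so the root then depends on the seed, not only
    on the file contents (an assumption, not the exact fs-verity layout)."""
    return hashlib.sha256(salt + block.ljust(BLOCK_SIZE, b"\0")).digest()


def build_tree(data: bytes, salt: bytes = b"") -> list:
    """Build the tree bottom-up. levels[0] holds one digest per data block;
    each higher level hashes blocks of concatenated child digests; levels[-1]
    is the single root digest. Empty data is modeled as one zero block."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
    levels = [[hash_block(b, salt) for b in blocks]]
    while len(levels[-1]) > 1:
        children = levels[-1]
        levels.append([
            hash_block(b"".join(children[i:i + DIGESTS_PER_BLOCK]), salt)
            for i in range(0, len(children), DIGESTS_PER_BLOCK)
        ])
    return levels


def merkle_root(data: bytes, salt: bytes = b"") -> bytes:
    """Root digest. With salt=b"" it depends on the contents alone, so it can
    serve as a file identifier across systems the way a plain file hash does."""
    return build_tree(data, salt)[-1][0]


def verify_block(levels: list, index: int, block: bytes, salt: bytes = b"") -> bool:
    """Verify one data block on demand against the stored tree, the way a
    verity-style read path does: hash the block, compare with the stored leaf
    digest, then re-hash each ancestor tree block up to the (trusted) root."""
    digest = hash_block(block, salt)
    for lvl in range(len(levels) - 1):
        if index >= len(levels[lvl]) or levels[lvl][index] != digest:
            return False
        parent = index // DIGESTS_PER_BLOCK
        siblings = levels[lvl][parent * DIGESTS_PER_BLOCK:(parent + 1) * DIGESTS_PER_BLOCK]
        digest = hash_block(b"".join(siblings), salt)
        index = parent
    return index == 0 and digest == levels[-1][0]


# Constructed sample file: exactly 130 blocks, so the tree needs three levels
# (130 leaf digests -> 2 tree blocks -> 1 root block).
SAMPLE = bytes(range(256)) * (130 * 16)


def demo() -> dict:
    tree = build_tree(SAMPLE)
    root = merkle_root(SAMPLE)
    seeded_root = merkle_root(SAMPLE, salt=b"per-system-seed")   # hypothetical seed
    fifth = SAMPLE[5 * BLOCK_SIZE:6 * BLOCK_SIZE]
    tampered = b"X" + fifth[1:]
    return {
        "levels": len(tree),
        "root_is_deterministic": root == merkle_root(SAMPLE),
        "seed_changes_root": seeded_root != root,
        "good_block_verifies": verify_block(tree, 5, fifth),
        "tampered_block_rejected": not verify_block(tree, 5, tampered),
        "root_hex": root.hex(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for a measurement list is the `salt` parameter: the same bytes give the same root on every machine only when nothing system specific is hashed in, and `verify_block` shows why the seed has to be present on every level rather than only at the root, since each tree block is re-hashed independently on the read path.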



Thread overview: 11+ messages
2019-02-07  3:11 Proposal: Yet another possible fs-verity interface Theodore Y. Ts'o
2019-02-08 19:10 ` James Bottomley
2019-02-09 20:38 ` Linus Torvalds
2019-02-10 14:06   ` Mimi Zohar
2019-02-12  5:31     ` Theodore Y. Ts'o
2019-02-12 13:06       ` Mimi Zohar [this message]
2019-02-12 17:24         ` Theodore Y. Ts'o
2019-02-12 18:42           ` [f2fs-dev] " Eric Biggers
2019-02-12  5:12   ` Theodore Y. Ts'o
2019-02-12 14:44     ` Mimi Zohar
2019-02-12 17:11       ` Theodore Y. Ts'o
