From: Theodore Ts'o <tytso@mit.edu>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>,
Andreas Dilger <adilger@dilger.ca>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
lsf-pc@lists.linux-foundation.org
Subject: Re: [Lsf-pc] [LSF/MM TOPIC] fs-verity: file system-level integrity protection
Date: Sun, 28 Jan 2018 19:38:43 -0500 [thread overview]
Message-ID: <20180129003842.GA29839@thunk.org> (raw)
In-Reply-To: <1517180692.29187.317.camel@linux.vnet.ibm.com>
On Sun, Jan 28, 2018 at 06:04:52PM -0500, Mimi Zohar wrote:
>
> Sigh, there seems to be some confusion. �Initially, when the Integrity
> Measurement Architecture (IMA) was first upstreamed, it only extended
> the trusted boot concept of measuring files before use up to the OS,
> but that was a long time ago. �Since then, IMA-appraisal was
> upstreamed, which extends the secure boot concept of verifying
> signatures up to the running OS.
Part of the problem is the documentation doesn't make any of this at
all clear. Indeed, I'll note that Documentation/ABI/testing/ima_policy
still talks about using file system magic numbers to determine whether
or not files should be measured, and I've been given to understand you're using
a per-filesytsem flag now.
The documentation seems to strongly imply that in order to be secure,
you can't use IMA by itself, you have to use EVM as well. Exactly
which components can be used independently is not clear, and
apparently I made the wrong guesses when trying to read through the
Linux-IMA wiki pages as well as the Gentoo pages on IMA and EVM.
Maybe it's just the documentation is badly written, but it leaves the
impression of *extreme* complexity.
I did try to play with it, but ima-evm-utils aren't packaged for
Debian, and when I tried building from source, they apparently don't
even build on Debian Testing. (Sorry, I don't use RHEL for my
development systems.) And I'll note the Gentoo pages warn, "don't use
on production systems". All of which do not make for a good first
look for IMA.
> Enabling IMA doesn't automatically require SELinux or any other LSM
> labels. �The rule granularity is up to you.
Yes, but if I only want to have a dozen or so files to be data
integrity protect, it appears that it's not simple to do, *without*
using SELinux. And anytime SELinux and "simple" go in the same
sentence, I weep a little. Every few years I try configuring SELinux
on Debian development laptop. And I conclude that I'm too stupid for
to configure SELinux.
- Ted
next prev parent reply other threads:[~2018-01-29 0:38 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-25 19:11 [LSF/MM TOPIC] fs-verity: file system-level integrity protection Theodore Ts'o
2018-01-25 21:49 ` Chuck Lever
2018-01-25 23:39 ` Theodore Ts'o
2018-01-26 0:47 ` James Bottomley
2018-01-26 2:30 ` Theodore Ts'o
2018-01-26 4:50 ` James Bottomley
2018-01-26 14:58 ` Theodore Ts'o
2018-01-26 16:44 ` [Lsf-pc] " James Bottomley
2018-01-26 21:55 ` Theodore Ts'o
2018-01-27 7:58 ` Andreas Dilger
2018-01-27 16:19 ` James Bottomley
2018-01-27 17:08 ` James Bottomley
2018-01-28 2:46 ` Theodore Ts'o
2018-01-28 17:19 ` James Bottomley
2018-01-28 18:03 ` James Bottomley
2018-01-28 18:19 ` Chuck Lever
2018-01-29 6:39 ` James Bottomley
2018-01-29 15:22 ` Chuck Lever
2018-01-30 6:47 ` James Bottomley
2018-01-28 21:49 ` Theodore Ts'o
2018-01-28 22:49 ` Theodore Ts'o
2018-01-28 23:04 ` Mimi Zohar
2018-01-29 0:38 ` Theodore Ts'o [this message]
2018-01-29 1:53 ` Mimi Zohar
2018-01-29 2:38 ` Theodore Ts'o
2018-01-29 3:39 ` Mimi Zohar
2018-01-29 4:40 ` Theodore Ts'o
2018-01-29 4:50 ` Theodore Ts'o
2018-01-29 12:09 ` Mimi Zohar
2018-01-29 13:58 ` Mimi Zohar
2018-01-29 23:02 ` Theodore Ts'o
2018-01-30 23:25 ` Mimi Zohar
2018-01-31 16:05 ` Theodore Ts'o
2018-01-31 17:12 ` James Bottomley
2018-01-31 18:46 ` Theodore Ts'o
2018-01-31 20:41 ` James Bottomley
2018-02-01 0:03 ` Theodore Ts'o
2018-02-01 23:04 ` Dave Chinner
2018-02-01 23:43 ` Andreas Dilger
2018-02-02 0:13 ` Dave Chinner
2018-02-02 5:34 ` James Bottomley
2018-02-02 2:40 ` Theodore Ts'o
2018-02-02 9:05 ` Dave Chinner
2018-01-31 20:40 ` Mimi Zohar
2018-01-31 22:00 ` Theodore Ts'o
2018-02-01 15:17 ` Mimi Zohar
2018-01-29 0:21 ` James Bottomley
2018-01-29 1:03 ` Theodore Ts'o
2018-01-29 21:21 ` Andreas Dilger
2018-01-26 18:13 ` Mimi Zohar
2018-01-29 18:54 ` Michael Halcrow
2018-01-26 7:58 ` Colin Walters
2018-01-26 15:29 ` Theodore Ts'o
2018-01-26 16:40 ` Colin Walters
2018-01-26 16:49 ` [Lsf-pc] " James Bottomley
2018-01-26 17:05 ` Colin Walters
2018-01-26 17:54 ` Mimi Zohar
2018-02-02 0:02 ` Steve French
2018-02-07 13:04 ` David Gstir
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180129003842.GA29839@thunk.org \
--to=tytso@mit.edu \
--cc=James.Bottomley@HansenPartnership.com \
--cc=adilger@dilger.ca \
--cc=linux-fsdevel@vger.kernel.org \
--cc=lsf-pc@lists.linux-foundation.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).