From: Theodore Ts'o <tytso@mit.edu>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Andreas Dilger <adilger@dilger.ca>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
lsf-pc@lists.linux-foundation.org
Subject: Re: [Lsf-pc] [LSF/MM TOPIC] fs-verity: file system-level integrity protection
Date: Sun, 28 Jan 2018 20:03:21 -0500 [thread overview]
Message-ID: <20180129010321.GB29839@thunk.org> (raw)
In-Reply-To: <1517185319.3082.92.camel@HansenPartnership.com>
On Sun, Jan 28, 2018 at 04:21:59PM -0800, James Bottomley wrote:
> OK, so I don't believe that to be true either. �Secure Boot was
> something we did based on MS mandated technologies and something *some*
> people though we had to impose strange policies over to please MS.
> �However, IMA was never part of that secure boot solution, so trying to
> tar it with the same brush is unfair (and inaccurate).
This was based on an assertion Mimi made that we had to do the full
data checksum verification at file open time due to requirements of
Trusted Boot. I know I am incredibility privileged in that I don't
have to worry about Trusted Boot, so I don't have any personal
knowledge one way or another; this was a claim articulated by Mimi.
> The question I'm poking at is how integrity is enforced. �Right at the
> moment it's a small number of security hooks but they're on the fops
> gates (exec and the like). �To verify a per page hash, they'd have to
> be in the mm subsystem as well (regardless of whether it's IMA or fs-
> verity doing it) ... unless you're planning to ignore all the security
> hooks as well.
The fs-verity design plumbs this into the file system's readpage
methods, just like we do with fs/crypto. Again, the idea was to make
something easy to use that would require minimal changes to the file
system (just as minimal changes are needed for fscrypt), and where you
could query the file to see if the verity bit is set, and that would
be the hook for the LSM's --- if you want to use LSM's. Essentially
the file system would provide the mechanism (data integrity
verification cleanly hooked into the file system's readpage method)
and the policy could be done using an LSM, but it could potentially be
done via other, more simpler mechanisms.
I think one of the things that made IMA challenging was that it was a
separate, foreign body that was stapled on top of the file system.
We're using a different approach, where it is integrated into the file
system, which makes the avoidance of locking problems *much* simpler,
since we're not trying to do file reads triggered by LSM hooks.
> > So in my opinion, clean design of the kernel trumps the requirement
> > of "not one change, not one jot, in the Docker client".
>
> OK, bad example on my part, thanks to runc and containerd I don't give
> much of a toss about the docker client. �I care much more about
> compliance with the container runtime standard. �At it's base that has
> anything you can do to tar is fine because it uses tar to define the
> image. �I buy that we can modify tools easily, but the same doesn't
> apply to standards.
OK, so what you care about the is the file format. Yes?
So if there as a solution which enapculated the information needed to
create the fs-verity header and the PKCS7 signature in an xattr ---
which is how you carry it around in the tar image --- and when the
tarfile is unpacked, the software which does the unpacking calls a
library which checks for the xattr, removes it, writes out the
fsverity header and Merkle tree, and then calls the ioctl which sets
the "verity" bit, thus instantiating the data integrity protection,
would this meet your requirements?
In other words, the xattr in the tar file is just the method for
carrying the information; and (a) it is not how the information would
be stored in the underlying file system when it is actually used, and
(b) it requires the userspace code to do this transformation, so we
don't have to build the Merkle tree in the kernel. Is this sufficient
for your container use case?
Whether we require IMA as a dependency for fs-verity then because a
separable question, and I think that basically boils down to (a) what
value-add does using IMA bring to fs-verity, and (b) what complexity
does IMA impose on fs-verity. That's a pretty simple cost benefit
analysis. And if the IMA integration is optional, that might be the
best win-win scenario. People who want the extra value of IMA, can
pay the costs (which might include the complexity burden imposed by
inadequate documentation), and those that don't, can skip it.
- Ted
next prev parent reply other threads:[~2018-01-29 1:03 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-25 19:11 [LSF/MM TOPIC] fs-verity: file system-level integrity protection Theodore Ts'o
2018-01-25 21:49 ` Chuck Lever
2018-01-25 23:39 ` Theodore Ts'o
2018-01-26 0:47 ` James Bottomley
2018-01-26 2:30 ` Theodore Ts'o
2018-01-26 4:50 ` James Bottomley
2018-01-26 14:58 ` Theodore Ts'o
2018-01-26 16:44 ` [Lsf-pc] " James Bottomley
2018-01-26 21:55 ` Theodore Ts'o
2018-01-27 7:58 ` Andreas Dilger
2018-01-27 16:19 ` James Bottomley
2018-01-27 17:08 ` James Bottomley
2018-01-28 2:46 ` Theodore Ts'o
2018-01-28 17:19 ` James Bottomley
2018-01-28 18:03 ` James Bottomley
2018-01-28 18:19 ` Chuck Lever
2018-01-29 6:39 ` James Bottomley
2018-01-29 15:22 ` Chuck Lever
2018-01-30 6:47 ` James Bottomley
2018-01-28 21:49 ` Theodore Ts'o
2018-01-28 22:49 ` Theodore Ts'o
2018-01-28 23:04 ` Mimi Zohar
2018-01-29 0:38 ` Theodore Ts'o
2018-01-29 1:53 ` Mimi Zohar
2018-01-29 2:38 ` Theodore Ts'o
2018-01-29 3:39 ` Mimi Zohar
2018-01-29 4:40 ` Theodore Ts'o
2018-01-29 4:50 ` Theodore Ts'o
2018-01-29 12:09 ` Mimi Zohar
2018-01-29 13:58 ` Mimi Zohar
2018-01-29 23:02 ` Theodore Ts'o
2018-01-30 23:25 ` Mimi Zohar
2018-01-31 16:05 ` Theodore Ts'o
2018-01-31 17:12 ` James Bottomley
2018-01-31 18:46 ` Theodore Ts'o
2018-01-31 20:41 ` James Bottomley
2018-02-01 0:03 ` Theodore Ts'o
2018-02-01 23:04 ` Dave Chinner
2018-02-01 23:43 ` Andreas Dilger
2018-02-02 0:13 ` Dave Chinner
2018-02-02 5:34 ` James Bottomley
2018-02-02 2:40 ` Theodore Ts'o
2018-02-02 9:05 ` Dave Chinner
2018-01-31 20:40 ` Mimi Zohar
2018-01-31 22:00 ` Theodore Ts'o
2018-02-01 15:17 ` Mimi Zohar
2018-01-29 0:21 ` James Bottomley
2018-01-29 1:03 ` Theodore Ts'o [this message]
2018-01-29 21:21 ` Andreas Dilger
2018-01-26 18:13 ` Mimi Zohar
2018-01-29 18:54 ` Michael Halcrow
2018-01-26 7:58 ` Colin Walters
2018-01-26 15:29 ` Theodore Ts'o
2018-01-26 16:40 ` Colin Walters
2018-01-26 16:49 ` [Lsf-pc] " James Bottomley
2018-01-26 17:05 ` Colin Walters
2018-01-26 17:54 ` Mimi Zohar
2018-02-02 0:02 ` Steve French
2018-02-07 13:04 ` David Gstir
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180129010321.GB29839@thunk.org \
--to=tytso@mit.edu \
--cc=James.Bottomley@HansenPartnership.com \
--cc=adilger@dilger.ca \
--cc=linux-fsdevel@vger.kernel.org \
--cc=lsf-pc@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).