From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:34958 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728164AbeJLCGM (ORCPT ); Thu, 11 Oct 2018 22:06:12 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w9BIW82I148011 for ; Thu, 11 Oct 2018 14:37:46 -0400 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0b-001b2d01.pphosted.com with ESMTP id 2n29jsqv7h-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 11 Oct 2018 14:37:45 -0400 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 11 Oct 2018 19:37:42 +0100 Subject: Re: [PATCH 1/3] VFS: Add a call to obtain a file's hash From: Mimi Zohar To: Matthew Garrett Cc: linux-integrity , Mimi Zohar , Dmitry Kasatkin , miklos@szeredi.hu, linux-fsdevel@vger.kernel.org, Alexander Viro Date: Thu, 11 Oct 2018 14:37:27 -0400 In-Reply-To: References: <20181004203007.217320-1-mjg59@google.com> <20181004203007.217320-2-mjg59@google.com> <1539271337.11939.78.camel@linux.ibm.com> Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Message-Id: <1539283047.11939.95.camel@linux.ibm.com> Sender: linux-integrity-owner@vger.kernel.org List-ID: On Thu, 2018-10-11 at 11:24 -0700, Matthew Garrett wrote: > On Thu, Oct 11, 2018 at 11:21 AM Matthew Garrett wrote: > > > > On Thu, Oct 11, 2018 at 8:22 AM Mimi Zohar wrote: > > > > > > This patch description starts out saying that IMA needs the file hash > > > without explaining why. Without that explanation, simply extracting > > > the file hash included in the file signature might sound plausible, > > > but kind of defeats the purpose of IMA. > > > > I'm not sure how it defeats the purpose - IMA wants to know the hash > > of a file so it can either log it or compare it against a signature, > > and it currently obtains this hash by reading the entire file at > > measurement time. If the filesystem later returns different data then > > IMA won't notice, which allows a malicious filesystem to bypass the > > measurements - there's no guarantee that we won't evict large parts of > > the copy of an executable that IMA read, and the filesystem can give > > us back a modified page when we page it back in. So IMA fundamentally > > relies on the filesystem to be trustworthy, and if we rely on the > > filesystem to be trustworthy then we should be able to rely on it to > > accurately store and provide the hash of a file. > > Oh, to clarify on the signature part of things - it would obviously be > inappropriate to, say, just read the hash out of security.ima and hand > that back. Right, reading it either directly or extracted from the file signature stored in security.ima. > But for a hypothetical case where the filesystem itself > verifies the signature, then the filesystem would abort the > transaction if the signature didn't match and it seems reasonable to > avoid doing the validation twice (once up front and then again on > every read) Right, this is a hypothetical scenario as far as I'm aware, since none of the filesystems are currently calculating and storing the file hash. The default should be for IMA to re-calculate the file hash. Mimi From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EBDC7C677FC for ; Thu, 11 Oct 2018 18:37:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C07F8204FD for ; Thu, 11 Oct 2018 18:37:47 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C07F8204FD Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.ibm.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-integrity-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728859AbeJLCGM (ORCPT ); Thu, 11 Oct 2018 22:06:12 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:34958 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728164AbeJLCGM (ORCPT ); Thu, 11 Oct 2018 22:06:12 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w9BIW82I148011 for ; Thu, 11 Oct 2018 14:37:46 -0400 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0b-001b2d01.pphosted.com with ESMTP id 2n29jsqv7h-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 11 Oct 2018 14:37:45 -0400 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 11 Oct 2018 19:37:42 +0100 Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194) by e06smtp04.uk.ibm.com (192.168.101.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 11 Oct 2018 19:37:40 +0100 Received: from d06av24.portsmouth.uk.ibm.com (d06av24.portsmouth.uk.ibm.com [9.149.105.60]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w9BIbdTG5243228 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 11 Oct 2018 18:37:39 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DCDF94203F; Thu, 11 Oct 2018 21:37:14 +0100 (BST) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E704442042; Thu, 11 Oct 2018 21:37:13 +0100 (BST) Received: from localhost.localdomain (unknown [9.80.86.29]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 11 Oct 2018 21:37:13 +0100 (BST) Subject: Re: [PATCH 1/3] VFS: Add a call to obtain a file's hash From: Mimi Zohar To: Matthew Garrett Cc: linux-integrity , Mimi Zohar , Dmitry Kasatkin , miklos@szeredi.hu, linux-fsdevel@vger.kernel.org, Alexander Viro Date: Thu, 11 Oct 2018 14:37:27 -0400 In-Reply-To: References: <20181004203007.217320-1-mjg59@google.com> <20181004203007.217320-2-mjg59@google.com> <1539271337.11939.78.camel@linux.ibm.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 18101118-0016-0000-0000-00000211D154 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18101118-0017-0000-0000-00003269494C Message-Id: <1539283047.11939.95.camel@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-10-11_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1810110175 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Message-ID: <20181011183727.76sTSWOk_YCkIeIbtgkqgHPagVP4n-48sSRrny557Mw@z> On Thu, 2018-10-11 at 11:24 -0700, Matthew Garrett wrote: > On Thu, Oct 11, 2018 at 11:21 AM Matthew Garrett wrote: > > > > On Thu, Oct 11, 2018 at 8:22 AM Mimi Zohar wrote: > > > > > > This patch description starts out saying that IMA needs the file hash > > > without explaining why. Without that explanation, simply extracting > > > the file hash included in the file signature might sound plausible, > > > but kind of defeats the purpose of IMA. > > > > I'm not sure how it defeats the purpose - IMA wants to know the hash > > of a file so it can either log it or compare it against a signature, > > and it currently obtains this hash by reading the entire file at > > measurement time. If the filesystem later returns different data then > > IMA won't notice, which allows a malicious filesystem to bypass the > > measurements - there's no guarantee that we won't evict large parts of > > the copy of an executable that IMA read, and the filesystem can give > > us back a modified page when we page it back in. So IMA fundamentally > > relies on the filesystem to be trustworthy, and if we rely on the > > filesystem to be trustworthy then we should be able to rely on it to > > accurately store and provide the hash of a file. > > Oh, to clarify on the signature part of things - it would obviously be > inappropriate to, say, just read the hash out of security.ima and hand > that back. Right, reading it either directly or extracted from the file signature stored in security.ima. > But for a hypothetical case where the filesystem itself > verifies the signature, then the filesystem would abort the > transaction if the signature didn't match and it seems reasonable to > avoid doing the validation twice (once up front and then again on > every read) Right, this is a hypothetical scenario as far as I'm aware, since none of the filesystems are currently calculating and storing the file hash.  The default should be for IMA to re-calculate the file hash. Mimi