Re: [PATCH 0/1] KEYS: Measure keys in trusted keyring

[Mimi Zohar <zohar@linux.ibm.com>]

[Cc'ing Matthew Garrett]

On Tue, 2019-08-27 at 17:27 -0700, Lakshmi Ramasubramanian wrote:
> Created using linux v5.3.0-rc5
> 
> Motive:
> 
> Motive behind this patch set is to measure the public keys in
> the trusted keyring. If CONFIG_SECONDARY_TRUSTED_KEYRING is
> enabled then the trusted keys keyring is secondary_trusted_keys.
> Otherwise, the trusted keys keyring is builtin_trusted_keys.
> 
> Measurement of the trusted keys is an addition to
> the existing IMA measurements and not a replacement for it.
> 
> The measurement is enabled through the configuration value
> CONFIG_IMA_MEASURE_TRUSTED_KEYS. This configuration
> is turned OFF by default and have to opted in by the kernel
> builder.
> 
> Background:
> 
> Currently IMA measures file hashes and .ima signatures. IMA signatures
> are validated against keys in ".ima" keyring. If the kernel is built with
> CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY enabled,
> then all keys in ".ima" keyring must be signed by a key in
> ".builtin_trusted_keys" or ".secondary_trusted_keys" keyrings.
> 
> On systems with CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
> enabled, measuring keys in the  trusted keyring provides a mechanism
> to attest that the client's system binaries are indeed signed by signers
> that chain to known trusted keys.
> 
> Without this patch set, to attest the clients one needs to maintain
> an "allowed list" of file hashes of all versions of all client binaries
> that are deployed on the clients in the enterprise.  That is a huge
> operational challenge in a large scale environment of clients with
> heterogenous builds. This also limits scalability and agility of
> rolling out frequent client binary updates.

The purpose of the ima-sig template, which includes the file signature
and header containing the keyid, is to avoid needing to maintain a
white list as you described.
 
> 
> Current patch:
> 
> This patch set to measure the public keys in the trusted keys
> keyring is disabled by default and can be enabled with
> CONFIG_IMA_MEASURE_TRUSTED_KEYS. When this configuration is
> enabled, during boot IMA enumerates keys in the trusted keys
> keyring and measures them in the IMA log.
> 
> Questions and concerns raised by reviewers on this patch set:
> 
> Question 1:
> Is "Signed with a trusted key" equal to "Trusted file"?
> Doesn't the service need the hashes of the system files to determine
> whether a file is trusted or not?
> 
> "Signed with a trusted key" does not equal "Trusted"
> 
> Answer:
> Agree "Signed with a trusted key" may not equal "Trusted".
> To address this, the attesting service can maintain a small
> manageable set of bad hashes (a "Blocked list") and a list of
> trusted keys expected in client's trusted keys keyring.
> Using this data, the service can detect the presence of
> "Disallowed (untrusted) version of client binaries".
> 
> Question 2:
> Providing more data to the service (such as the keys in trusted keyring)
> empowers the service to deny access to clients (block clients).
> IMA walks a fine line in enforcing and measuring file integrity.
> This patchset breaches that fine line and in doing so brings back
> the fears of trusted computing.
> 
> Answer:
> Any new measurement we add in IMA will provide more data to service
> and can enable it to deny access to clients. It is not clear why
> this patch set would breach the fine line between measuring
> and enforcing.
> 
> Since this patch set is disabled by default and enabled through
> CONFIG_IMA_MEASURE_TRUSTED_KEYS, only those enterprises that
> require this new measurement can opt-in for it. Since it is disabled
> by default, it does not restrict the autonomy of independent users
> who are unaffected by attestation.

The concern isn't on the client side, but the server side.  Once the
ability of including measurements of keys on the builtin and/or
secondary keyrings on the client side exists, the attestation servers
can start requiring it.  Providing a means of disabling it on the
client side doesn't address this problem.

> 
> Question 3:
> IMA log already contains a pointer to the IMA keys used for signature
> verification. Why does the service need to care what keys were used
> to sign (install) the IMA keys? What is gained by measuring the keys
> in the trusted keyring?
> 
> Answer:
> To attest the clients using the current IMA log, service needs to maintain
> hashes of all the deployed versions of all the system binaries for their
> enterprise. This will introduce a very high operational overhead in
> a large scale environment of clients with heterogenous builds.
> This limits scalability and agility of rolling out frequent client
> binary updates.

No, there is no need for maintaining a binary hash white list.  The
attestation server requires a set of trusted keys used to sign
software.

The only reason for measuring the keys on the builtin and/or secondary
keyrings is to prevent system owners from signing and running
applications on their own systems.

Since you obviously disagree, I'd really like to hear other people's thoughts.

Mimi

> 
> On the other hand, with the current patch set, we will have IMA
> validate the file signature on the clients and the service validate
> that the IMA keys were installed using trusted keys.
> 
> This provides a chain of trust:
>     => IMA Key validates file signature on the client
>     => Key in the trusted keyring attests IMA key on the client
>     => Attestation service attests the trusted keys
>        reported by the client in the IMA log
> 
> This approach, therefore, would require the service to maintain
> a manageble set of trusted keys that it receives from a trusted source.
> And, verify if the clients only have keys from that set of trusted keys.
> 
> Question 4:
> Where will the attestation service receive the keys to validate against?
> 
> Answer:
> Attestation service will receive the keys from a trusted source such as
> the enterprise build services that provides the client builds.
> The service will use this set of keys to verify that the keys reported by
> the clients in the IMA log contains only keys from this trusted list.
> 
> Question 5:
> What is changing in the IMA log through this patch set?
> 
> Answer:
> This patch set does not remove any data that is currently included
> in the IMA log. It only adds more data to the IMA log - the data on
> keys in the trusted keyring
> 
> Lakshmi Ramasubramanian (1):
>   KEYS: Measure keys in trusted keyring
> 
>  certs/system_keyring.c            | 15 ++++++
>  include/keys/system_keyring.h     |  4 ++
>  include/linux/key.h               | 21 ++++++++
>  security/integrity/ima/Kconfig    | 14 ++++++
>  security/integrity/ima/ima_init.c | 84 +++++++++++++++++++++++++++++++
>  security/keys/keyring.c           | 63 +++++++++++++++++++++++
>  6 files changed, 201 insertions(+)
>