linux-integrity.vger.kernel.org archive mirror
From: Mimi Zohar <zohar@linux.ibm.com>
To: Ken Goldman <kgold@linux.ibm.com>,
	Linux Integrity <linux-integrity@vger.kernel.org>,
	Ken Goldman <kgoldman@us.ibm.com>,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: Re: Spec needed for ima-modsig template
Date: Mon, 06 Jan 2020 12:18:27 -0500
Message-ID: <1578331107.5222.77.camel@linux.ibm.com>
In-Reply-To: <7958a6d2-d7ca-98b2-55b7-def1675fb674@linux.ibm.com>

[Cc'ing Roberto]

On Mon, 2020-01-06 at 09:27 -0500, Ken Goldman wrote:
> On 1/4/2020 6:32 PM, Mimi Zohar wrote:
> > The "ima-modsig" template may include the "sig" and/or the "modsig"
> > fields.  As the "d-modsig" and "modsig" are tied together, either both
> > are defined or neither are defined.  The file hash ("d-ng") must
> > always exist.
> That's clear for the predefined (is there a formal term for them?) 
> templates.  How would this be specified when IMA permits custom templates?

"predefined" is fine, or "builtin".

> 
> E.g., I can create a template 'modsig', I have the signature but not the 
> file data hash.  I can create a template 'd-modsig' that has the file
> data hash but no signature.

That should be flagged as an error.

> 
> With custom templates, the attacker can create any IMA log, and the 
> parser has to handle it.
> 
> Note:  When you say "either both are defined or neither is defined", 
> this may be enforced by the official IMA code.  However, the attacker is 
> free to modify the IMA code to send any log it likes.  The parser has to 
> know what to do.

An attacker shouldn't be able to spoof the PCR quote.  As previously
discussed, the verifier should first walk the measurement list
calculating the PCR values.  Only if the PCRs match, should the
verifier attempt to parse the individual template data records.

> 
> That is, an event log specification (which I'm trying to write) has to 
> state precisely what the dependencies are and what should be rejected. 
> For example, it might say (if this is correct):
> 
> 1 - If d-modsig is present, modsig MUST be present.  Else error.
> 2 - If modsig is present, d-modsig MUST be present.

Yes

> 3 - If ???, d-ng MUST be present.

Templates were designed to be extensible, allowing new fields to be
defined and combined.  I can't say definitively that there will never
be a case when the "d-ng" field isn't needed, but at least for the
moment that is the case.  Perhaps with IMA fs-verity support, only a
digest and signature, based on the merkle tree file hash will be
needed.

Mimi
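
An added example (not code from this thread, from the kernel, or from
ima-evm-utils): a small Python verifier for the binary IMA measurement list
that follows the order Mimi describes above. It replays the PCR from the
template digests first and refuses to look at template data unless the
replay matches the quoted value; only then does it check each record's
template data against its template digest and apply the ima-modsig field
rules from the thread (d-ng always present; d-modsig and modsig either both
present or both absent). Custom templates are handled too: IMA writes a
custom template to the log under its format string, so Ken's hypothetical
"modsig" and "d-modsig" templates show up under exactly those names. The
example assumes the sha1 bank layout of binary_runtime_measurements (u32
pcr, 20-byte template digest, u32 name length, name, u32 data length,
data) and skips the legacy "ima" template; every log record, digest, path
and signature blob below is a constructed stand-in, and the quoted PCR is
simply whatever value the caller obtained from the TPM quote.

```python
import hashlib
import struct

# Builtin names map to fixed field lists; a custom template is logged under its
# format string, so Ken's "modsig" / "d-modsig" templates appear under those names.
BUILTIN_TEMPLATES = {"ima-ng": "d-ng|n-ng", "ima-sig": "d-ng|n-ng|sig",
                     "ima-buf": "d-ng|n-ng|buf", "ima-modsig": "d-ng|n-ng|sig|d-modsig|modsig"}
BANK = "sha1"  # assumption: the sha1 bank view of binary_runtime_measurements
DSIZE = hashlib.new(BANK).digest_size

def template_fields(name):
    return BUILTIN_TEMPLATES.get(name, name).split("|")

def _take(buf, off, n):  # bounds-checked slice: never trust a length read from the log
    if off + n > len(buf):
        raise ValueError("truncated record at offset %d" % off)
    return buf[off:off + n], off + n

def _u32(buf, off):
    return struct.unpack("<I", _take(buf, off, 4)[0])[0], off + 4

def pack_fields(fields):
    # Non-"ima" templates store u32 length || data per field; an absent field
    # (e.g. no appended signature on this file) is written with length 0.
    return b"".join(struct.pack("<I", len(f)) + f for f in fields)

def split_fields(tdata):
    fields, off = [], 0
    while off < len(tdata):
        n, off = _u32(tdata, off)
        f, off = _take(tdata, off, n)
        fields.append(f)
    return fields

def build_record(pcr, name, fields):
    # Honest record: template digest = bank hash over the same len||data blob the kernel hashes.
    tdata, name = pack_fields(fields), name.encode()
    return (struct.pack("<I", pcr) + hashlib.new(BANK, tdata).digest()
            + struct.pack("<I", len(name)) + name + struct.pack("<I", len(tdata)) + tdata)

def parse_records(log):
    records, off = [], 0
    while off < len(log):
        pcr, off = _u32(log, off)
        tdigest, off = _take(log, off, DSIZE)
        nlen, off = _u32(log, off)
        name, off = _take(log, off, nlen)
        dlen, off = _u32(log, off)
        tdata, off = _take(log, off, dlen)
        records.append((pcr, tdigest, name.decode("ascii"), tdata))
    return records

def replay_pcr(records, pcr_index=10):
    # Step 1: recompute the PCR from template digests only. A zero digest in the
    # log marks a violation entry, for which the kernel extended 0xff..ff instead.
    value = bytes(DSIZE)
    for pcr, tdigest, _, _ in records:
        if pcr == pcr_index:
            ext = b"\xff" * DSIZE if tdigest == bytes(DSIZE) else tdigest
            value = hashlib.new(BANK, value + ext).digest()
    return value

def check_fields(name, fields):
    # Step 2: the dependency rules from the thread, applied to builtin and custom templates alike.
    names = template_fields(name)
    if len(names) != len(fields):
        return ["%d fields for template %r, expected %d" % (len(fields), name, len(names))]
    present = {n for n, v in zip(names, fields) if v}
    errs = []
    if "d-ng" not in present:
        errs.append("file hash (d-ng) missing")
    if ("d-modsig" in present) != ("modsig" in present):
        errs.append("d-modsig and modsig must both be present or both absent")
    return errs

def verify_log(log, quoted_pcr, pcr_index=10):
    # Returns (ok, problems); template data is not parsed unless the PCR replay matches.
    records = parse_records(log)
    if replay_pcr(records, pcr_index) != quoted_pcr:
        return False, ["PCR replay mismatch: template data not parsed"]
    problems = []
    for i, (_, tdigest, name, tdata) in enumerate(records):
        if hashlib.new(BANK, tdata).digest() != tdigest:  # the quote vouches only for digests
            problems.append("record %d (%s): template data does not hash to template digest" % (i, name))
            continue
        problems += ["record %d (%s): %s" % (i, name, e) for e in check_fields(name, split_fields(tdata))]
    return not problems, problems

# Constructed sample data: d-ng/d-modsig are "<algo>:" NUL digest; signature blobs are placeholders.
FILE_HASH = b"sha256:\x00" + hashlib.sha256(b"constructed module bytes + appended sig").digest()
MODSIG_HASH = b"sha256:\x00" + hashlib.sha256(b"constructed module bytes").digest()
IMA_SIG = b"\x03\x02" + b"\x11" * 16  # stand-in for a security.ima xattr signature
MODSIG = b"\x30\x82" + b"\x22" * 16   # stand-in for an appended module signature
NAME = b"/lib/modules/example.ko\x00"  # n-ng strings are stored with their NUL
REC_MODSIG_ONLY = build_record(10, "ima-modsig", [FILE_HASH, NAME, b"", MODSIG_HASH, MODSIG])
REC_XATTR_ONLY = build_record(10, "ima-modsig", [FILE_HASH, NAME, IMA_SIG, b"", b""])
GOOD_LOG = REC_MODSIG_ONLY + REC_XATTR_ONLY
# Ken's two custom templates: a signature with no file hash, and a hash with no signature.
BAD_LOG = GOOD_LOG + build_record(10, "modsig", [MODSIG]) + build_record(10, "d-modsig", [MODSIG_HASH])
# Digests untouched (the PCR still replays) but the last template-data byte altered afterwards.
TAMPERED_LOG = REC_MODSIG_ONLY[:-1] + bytes([REC_MODSIG_ONLY[-1] ^ 1]) + REC_XATTR_ONLY
```

Because the PCR replay comes first, a log an attacker rewrote end to end
is rejected before a single field is interpreted, which is why the parser
never has to make sense of arbitrary records. A log whose digests are
genuine but whose template data was edited afterwards fails the
per-record template-digest check, and the two custom templates Ken
describes are flagged by the field rules only once the log is known to
match the quote. For a real verifier, quoted_pcr comes from a TPM2 quote
whose signature has already been checked, and the digest size follows the
PCR bank the quote covers.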



Thread overview: 17+ messages
2020-01-02 20:10 Spec needed for ima-modsig template Ken Goldman
2020-01-02 20:25 ` Mimi Zohar
2020-01-02 22:24   ` Ken Goldman
2020-01-02 23:22     ` Mimi Zohar
2020-01-03 18:27       ` Ken Goldman
2020-01-03 18:57         ` Spec needed for ima-buf template Ken Goldman
2020-01-03 19:25           ` Spec needed for ima-buf template - missing hash algorithm Ken Goldman
2020-01-04 23:32         ` Spec needed for ima-modsig template Mimi Zohar
2020-01-06 14:27           ` Ken Goldman
2020-01-06 17:18             ` Mimi Zohar [this message]
2020-01-06 14:36           ` Ken Goldman
2020-01-06 15:50             ` Mimi Zohar
2020-01-06 16:01               ` Ken Goldman
2020-01-06 16:55                 ` Mimi Zohar
2020-01-07  8:53                 ` Roberto Sassu
2020-01-07 15:40                   ` Ken Goldman
2020-01-07 17:53                     ` Roberto Sassu
