From: Sush Shringarputale <sushring@linux.microsoft.com>
To: Ken Goldman <kgold@linux.ibm.com>,
Tushar Sugandhi <tusharsu@linux.microsoft.com>,
linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
peterhuewe@gmx.de, Jarkko Sakkinen <jarkko@kernel.org>,
jgg@ziepe.ca, bhe@redhat.com, vgoyal@redhat.com,
Dave Young <dyoung@redhat.com>,
"kexec@lists.infradead.org" <kexec@lists.infradead.org>,
jmorris@namei.org, Paul Moore <paul@paul-moore.com>,
serge@hallyn.com,
James Bottomley <James.Bottomley@HansenPartnership.com>,
linux-security-module@vger.kernel.org
Cc: Tyler Hicks <tyhicks@linux.microsoft.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Subject: Re: [RFC V2] IMA Log Snapshotting Design Proposal
Date: Mon, 13 Nov 2023 10:14:34 -0800 [thread overview]
Message-ID: <86366328-512e-47a0-950d-450412319c26@linux.microsoft.com> (raw)
In-Reply-To: <1f7bdb13-859e-46ce-b327-8043e7dbd598@linux.ibm.com>
On 10/31/2023 11:37 AM, Ken Goldman wrote:
> On 10/19/2023 2:49 PM, Tushar Sugandhi wrote:
>> f. A new event, "snapshot_aggregate", will be computed and measured
>> in the IMA log as part of this feature. It should help the
>> remote-attestation client/service to benefit from the IMA log
>> snapshot feature.
>> The "snapshot_aggregate" event is described in more details in
>> section "D.1 Snapshot Aggregate Event" below.
>
> What is the use case for the snapshot aggregate? My thinking is:
>
> 1. The platform must retain the entire measurement list. Early
> measurements can never be discarded because a new quote verifier
> must receive the entire log starting at the first measurement.
>
> In this case, isn't the snapshot aggregate redundant?
Not quite. The snapshot aggregate still has a purpose, which is to stitch
together the snapshots on the disk and the in-memory segment of the IMA
log. The specific details are in the RFC Section D.1, quoted here:
The "snapshot_aggregate" marker provides the following benefits:
a. It facilitates the IMA log to be divided into multiple chunks and
provides mechanism to verify the integrity of the system using only the
latest chunks during remote attestation.
b. It provides tangible evidence from Kernel to the attestation client
that IMA log snapshotting has been enabled and at least one snapshot
exists on the system.
c. It helps both the Kernel and UM attestation client define clear
boundaries between multiple snapshots.
d. In the event of multiple snapshots, the last measured
"snapshot_aggregate" marker, which is present in the current segment of
the IMA log, has sufficient information to verify the integrity of the
IMA log segment as well as the previous snapshots using the PCR quotes.
e. In the event of multiple snapshots, say N, if the remote-attestation
service has already processed the last N-1 snapshots, it can efficiently
parse through them by just processing "snapshot_aggregate" events to
compute the PCR quotes needed to verify the events in the last snapshot.
This should drastically improve the IMA log processing efficiency of
the service.
>
> 2. There is a disadvantage to redundant data. The verifier must
> support this new event type. It receives this event and must validate
> the aggregate against the snapshot-ed events. This is an attack
> surface. The attacker can send an aggregate and snapshot-ed
> measurements that do not match to exploit a flaw in the verifier.
I disagree with this. Redundancy is a moot point because
"snapshot_aggregate" is required for the points mentioned above.
- Sush
next prev parent reply other threads:[~2023-11-13 18:14 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-19 18:49 [RFC V2] IMA Log Snapshotting Design Proposal Tushar Sugandhi
2023-10-31 18:37 ` Ken Goldman
2023-11-13 18:14 ` Sush Shringarputale [this message]
2023-10-31 19:15 ` Mimi Zohar
2023-11-16 22:28 ` Paul Moore
2023-11-22 1:01 ` Tushar Sugandhi
2023-11-22 1:18 ` Mimi Zohar
2023-11-22 4:27 ` Paul Moore
2023-11-22 13:18 ` Mimi Zohar
2023-11-22 14:22 ` Paul Moore
2023-11-27 17:07 ` Mimi Zohar
2023-11-27 22:16 ` Paul Moore
2023-11-28 12:09 ` Mimi Zohar
2023-11-29 1:06 ` Paul Moore
2023-11-29 2:07 ` Mimi Zohar
2024-01-06 23:27 ` Paul Moore
2024-01-07 12:58 ` Mimi Zohar
2024-01-08 2:58 ` Paul Moore
2024-01-08 11:48 ` Mimi Zohar
2024-01-08 17:15 ` Paul Moore
2023-12-20 22:13 ` Ken Goldman
2024-01-06 23:44 ` Paul Moore
2023-11-13 18:59 ` Stefan Berger
2023-11-14 18:36 ` Sush Shringarputale
2023-11-14 18:58 ` Stefan Berger
2023-11-16 22:07 ` Paul Moore
2023-11-16 22:41 ` Stefan Berger
2023-11-16 22:56 ` Paul Moore
2023-11-17 22:41 ` Sush Shringarputale
2023-11-20 20:03 ` Tushar Sugandhi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86366328-512e-47a0-950d-450412319c26@linux.microsoft.com \
--to=sushring@linux.microsoft.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=bhe@redhat.com \
--cc=dyoung@redhat.com \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=jmorris@namei.org \
--cc=kexec@lists.infradead.org \
--cc=kgold@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=peterhuewe@gmx.de \
--cc=serge@hallyn.com \
--cc=tusharsu@linux.microsoft.com \
--cc=tyhicks@linux.microsoft.com \
--cc=vgoyal@redhat.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox