Re: [RFC] IMA Log Snapshotting Design Proposal

[Sush Shringarputale <sushring@linux.microsoft.com>]

On 8/14/2023 3:02 PM, Mimi Zohar wrote:
> On Mon, 2023-08-14 at 14:42 -0700, Sush Shringarputale wrote:
>>> This design seems overly complex and requires synchronization between
>>> the "snapshot" record and exporting the records from the measurement
>>> list.  None of this would be necessary if the measurements were copied
>>> from kernel memory to a backing file (e.g. tmpfs), as described in [1].
Even if the Kernel maintains the link between a tmpfs exported and an
in-memory IMA log - it still has to copy the tmpfs portion to the
Kernel memory during kexec soft boot.  tmpfs is cleared during kexec,
so this copying of tmpfs back to kernel memory is necessary to preserve
the integrity of the log during kexec.  But the copying would add back
the memory pressure on the node during kexec (which may result in
out-of-memory), defeating the purpose of the overall effort/feature.
Copying to a regular *persistent* protected file seems a cleaner
approach, compared to tmpfs.  We prototyped this solution, however it
does not seem to be a common pattern within the Kernel to write state
directly to files on disk file systems.  We considered two potential
options:

Option (A): (RECOMMENDED)
             Let Kernel write the file using KM file APIs
--------------------------------------------
     Use Kernel mode file APIs such as _file_open_root_, _vfs_llseek_,
     and _vfs_write_ to use a persistent file on disk.  There is not
     sufficient precedent for this pattern in the Kernel currently, so
     we need guidance from area experts on the best mechanism to
     implement this.

     As for the location of the file, we suggest setting this in
     KConfig. The file will be created by the Kernel, so it should be
     protected from UM access.  Additionally, on a full boot, the
     file should be cleared by the Kernel.

   POTENTIAL ISSUES AND MITIGATIONS
     - handling IO errors from KM

       A potential mitigation for this is to retry the failed write.
       This assumes that the vfs_write Kernel method can handle any
       failures gracefully without causing crashes.


     - using file system paths to resolve the file from KM

       Using the file_open_root seems to provide sufficient resiliency
       against this.  The file can be located at a well known location
       to minimize potential concerns.  However, any guidance in
       minimizing squatting risks would be greatly appreciated.

     - the file could be tampered by UM

       There needs to be a lock/kernel-only-permission on the file
       so that a UM process cannot tamper with the file.  A description
       on how this file would be protected was provided at [2].


Option (B): (NOT RECOMMENDED)
             Hand over the file writing to UM
--------------------------------------------
     Alternately, UM could write the file contents and decide the
     location of the file on disk.  If we want to preserve the Kernel
     behavior of rendering the IMA log as a single monolithic log on
     client (as ascii/binary_runtime_measurements file), the
     Kernel will have to read from a file written by UM and combine it
     with the remaining in-kernel-memory IMA log events.

     This approach of a Kernel reading from a UM written file as an
     IMA log violates the call stack, and thus it is not recommended.

If UM is to handle writing the IMA log to disk, the Kernel cannot read
those snapshotted events again.  Integrity of the IMA log can still be
maintained - a solution implementing this was in the original proposal
we submitted [1].

We appreciate the community's feedback on helping mold this feature to a
suitable implementation.

Thanks,
Sush and Tushar.


References:
[1]
https://lore.kernel.org/linux-integrity/c5737141-7827-1c83-ab38-0119dcfea485@linux.microsoft.com/ 


[2]
https://lore.kernel.org/linux-integrity/CAOQ4uxiBAGKco1BKgyLOMY54r_Ck2jnvz8RCFODD-V87CGqLEw@mail.gmail.com/ 

>>>
>>> What is the real problem - kernel memory pressure, memory pressure in
>>> general, or disk space?  Is the intention to remove or offload the
>>> exported measurements?
>> The main concern is the memory pressure on both the kernel and the
>> attestation client
>> when it sends the request.  The concern you bring up is valid and we are
>> working on
>> creating a prototype.  There is no intention to remove the exported
>> measurements.
> Glad to hear that you're not intending to remove the exported
> measurements.
>
> Defining and including a new record in the measurement list measurement
> is fine, if it helps with attestation and doesn't require pausing the
> measurements.
>