From: Stefan Berger <stefanb@linux.ibm.com>
To: Eric Biggers <ebiggers@kernel.org>, Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org, linux-fscrypt@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 5/6] ima: support fs-verity file digest based signatures
Date: Mon, 10 Jan 2022 22:26:23 -0500 [thread overview]
Message-ID: <b4105f9b-98f7-f941-47db-2f72e0c5b8bd@linux.ibm.com> (raw)
In-Reply-To: <Ydy3EA9ONY3kn1xr@gmail.com>
On 1/10/22 17:45, Eric Biggers wrote:
> On Sun, Jan 09, 2022 at 01:55:16PM -0500, Mimi Zohar wrote:
>> + case IMA_VERITY_DIGSIG:
>> + set_bit(IMA_DIGSIG, &iint->atomic_flags);
>> +
>> + algo = iint->ima_hash->algo;
>> + hash = kzalloc(sizeof(*hash) + hash_digest_size[algo],
>> + GFP_KERNEL);
>> + if (!hash) {
>> + *cause = "verity-hashing-error";
>> + *status = INTEGRITY_FAIL;
>> + break;
>> + }
>> +
>> + rc = calc_tbs_hash(IMA_VERITY_DIGSIG, iint->ima_hash->algo,
>> + iint->ima_hash->digest, hash);
>> + if (rc) {
>> + *cause = "verity-hashing-error";
>> + *status = INTEGRITY_FAIL;
>> + break;
>> + }
>> +
>> + rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
>> + (const char *)xattr_value,
>> + xattr_len, hash->digest,
>> + hash->length);
> This is still verifying a raw hash value, which is wrong as I've explained
> several times. Yes, you are now hashing the hash algorithm ID together with the
> original hash value, but at the end the thing being signed/verified is still a
> raw hash value, which is ambigious.
>
> I think I see where the confusion is. If rsa-pkcs1pad is used, then the
> asymmetric algorithm is parameterized by a hash algorithm, and this hash
> algorithm's identifier is automatically built-in to the data which is
> signed/verified. And the data being signed/verified is assumed to be a hash
> value of the same type. So in this case, the caller doesn't need to handle
> disambiguating raw hashes.
>
> However, asymmetric_verify() also supports ecdsa and ecrdsa signatures. As far
> as I can tell, those do *not* have the hash algorithm identifier built-in to the
> data which is signed/verified; they just sign/verify the data given. That
The signatures are generated by evmctl by this code here, which works
for RSA and ECDSA and likely also ECRDSA:
https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/src/libimaevm.c#l1036
if (!EVP_PKEY_sign_init(ctx))
goto err;
st = "EVP_get_digestbyname";
if (!(md = EVP_get_digestbyname(algo)))
goto err;
st = "EVP_PKEY_CTX_set_signature_md";
if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
goto err;
st = "EVP_PKEY_sign";
sigsize = MAX_SIGNATURE_SIZE - sizeof(struct signature_v2_hdr) - 1;
if (!EVP_PKEY_sign(ctx, hdr->sig, &sigsize, hash, size))
goto err;
len = (int)sigsize;
As far as I know, these are not raw signatures but generate the OIDs for
RSA + shaXYZ or ECDSA + shaXYZ (1.2.840.10045.4.1 et al) and prepend
them to the hash and then sign that.
> creates an ambiguity if the hash algorithm identifier is not included. For
> example, someone might have intended to sign the SHA-256 hash
> 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b. However, the
> Streebog or SM3 hash
> 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b would also pass
> the signature check too. That's wrong; to have a valid cryptosystem, you
> mustn't let the adversary choose the crypto algorithms for you.
There's a hash algorithm identifier in the xattr in the header, which is
prepended to the bytes of the actual signature. This hash algo identifer
tells IMA which hash to use on the file data so that subsequent
signature verification with the same hash works. That same hash
identifier is then again embedded in the signature using the OID and
thus has to match on the signature verification level.
The effectively double hashed data via calc_tbs_hash() above is not
good. calc_tbs_hash() is unnecessary.
On the evmctl level the signature should be created from the digest
retrieved via ioctl() [or similar I suppose] from fsverity on the file
and fsverity presumably then also says what type of hash this is. So,
fsverity ioctl response of hash + size of hash and hash_algo become
input to the evmctl snippet above. On the kernel level the data from
fsverity_get_digest() should be all it takes to verify against an xattr
created by evmctl as described.
>
> I'm not sure how this can be reconciled, given the differences between
> rsa-pkcs1pad and ecdsa and ecrdsa. Could you just use the lowest common
> denominator and prepend the hash algorithm ID to the hash value, or would that
> cause issues with rsa-pkcs1pad? In any case, to move forward you're going to
> need to solve this problem.
>
> - Eric
next prev parent reply other threads:[~2022-01-11 3:26 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-09 18:55 [PATCH v2 0/6] ima: support fs-verity digests and signatures Mimi Zohar
2022-01-09 18:55 ` [PATCH v2 1/6] ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS Mimi Zohar
2022-01-09 18:55 ` [PATCH v2 2/6] fs-verity: define a function to return the integrity protected file digest Mimi Zohar
2022-01-10 0:47 ` Vitaly Chikunov
2022-01-10 12:13 ` Mimi Zohar
2022-01-10 22:15 ` Eric Biggers
2022-01-09 18:55 ` [PATCH v2 3/6] ima: define a new template field 'd-type' and a new template 'ima-ngv2' Mimi Zohar
2022-01-09 18:55 ` [PATCH v2 4/6] ima: include fsverity's file digests in the IMA measurement list Mimi Zohar
2022-01-09 18:55 ` [PATCH v2 5/6] ima: support fs-verity file digest based signatures Mimi Zohar
2022-01-10 1:24 ` Vitaly Chikunov
2022-01-10 12:12 ` Mimi Zohar
2022-01-10 22:45 ` Eric Biggers
2022-01-11 3:26 ` Stefan Berger [this message]
2022-01-11 4:48 ` Eric Biggers
2022-01-09 18:55 ` [PATCH v2 6/6] fsverity: update the documentation Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b4105f9b-98f7-f941-47db-2f72e0c5b8bd@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=ebiggers@kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).