Re: [PATCH v9 6/7] ima: support fs-verity file digest based version 3 signatures

Linux Integrity Measurement development
 help / color / mirror / Atom feed

From: Mimi Zohar <zohar@linux.ibm.com>
To: Stefan Berger <stefanb@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: Eric Biggers <ebiggers@kernel.org>,
	linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v9 6/7] ima: support fs-verity file digest based version 3 signatures
Date: Fri, 06 May 2022 07:34:52 -0400	[thread overview]
Message-ID: <e223929f4fbbfcba51b8cc9dda6a07ace12f5dd8.camel@linux.ibm.com> (raw)
In-Reply-To: <ae5889bc-f5aa-6d0a-fdce-81819a15d22c@linux.ibm.com>

On Thu, 2022-05-05 at 13:12 -0400, Stefan Berger wrote:
> 
> On 5/5/22 08:31, Mimi Zohar wrote:
> > IMA may verify a file's integrity against a "good" value stored in the
> > 'security.ima' xattr or as an appended signature, based on policy.  When
> > the "good value" is stored in the xattr, the xattr may contain a file
> > hash or signature.  In either case, the "good" value is preceded by a
> > header.  The first byte of the xattr header indicates the type of data
> > - hash, signature - stored in the xattr.  To support storing fs-verity
> > signatures in the 'security.ima' xattr requires further differentiating
> > the fs-verity signature from the existing IMA signature.
> > 
> > In addition the signatures stored in 'security.ima' xattr, need to be
> > disambiguated.  Instead of directly signing the fs-verity digest, a new
> > signature format version 3 is defined as the hash of the ima_file_id
> > structure, which identifies the type of signature and the digest.
> > 
> > The IMA policy defines "which" files are to be measured, verified, and/or
> > audited.  For those files being verified, the policy rules indicate "how"
> > the file should be verified.  For example to require a file be signed,
> > the appraise policy rule must include the 'appraise_type' option.
> > 
> > 	appraise_type:= [imasig] | [imasig|modsig] | [sigv3]
> >             where 'imasig' is the original or signature format v2 (default),
> >             where 'modsig' is an appended signature,
> >             where 'sigv3' is the signature format v3.
> > 
> > The policy rule must also indicate the type of digest, if not the IMA
> > default, by first specifying the digest type:
> > 
> > 	digest_type:= [verity]
> > 
> > The following policy rule requires fsverity signatures.  The rule may be
> > constrained, for example based on a fsuuid or LSM label.
> > 
> >        appraise func=BPRM_CHECK digest_type=verity appraise_type=sigv3
> > 
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> Acked-by: Stefan Berger <stefanb@linux.ibm.com>

Thanks, Stefan!

This patch set is now queued in the next-integrity-testing branch,
waiting additional review/tags. 

thanks,

Mimi

next prev parent reply	other threads:[~2022-05-06 11:36 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-05 12:31 [PATCH v9 0/7] ima: support fs-verity digests and signatures Mimi Zohar
2022-05-05 12:31 ` [PATCH v9 1/7] ima: fix 'd-ng' comments and documentation Mimi Zohar
2022-05-05 12:31 ` [PATCH v9 2/7] ima: use IMA default hash algorithm for integrity violations Mimi Zohar
2022-05-05 12:31 ` [PATCH v9 3/7] fs-verity: define a function to return the integrity protected file digest Mimi Zohar
2022-05-05 12:31 ` [PATCH v9 4/7] ima: define a new template field named 'd-ngv2' and templates Mimi Zohar
2022-05-05 20:34   ` [PATCH v9 4/7] ima: define a new template field named 'd-ngv2' and templates (repost) Mimi Zohar
2022-05-05 20:39   ` [PATCH v9 4/7] ima: define a new template field named 'd-ngv2' and templates (repost with fix) Mimi Zohar
2022-05-05 12:31 ` [PATCH v9 5/7] ima: permit fsverity's file digests in the IMA measurement list Mimi Zohar
2022-05-05 12:31 ` [PATCH v9 6/7] ima: support fs-verity file digest based version 3 signatures Mimi Zohar
2022-05-05 17:12   ` Stefan Berger
2022-05-06 11:34     ` Mimi Zohar [this message]
2022-05-05 12:31 ` [PATCH v9 7/7] fsverity: update the documentation Mimi Zohar
2022-05-12  6:19   ` Eric Biggers
2022-05-12 22:48     ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e223929f4fbbfcba51b8cc9dda6a07ace12f5dd8.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=ebiggers@kernel.org \
    --cc=linux-fscrypt@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stefanb@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox