From: Chuck Lever <chuck.lever@oracle.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-fscrypt@vger.kernel.org, linux-integrity@vger.kernel.org,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: IMA metadata format to support fs-verity
Date: Wed, 26 Aug 2020 10:13:43 -0700 (PDT) [thread overview]
Message-ID: <760DF127-CA5F-4E86-9703-596E95CEF12F@oracle.com> (raw)
Hi Eric-
I'm trying to construct a viable IMA metadata format (ie, what
goes into security.ima) to support Merkle trees.
Rather than storing an entire Merkle tree per file, Mimi would
like to have a metadata format that can store the root hash of
a Merkle tree. Instead of reading the whole tree, an NFS client
(for example) would generate the parts of the file's fs-verity
Merkle tree on-demand. The tree itself would not be exposed or
transported by the NFS protocol.
Following up with the recent thread on linux-integrity, starting
here:
https://lore.kernel.org/linux-integrity/1597079586.3966.34.camel@HansenPartnership.com/t/#u
I think the following will be needed.
1. The parameters for (re)constructing the Merkle tree:
- The name of the digest algorithm
- The unit size represented by each leaf in the tree
- The depth of the finished tree
- The size of the file
- Perhaps a salt value
- Perhaps the file's mtime at the time the hash was computed
- The root hash
2. A fingerprint of the signer:
- The name of the digest algorithm
- The digest of the signer's certificate
3. The signature
- The name of the signature algorithm
- The signature, computed over 1.
Does this seem right to you?
There has been some controversy about whether to allow the
metadata to be unsigned. It can't ever be unsigned for NFS files,
but some feel that on a physically secure local-only set up,
signatures could be unnecessary overhead. I'm not convinced, and
believe the metadata should always be signed: that's the only
way to guarantee end-to-end integrity, which includes protection
of the content's provenance, no matter how it is stored.
--
Chuck Lever
next reply other threads:[~2020-08-26 17:14 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-26 17:13 Chuck Lever [this message]
2020-08-26 18:31 ` IMA metadata format to support fs-verity Eric Biggers
2020-08-26 18:56 ` Chuck Lever
2020-08-26 19:24 ` Eric Biggers
2020-08-26 19:51 ` Chuck Lever
2020-08-26 20:51 ` Eric Biggers
2020-08-27 0:53 ` Mimi Zohar
2020-08-27 1:00 ` Eric Biggers
2020-08-27 13:10 ` Mimi Zohar
2020-08-27 0:50 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=760DF127-CA5F-4E86-9703-596E95CEF12F@oracle.com \
--to=chuck.lever@oracle.com \
--cc=ebiggers@kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox