From: Ken Goldman <kgold@linux.ibm.com>
To: Tushar Sugandhi <tusharsu@linux.microsoft.com>,
Sush Shringarputale <sushring@linux.microsoft.com>,
linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca,
bhe@redhat.com, vgoyal@redhat.com, dyoung@redhat.com,
kexec@lists.infradead.org, jmorris@namei.org,
Paul Moore <paul@paul-moore.com>,
serge@hallyn.com
Cc: code@tyhicks.com, nramas@linux.microsoft.com,
linux-security-module@vger.kernel.org
Subject: Re: [RFC] IMA Log Snapshotting Design Proposal - aggregate
Date: Wed, 6 Sep 2023 16:49:16 -0400 [thread overview]
Message-ID: <0cfdad7c-8cb9-20d3-7986-c1d3d58a33db@linux.ibm.com> (raw)
In-Reply-To: <c83e13f8-4b7d-9489-37cc-53936b24343c@linux.microsoft.com>
On 9/1/2023 6:06 PM, Tushar Sugandhi wrote:
>
>
> On 8/30/23 11:12, Ken Goldman wrote:
>> On 8/1/2023 3:12 PM, Sush Shringarputale wrote:
>>> - A user-mode process will trigger the snapshot by opening a file in
>>> SysFS
>>> say /sys/kernel/security/ima/snapshot (referred to as
>>> sysk_ima_snapshot_file
>>> here onwards).
>>> - The Kernel will get the current TPM PCR values and PCR update
>>> counter [2]
>>> and store them as template data in a new IMA event
>>> "snapshot_aggregate".
>>
>> If this is relying on a user-mode process, is there a concern that the
>> process doesn't run. Might it be safer to have the kernel trigger the
>> snapshot.
>>
> The UM process here would be typically an attestation client
> which passes on the IMA log to the remote service for attestation.
> If the process doesn't run, the client will operate the same way as it
> does currently.
I see.
1. Ensure that the attestation client stores the snapshot in a
well-known and widely readable location. There can be more than one
attestation client, and all need access to the snapshot.
There is a privacy concern around making the snapshot world-read.
2. Is there a concern that, if the client doesn't run, it doesn't solve
the kernel memory issue? Is this relying on a UM process to solve a
kernel issue?
>
>> PCR reads are not atomic, with each other and with event log appends.
>> Is this an issue?
>>
> In this design, reading the PCR plus adding the snapshot_aggregate
> has to be an atomic operation. Other IMA events shouldn't interfere
> with this operation. Just like IMA ensures adding an entry to the log
> plus PCR extension happens in an atomic way by holding the
> ima_extend_list_mutex [2], we intend to use a similar mechanism to
> ensure reading the PCR plus adding the snapshot_aggregate remains an
> atomic operation. And since taking a snapshot would be a rare event
> compared to adding a generic event to IMA log - overall we expect a low
> overhead in case of snapshotting.
How would that work? The PCR read is UM, but IMA events are kernel. The
UM operation cannot block the kernel or there can be a deadlock, right?
(UM) PCR reads can take multiple TPM commands, and they should not block
an (kernel) extend.
>> What is the purpose of the snapshot aggregate? Since the entire event
>> log has to be retained and sent to the verifier, is the aggregate
>> redundant?
>
> The goals of snapshot_aggregate marker are:
> 1. To allow the IMA log to be divided into multiple chunks and
> provide attestation service the ability to verify and use the
> latest chunk (i.e. snapshot ) for attestation.
I believe that the verifier needs the entire log the first time, whether
there is a snapshot or not. Shouldn't the snapshot process be opaque to
the verifier?
>
> 2. To indicate to the attestation service that the client device has
> IMA log snapshotting feature enabled, and at least one snapshot
> is taken. So that the service can ask for previous snapshots
> as needed.
Why does the verifier need this? The first time, it asks for events
starting at #0. Next time, it asks for what's new. It's independent of
__where__ the log comes from.
>
> 3. In the event of multiple snapshots, the snapshot_aggregate
> marker has sufficient information to verify the integrity
> of latest subset of isolated snapshots (with the help of PCR
> quote of course)
A new verifier needs the entire log, no matter how many snapshots have
been taken.
>
> 4. snapshot_aggregate helps both kernel and UM define clear
> boundaries between multiple snapshots.
> (each new snapshot starts with either the first boot_aggregate
> or a snapshot_aggregate event)
>
> The overall goals of IMA log snapshotting feature are:
> a. to relieve memory pressure on the client device.
>
> b. to make attestation service side processing more efficient
> They don't have to deal with the entire log since boot,
> as you mentioned on
I don't think snapshotting affects the verifier at all. The attestor is
a bit more complicated, but not significantly.
next prev parent reply other threads:[~2023-09-06 20:49 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-01 19:12 [RFC] IMA Log Snapshotting Design Proposal Sush Shringarputale
2023-08-01 21:21 ` James Bottomley
2023-08-07 22:49 ` Stefan Berger
2023-08-08 12:35 ` James Bottomley
2023-08-08 13:31 ` Stefan Berger
2023-08-08 18:26 ` James Bottomley
2023-08-08 20:09 ` Stefan Berger
2023-08-08 21:41 ` James Bottomley
2023-08-10 4:43 ` Tushar Sugandhi
2023-08-10 11:43 ` James Bottomley
2023-08-11 15:48 ` Tushar Sugandhi
2023-08-10 4:31 ` Tushar Sugandhi
2023-08-10 4:29 ` Tushar Sugandhi
2023-08-10 1:23 ` Tushar Sugandhi
2023-08-10 1:15 ` Tushar Sugandhi
2023-08-10 14:12 ` Stefan Berger
2023-08-11 15:57 ` Tushar Sugandhi
2023-08-11 18:16 ` Stefan Berger
2023-08-10 1:03 ` Tushar Sugandhi
2023-08-11 13:14 ` Mimi Zohar
2023-08-14 21:42 ` Sush Shringarputale
2023-08-14 22:02 ` Mimi Zohar
2023-08-21 22:05 ` Sush Shringarputale
2023-08-21 23:07 ` Mimi Zohar
2023-08-29 19:34 ` Paul Moore
2023-08-29 21:03 ` Mimi Zohar
2023-08-29 21:30 ` Paul Moore
2023-08-29 21:54 ` Mimi Zohar
2023-08-29 23:15 ` Paul Moore
2023-08-30 20:25 ` Mimi Zohar
2023-08-30 20:47 ` Paul Moore
2023-08-30 21:50 ` Mimi Zohar
2023-08-30 22:21 ` Paul Moore
2023-08-30 22:23 ` Paul Moore
2023-08-30 23:06 ` Mimi Zohar
2023-08-30 23:22 ` Paul Moore
2023-08-31 14:01 ` Mimi Zohar
2023-08-31 14:43 ` Paul Moore
2023-08-31 16:46 ` Dr. Greg
2023-08-31 17:56 ` Paul Moore
2023-08-30 18:06 ` [RFC] IMA Log Snapshotting Design Proposal - network bandwidth Ken Goldman
2023-09-01 21:20 ` Tushar Sugandhi
2023-09-06 20:20 ` Ken Goldman
2023-09-07 20:40 ` Paul Moore
2023-08-30 18:12 ` [RFC] IMA Log Snapshotting Design Proposal - aggregate Ken Goldman
2023-09-01 22:06 ` Tushar Sugandhi
2023-09-06 20:49 ` Ken Goldman [this message]
2023-09-07 21:02 ` Paul Moore
2023-08-30 19:12 ` [RFC] IMA Log Snapshotting Design Proposal - unseal Ken Goldman
2023-08-31 15:54 ` Dr. Greg
2023-09-01 21:22 ` Tushar Sugandhi
2023-09-06 20:13 ` Ken Goldman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0cfdad7c-8cb9-20d3-7986-c1d3d58a33db@linux.ibm.com \
--to=kgold@linux.ibm.com \
--cc=bhe@redhat.com \
--cc=code@tyhicks.com \
--cc=dyoung@redhat.com \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=jmorris@namei.org \
--cc=kexec@lists.infradead.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=peterhuewe@gmx.de \
--cc=serge@hallyn.com \
--cc=sushring@linux.microsoft.com \
--cc=tusharsu@linux.microsoft.com \
--cc=vgoyal@redhat.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).