linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Stefan Berger <stefanb@linux.ibm.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>,
	Sush Shringarputale <sushring@linux.microsoft.com>,
	linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
	peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca,
	kgold@linux.ibm.com, bhe@redhat.com, vgoyal@redhat.com,
	dyoung@redhat.com, kexec@lists.infradead.org, jmorris@namei.org,
	Paul Moore <paul@paul-moore.com>,
	serge@hallyn.com
Cc: code@tyhicks.com, nramas@linux.microsoft.com,
	Tushar Sugandhi <tusharsu@linux.microsoft.com>,
	linux-security-module@vger.kernel.org
Subject: Re: [RFC] IMA Log Snapshotting Design Proposal
Date: Tue, 8 Aug 2023 09:31:01 -0400	[thread overview]
Message-ID: <abe53dde-9a83-81fd-422d-babf4587c545@linux.ibm.com> (raw)
In-Reply-To: <8ad131f35c33cf10788344be6c981473971f9c1c.camel@HansenPartnership.com>



On 8/8/23 08:35, James Bottomley wrote:
> On Mon, 2023-08-07 at 18:49 -0400, Stefan Berger wrote:
>>
>>
>> On 8/1/23 17:21, James Bottomley wrote:
>>> On Tue, 2023-08-01 at 12:12 -0700, Sush Shringarputale wrote:
>>> [...]
>>>> Truncating IMA log to reclaim memory is not feasible, since it
>>>> makes the log go out of sync with the TPM PCR quote making remote
>>>> attestation fail.
>>>
>>> This assumption isn't entirely true.  It's perfectly possible to
>>> shard an IMA log using two TPM2_Quote's for the beginning and end
>>> PCR values to validate the shard.  The IMA log could be truncated
>>> in the same way (replace the removed part of the log with a
>>> TPM2_Quote and AK, so the log still validates from the beginning
>>> quote to the end).
>>>
>>> If you use a TPM2_Quote mechanism to save the log, all you need to
>>> do is have the kernel generate the quote with an internal AK.  You
>>> can keep a record of the quote and the AK at the beginning of the
>>> truncated kernel log.  If the truncated entries are saved in a file
>>> shard it
>>
>> The truncation seems dangerous to me. Maybe not all the scenarios
>> with an attestation client (client = reading logs and quoting) are
>> possible then anymore, such as starting an attestation client only
>> after truncation but a verifier must have witnessed the system's PCRs
>> and log state before the truncation occurred.
> 
> That's not exactly correct.  Nothing needs to have "witnessed" the
> starting PCR value because the quote vouches for it (and can vouch for
> it after the fact).  The only thing you need to verify the quote is the
> attestation key and the only thing you need to do to trust the> attestation key is ensure it was TPM created.  All of that can be
> verified after the fact as well.  The only thing that can be done to
> disrupt this is to destroy the TPM (or re-own it).> 
> Remember the assumption is you *also* have the removed log shard to
> present.  From that the PCR state of the starting quote can be

Yes, the whole sequence of old logs needs to be available. IF that's the
case and the logs can be stitched together seamlessly, who then looks at the
kernel AK quote and under what circumstances?

> calculated and checked for matching the quote.  If you lose that, it's
> equivalent to the log being tampered with and all bets are off.  The
> assumption is that because of the impossibility of engineering TPM
> extensions, it should be impossible to come up with a fake log that
> produces the PCRs of the real one.  If that's violated, then IMA itself
> becomes useless.
> 
> James
> 
> 
> _______________________________________________
> kexec mailing list
> kexec@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec

  reply	other threads:[~2023-08-08 18:03 UTC|newest]

Thread overview: 52+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-01 19:12 [RFC] IMA Log Snapshotting Design Proposal Sush Shringarputale
2023-08-01 21:21 ` James Bottomley
2023-08-07 22:49   ` Stefan Berger
2023-08-08 12:35     ` James Bottomley
2023-08-08 13:31       ` Stefan Berger [this message]
2023-08-08 18:26         ` James Bottomley
2023-08-08 20:09           ` Stefan Berger
2023-08-08 21:41             ` James Bottomley
2023-08-10  4:43               ` Tushar Sugandhi
2023-08-10 11:43                 ` James Bottomley
2023-08-11 15:48                   ` Tushar Sugandhi
2023-08-10  4:31           ` Tushar Sugandhi
2023-08-10  4:29         ` Tushar Sugandhi
2023-08-10  1:23       ` Tushar Sugandhi
2023-08-10  1:15     ` Tushar Sugandhi
2023-08-10 14:12       ` Stefan Berger
2023-08-11 15:57         ` Tushar Sugandhi
2023-08-11 18:16           ` Stefan Berger
2023-08-10  1:03   ` Tushar Sugandhi
2023-08-11 13:14 ` Mimi Zohar
2023-08-14 21:42   ` Sush Shringarputale
2023-08-14 22:02     ` Mimi Zohar
2023-08-21 22:05       ` Sush Shringarputale
2023-08-21 23:07         ` Mimi Zohar
2023-08-29 19:34           ` Paul Moore
2023-08-29 21:03             ` Mimi Zohar
2023-08-29 21:30               ` Paul Moore
2023-08-29 21:54                 ` Mimi Zohar
2023-08-29 23:15                   ` Paul Moore
2023-08-30 20:25                     ` Mimi Zohar
2023-08-30 20:47                       ` Paul Moore
2023-08-30 21:50                         ` Mimi Zohar
2023-08-30 22:21                           ` Paul Moore
2023-08-30 22:23                             ` Paul Moore
2023-08-30 23:06                               ` Mimi Zohar
2023-08-30 23:22                                 ` Paul Moore
2023-08-31 14:01                                   ` Mimi Zohar
2023-08-31 14:43                                     ` Paul Moore
2023-08-31 16:46                                   ` Dr. Greg
2023-08-31 17:56                                     ` Paul Moore
2023-08-30 18:06 ` [RFC] IMA Log Snapshotting Design Proposal - network bandwidth Ken Goldman
2023-09-01 21:20   ` Tushar Sugandhi
2023-09-06 20:20     ` Ken Goldman
2023-09-07 20:40       ` Paul Moore
2023-08-30 18:12 ` [RFC] IMA Log Snapshotting Design Proposal - aggregate Ken Goldman
2023-09-01 22:06   ` Tushar Sugandhi
2023-09-06 20:49     ` Ken Goldman
2023-09-07 21:02       ` Paul Moore
2023-08-30 19:12 ` [RFC] IMA Log Snapshotting Design Proposal - unseal Ken Goldman
2023-08-31 15:54   ` Dr. Greg
2023-09-01 21:22   ` Tushar Sugandhi
2023-09-06 20:13     ` Ken Goldman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=abe53dde-9a83-81fd-422d-babf4587c545@linux.ibm.com \
    --to=stefanb@linux.ibm.com \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=bhe@redhat.com \
    --cc=code@tyhicks.com \
    --cc=dyoung@redhat.com \
    --cc=jarkko@kernel.org \
    --cc=jgg@ziepe.ca \
    --cc=jmorris@namei.org \
    --cc=kexec@lists.infradead.org \
    --cc=kgold@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nramas@linux.microsoft.com \
    --cc=paul@paul-moore.com \
    --cc=peterhuewe@gmx.de \
    --cc=serge@hallyn.com \
    --cc=sushring@linux.microsoft.com \
    --cc=tusharsu@linux.microsoft.com \
    --cc=vgoyal@redhat.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).