From: Mimi Zohar <zohar@linux.ibm.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Tushar Sugandhi <tusharsu@linux.microsoft.com>,
linux-integrity@vger.kernel.org, peterhuewe@gmx.de,
Jarkko Sakkinen <jarkko@kernel.org>,
jgg@ziepe.ca, Ken Goldman <kgold@linux.ibm.com>,
bhe@redhat.com, vgoyal@redhat.com, Dave Young <dyoung@redhat.com>,
"kexec@lists.infradead.org" <kexec@lists.infradead.org>,
jmorris@namei.org, serge@hallyn.com,
James Bottomley <James.Bottomley@hansenpartnership.com>,
linux-security-module@vger.kernel.org,
Tyler Hicks <tyhicks@linux.microsoft.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Sush Shringarputale <sushring@linux.microsoft.com>
Subject: Re: [RFC V2] IMA Log Snapshotting Design Proposal
Date: Tue, 28 Nov 2023 21:07:04 -0500 [thread overview]
Message-ID: <d9975a7949ca49f404adc981e942f42b6f19d022.camel@linux.ibm.com> (raw)
In-Reply-To: <CAHC9VhRNLzbW++rW3Hep+3yyJZRRvZ4h7LuKcSbRRn-wqh-PAQ@mail.gmail.com>
On Tue, 2023-11-28 at 20:06 -0500, Paul Moore wrote:
> On Tue, Nov 28, 2023 at 7:09 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > On Mon, 2023-11-27 at 17:16 -0500, Paul Moore wrote:
> > > On Mon, Nov 27, 2023 at 12:08 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > > > On Wed, 2023-11-22 at 09:22 -0500, Paul Moore wrote:
>
> ...
>
> > > If we are going to have a record count, I imagine it would also be
> > > helpful to maintain a securityfs file with the total size (in bytes)
> > > of the in-memory measurement log. In fact, I suspect this will
> > > probably be more useful for those who wish to manage the size of the
> > > measurement log.
> >
> > A running number of bytes needed for carrying the measurement list
> > across kexec already exists. This value would be affected when the
> > measurement list is trimmed.
>
> There we go, it should be trivial to export that information via securityfs.
>
> > > > Defining other IMA securityfs files like
> > > > how many times the measurement list has been trimmed might be
> > > > beneficial as well.
> > >
> > > I have no objection to that. Would a total record count, i.e. a value
> > > that doesn't reset on a snapshot event, be more useful here?
> >
> > <securityfs>/ima/runtime_measurements_count already exports the total
> > number of measurement records.
>
> I guess the question is would you want 'runtime_measurements_count' to
> reflect the current/trimmed log size or would you want it to reflect
> hthe measurements since the initial cold boot? Presumably we would
> want to add another securityfs file to handle the case not covered by
> 'runtime_measurements_count'.
Right. <securityfs>/ima/runtime_measurements_count is defined as the
total number of measurements since boot. When the measurement list is
carried across kexec, it is the number of measurements since cold boot.
A new securityfs file should be defined for the current number of in
kernel memory records. Unless the measurement list has been trimmed,
this should be the same as the runtime_measurements_count.
>
> > > > Before defining a new critical-data record, we need to decide whether
> > > > it is really necessary or if it is redundant. If we define a new
> > > > "critical-data" record, can it be defined such that it doesn't require
> > > > pausing extending the measurement list? For example, a new simple
> > > > visual critical-data record could contain the number of records (e.g.
> > > > <securityfs>/ima/runtime_measurements_count) up to that point.
> > >
> > > What if the snapshot_aggregate was a hash of the measurement log
> > > starting with either the boot_aggregate or the latest
> > > snapshot_aggregate and ending on the record before the new
> > > snapshot_aggregate? The performance impact at snapshot time should be
> > > minimal as the hash can be incrementally updated as new records are
> > > added to the measurement list. While the hash wouldn't capture the
> > > TPM state, it would allow some crude verification when reassembling
> > > the log. If one could bear the cost of a TPM signing operation, the
> > > log digest could be signed by the TPM.
> >
> > Other critical data is calculated, before calling
> > ima_measure_critical_data(), which adds the record to the measurement
> > list and extends the TPM PCR.
> >
> > Signing the hash shouldn't be an issue if it behaves like other
> > critical data.
> >
> > In addition to the hash, consider including other information in the
> > new critical data record (e.g. total number of measurement records, the
> > number of measurements included in the hash, the number of times the
> > measurement list was trimmed, etc).
>
> It would be nice if you could provide an explicit list of what you
> would want hashed into a snapshot_aggregate record; the above is
> close, but it is still a little hand-wavy. I'm just trying to reduce
> the back-n-forth :)
What is being defined here is the first IMA critical-data record, which
really requires some thought. For ease of review, this new critical-
data record should be a separate patch set from trimming the
measurement list.
As I'm sure you're aware, SElinux defines two critical-data records.
From security/selinux/ima.c:
ima_measure_critical_data("selinux", "selinux-state",
state_str, strlen(state_str), false,
NULL, 0);
ima_measure_critical_data("selinux", "selinux-policy-hash",
policy, policy_len, true,
NULL, 0);
--
thanks,
Mimi
next prev parent reply other threads:[~2023-11-29 2:07 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-19 18:49 [RFC V2] IMA Log Snapshotting Design Proposal Tushar Sugandhi
2023-10-31 18:37 ` Ken Goldman
2023-11-13 18:14 ` Sush Shringarputale
2023-10-31 19:15 ` Mimi Zohar
2023-11-16 22:28 ` Paul Moore
2023-11-22 1:01 ` Tushar Sugandhi
2023-11-22 1:18 ` Mimi Zohar
2023-11-22 4:27 ` Paul Moore
2023-11-22 13:18 ` Mimi Zohar
2023-11-22 14:22 ` Paul Moore
2023-11-27 17:07 ` Mimi Zohar
2023-11-27 22:16 ` Paul Moore
2023-11-28 12:09 ` Mimi Zohar
2023-11-29 1:06 ` Paul Moore
2023-11-29 2:07 ` Mimi Zohar [this message]
2024-01-06 23:27 ` Paul Moore
2024-01-07 12:58 ` Mimi Zohar
2024-01-08 2:58 ` Paul Moore
2024-01-08 11:48 ` Mimi Zohar
2024-01-08 17:15 ` Paul Moore
2023-12-20 22:13 ` Ken Goldman
2024-01-06 23:44 ` Paul Moore
2023-11-13 18:59 ` Stefan Berger
2023-11-14 18:36 ` Sush Shringarputale
2023-11-14 18:58 ` Stefan Berger
2023-11-16 22:07 ` Paul Moore
2023-11-16 22:41 ` Stefan Berger
2023-11-16 22:56 ` Paul Moore
2023-11-17 22:41 ` Sush Shringarputale
2023-11-20 20:03 ` Tushar Sugandhi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d9975a7949ca49f404adc981e942f42b6f19d022.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=bhe@redhat.com \
--cc=dyoung@redhat.com \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=jmorris@namei.org \
--cc=kexec@lists.infradead.org \
--cc=kgold@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=peterhuewe@gmx.de \
--cc=serge@hallyn.com \
--cc=sushring@linux.microsoft.com \
--cc=tusharsu@linux.microsoft.com \
--cc=tyhicks@linux.microsoft.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).