lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4C3D76AE.6090509@polito.it>
Date:	Wed, 14 Jul 2010 10:34:54 +0200
From:	Roberto Sassu <roberto.sassu@...ito.it>
To:	Seiji Munetoh <seiji.munetoh@...il.com>
CC:	Shaz <shazalive@...il.com>, linux-ima-user@...ts.sourceforge.net,
	linux-kernel@...r.kernel.org, Eric Paris <eparis@...hat.com>,
	linux-security-module@...r.kernel.org
Subject: Re: [Linux-ima-user] [RFC][PATCH] ima: add default rule for initramfs
 files

On 07/14/2010 08:29 AM, Seiji Munetoh wrote:
> On Wed, Jul 14, 2010 at 2:42 PM, Shaz<shazalive@...il.com>  wrote:
>    
>>
>> On Wed, Jul 14, 2010 at 3:08 AM, Seiji Munetoh<seiji.munetoh@...il.com>
>> wrote:
>>      
>>> On Thu, Jul 8, 2010 at 10:14 PM, Mimi Zohar<zohar@...ux.vnet.ibm.com>
>>> wrote:
>>>        
>>>> On Tue, 2010-07-06 at 17:08 +0200, Roberto Sassu wrote:
>>>>          
>>>>> This patch modifies the default policy shipped with IMA, in order to
>>>>> avoid measurements
>>>>> of files in the initial ramdisk. Those files can be measured early in
>>>>> the boot process
>>>>> by the bootloader.
>>>>> The patch applies to latest version of the mainline kernel 2.6.35-rc4.
>>>>>            
>>>> Yes, the initramfs measurements are therefore redundant, as they're
>>>> already included in the initramfs measurement, but perhaps, as the
>>>> number of initramfs is very limited and the individual file measurements
>>>> supplies additional information, it wouldn't hurt to keep the individual
>>>> file measurements as well.  These measurements could potentially help in
>>>> identifying initramfs changes.
>>>>
>>>> Would appreciate other opinions before accepting this change.
>>>>          
>>> The hash value of the initramfs is unstable since it was generated
>>> at the time of kernel installation.
>>> So still I want to check  the individual used file in initramfs.
>>>        
>> If initrd is measured by boot loader then changes to individual files should
>> not be measured as this IS redundant. Use the new hash of the initrd as an
>> integrity metric. Why would this not be enough?
>>      
> This depends on remote verifier.
> Creating the initramfs is client side task and  the hash value of initramfs
> will vary each clients.
>
> For me, validation of  current measurements is easier than validation of
> initramfs. And it seems the overhead of this redundancy is less painful.
>
> But some system can validate (or trust) the initramfs measured by IPL.
> So, I would suggest that add Kconfig option to change the default policy.
>
> IMHO, if the eventlog contains fsmagic information for each measurements.
> Verifier can skip the validation of RAMFS measurement easily.
>
>    
This is true, the initramfs's digest cannot be validated by a remote 
verifier. But in my opinion there are three main reasons for don't 
include those files in the measurement list.
First, this is a readonly system and measures don't change in time; so 
if you create the image under a controlled environment and its digest 
doesn't change you can assert it will behave correctly.
Second, including those measurements may be very confusing for a 
verifier since there may be multiple versions of the same object (the 
initramfs changes very rarely in respect to other files).
Lastly, a pratical use of IMA is to load a custom policy. The better 
place to do that is the initramfs but measurements cannot be taken until 
the policy is loaded. The only way, as Shaz mentioned in a previous 
email, to keep track of all actions made during the boot process is that 
you have the initramfs image measured early by the boot loader.


Roberto

> --
> Seiji
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Linux-ima-user mailing list
> Linux-ima-user@...ts.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
>    



Download attachment "smime.p7s" of type "application/pkcs7-signature" (6564 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ