lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1323090236.2061.63.camel@falcor>
Date:	Mon, 05 Dec 2011 08:03:55 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	Roberto Sassu <roberto.sassu@...ito.it>
Cc:	Rajiv Andrade <srajiv@...ux.vnet.ibm.com>,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, jmorris@...ei.org
Subject: Re: [PATCH 1/2] ima: split ima_add_digest_entry() function

On Mon, 2011-12-05 at 11:04 +0100, Roberto Sassu wrote:

> Hi Mimi
> 
> i think moving this logic to the TPM driver (or in general, delaying
> the action after the list mutex is unlocked) is not safe, because in
> this way you are relying on the kernel trustworthiness to protect
> itself and IMA against unmeasured potential attacks. So, the verifier
> is unable to detect a kernel tampering that removed the limitation
> on the TPM Quote operation.
> 
> What i'm proposing in the patch:
> 
> https://lkml.org/lkml/2011/11/21/202
> 
> is in fact a new extension, which is triggered by a new kernel
> parameter, so that the behaviour of the base IMA is not modified.

How/why the TPM fails is important.  If the TPM fails because of an
intermittent problem, then your solution of denying read/execute could
work, but what would happen if it was persistent?  Would you be able to
quiesce the system?

As there is no way of differentiating a persistent from intermittent
failure, both need to be addressed in the same manor.  For persistent
TPM failure, we can not access the TPM to modify the PCR.  So what
options do we have left?  My suggestion, though not optimal, prevents
the IMA PCR from being quoted.

>From ima_queue.c: ima_add_template_entry()

        result = ima_pcr_extend(digest);
        if (result != 0) {
                audit_cause = "TPM error";
                audit_info = 0;
        }
out:
        mutex_unlock(&ima_extend_list_mutex);

Either in ima_pcr_extend() itself or as a new call, set a flag of some
sort to prevent the TPM dd from quoting the IMA PCR.

I'm open to other suggestions.

> Instead, regardless of this patch, we should fix the memory leaks and
> the memory reference errors as it has been proposed in the patch 2/2 of 
> this set.
> 
> Roberto Sassu

Please separate bug fixes from any other changes.

thanks,

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ