[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e879759b-d866-e3e3-b070-3025baf3454d@huawei.com>
Date: Wed, 8 Nov 2017 13:00:37 +0100
From: Roberto Sassu <roberto.sassu@...wei.com>
To: Matthew Garrett <mjg59@...gle.com>
CC: linux-integrity <linux-integrity@...r.kernel.org>,
<linux-security-module@...r.kernel.org>,
<linux-fsdevel@...r.kernel.org>, <linux-doc@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <silviu.vlasceanu@...wei.com>
Subject: Re: [PATCH v2 00/15] ima: digest list feature
On 11/7/2017 7:06 PM, Matthew Garrett wrote:
> On Tue, Nov 7, 2017 at 12:53 PM, Roberto Sassu <roberto.sassu@...wei.com> wrote:
>> On 11/7/2017 3:49 PM, Matthew Garrett wrote:
>>> RPM's hardly universal, and distributions are in the process of moving
>>> away from using it for distributing non-core applications (Flatpak and
>>> Snap are becoming increasingly popular here). I think this needs to be
>>> a generic solution rather than having the kernel tied to a specific
>>> package format.
>>
>>
>> Support for new digest list formats can be easily added. Digest list
>> metadata includes the digest list type, so that the appropriate parser
>> is selected.
>
> But we're still left in a state where the kernel has to end up
> supporting a number of very niche formats, and userland agility is
> tied to the kernel. I think it makes significantly more sense to push
> the problem out to userland.
At least for appraisal, digest lists must be parsed by the kernel. If
the parser is moved to userspace, I don't know if we are able to provide
the same guarantee, that the correct set of digests has been uploaded to
IMA. A new measurement can be added, when IMA receives the digests, but
a verifier has to verify the signature of the original file, perform
format conversion, calculate the digest and compare it with that in the
new IMA measurement. If digest lists are parsed directly by the kernel,
then the signature can be verified directly.
>> Digest lists should be parsed directly by the kernel, because processing
>> the lists in userspace would increase the chances that a compromised
>> tool does not upload to the kernel the expected digests. Also, digest
>> lists must be processed before init, otherwise appraisal will deny the
>> execution. Lastly, the mechanism of parsing files from the kernel is
>> already used to parse the IMA policy.
>
> Isn't failing to upload the expected digest list just a DoS? We
> already expect to load keys from initramfs, so it seems fine to parse
> stuff there - what's the problem with extracting information from
> RPMs, translating them to the generic format and pushing that into the
> kernel?
The main problem is that the digest list measurement, performed when the
parser accesses the file containing the RPM header, might not reflect
what IMA uses for digest lookup.
Roberto
--
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Qiuen PENG, Shengli WANG
Powered by blists - more mailing lists