| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 May 2019 12:37:03 -0700
From: Lakshmi <nramas@...ux.microsoft.com>
To: Ken Goldman <kgold@...ux.ibm.com>,
Linux Integrity <linux-integrity@...r.kernel.org>,
Mimi Zohar <zohar@...ux.ibm.com>,
David Howells <dhowells@...hat.com>,
James Morris <jamorris@...ux.microsoft.com>,
Linux Kernel <linux-kernel@...r.kernel.org>
Cc: Balaji Balasubramanyan <balajib@...ux.microsoft.com>,
Prakhar Srivastava <prsriva@...ux.microsoft.com>,
jorhand@...ux.microsoft.com
Subject: Re: [PATCH 0/2] public key: IMA signer logging: Log public key of IMA
Signature signer in IMA log
On 5/22/19 11:57 AM, Ken Goldman wrote:
>
> 1 - How is your solution - including a public key with each event -
> related to this issue?
This a change from my earlier proposal. In the new proposal I am making
the public key is not included with each event. The data included in
each IMA event does not change. For instance, when IMA signature
validation is selected (ima-sig template, for instance), each event will
have the IMA signature (which includes the 4 Byte Key Identifier and the
Signature)
> 2 - I don't understand how a large cloud affects scale. Wouldn't the
> verifier would typically be checking known machines - those of their
> enterprise - not every machine on the cloud?
>
> Can't we assume a typical attestation use case has a fairly locked down
> OS with a limited number of applications.
Yes - the attestation service (verifier) will be attesting only client
machines known to the enterprise. But such clients could be running
different versions of the OS and the kernel modules.
We cannot assume that this would be a limited set. Therefore,
maintaining the hash\signature of all such components, for all versions
of the components, and re-validating that in the service is not a
scalable solution.
Instead, we want the IMA sub-system on the clients to do the signature
validation (As it is done today). In addition to that, the clients will
log the public keys from keyrings such as IMA, Platform, and BuiltIn
Trusted Keys - this will be done only once and not in each IMA event
(This is a change from my earlier proposal).
Using this data the service will verify that the clients used only
trusted key(s) for signature validation.
>
> Like I said, it should be rare. In the worst case, can't the service
> tell by trying both keys?If the service is validating the signature again it can try all the
keys. But we don't want to take that approach - instead we want to
verify the keys used by the client.
>
> I thought your solution was to change the IMA measurements, adding the
> public key to each entry with a new template? Did I misunderstand, or
> do you have a new proposal?
I have a new proposal as described above. Sorry if I had confused you.
> How does this solve the collision issue? If there are two keys with the
> same key ID, isn't there still a collision?
Like I have said above, the client will log all the keys from the
relevant keyrings (IMA, Platform, etc.) The service will verify that
they are all known\trusted keys - which gives the assurance that the IMA
signature validation done by the client was performed using trusted
signing key(s).
> I understand how the client keyring is used in IMA to check file
> signatures, but how is that related to the attestation service?
In my new proposal, the keys in the client keyrings will be logged in
the IMA log. The attestation service will verify that they are
known\trusted keys.
Thanks,
-lakshmi
Powered by blists - more mailing lists