lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Jun 2019 08:56:53 +0200 From: Roberto Sassu <roberto.sassu@...wei.com> To: <zohar@...ux.ibm.com>, <dmitry.kasatkin@...wei.com>, <mjg59@...gle.com> CC: <linux-integrity@...r.kernel.org>, <linux-security-module@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>, <linux-doc@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <silviu.vlasceanu@...wei.com> Subject: Re: [PATCH v4 00/14] ima: introduce IMA Digest Lists extension On 6/14/2019 7:54 PM, Roberto Sassu wrote: > This patch set introduces a new IMA extension called IMA Digest Lists. > > At early boot, the extension preloads in kernel memory reference digest > values, that can be compared with actual file digests when files are > accessed in the system. > > The extension will open for new possibilities: PCR with predictable value, > that can be used for sealing policies associated to data or TPM keys; > appraisal based on reference digests already provided by Linux distribution > vendors in the software packages. > > The first objective can be achieved because the PCR values does not depend > on which and when files are measured: the extension measures digest lists > sequentially and files whose digest is not in the digest list. > > The second objective can be reached because the extension is able to > extract reference measurements from packages (with a user space tool) and > use it as a source for appraisal verification as the reference came from > the security.ima xattr. This approach will also reduce the overhead as only > one signature is verified for many files (as opposed to one signature for > each file with the current implementation). > > This version of the patch set provides a clear separation between current > and new functionality. First, the new functionality must be explicitly > enabled from the kernel command line. Second, results of operations > performed by the extension can be distinguished from those obtained from > the existing code: measurement entries created by the extension have a > different PCR; mutable files appraised with the extension have a different > security.ima type. > > The review of this patch set should start from patch 11 and 12, which > modify the IMA-Measure and IMA-Appraise submodules to use digest lists. > Patch 1 to 5 are prerequisites. Patch 6 to 10 adds support for digest > lists. Finally, patch 13 introduces two new policies to measure/appraise > rootfs and patch 14 adds the documentation (including a flow chart to > show how IMA has been modified). > > The user space tools to configure digest lists are available at: > > https://github.com/euleros/digest-list-tools/releases/tag/v0.3 > > The patch set applies on top of linux-integrity/next-queued-testing > (73589972b987). > > It is necessary to apply also: > https://patchwork.kernel.org/cover/10957495/ Another dependency is: https://patchwork.kernel.org/cover/10979341/ Roberto > To use appraisal, it is necessary to use a modified cpio and a modified > dracut: > > https://github.com/euleros/cpio/tree/xattr-v1 > https://github.com/euleros/dracut/tree/digest-lists > > For now, please use it only in a testing environment. > > > Changelog > > v3: > - move ima_lookup_loaded_digest() and ima_add_digest_data_entry() from > ima_queue.c to ima_digest_list.c > - remove patch that introduces security.ima_algo > - add version number and type modifiers to the compact list header > - remove digest list metadata, all digest lists in the directory are > accessed > - move loading of signing keys to user space > - add violation for both PCRs if they are selected > - introduce two new appraisal modes > > v2: > - add support for multiple hash algorithms > - remove RPM parser from the kernel > - add support for parsing digest lists in user space > > v1: > - add support for immutable/mutable files > - add support for appraisal with digest lists > > > Roberto Sassu (14): > ima: read hash algorithm from security.ima even if appraisal is not > enabled > ima: generalize ima_read_policy() > ima: generalize ima_write_policy() and raise uploaded data size limit > ima: generalize policy file operations > ima: use ima_show_htable_value to show violations and hash table data > ima: add parser of compact digest list > ima: restrict upload of converted digest lists > ima: prevent usage of digest lists that are not measured/appraised > ima: introduce new securityfs files > ima: load parser digests and execute the parser at boot time > ima: add support for measurement with digest lists > ima: add support for appraisal with digest lists > ima: introduce new policies initrd and appraise_initrd > ima: add Documentation/security/IMA-digest-lists.txt > > .../admin-guide/kernel-parameters.txt | 16 +- > Documentation/security/IMA-digest-lists.txt | 226 +++++++++++++ > include/linux/evm.h | 6 + > include/linux/fs.h | 1 + > security/integrity/evm/evm_main.c | 2 +- > security/integrity/iint.c | 1 + > security/integrity/ima/Kconfig | 25 ++ > security/integrity/ima/Makefile | 1 + > security/integrity/ima/ima.h | 32 +- > security/integrity/ima/ima_api.c | 43 ++- > security/integrity/ima/ima_appraise.c | 92 +++--- > security/integrity/ima/ima_digest_list.c | 309 ++++++++++++++++++ > security/integrity/ima/ima_digest_list.h | 69 ++++ > security/integrity/ima/ima_fs.c | 224 ++++++++----- > security/integrity/ima/ima_init.c | 2 +- > security/integrity/ima/ima_main.c | 81 ++++- > security/integrity/ima/ima_policy.c | 29 +- > security/integrity/integrity.h | 22 ++ > 18 files changed, 1018 insertions(+), 163 deletions(-) > create mode 100644 Documentation/security/IMA-digest-lists.txt > create mode 100644 security/integrity/ima/ima_digest_list.c > create mode 100644 security/integrity/ima/ima_digest_list.h > -- HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Bo PENG, Jian LI, Yanli SHI
Powered by blists - more mailing lists