lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1579636351.3390.35.camel@HansenPartnership.com>
Date:   Tue, 21 Jan 2020 11:52:31 -0800
From:   James Bottomley <James.Bottomley@...senPartnership.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>,
        Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
        linux-integrity@...r.kernel.org
Cc:     sashal@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default

On Tue, 2020-01-21 at 14:13 -0500, Mimi Zohar wrote:
> On Tue, 2020-01-21 at 09:34 -0800, James Bottomley wrote:
> > On Tue, 2020-01-21 at 09:13 -0800, Lakshmi Ramasubramanian wrote:
> > > Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will
> > > automatically enable the IMA hook to measure asymmetric keys.
> > > Keys created or updated early in the boot process are queued up
> > > whether or not a custom IMA policy is provided. Although the
> > > queued keys will be freed if a custom IMA policy is not loaded
> > > within 5 minutes, it could still cause significant performance
> > > impact on smaller systems.
> > 
> > What exactly do you expect distributions to do with this?  I can
> > tell you that most of them will take the default option, so this
> > gets set to N and you may as well not have got the patches upstream
> > because you won't be able to use them in any distro with this
> > setting.
> > 
> > > This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by
> > > default.  Since a custom IMA policy that defines key measurement
> > > is required to measure keys, systems that require key measurement
> > > can enable this config option in addition to providing a custom
> > > IMA policy.
> > 
> > Well, no they can't ... it's rather rare nowadays for people to
> > build their own kernels.  The vast majority of Linux consumers take
> > what the distros give them.  Think carefully before you decide a
> > config option is the solution to this problem.
> 
> James, up until now IMA could be configured, but there wouldn't be
> any performance penalty for enabling IMA until a policy was loaded.
>  With IMA and asymmetric keys enabled, whether or not an IMA policy
> is loaded, certificates will be queued.
> 
> My concern is:
> - changing the expected behavior

In general config options for this are a really bad idea because if the
tools only cope with one setting, no-one should ever use the other and
if they work with everything there's no need for the option.

> - really small devices/sensors being able to queue certificates

seems like the answer to this one would be don't queue.  I realise it's
after the submit design, but what about measuring when the key is added
if there's a policy otherwise measure the keyring when the policy is
added ... that way no queueing.

> This change permits disabling queueing certificates.  Whether the
> default should be "disabled" is a separate question.  I'm open to
> comments/suggestions.

I'm just giving the general rule of thumb for boolean config options. 
If it's default Y there likely shouldn't be a config option and if it's
default N the feature should likely not be in the kernel at all.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ