[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f57cb0772ff39a00ec578e178e1b8c38@paul-moore.com>
Date: Sat, 03 Feb 2024 17:25:14 -0500
From: Paul Moore <paul@...l-moore.com>
To: Fan Wu <wufan@...ux.microsoft.com>, corbet@....net, zohar@...ux.ibm.com, jmorris@...ei.org, serge@...lyn.com, tytso@....edu, ebiggers@...nel.org, axboe@...nel.dk, agk@...hat.com, snitzer@...nel.org, eparis@...hat.com
Cc: linux-doc@...r.kernel.org, linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org, linux-fscrypt@...r.kernel.org, linux-block@...r.kernel.org, dm-devel@...ts.linux.dev, audit@...r.kernel.org, linux-kernel@...r.kernel.org, Fan Wu <wufan@...ux.microsoft.com>, Deven Bowers <deven.desai@...ux.microsoft.com>
Subject: Re: [PATCH RFC v12 17/20] ipe: enable support for fs-verity as a trust provider
On Jan 30, 2024 Fan Wu <wufan@...ux.microsoft.com> wrote:
>
> Enable IPE policy authors to indicate trust for a singular fsverity
> file, identified by the digest information, through "fsverity_digest"
> and all files using fsverity's builtin signatures via
> "fsverity_signature".
>
> This enables file-level integrity claims to be expressed in IPE,
> allowing individual files to be authorized, giving some flexibility
> for policy authors. Such file-level claims are important to be expressed
> for enforcing the integrity of packages, as well as address some of the
> scalability issues in a sole dm-verity based solution (# of loop back
> devices, etc).
>
> This solution cannot be done in userspace as the minimum threat that
> IPE should mitigate is an attacker downloads malicious payload with
> all required dependencies. These dependencies can lack the userspace
> check, bypassing the protection entirely. A similar attack succeeds if
> the userspace component is replaced with a version that does not
> perform the check. As a result, this can only be done in the common
> entry point - the kernel.
>
> Signed-off-by: Deven Bowers <deven.desai@...ux.microsoft.com>
> Signed-off-by: Fan Wu <wufan@...ux.microsoft.com>
> ---
> v1-v6:
> + Not present
>
> v7:
> Introduced
>
> v8:
> * Undo squash of 08/12, 10/12 - separating drivers/md/ from security/
> * Use common-audit function for fsverity_signature.
> + Change fsverity implementation to use fsverity_get_digest
> + prevent unnecessary copy of fs-verity signature data, instead
> just check for presence of signature data.
> + Remove free_inode_security hook, as the digest is now acquired
> at runtime instead of via LSM blob.
>
> v9:
> + Adapt to the new parser
>
> v10:
> + Update the fsverity get digest call
>
> v11:
> + No changes
>
> v12:
> + Fix audit format
> + Simplify property evaluation
> ---
> security/ipe/Kconfig | 13 +++++
> security/ipe/audit.c | 25 ++++++++
> security/ipe/eval.c | 108 ++++++++++++++++++++++++++++++++++-
> security/ipe/eval.h | 10 ++++
> security/ipe/hooks.c | 30 ++++++++++
> security/ipe/hooks.h | 7 +++
> security/ipe/ipe.c | 13 +++++
> security/ipe/ipe.h | 3 +
> security/ipe/policy.h | 3 +
> security/ipe/policy_parser.c | 8 +++
> 10 files changed, 219 insertions(+), 1 deletion(-)
>
> diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
> index 7afb1ce0cb99..9dd5c4769d79 100644
> --- a/security/ipe/Kconfig
> +++ b/security/ipe/Kconfig
> @@ -30,6 +30,19 @@ config IPE_PROP_DM_VERITY
> that was mounted with a signed root-hash or the volume's
> root hash matches the supplied value in the policy.
>
> + If unsure, answer Y.
> +
> +config IPE_PROP_FS_VERITY
> + bool "Enable property for fs-verity files"
> + depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
> + help
> + This option enables the usage of properties "fsverity_signature"
> + and "fsverity_digest". These properties evaluates to TRUE when
> + a file is fsverity enabled and with a signed digest or its
> + diegst matches the supplied value in the policy.
> +
> + if unsure, answer Y.
> +
> endmenu
>
> endif
> diff --git a/security/ipe/audit.c b/security/ipe/audit.c
> index a4ad8e888df0..7e3372be3214 100644
> --- a/security/ipe/audit.c
> +++ b/security/ipe/audit.c
> @@ -60,6 +60,11 @@ static const char *const audit_prop_names[__IPE_PROP_MAX] = {
> "dmverity_signature=FALSE",
> "dmverity_signature=TRUE",
> #endif /* CONFIG_IPE_PROP_DM_VERITY */
> +#ifdef CONFIG_IPE_PROP_FS_VERITY
> + "fsverity_digest=",
> + "fsverity_signature=FALSE",
> + "fsverity_signature=TRUE",
> +#endif /* CONFIG_IPE_PROP_FS_VERITY */
> };
>
> #ifdef CONFIG_IPE_PROP_DM_VERITY
> @@ -79,6 +84,23 @@ static void audit_dmv_roothash(struct audit_buffer *ab, const void *rh)
> }
> #endif /* CONFIG_IPE_PROP_DM_VERITY */
>
> +#ifdef CONFIG_IPE_PROP_FS_VERITY
> +/**
> + * audit_fsv_digest - audit a digest of a fsverity file.
> + * @ab: Supplies a pointer to the audit_buffer to append to.
> + * @d: Supplies a pointer to the digest structure.
> + */
> +static void audit_fsv_digest(struct audit_buffer *ab, const void *d)
> +{
> + audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_FSV_DIGEST]);
> + ipe_digest_audit(ab, d);
> +}
> +#else
> +static void audit_fsv_digest(struct audit_buffer *ab, const void *d)
> +{
> +}
> +#endif /* CONFIG_IPE_PROP_FS_VERITY */
The related dm-verify comments also apply here.
--
paul-moore.com
Powered by blists - more mailing lists