[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhR+Sukfi+-7TTxK2Paxon6i+zDxaELzXUZ=eBOUMf9nwA@mail.gmail.com>
Date: Mon, 5 Feb 2024 11:09:28 -0500
From: Paul Moore <paul@...l-moore.com>
To: "Dr. Greg" <greg@...ellic.com>
Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
corbet@....net
Subject: Re: [PATCH 2/13] Add TSEM specific documentation.
On Mon, Jan 8, 2024 at 6:43 AM Dr. Greg <greg@...ellic.com> wrote:
> On Wed, Jan 03, 2024 at 11:00:33PM -0500, Paul Moore wrote:
> > On Jul 10, 2023 "Dr. Greg" <greg@...ellic.com> wrote:
> > >
> > > An entry was added to the ABI testing documentation to document
> > > the files in the TSEM management filesystem.
> > >
> > > The file documenting the kernel command-line parameters was
> > > updated to document the TSEM specific command-line parameters
> > >
> > > The primary TSEM documentation file was added to the LSM
> > > administration guide and the file was linked to the index of LSM
> > > documentation.
> > >
> > > Signed-off-by: Greg Wettstein <greg@...ellic.com>
> > > ---
> > > Documentation/ABI/testing/tsem | 828 +++++++++
> > > Documentation/admin-guide/LSM/index.rst | 1 +
> > > Documentation/admin-guide/LSM/tsem.rst | 1526 +++++++++++++++++
> > > .../admin-guide/kernel-parameters.txt | 18 +
> > > 4 files changed, 2373 insertions(+)
> > > create mode 100644 Documentation/ABI/testing/tsem
> > > create mode 100644 Documentation/admin-guide/LSM/tsem.rst
..
> > I don't want to assume too much about the TSEM design, but I'm
> > guessing the aggregate is intended to be a deterministic value based
> > on the PCRs and therefore it seems like there is value in providing
> > a clear explanation of how it is calculated.
>
> The aggregate is the linear extension sum over PCR registers 0 through
> 8 using the namespace hash function, we will cook up a generic
> description, although it should be a common enough concept for anyone
> working on trusted system implementations.
The Linux kernel documentation is used by a wide variety of
administrators, users, and developers with varying backgrounds, I
would recommend assuming very little about the documentation's
audience. This is not to say that you need to explain everything
yourself, referring interested readers to established, publicly
available sources of background information can be acceptable.
> > > + trusted pid=PID key=HEXID
> > > + The trusted keyword is used by a trust
> > > + orchestrator to indicate that the process
> > > + identified by the PID argument should be
> > > + allowed to run in trusted status after the
> > > + modeling of a security event.
>
> > I mentioned this quite a few times in my review of the previous
> > patchset, PIDs are not a safe way to identify a process in the
> > system. PID reuse/recycling is a real danger and you need to
> > account for this risk.
>
> We will defer that discussion to our previous e-mail where we
> discussed how this is addressed.
Adding a secret key/token/etc. may provide some additional
authentication benefits, but it doesn't entirely solve the PID
identification issue, it only reduces the likelihood of a process
misidentification. We need to do better for new
designs/implementations; look at the pidfd work as an example of work
that has gone into reducing/eliminating the use of PIDs to identify
processes.
--
paul-moore.com
Powered by blists - more mailing lists