lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 20 Jun 2024 18:30:31 +0200
From: Roberto Sassu <roberto.sassu@...weicloud.com>
To: Paul Moore <paul@...l-moore.com>
Cc: corbet@....net, jmorris@...ei.org, serge@...lyn.com, 
 akpm@...ux-foundation.org, shuah@...nel.org, mcoquelin.stm32@...il.com, 
 alexandre.torgue@...s.st.com, mic@...ikod.net, 
 linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org, 
 linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org, 
 bpf@...r.kernel.org, zohar@...ux.ibm.com, dmitry.kasatkin@...il.com, 
 linux-integrity@...r.kernel.org, wufan@...ux.microsoft.com,
 pbrobinson@...il.com,  zbyszek@...waw.pl, hch@....de, mjg59@...f.ucam.org,
 pmatilai@...hat.com,  jannh@...gle.com, dhowells@...hat.com,
 jikos@...nel.org, mkoutny@...e.com,  ppavlu@...e.com, petr.vorel@...il.com,
 mzerqung@...inter.de, kgold@...ux.ibm.com,  Roberto Sassu
 <roberto.sassu@...wei.com>
Subject: Re: [PATCH v4 00/14] security: digest_cache LSM

On Thu, 2024-06-20 at 12:08 -0400, Paul Moore wrote:
> On Thu, Jun 20, 2024 at 11:14 AM Roberto Sassu
> <roberto.sassu@...weicloud.com> wrote:
> > On Thu, 2024-06-20 at 10:48 -0400, Paul Moore wrote:
> > > On Thu, Jun 20, 2024 at 5:12 AM Roberto Sassu
> > > <roberto.sassu@...weicloud.com> wrote:
> > > > On Wed, 2024-06-19 at 14:43 -0400, Paul Moore wrote:
> > > > > On Wed, Jun 19, 2024 at 12:38 PM Roberto Sassu
> > > > > <roberto.sassu@...weicloud.com> wrote:
> > > > > > 
> > > > > > Making it a kernel subsystem would likely mean replicating what the LSM
> > > > > > infrastructure is doing, inode (security) blob and being notified about
> > > > > > file/directory changes.
> > > > > 
> > > > > Just because the LSM framework can be used for something, perhaps it
> > > > > even makes the implementation easier, it doesn't mean the framework
> > > > > should be used for everything.
> > > > 
> > > > It is supporting 3 LSMs: IMA, IPE and BPF LSM.
> > > > 
> > > > That makes it a clear target for the security subsystem, and as you
> > > > suggested to start for IMA, if other kernel subsystems require them, we
> > > > can make it as an independent subsystem.
> > > 
> > > Have you discussed the file digest cache functionality with either the
> > > IPE or BPF LSM maintainers?  While digest_cache may support these
> > 
> > Well, yes. I was in a discussion since long time ago with Deven and
> > Fan. The digest_cache LSM is listed in the Use Case section of the IPE
> > cover letter:
> > 
> > https://lore.kernel.org/linux-integrity/1716583609-21790-1-git-send-email-wufan@linux.microsoft.com/
> 
> I would hope to see more than one sentence casually mentioning that
> there might be some integration in the future.

Sure, I can work more with Fan to do a proper integration.

> > I also developed an IPE module back in the DIGLIM days:
> > 
> > https://lore.kernel.org/linux-integrity/a16a628b9e21433198c490500a987121@huawei.com/
> 
> That looks like more of an fs-verity integration to me.  Yes, of
> course there would be IPE changes to accept a signature/digest from a
> digest cache, but that should be minor.

True, but IPE will also benefit from not needing to specify every
digest in the policy.

Also, the design choice of attaching the digest cache to the inode
helps LSMs like IPE that don't have a per inode cache on their own.
Sure, IPE would have to do a digest lookup every time, but at least on
an already populated hash table.

> > As for eBPF, I just need to make the digest_cache LSM API callable by
> > eBPF programs, very likely not requiring any change on the eBPF
> > infrastructure itself.
> 
> That's great, but it would be good to hear from KP and any other BPF
> LSM devs that this would be desirable.

Yes, I would also like to know their opinion. They already support
getting a file digest from IMA. Adding support for the digest_cache LSM
is a nice complement, to make security decisions based on an
authenticated source of reference digests (signature verification was
not shown in the example).

> I still believe that this is something that should live as a service
> outside of the LSM.

It will not cost me too much to plug to IMA rather than the LSM
infrastructure, but I would rather prefer the second.

I'm not aware of equivalent facilities in the kernel that would make
the digest_cache LSM work in the same way, so making it as an
independent kernel subsystem seems a too big jump for me.

Roberto

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ