| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1c686d2b-6b24-46b9-a439-5b696108d88e@canonical.com> Date: Fri, 4 Oct 2024 21:24:06 -0700 From: John Johansen <john.johansen@...onical.com> To: "Dr. Greg" <greg@...ellic.com> Cc: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>, Paul Moore <paul@...l-moore.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Jonathan Corbet <corbet@....net>, LKML <linux-kernel@...r.kernel.org>, linux-security-module@...r.kernel.org Subject: Re: [GIT PULL] tomoyo update for v6.12 On 10/3/24 08:39, Dr. Greg wrote: > On Wed, Oct 02, 2024 at 10:35:27PM -0700, John Johansen wrote: > > Good morning, I hope the day is going well for everyone. > >> On 10/2/24 21:26, Tetsuo Handa wrote: >>> On 2024/10/03 11:45, John Johansen wrote: >>>>> But due to above-mentioned realities, your assertion no longer stands. >>>>> Kernel source itself might be open, but private keys cannot be open. >>>>> The vmlinux cannot be rebuilt without forcing penalties (i.e. having a >>>>> negative impact on the user side, which cannot be a viable solution). >>>>> >>>>> >>>> Yes, and this is an intentional choice on the base of the distro about >>>> what they support and what is required to meet contractual obligations. >>> >>> The reason Fedora cannot enable TOMOYO is lack of bandwidth. > >> which is sadly a very valid argument. Coming from the distro side of >> things it is a very real problem. I tend to advocate for giving the >> user choice where we can but there is more than one occasion where >> Ubuntu has had to declare bug bankruptcy on outstanding kernel bugs >> because the backlog was impossible to handle. > > Understand the concept of lack of bandwidth. > > Had a 40 hour week in as of 0800 yesterday morning and the end of the > week isn't even remotely in sight. yeah I know that one all too well, I hit 40 hours some time Wednesday morning. > >>> You've just said "Bandwidth is a very real issue". Thus, I need a solution >>> that can solve the bandwidth problem. The question is how we can control >>> division of role (share the workload) in a secure manner. > >> I do understand that. The problem is that out of tree doesn't do that. >> From a distro perspective out of tree is more work, and is very problematic >> from a code signing perspective. >> >> Code signing isn't going away, if anything its become a requirement to >> support the majority of users. Loading unsigned modules, code, even >> bpf is a problem. >> >> Sure individual users can disable secure boot etc but at the distro >> level we need to support secure boot out of the box. Out of tree code >> really just isn't compatible with this. > > Not relevant right now but I do remember, personally at a conference, > Stallman railing on about the threat of signed code and what it > represents with respect to software and device freedom. > > And here we are.... > >>>> Users are still free to build their own kernels they just don't get >>>> support or certification when using them. >>> >>> Nobody can provide bandwidth (or infrastructure) for supporting their >>> locally built kernels. > >> right > >>>> Stopping the load of out of >>>> tree modules that aren't signed is in general good security policy. >>> >>> Yes, distributors can prevent load of out-of-tree modules that aren't >>> signed. That is good for security. But building kernels locally cannot >>> utilize signed modules functionality. Also, > >> true. that is a limitation of the cryptography that is being used, and >> I don't see a way to fix that > >>>> Let me be explicitly clear. If Tomoyo is by-passing module signing, and >>>> exporting the LSM interface to loadable modules Ubuntu will be forced >>>> to disable Tomoyo. >>> >>> TOMOYO is one of in-tree modules that can be signed together when building >>> distribution kernels. Fedora can provide tomoyo.ko as a >>> signed-but-unsupported >>> module (i.e. excluded from main kernel package that is supported by >>> distributors but provided as a separate package that is not supported by >>> distributors). > >> yes it can, it has chosen not to. As I have said before that is a >> choice/political reason, not technical. I wish I had a solution to >> this problem for you but I don't. What I can say is Tomoyo adding >> the ability to load out of tree code that isn't signed is going to >> force Ubuntu to do the same and disable it. I really don't want to >> do that, I would rather leave the choice available to our users. >> >> It may be a trade-off worth making for you/Tomoyo if it fixed your >> problem with RHEL/Fedora but I don't see it fixing that problem >> either. > > Not much bandwidth for the rest of the day but I wanted to get this > question/issue out to get some feedback for later tonight, > particularly from your perspective John. > > We saw these issues coming about four years ago, which is why we > decided to take a deep breath and bring TSEM out of private use to a > wider audience, it isn't a 'pet project' as it has been referred to. > Not sure we would do that again but that is an issue for another day. > > TSEM is based on the notion of having a generic modeling architecture > for the LSM. I know that Casey bristles at the notion of us saying > 'model', but we can prosecute that argument in intimate detail at > another time. > > We would best characterize TSEM as a 'swiss army knife' for > interpreting kernel security events. You can run the event > interpretation in the kernel, in userspace, in a hardware device or up > in the cloud. > > After watching Tetsuo's concerns over the last year we dropped the > loadable module support into TSEM for the V4 release: > > https://lore.kernel.org/linux-security-module/20240826103728.3378-1-greg@enjellic.com/T/#t > > This offers the ability to run the interpretation model via code > implemented in a loadable module. BPF is also an option but we are > keeping things simple at this point. > > So we use the standard loadable module architecture. We offer the > ability to lock further model loads or unloads after a set of models > have been loaded and the option to completely disable any loadable > models at boot, independent of the general kernel loadable module > state. > > It doesn't fully fix Tetsuo's problem, given that a distribution could > compile out TSEM, just like it compiles out Tomoyo, I think we all > agree there is no fix to that problem. However, if the security bigs > like CrowdStrike, PaloAlto and others, understand that it allows EDR > telemetry and surveillance to be implemented on Linux without having > to install a high privilege or kernel based agent, it makes not having > it in the kernel less attractive. > > Just for the sake of advancing these conversations, we are throwing > some bandwidth into implementing Tomoyo as a TSEM loadable module to > get some further insight on the tractability of something like this. > > With your distributor hat on does an architecture like this offend > your security sensibilities? > > Like it or agree with it, we seem to be standing at a reasonably > important inflection point for Linux, conversations probably suitable > for a 'Summit' type event. > > Will look forward to your thoughts. > honestly it worries me, but that is more a vague general worry about any generic architecture that you can build on top of. Take BPF, it has a whole host of issues, that make it very challenging, like spectre gadgets, and getting its verifier correct for everything. There is a lot of complexity there making it a challenge to evaluate. I really need to dig into the details of TSEM before I can give a better response. > Have a good day. > > As always, > Dr. Greg > > The Quixote Project - Flailing at the Travails of Cybersecurity > https://github.com/Quixote-Project
Powered by blists - more mailing lists