| Message ID | 20211129170057.243127-5-zohar@linux.ibm.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | ima: support fs-verity signatures stored as | expand |
Hi Mimi, On 11/29/2021 9:00 AM, Mimi Zohar wrote: > Instead of calculating a file hash and verifying the signature stored > in the security.ima xattr against the calculated file hash, verify the > signature of the fs-verity's file digest. The fs-verity file digest is > a hash that includes the Merkle tree root hash. This patch is reading the fs-verity signature for the given file using the new function fsverity_measure() that was defined in [Patch 1/4]. Is it also verifying the fs-verity signature here? > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > security/integrity/ima/ima_api.c | 20 ++++++++++++++++++++ > 1 file changed, 20 insertions(+) > > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c > index 179c7f0364c2..ee1701f8c0f3 100644 > --- a/security/integrity/ima/ima_api.c > +++ b/security/integrity/ima/ima_api.c > @@ -16,6 +16,7 @@ > #include <linux/xattr.h> > #include <linux/evm.h> > #include <linux/iversion.h> > +#include <linux/fsverity.h> > > #include "ima.h" > > @@ -205,6 +206,23 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, > allowed_algos); > } > > +static int ima_collect_verity_measurement(struct integrity_iint_cache *iint, > + struct ima_digest_data *hash) > +{ > + u8 verity_digest[FS_VERITY_MAX_DIGEST_SIZE]; > + enum hash_algo verity_alg; > + int rc; > + > + rc = fsverity_measure(iint->inode, verity_digest, &verity_alg); nit: fsverity_collect_measurement() may be more appropriate for this function (defined in [PATCH 1/4]). thanks, -lakshmi > + if (rc) > + return -EINVAL; > + if (hash->algo != verity_alg) > + return -EINVAL; > + hash->length = hash_digest_size[verity_alg]; > + memcpy(hash->digest, verity_digest, hash->length); > + return 0; > +} > + > /* > * ima_collect_measurement - collect file measurement > * > @@ -256,6 +274,8 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, > > if (buf) > result = ima_calc_buffer_hash(buf, size, &hash.hdr); > + else if (veritysig) > + result = ima_collect_verity_measurement(iint, &hash.hdr); > else > result = ima_calc_file_hash(file, &hash.hdr); > >
Hi Lakshmi, Eric, On Mon, 2021-11-29 at 21:56 -0800, Lakshmi Ramasubramanian wrote: > Hi Mimi, > > On 11/29/2021 9:00 AM, Mimi Zohar wrote: > > Instead of calculating a file hash and verifying the signature stored > > in the security.ima xattr against the calculated file hash, verify the > > signature of the fs-verity's file digest. The fs-verity file digest is > > a hash that includes the Merkle tree root hash. > This patch is reading the fs-verity signature for the given file using > the new function fsverity_measure() that was defined in [Patch 1/4]. Is > it also verifying the fs-verity signature here? Yes, the signature stored in the security.ima xattr may be a file hash, a regular file signature, or a signature of the fs-verity file digest. The signature is verified like any other signature stored as an xattr. > > > +static int ima_collect_verity_measurement(struct integrity_iint_cache *iint, > > + struct ima_digest_data *hash) > > +{ > > + u8 verity_digest[FS_VERITY_MAX_DIGEST_SIZE]; > > + enum hash_algo verity_alg; > > + int rc; > > + > > + rc = fsverity_measure(iint->inode, verity_digest, &verity_alg); > nit: fsverity_collect_measurement() may be more appropriate for this > function (defined in [PATCH 1/4]). From an IMA perspective it certainly would be a better function name, but this function may be used by other kernel subsystems. Eric suggested renaming the function as fsverity_get_digest(), as opposed to fsverity_read_digest(). get/put are normally used to bump a reference count or to get/release a lock. Perhaps a combination like fsverity_collect_digest() would be acceptable. thanks, Mimi
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 179c7f0364c2..ee1701f8c0f3 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -16,6 +16,7 @@ #include <linux/xattr.h> #include <linux/evm.h> #include <linux/iversion.h> +#include <linux/fsverity.h> #include "ima.h" @@ -205,6 +206,23 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, allowed_algos); } +static int ima_collect_verity_measurement(struct integrity_iint_cache *iint, + struct ima_digest_data *hash) +{ + u8 verity_digest[FS_VERITY_MAX_DIGEST_SIZE]; + enum hash_algo verity_alg; + int rc; + + rc = fsverity_measure(iint->inode, verity_digest, &verity_alg); + if (rc) + return -EINVAL; + if (hash->algo != verity_alg) + return -EINVAL; + hash->length = hash_digest_size[verity_alg]; + memcpy(hash->digest, verity_digest, hash->length); + return 0; +} + /* * ima_collect_measurement - collect file measurement * @@ -256,6 +274,8 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, if (buf) result = ima_calc_buffer_hash(buf, size, &hash.hdr); + else if (veritysig) + result = ima_collect_verity_measurement(iint, &hash.hdr); else result = ima_calc_file_hash(file, &hash.hdr);
Instead of calculating a file hash and verifying the signature stored in the security.ima xattr against the calculated file hash, verify the signature of the fs-verity's file digest. The fs-verity file digest is a hash that includes the Merkle tree root hash. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- security/integrity/ima/ima_api.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+)