Message ID: 20190614175513.27097-1-roberto.sassu@huawei.com (mailing list archive)
Series: ima: introduce IMA Digest Lists extension
On 6/14/2019 7:54 PM, Roberto Sassu wrote:
> This patch set introduces a new IMA extension called IMA Digest Lists.
>
> At early boot, the extension preloads in kernel memory reference digest
> values, that can be compared with actual file digests when files are
> accessed in the system.
>
> The extension will open for new possibilities: PCR with predictable value,
> that can be used for sealing policies associated with data or TPM keys;
> appraisal based on reference digests already provided by Linux distribution
> vendors in the software packages.
>
> The first objective can be achieved because the PCR values do not depend
> on which and when files are measured: the extension measures digest lists
> sequentially and files whose digest is not in the digest list.
>
> The second objective can be reached because the extension is able to
> extract reference measurements from packages (with a user space tool) and
> use it as a source for appraisal verification as the reference came from
> the security.ima xattr. This approach will also reduce the overhead as only
> one signature is verified for many files (as opposed to one signature for
> each file with the current implementation).
>
> This version of the patch set provides a clear separation between current
> and new functionality. First, the new functionality must be explicitly
> enabled from the kernel command line. Second, results of operations
> performed by the extension can be distinguished from those obtained from
> the existing code: measurement entries created by the extension have a
> different PCR; mutable files appraised with the extension have a different
> security.ima type.
>
> The review of this patch set should start from patches 11 and 12, which
> modify the IMA-Measure and IMA-Appraise submodules to use digest lists.
> Patches 1 to 5 are prerequisites. Patches 6 to 10 add support for digest
> lists. Finally, patch 13 introduces two new policies to measure/appraise
> rootfs and patch 14 adds the documentation (including a flow chart to
> show how IMA has been modified).
>
> The user space tools to configure digest lists are available at:
>
> https://github.com/euleros/digest-list-tools/releases/tag/v0.3
>
> The patch set applies on top of linux-integrity/next-queued-testing
> (73589972b987).
>
> It is necessary to apply also:
> https://patchwork.kernel.org/cover/10957495/

Another dependency is:

https://patchwork.kernel.org/cover/10979341/

Roberto

> To use appraisal, it is necessary to use a modified cpio and a modified
> dracut:
>
> https://github.com/euleros/cpio/tree/xattr-v1
> https://github.com/euleros/dracut/tree/digest-lists
>
> For now, please use it only in a testing environment.
>
>
> Changelog
>
> v3:
> - move ima_lookup_loaded_digest() and ima_add_digest_data_entry() from
>   ima_queue.c to ima_digest_list.c
> - remove patch that introduces security.ima_algo
> - add version number and type modifiers to the compact list header
> - remove digest list metadata, all digest lists in the directory are
>   accessed
> - move loading of signing keys to user space
> - add violation for both PCRs if they are selected
> - introduce two new appraisal modes
>
> v2:
> - add support for multiple hash algorithms
> - remove RPM parser from the kernel
> - add support for parsing digest lists in user space
>
> v1:
> - add support for immutable/mutable files
> - add support for appraisal with digest lists
>
>
> Roberto Sassu (14):
>   ima: read hash algorithm from security.ima even if appraisal is not
>     enabled
>   ima: generalize ima_read_policy()
>   ima: generalize ima_write_policy() and raise uploaded data size limit
>   ima: generalize policy file operations
>   ima: use ima_show_htable_value to show violations and hash table data
>   ima: add parser of compact digest list
>   ima: restrict upload of converted digest lists
>   ima: prevent usage of digest lists that are not measured/appraised
>   ima: introduce new securityfs files
>   ima: load parser digests and execute the parser at boot time
>   ima: add support for measurement with digest lists
>   ima: add support for appraisal with digest lists
>   ima: introduce new policies initrd and appraise_initrd
>   ima: add Documentation/security/IMA-digest-lists.txt
>
>  .../admin-guide/kernel-parameters.txt       |  16 +-
>  Documentation/security/IMA-digest-lists.txt | 226 +++++++++++++
>  include/linux/evm.h                         |   6 +
>  include/linux/fs.h                          |   1 +
>  security/integrity/evm/evm_main.c           |   2 +-
>  security/integrity/iint.c                   |   1 +
>  security/integrity/ima/Kconfig              |  25 ++
>  security/integrity/ima/Makefile             |   1 +
>  security/integrity/ima/ima.h                |  32 +-
>  security/integrity/ima/ima_api.c            |  43 ++-
>  security/integrity/ima/ima_appraise.c       |  92 +++---
>  security/integrity/ima/ima_digest_list.c    | 309 ++++++++++++++++++
>  security/integrity/ima/ima_digest_list.h    |  69 ++++
>  security/integrity/ima/ima_fs.c             | 224 ++++++++-----
>  security/integrity/ima/ima_init.c           |   2 +-
>  security/integrity/ima/ima_main.c           |  81 ++++-
>  security/integrity/ima/ima_policy.c         |  29 +-
>  security/integrity/integrity.h              |  22 ++
>  18 files changed, 1018 insertions(+), 163 deletions(-)
>  create mode 100644 Documentation/security/IMA-digest-lists.txt
>  create mode 100644 security/integrity/ima/ima_digest_list.c
>  create mode 100644 security/integrity/ima/ima_digest_list.h
On 6/17/2019 8:56 AM, Roberto Sassu wrote:
> On 6/14/2019 7:54 PM, Roberto Sassu wrote:
>> This patch set introduces a new IMA extension called IMA Digest Lists.
>>
>> At early boot, the extension preloads in kernel memory reference digest
>> values, that can be compared with actual file digests when files are
>> accessed in the system.
>>
>> The extension will open for new possibilities: PCR with predictable value,
>> that can be used for sealing policies associated with data or TPM keys;
>> appraisal based on reference digests already provided by Linux distribution
>> vendors in the software packages.
>>
>> The first objective can be achieved because the PCR values do not depend
>> on which and when files are measured: the extension measures digest lists
>> sequentially and files whose digest is not in the digest list.
>>
>> The second objective can be reached because the extension is able to
>> extract reference measurements from packages (with a user space tool) and
>> use it as a source for appraisal verification as the reference came from
>> the security.ima xattr. This approach will also reduce the overhead as only
>> one signature is verified for many files (as opposed to one signature for
>> each file with the current implementation).
>>
>> This version of the patch set provides a clear separation between current
>> and new functionality. First, the new functionality must be explicitly
>> enabled from the kernel command line. Second, results of operations
>> performed by the extension can be distinguished from those obtained from
>> the existing code: measurement entries created by the extension have a
>> different PCR; mutable files appraised with the extension have a different
>> security.ima type.
>>
>> The review of this patch set should start from patches 11 and 12, which
>> modify the IMA-Measure and IMA-Appraise submodules to use digest lists.
>> Patches 1 to 5 are prerequisites. Patches 6 to 10 add support for digest
>> lists. Finally, patch 13 introduces two new policies to measure/appraise
>> rootfs and patch 14 adds the documentation (including a flow chart to
>> show how IMA has been modified).
>>
>> The user space tools to configure digest lists are available at:
>>
>> https://github.com/euleros/digest-list-tools/releases/tag/v0.3
>>
>> The patch set applies on top of linux-integrity/next-queued-testing
>> (73589972b987).
>>
>> It is necessary to apply also:
>> https://patchwork.kernel.org/cover/10957495/
>
> Another dependency is:
>
> https://patchwork.kernel.org/cover/10979341/
>
> Roberto

I uploaded this patch set and all the required dependencies to:

https://github.com/euleros/linux/releases/tag/ima-digest-lists-v4

It should be easy to test. Let me know if you have questions about the
installation.

Mimi, do you have any thoughts on this version?

Thanks

Roberto
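The cover letter quoted above claims a "PCR with predictable value" because digest lists are measured sequentially and only files absent from every list are measured individually. The following is an added example, not code from the patch set or from digest-list-tools, that models the TPM PCR extend operation and shows why that claim holds and where it stops: the digest list format (concatenated raw digests), the sample file contents and the function names are all constructed for illustration and are not the kernel's compact list format.

```python
import hashlib

# Added example (not code from the IMA Digest Lists patch set). It models
# the TPM PCR extend operation that IMA relies on,
#     PCR_new = H(PCR_old || measurement),
# and contrasts two measurement strategies:
#   legacy:       every accessed file's digest is extended, in access order
#   digest lists: digest list blobs are extended in a fixed order at boot,
#                 then only files whose digest is NOT in a loaded list.
# The digest list format below (concatenated raw digests) is a constructed
# stand-in for the kernel's compact list format, not that format itself.

ALGO = "sha256"
DIGEST_LEN = hashlib.new(ALGO).digest_size
PCR_INIT = bytes(DIGEST_LEN)  # PCRs start at all zeros


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """One PCR extend step: hash the old value together with the measurement."""
    return hashlib.new(ALGO, pcr + measurement).digest()


def file_digest(content: bytes) -> bytes:
    return hashlib.new(ALGO, content).digest()


def make_digest_list(contents) -> bytes:
    """Constructed digest list: raw digests concatenated, one per file."""
    return b"".join(file_digest(c) for c in contents)


def parse_digest_list(blob: bytes) -> set:
    if len(blob) % DIGEST_LEN:
        raise ValueError("truncated digest list")
    return {blob[i:i + DIGEST_LEN] for i in range(0, len(blob), DIGEST_LEN)}


def legacy_pcr(files_in_access_order) -> bytes:
    """Current IMA behaviour in miniature: the PCR depends on which files
    are accessed and in what order."""
    pcr = PCR_INIT
    for content in files_in_access_order:
        pcr = pcr_extend(pcr, file_digest(content))
    return pcr


def digest_list_pcr(digest_lists, files_in_access_order) -> bytes:
    """Digest-list behaviour as the cover letter describes it: lists are
    measured sequentially, files only if their digest is not in a list."""
    pcr = PCR_INIT
    known = set()
    for blob in digest_lists:
        pcr = pcr_extend(pcr, file_digest(blob))
        known |= parse_digest_list(blob)
    for content in files_in_access_order:
        d = file_digest(content)
        if d not in known:
            pcr = pcr_extend(pcr, d)
    return pcr


def demo() -> dict:
    """Constructed package contents; returns the properties being shown."""
    packaged = [b"#!/bin/sh\necho hello\n", b"\x7fELF fake binary", b"key=value\n"]
    lists = [make_digest_list(packaged)]
    forward, backward = packaged, list(reversed(packaged))
    unknown = b"not shipped by any package"
    return {
        # legacy PCR changes with access order
        "legacy_order_dependent": legacy_pcr(forward) != legacy_pcr(backward),
        # digest-list PCR is the same regardless of order, or of whether the
        # packaged files are accessed at all
        "digest_list_predictable": (
            digest_list_pcr(lists, forward)
            == digest_list_pcr(lists, backward)
            == digest_list_pcr(lists, [])
        ),
        # a file outside every list still lands in the PCR
        "unknown_file_still_measured": (
            digest_list_pcr(lists, forward + [unknown]) != digest_list_pcr(lists, forward)
        ),
    }


if __name__ == "__main__":
    for name, holds in demo().items():
        print(f"{name}: {holds}")
```

Two simplifications to keep in mind when mapping this back to IMA: the real measurement list extends the template hash (for ima-ng, the digest plus the file path) rather than the bare file digest, and the legacy PCR also starts with the boot_aggregate entry. Neither changes the property shown here: with digest lists, the PCR value is fixed by the set and order of lists loaded at boot, so it can be used in a sealing policy, while any file not covered by a list is still recorded.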
[Cc'ing Rob Landley]
On Tue, 2019-06-25 at 14:57 +0200, Roberto Sassu wrote:
> Mimi, do you have any thoughts on this version?
I need to look closer, but when I first looked these changes seemed to
be really invasive. Let's first work on getting the CPIO xattr
support upstreamed. Rob Landley said he was going to review and test
them. Do you have any documentation on how to set up a test
environment? I'd really appreciate if others would also help with
reviewing the CPIO patches.
thanks!
Mimi
On 6/25/2019 7:35 PM, Mimi Zohar wrote:
> [Cc'ing Rob Landley]
>
> On Tue, 2019-06-25 at 14:57 +0200, Roberto Sassu wrote:
>> Mimi, do you have any thoughts on this version?
>
> I need to look closer, but when I first looked these changes seemed to
> be really invasive. Let's first work on getting the CPIO xattr

If you can provide early comments, that would be great. I'll have a look
at the problems and when the xattr support for the ram disk is upstreamed
I will be ready to send a new version.

Thanks

Roberto