[00/14] Implement Trusted Security Event Modeling.

Message ID	20230204050954.11583-1-greg@enjellic.com (mailing list archive)
Headers	show Return-Path: <linux-security-module-owner@vger.kernel.org> From: "Dr. Greg" <greg@enjellic.com> To: linux-security-module@vger.kernel.org Subject: [PATCH 00/14] Implement Trusted Security Event Modeling. Date: Fri, 3 Feb 2023 23:09:40 -0600 Message-Id: <20230204050954.11583-1-greg@enjellic.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Implement Trusted Security Event Modeling. \| expand [00/14] Implement Trusted Security Event Modeling. [01/14] Update MAINTAINERS file. [02/14] Add TSEM specific documentation. [03/14] Add magic number for tsemfs. [04/14] Implement CAP_TRUST capability. [05/14] Add TSEM master header file. [06/14] Add primary TSEM implementation file. [07/14] Add root domain trust implementation. [08/14] Implement TSEM control plane. [09/14] Add namespace implementation. [10/14] Add security event description export facility. [11/14] Add event description implementation. [12/14] Implement security event mapping. [13/14] Implement an internal Trusted Modeling Agent. [14/14] Activate the configuration and build of the TSEM LSM.

Message ID

20230204050954.11583-1-greg@enjellic.com (mailing list archive)

Headers

From: "Dr. Greg" <greg@enjellic.com>
To: linux-security-module@vger.kernel.org
Subject: [PATCH 00/14] Implement Trusted Security Event Modeling.
Date: Fri,  3 Feb 2023 23:09:40 -0600
Message-Id: <20230204050954.11583-1-greg@enjellic.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Implement Trusted Security Event Modeling. | expand

Message

Dr. Greg Feb. 4, 2023, 5:09 a.m. UTC

This patch series implements Trusted Security Event Modeling (TSEM) as
a new Linux Security Module (LSM) architecture.

At a conceptual level, TSEM can be thought of as an integration of
integrity measurement and mandatory access controls.  TSEM brings to
Linux security, a new model for implementing security controls that is
unique among current operating system platforms.

TSEM is designed to support the concept of a Trust Orchestration
System (TOS).  Trust orchestration involves the process of modeling
the security behavior of a workload, or a platform at large, and
defining whether or not a process is to be trusted, based on whether
or not the security events that it produces are consistent with a
security model that has been designed for a workload or platform.

TSEM operates under the premise, that security, like all other
physical phenomena in science and engineering, can be mathematically
modeled.  TSEM notionally treats the LSM security event hooks as a
basis set that is capable of generating a functional value for a
security model.

To support this notion, TSEM implements, entirely within the context
of the LSM architecture, the notion of security modeling domains which
are akin to resource namespaces.  A modeling domain is designed to be
paired with a Trusted Modeling Agent (TMA) that implements the root of
trust for a security domain/namespace.

A TMA implementation uses the descriptive parameters of a security
event hook to compute task specific coefficients for each security
event that occurs in a modeling domain.  The sum of these
coefficients, represents the security 'state' of the model.  These
coefficients, nee state points, for a security model are designed to
be developed by unit testing of an application stack.

TSEM thus represents a security architecture designed to support
modern software development strategies that are embracing
resource containerization and continuous integration and
development practices.  The objective of TSEM, along with
Quixote, it's userspace TOS implementation, is to bring to Linux
integrity and mandatory what Docker brought to Linux resource
namespaces.

The Quixote TOS has implementations of trust orchestrator's for the
following TMA trust roots:

Kernel.

Userspace process.

SGX enclave.

Xen Hypervisor domain.

Hardware based security coprocessors.

One of the objectives for Quixote/TSEM is to provide a framework for
developing next generation security co-processor technology that
extends beyond what is currently represented in the form of Trusted
Platform Modules.

Included with the Quixote TOS is an implementation of a security
co-processor based on the Nordic NRF52840-DONGLE micro-controller.
This is a USB form factor device that is currently being used for
projects such as GOOGLE's OpenSK security key initiative and 3mdeb's
Fobnail attestation server project.

Included in the patch series is an extensive documentation file that
can be found in the following location after the series is applied:

Documentation/admin-guide/LSM/tsem.rst

Reviewers, and other who are interested, are referred to this
document for a more extensive discussion into the rationale,
design and implementation of the TSEM architecture.

Control of TSEM is surfaced entirely through the tsemfs filesystem
that has the following mountpoint:

/sys/fs/tsem

TSEM is designed to be largely self-contained and independent of the
kernel at large and other LSM's.  It operates without the need for
filesystem labeling or cryptographic integrity protection of
filesystem metadata.

Source code for the userspace trust orchestration system and
pre-compiled binariesare available at the following location:

ftp://ftp.enjellic.com/pub/Quixote

The Quixote/TSEM TMA currently implements a very simple deterministic
security model.  The architecture is designed to provide a flexible
framework to support the potential implementation of more advanced
models that use stochastics, inference or other machine learning
methodologies.

Dr. Greg (14):
  Update MAINTAINERS file.
  Add TSEM specific documentation.
  Add magic number for tsemfs.
  Implement CAP_TRUST capability.
  Add TSEM master header file.
  Add primary TSEM implementation file.
  Add root domain trust implementation.
  Implement TSEM control plane.
  Add namespace implementation.
  Add security event description export facility.
  Add event description implementation.
  Implement security event mapping.
  Implement an internal Trusted Modeling Agent.
  Activate the configuration and build of the TSEM LSM.

 Documentation/ABI/testing/tsemfs              |  576 ++++++
 Documentation/admin-guide/LSM/index.rst       |    1 +
 Documentation/admin-guide/LSM/tsem.rst        | 1240 ++++++++++++
 .../admin-guide/kernel-parameters.txt         |    5 +
 MAINTAINERS                                   |    8 +
 include/uapi/linux/capability.h               |    6 +-
 include/uapi/linux/magic.h                    |    1 +
 security/Kconfig                              |   11 +-
 security/Makefile                             |    1 +
 security/selinux/include/classmap.h           |    2 +-
 security/tsem/Kconfig                         |   22 +
 security/tsem/Makefile                        |    2 +
 security/tsem/event.c                         |  474 +++++
 security/tsem/export.c                        |  388 ++++
 security/tsem/fs.c                            |  894 ++++++++
 security/tsem/map.c                           |  497 +++++
 security/tsem/model.c                         |  598 ++++++
 security/tsem/namespace.c                     |  226 +++
 security/tsem/trust.c                         |  134 ++
 security/tsem/tsem.c                          | 1801 +++++++++++++++++
 security/tsem/tsem.h                          |  388 ++++
 21 files changed, 7268 insertions(+), 7 deletions(-)
 create mode 100644 Documentation/ABI/testing/tsemfs
 create mode 100644 Documentation/admin-guide/LSM/tsem.rst
 create mode 100644 security/tsem/Kconfig
 create mode 100644 security/tsem/Makefile
 create mode 100644 security/tsem/event.c
 create mode 100644 security/tsem/export.c
 create mode 100644 security/tsem/fs.c
 create mode 100644 security/tsem/map.c
 create mode 100644 security/tsem/model.c
 create mode 100644 security/tsem/namespace.c
 create mode 100644 security/tsem/trust.c
 create mode 100644 security/tsem/tsem.c
 create mode 100644 security/tsem/tsem.h

Comments

Dr. Greg Feb. 23, 2023, 6:41 p.m. UTC | #1

On Sat, Feb 04, 2023 at 07:59:17PM +0800, Hillf Danton wrote:

Good afternoon Hillf, I hope this note finds your week going well.

Sorry for the delay in getting back to you on this, had some travel
and we are now in the process of readying the second spin of the
patches.

Thank you, up front, for taking the time to comment on the series.

> [with lkml Cced]

Noted.

> On Fri, 3 Feb 2023 23:09:49 -0600 Dr. Greg <greg@enjellic.com>
> > +/**
> > + * tsem_ns_free() - Releases the namespace model infrastructure.
> > + * @kref: A pointer to the reference counting structure for the namespace.
> > + *
> > + * This function is called when the last reference to a kernel
> > + * based TMA model structure is released.
> > + */
> > +void tsem_ns_free(struct kref *kref)
> > +{
> > +	struct tsem_TMA_context *ctx;
> > +
> > +	ctx = container_of(kref, struct tsem_TMA_context, kref);
> > +
> > +	if (ctx->external) {
> > +		tsem_fs_remove_external(ctx->external->dentry);
> > +		kfree(ctx->external);
> > +	} else
> > +		tsem_model_free(ctx);
> > +
> > +	kfree(ctx);
> > +}
> > +
> > +static void wq_put(struct work_struct *work)
> > +{
> > +	struct tsem_TMA_work *tsem_work;
> > +	struct tsem_TMA_context *ctx;
> > +
> > +	tsem_work = container_of(work, struct tsem_TMA_work, work);
> > +	ctx = tsem_work->ctx;
> > +	kref_put(&ctx->kref, tsem_ns_free);
> > +}
> > +
> > +/**
> > + * tsem_ns_get() - Obtain a reference on a TSEM TMA namespace.
> > + * @ctx: A pointer to the TMA modeling context for which a reference is
> > + *	 to be released.
> > + *
> > + * This function is called to release a reference to a TMA modeling
> > + * domain.
> > + */
> > +void tsem_ns_put(struct tsem_TMA_context *ctx)
> > +{
> > +	if (kref_read(&ctx->kref) > 1) {
> > +		kref_put(&ctx->kref, tsem_ns_free);
> > +		return;
> > +	}

> Given ctx->kref is 2, in the below scenario
> 
> 	cpu 0		cpu 2
> 	---		---
> 	ctx->kref > 1
> 			ctx->kref > 1
> 			kref_put
> 	kref_put
> 
> no work will be scheduled, so it makes sense to move scheduling work to
> tsem_ns_free() by making tsem_ns_put() only a wrapper of kref_put(), if
> ctx has to be released in workqueue.
> 
> void tsem_ns_put(struct tsem_TMA_context *ctx)
> {
> 	kref_put(&ctx->kref, tsem_ns_free);
> }

Missed this issue, thank you for pointing it out.

Based on your observations we re-worked the handling of the modeling
context reference handling and release and we should have the issue
addressed.

In the process we managed to clean up and simplify the implementation
as well, always good.

The changes will be in the second version of the patch series.

> > +
> > +	INIT_WORK(&ctx->work.work, wq_put);
> > +	ctx->work.ctx = ctx;
> > +	if (!queue_work(release_wq, &ctx->work.work))
> > +		WARN_ON_ONCE(1);
> > +}

> PS given system_unbound_wq and system_wq for instance, release_wq looks
> not mandatory if kfree is the major job.

Based on this observation, we also dropped the TSEM specific workqueue
and the code is now scheduling the modeling domain release work onto
the system_wq queue, given that there is nothing sophisticated about
the work that is being scheduled.

This work includes the freeing of the memory for the structure that
defines the external modeling context, or in the case of an internally
modeled domain, the internal model description state.

In addition, in the case of an externally modeled domain, the
workqueue also handles the removal of the securityfs based pseudo-file
that surfaces the event descriptions to the trust orchestrator.

The use of the workqueue silences a series of lock debugging
complaints about the release of the modeling domain/namespace
infrastructure.

Thanks again for your comments, have a good day.

As always,
Dr. Greg

The Quixote Project - Flailing at the Travails of Cybersecurity