From patchwork Mon Jul 26 16:36:59 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roberto Sassu X-Patchwork-Id: 12400143 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.7 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D67FAC4320E for ; Mon, 26 Jul 2021 16:41:14 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C24D26044F for ; Mon, 26 Jul 2021 16:41:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239910AbhGZQAo (ORCPT ); Mon, 26 Jul 2021 12:00:44 -0400 Received: from frasgout.his.huawei.com ([185.176.79.56]:3495 "EHLO frasgout.his.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239732AbhGZQAW (ORCPT ); Mon, 26 Jul 2021 12:00:22 -0400 Received: from fraeml714-chm.china.huawei.com (unknown [172.18.147.200]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4GYQNY3pz9z6LB2P; Tue, 27 Jul 2021 00:29:01 +0800 (CST) Received: from roberto-ThinkStation-P620.huawei.com (10.204.63.22) by fraeml714-chm.china.huawei.com (10.206.15.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2176.2; Mon, 26 Jul 2021 18:40:47 +0200 From: Roberto Sassu To: , , CC: , , , , , Roberto Sassu Subject: [RFC][PATCH v2 11/12] diglim: Remote Attestation Date: Mon, 26 Jul 2021 18:36:59 +0200 Message-ID: <20210726163700.2092768-12-roberto.sassu@huawei.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210726163700.2092768-1-roberto.sassu@huawei.com> References: <20210726163700.2092768-1-roberto.sassu@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.204.63.22] X-ClientProxiedBy: lhreml754-chm.china.huawei.com (10.201.108.204) To fraeml714-chm.china.huawei.com (10.206.15.33) X-CFilter-Loop: Reflected Precedence: bulk List-ID: Add more information about remote attestation with IMA and DIGLIM in Documentation/security/diglim/remote_attestation.rst. Signed-off-by: Roberto Sassu --- Documentation/security/diglim/index.rst | 1 + .../security/diglim/remote_attestation.rst | 87 +++++++++++++++++++ MAINTAINERS | 1 + 3 files changed, 89 insertions(+) create mode 100644 Documentation/security/diglim/remote_attestation.rst diff --git a/Documentation/security/diglim/index.rst b/Documentation/security/diglim/index.rst index 4771134c2f0d..0f28c5ad71c0 100644 --- a/Documentation/security/diglim/index.rst +++ b/Documentation/security/diglim/index.rst @@ -10,3 +10,4 @@ Digest Lists Integrity Module (DIGLIM) introduction architecture implementation + remote_attestation diff --git a/Documentation/security/diglim/remote_attestation.rst b/Documentation/security/diglim/remote_attestation.rst new file mode 100644 index 000000000000..83fd7581c460 --- /dev/null +++ b/Documentation/security/diglim/remote_attestation.rst @@ -0,0 +1,87 @@ +.. SPDX-License-Identifier: GPL-2.0 + +Remote Attestation +================== + +When a digest list is added or deleted through the ``digest_list_add`` or +``digest_list_del`` interfaces, its buffer is sent to the IMA function +``ima_measure_critical_data()``. The primary reason for it is to calculate +the buffer digest, so that the digest list itself is searchable in the hash +table. + +``ima_measure_critical_data()`` can be also used to create a new +measurement entry each time this function is called, if there is an +appropriate rule in the IMA policy. Given that this function is called +during an addition or deletion of a digest list, a remote verifier can +infer from the measurement list precise information about what has been +uploaded to the kernel. + +To enable this functionality, the following rule must be added to the IMA +policy: + +:: + + measure func=CRITICAL_DATA label=diglim + + +When a file is uploaded, the workflow and the resulting IMA measurement +list are: + +.. code-block:: bash + + # echo $PWD/0-file_list-compact-cat > /sys/kernel/security/integrity/diglim/digest_list_add + # echo $PWD/0-file_list-compact-cat > /sys/kernel/security/integrity/diglim/digest_list_del + # cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements + ... + 10