From: Mimi Zohar <zohar@linux.ibm.com>
To: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>,
	James Bottomley <James.Bottomley@HansenPartnership.com>,
	"linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"containers@lists.linux-foundation.org"
	<containers@lists.linux-foundation.org>,
	"linux-security-module@vger.kernel.org"
	<linux-security-module@vger.kernel.org>
Cc: "mkayaalp@cs.binghamton.edu" <mkayaalp@cs.binghamton.edu>,
	"sunyuqiong1988@gmail.com" <sunyuqiong1988@gmail.com>,
	Roberto Sassu <roberto.sassu@huawei.com>,
	Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>,
	"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>
Subject: Re: [RFC PATCH 00/30] ima: Introduce IMA namespace
Date: Wed, 02 Sep 2020 14:53:17 -0400
Message-ID: <5331e60b5a1afb55e2bc778db1b95998466b687d.camel@linux.ibm.com>
In-Reply-To: <401a2f36149f450291d1742aeb6c2260@huawei.com>

On Fri, 2020-08-21 at 15:13 +0000, Krzysztof Struczynski wrote:
> > From: James Bottomley [mailto:James.Bottomley@HansenPartnership.com]
> > On Tue, 2020-08-18 at 17:20 +0200, krzysztof.struczynski@huawei.com
> > wrote:
> > > The measurement list remains global, with the assumption that there
> > > is only one TPM in the system. Each IMA namespace has a unique ID
> > > that allows tracking measurements per IMA namespace. Processes in one
> > > namespace have access only to the measurements from that namespace.
> > > The exception is made for the initial IMA namespace, whose processes
> > > have access to all entries.
> > 
> > So I think this can work in the use case where the system owner is
> > responsible for doing the logging and attestation and the tenants just
> > trust the owner without requiring an attestation.  However, in a multi-
> > tenant system you need a way for the attestation to be per-container
> > (because the combined list of who executed what would be a security
> > leak between tenants).  Since we can't virtualise the PCRs without
> > introducing a vtpm this is going to require a vtpm infrastructure like
> > that used for virtual machines and then we can do IMA logging per
> > container.
> 
> I agree and wonder if we should decouple the attestation trust model,
> which depends on the specific use case (e.g. multi/single tenant,
> public/private cloud), from the IMA logic of linking the measurements to
> the container. Indeed, attestation from within the container might require
> anchoring to a vTPM/vPCR and the current measurement tagging mechanism can
> support several ways of anchoring them to a (virtual) root of trust.
> 
> > I don't think the above has to be in your first patch set, we just have
> > to have an idea of how it could be done to show that nothing in this
> > patch set precludes a follow on from doing this.
> 
> Given that virtualizing trust anchors seems like a separate problem in
> which industry consensus is not easy to reach for all use cases, an
> anchoring mechanism should probably be a separate IMA feature.

Other trust anchors for "trusted keys" have been discussed, but I wasn't
aware of any discussion about other trust anchors for the IMA
measurement list.  The IMA measurement list is very much tied to a TPM.

Including container measurements in the host measurement list will
unnecessarily cause the host measurement list to grow.  The decision of
what should and shouldn't be included in the host measurement list
shouldn't be defined by the container.

Mimi
