From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: corbet@lwn.net, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com,
	eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org,
	serge@hallyn.com
Cc: linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org, wufan@linux.microsoft.com,
	pbrobinson@gmail.com, zbyszek@in.waw.pl, hch@lst.de,
	mjg59@srcf.ucam.org, pmatilai@redhat.com, jannh@google.com,
	dhowells@redhat.com, jikos@kernel.org, mkoutny@suse.com,
	ppavlu@suse.com, petr.vorel@gmail.com,
	petrtesarik@huaweicloud.com, mzerqung@0pointer.de,
	kgold@linux.ibm.com, Roberto Sassu <roberto.sassu@huawei.com>
Subject: [RFC][PATCH 0/8] ima: Integrate with digest_cache LSM
Date: Wed, 14 Feb 2024 15:35:16 +0100	[thread overview]
Message-ID: <20240214143525.2205481-1-roberto.sassu@huaweicloud.com> (raw)

From: Roberto Sassu <roberto.sassu@huawei.com>

One of the IMA shortcomings over the years has been the availability of
reference digest values for appraisal. Recently, the situation improved
and some Linux distributions are including file signatures.

The digest_cache LSM takes a different approach. Instead of requiring
Linux distributions to include file signatures in their packages, it parses
the digests from signed RPM package headers and exposes an API for
integrity providers to query a digest.

That enables Linux distributions to immediately gain the ability to do
integrity checks with the existing packages, lowering the burden for
software vendors.

In addition, integrating IMA with the digest_cache LSM has even more
benefits.

First, it allows generating a new-style measurement list including the RPM
package headers and the unknown files, which improves system performance
due to the lower usage of the TPM. The cost is the lower accuracy of the
information reported, which might not be suitable for everyone.

Second, performance improves for appraisal too. It has been found that
verifying the signatures of only the RPM package headers and doing a digest
lookup is much less computationally expensive than verifying individual
file signatures.

For reference, a preliminary performance evaluation has been published
here:

https://lore.kernel.org/linux-integrity/20240209140917.846878-14-roberto.sassu@huaweicloud.com/


Third, it makes a PCR predictable and suitable for TPM key sealing
policies.

Finally, it allows IMA to maintain a predictable PCR and to perform
appraisal from the very beginning of the boot, in the initial ram disk
(of course, it won't recognize automatically generated files, that don't
exist in the RPM packages).


This patch set has some prerequisites:
- KEYS: Introduce user asymmetric keys and signatures (PGP keys and sigs)
- security: Move IMA and EVM to the LSM infrastructure
- security: digest_cache LSM (+digest_cache_changed(), introduced later)


Integration of IMA with the digest_cache LSM is straightforward.

Patch 1 lets IMA know when the digest_cache LSM is reading a digest list,
to populate a digest cache.

Patch 2 allows nested IMA verification of digest lists read by the
digest_cache LSM.

Patch 3 allows the usage of digest caches with the IMA policy.

Patch 4 introduces new boot-time policies, to use digest caches from the
very beginning (it allows measurement/appraisal from the initial ram disk).

Patch 5 attaches the verification result of the digest list to the digest
cache being populated with that digest list.

Patches 6-7 enable the usage of digest caches respectively for measurement
and appraisal, on the condition that it is authorized with the IMA policy
and that the digest list itself was measured and appraised too.

Patch 8 detects digest cache changes and consequently resets the IMA
cached verification result.

Roberto Sassu (8):
  ima: Introduce hook DIGEST_LIST_CHECK
  ima: Nest iint mutex for DIGEST_LIST_CHECK hook
  ima: Add digest_cache policy keyword
  ima: Add digest_cache_measure and digest_cache_appraise boot-time
    policies
  ima: Record IMA verification result of digest lists in digest cache
  ima: Use digest cache for measurement
  ima: Use digest cache for appraisal
  ima: Detect if digest cache changed since last measurement/appraisal

 Documentation/ABI/testing/ima_policy          |   6 +-
 .../admin-guide/kernel-parameters.txt         |  15 ++-
 security/integrity/ima/Kconfig                |  10 ++
 security/integrity/ima/ima.h                  |  24 +++-
 security/integrity/ima/ima_api.c              |  21 +++-
 security/integrity/ima/ima_appraise.c         |  33 +++--
 security/integrity/ima/ima_iint.c             |  14 ++-
 security/integrity/ima/ima_main.c             |  81 ++++++++++--
 security/integrity/ima/ima_policy.c           | 118 +++++++++++++++++-
 9 files changed, 285 insertions(+), 37 deletions(-)

-- 
2.34.1
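The cover letter describes the logic in prose only; the following is an added, simplified user-space model of that logic (it is not code from the patch set or from the kernel). It shows the three points the series makes: a digest list is verified once and its verification result is attached to the cache built from it (patch 5), a file may be vouched for by a digest lookup only when the IMA policy authorizes it and the list was verified at least as strictly as the file would be (patches 3, 6 and 7), and a cached per-file verdict is reset when the digest cache changes (patch 8). It also builds the "new-style" measurement list, in which covered files add no entry of their own. The names DigestCache, FileIint, Verdict, populate_cache, update_cache, ima_check, build_measurement_list, the DL_* flag values and the sample files are all assumptions chosen for this illustration.

```python
"""Simplified user-space model of the IMA / digest_cache interaction
sketched in the cover letter above.  Added example, not kernel code: every
name below is an assumption chosen for illustration."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Verification result of a digest list, recorded in its cache (patch 5).
DL_MEASURED = 1    # the digest list itself was measured
DL_APPRAISED = 2   # the digest list's signature was verified


class Verdict(Enum):
    CACHE_HIT = "digest found in an authorized digest cache"
    FALLBACK = "not covered by the cache: measure / verify the file itself"


@dataclass
class DigestCache:
    """Digests parsed from one digest list (e.g. a signed RPM package header)."""
    name: str                 # label of the digest list, used in the measurement entry
    digests: set              # hex SHA-256 values taken from the list
    verif_result: int = 0     # DL_* flags recorded when the list was checked
    generation: int = 0       # bumped whenever the cache content changes


@dataclass
class FileIint:
    """Per-file integrity state, loosely modelled on IMA's inode integrity cache."""
    verdict: Optional[Verdict] = None   # None = not evaluated yet
    cache_generation: int = -1          # generation the verdict was computed against


def file_digest(data: bytes) -> str:
    """Hex SHA-256 of file content (the algorithm is an assumption of this model)."""
    return hashlib.sha256(data).hexdigest()


def populate_cache(name: str, digest_list: list, measured: bool, appraised: bool) -> DigestCache:
    """Patches 1 and 5: build a cache from a digest list and record how the list was verified."""
    flags = (DL_MEASURED if measured else 0) | (DL_APPRAISED if appraised else 0)
    return DigestCache(name=name, digests=set(digest_list), verif_result=flags)


def update_cache(cache: DigestCache, digest_list: list) -> None:
    """A re-read digest list replaces the content and bumps the generation (patch 8)."""
    cache.digests = set(digest_list)
    cache.generation += 1


def ima_check(data: bytes, iint: FileIint, cache: DigestCache,
              policy_allows_cache: bool, required: int) -> Verdict:
    """Patches 6-8: decide whether the digest cache may vouch for a file.

    The cache is usable only when the IMA policy authorizes it (patch 3) and
    the digest list was verified at least as strictly as the file would be
    (DL_MEASURED for measurement, DL_APPRAISED for appraisal).  A cached
    verdict is discarded if the digest cache changed since it was computed.
    """
    if iint.verdict is not None and iint.cache_generation != cache.generation:
        iint.verdict = None               # patch 8: cache changed, reset the result
    if iint.verdict is not None:
        return iint.verdict
    verdict = Verdict.FALLBACK
    if policy_allows_cache and (cache.verif_result & required) == required:
        if file_digest(data) in cache.digests:   # one lookup instead of a signature check
            verdict = Verdict.CACHE_HIT
    iint.verdict = verdict
    iint.cache_generation = cache.generation
    return verdict


def build_measurement_list(files: dict, cache: DigestCache, policy_allows_cache: bool) -> list:
    """Entries of the 'new-style' measurement list from the cover letter: the
    digest list is measured once, and only files it does not cover are measured
    individually (fewer TPM extends, but a less precise per-file record)."""
    entries = ["digest_list:" + cache.name] if cache.verif_result & DL_MEASURED else []
    for path, data in files.items():
        if ima_check(data, FileIint(), cache, policy_allows_cache, DL_MEASURED) is Verdict.FALLBACK:
            entries.append(path + ":" + file_digest(data))
    return entries


if __name__ == "__main__":
    # Constructed sample: two "packaged" files and one generated at runtime.
    packaged = {"/usr/bin/foo": b"foo binary\n", "/usr/lib/libbar.so": b"libbar\n"}
    generated = {"/etc/machine-id": b"0123456789abcdef\n"}
    rpm_header = populate_cache("foo-1.0.rpm", [file_digest(d) for d in packaged.values()],
                                measured=True, appraised=True)
    for entry in build_measurement_list({**packaged, **generated}, rpm_header, True):
        print(entry)
```

Running the block prints one entry for the digest list and one for the generated file only; the two packaged files are covered by the digest list entry. The same ima_check call with required=DL_APPRAISED models appraisal: a cache built from a list that was measured but not appraised falls back to per-file verification, which is the condition patches 6-7 enforce.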

