From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: corbet@lwn.net, paul@paul-moore.com, jmorris@namei.org,
	serge@hallyn.com,  shuah@kernel.org, mcoquelin.stm32@gmail.com,
	alexandre.torgue@foss.st.com,  mic@digikod.net
Cc: linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
	 linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
	 bpf@vger.kernel.org, zohar@linux.ibm.com,
	dmitry.kasatkin@gmail.com,  linux-integrity@vger.kernel.org,
	wufan@linux.microsoft.com, pbrobinson@gmail.com,
	 zbyszek@in.waw.pl, hch@lst.de, mjg59@srcf.ucam.org,
	pmatilai@redhat.com,  jannh@google.com, dhowells@redhat.com,
	jikos@kernel.org, mkoutny@suse.com,  ppavlu@suse.com,
	petr.vorel@gmail.com, petrtesarik@huaweicloud.com,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: Re: [PATCH v3 00/13] security: digest_cache LSM
Date: Wed, 28 Feb 2024 18:46:43 +0100	[thread overview]
Message-ID: <e6d1314d46dc4befd78bfa33e2cf3d8572a16009.camel@huaweicloud.com> (raw)
In-Reply-To: <20240209140917.846878-1-roberto.sassu@huaweicloud.com>

On Fri, 2024-02-09 at 15:09 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Introduce the digest_cache LSM, whose purpose is to deliver reference
> digest values to integrity providers, such as IMA and IPE, abstracting to
> them how those digests were extracted from the respective data source.
> 
> The major benefit is the ability to use the vast amount of digests already
> provided (and likely signed) by software vendors, without needing them to
> adapt their format to the one understood by the integrity provider.
> 
> IMA and IPE can immediately interface with the digest_cache LSM and query
> the digest of an accessed file. If the digest is found, it means that the
> file is coming from the software vendor and not modified. If not, the file
> might have been corrupted. Each integrity provider decides how to handle
> this situation.
> 
> The second major benefit is performance improvement. Since the digest_cache
> LSM has the ability to extract many digests from a single data source, it
> means that it has fewer signatures to verify compared to the approach of
> verifying individual file signatures (IMA appraisal). Preliminary tests
> have shown a speedup of IMA appraisal of about 65% for sequential read, and
> 45% for parallel read.
> 
> This patch set has as prerequisites the file_release LSM hook (to be
> introduced with the move of IMA/EVM to the LSM infrastructure), and
> support for PGP keys, for which it is still unclear how it should be done.
> 
> The IMA integration patch set will be introduced separately. Also a PoC
> based on the current version of IPE can be provided.

Hi everyone,

I still hope to receive some comments on this and on the IMA
integration patch set.

Meanwhile, I built openSUSE Tumbleweed packages with both those patch
sets (with a few changes) and the PGP one (with the parser in kernel
space).

I also published the first preliminary version of digest-cache-tools
which contains the tools to manage the digest_cache LSM.

https://github.com/linux-integrity/digest-cache-tools


The README should give a pretty good idea on how to configure the
digest_cache LSM correctly, to do IMA measurement (with predictable
PCR) and IMA appraisal.

That basically requires installing only the kernel and the
digest-cache-tools packages (plus dracut, to enable IMA
measurement/appraisal from the initial RAM disk).

Other than that, openSUSE Tumbleweed with these three packages (and no
other modifications, even in the build infrastructure) basically
offers the integrity features that IMA supports.

Roberto

> v2:
> - Include the TLV parser in this patch set (from user asymmetric keys and
>   signatures)
> - Move from IMA and make an independent LSM
> - Remove IMA-specific stuff from this patch set
> - Add per algorithm hash table
> - Expect all digest lists to be in the same directory and allow changing
>   the default directory
> - Support digest lookup on directories, when there is no
>   security.digest_list xattr
> - Add seq num to digest list file name, to impose ordering on directory
>   iteration
> - Add a new data type DIGEST_LIST_ENTRY_DATA for the nested data in the
>   tlv digest list format
> - Add the concept of verification data attached to digest caches
> - Add the reset mechanism to track changes on digest lists and directory
>   containing the digest lists
> - Add kernel selftests
> 
> v1:
> - Add documentation in Documentation/security/integrity-digest-cache.rst
> - Pass the mask of IMA actions to digest_cache_alloc()
> - Add a reference count to the digest cache
> - Remove the path parameter from digest_cache_get(), and rely on the
>   reference count to avoid the digest cache disappearing while being used
> - Rename the dentry_to_check parameter of digest_cache_get() to dentry
> - Rename digest_cache_get() to digest_cache_new() and add
>   digest_cache_get() to set the digest cache in the iint of the inode for
>   which the digest cache was requested
> - Add dig_owner and dig_user to the iint, to distinguish from which inode
>   the digest cache was created from, and which is using it; consequently it
>   makes the digest cache usable to measure/appraise other digest caches
>   (support not yet enabled)
> - Add dig_owner_mutex and dig_user_mutex to serialize accesses to dig_owner
>   and dig_user until they are initialized
> - Enforce strong synchronization and make the contenders wait until
>   dig_owner and dig_user are assigned to the iint the first time
> - Move checking IMA actions on the digest list earlier, and fail if no
>   action were performed (digest cache not usable)
> - Remove digest_cache_put(), not needed anymore with the introduction of
>   the reference count
> - Fail immediately in digest_cache_lookup() if the digest algorithm is
>   not set in the digest cache
> - Use 64 bit mask for IMA actions on the digest list instead of 8 bit
> - Return NULL in the inline version of digest_cache_get()
> - Use list_add_tail() instead of list_add() in the iterator
> - Copy the digest list path to a separate buffer in digest_cache_iter_dir()
> - Use digest list parsers verified with Frama-C
> - Explicitly disable (for now) the possibility in the IMA policy to use the
>   digest cache to measure/appraise other digest lists
> - Replace exit(<value>) with return <value> in manage_digest_lists.c
> 
> Roberto Sassu (13):
>   lib: Add TLV parser
>   security: Introduce the digest_cache LSM
>   digest_cache: Add securityfs interface
>   digest_cache: Add hash tables and operations
>   digest_cache: Populate the digest cache from a digest list
>   digest_cache: Parse tlv digest lists
>   digest_cache: Parse rpm digest lists
>   digest_cache: Add management of verification data
>   digest_cache: Add support for directories
>   digest cache: Prefetch digest lists if requested
>   digest_cache: Reset digest cache on file/directory change
>   selftests/digest_cache: Add selftests for digest_cache LSM
>   docs: Add documentation of the digest_cache LSM
> 
>  Documentation/security/digest_cache.rst       | 900 ++++++++++++++++++
>  Documentation/security/index.rst              |   1 +
>  MAINTAINERS                                   |  16 +
>  include/linux/digest_cache.h                  |  89 ++
>  include/linux/kernel_read_file.h              |   1 +
>  include/linux/tlv_parser.h                    |  28 +
>  include/uapi/linux/lsm.h                      |   1 +
>  include/uapi/linux/tlv_digest_list.h          |  72 ++
>  include/uapi/linux/tlv_parser.h               |  59 ++
>  include/uapi/linux/xattr.h                    |   6 +
>  lib/Kconfig                                   |   3 +
>  lib/Makefile                                  |   3 +
>  lib/tlv_parser.c                              | 214 +++++
>  lib/tlv_parser.h                              |  17 +
>  security/Kconfig                              |  11 +-
>  security/Makefile                             |   1 +
>  security/digest_cache/Kconfig                 |  34 +
>  security/digest_cache/Makefile                |  11 +
>  security/digest_cache/dir.c                   | 245 +++++
>  security/digest_cache/htable.c                | 268 ++++++
>  security/digest_cache/internal.h              | 259 +++++
>  security/digest_cache/main.c                  | 545 +++++++++++
>  security/digest_cache/modsig.c                |  66 ++
>  security/digest_cache/parsers/parsers.h       |  15 +
>  security/digest_cache/parsers/rpm.c           | 223 +++++
>  security/digest_cache/parsers/tlv.c           | 299 ++++++
>  security/digest_cache/populate.c              | 163 ++++
>  security/digest_cache/reset.c                 | 168 ++++
>  security/digest_cache/secfs.c                 |  87 ++
>  security/digest_cache/verif.c                 | 119 +++
>  security/security.c                           |   3 +-
>  tools/testing/selftests/Makefile              |   1 +
>  .../testing/selftests/digest_cache/.gitignore |   3 +
>  tools/testing/selftests/digest_cache/Makefile |  23 +
>  .../testing/selftests/digest_cache/all_test.c | 706 ++++++++++++++
>  tools/testing/selftests/digest_cache/common.c |  79 ++
>  tools/testing/selftests/digest_cache/common.h | 131 +++
>  .../selftests/digest_cache/common_user.c      |  47 +
>  .../selftests/digest_cache/common_user.h      |  17 +
>  tools/testing/selftests/digest_cache/config   |   1 +
>  .../selftests/digest_cache/generators.c       | 248 +++++
>  .../selftests/digest_cache/generators.h       |  19 +
>  .../selftests/digest_cache/testmod/Makefile   |  16 +
>  .../selftests/digest_cache/testmod/kern.c     | 499 ++++++++++
>  .../selftests/lsm/lsm_list_modules_test.c     |   3 +
>  45 files changed, 5714 insertions(+), 6 deletions(-)
>  create mode 100644 Documentation/security/digest_cache.rst
>  create mode 100644 include/linux/digest_cache.h
>  create mode 100644 include/linux/tlv_parser.h
>  create mode 100644 include/uapi/linux/tlv_digest_list.h
>  create mode 100644 include/uapi/linux/tlv_parser.h
>  create mode 100644 lib/tlv_parser.c
>  create mode 100644 lib/tlv_parser.h
>  create mode 100644 security/digest_cache/Kconfig
>  create mode 100644 security/digest_cache/Makefile
>  create mode 100644 security/digest_cache/dir.c
>  create mode 100644 security/digest_cache/htable.c
>  create mode 100644 security/digest_cache/internal.h
>  create mode 100644 security/digest_cache/main.c
>  create mode 100644 security/digest_cache/modsig.c
>  create mode 100644 security/digest_cache/parsers/parsers.h
>  create mode 100644 security/digest_cache/parsers/rpm.c
>  create mode 100644 security/digest_cache/parsers/tlv.c
>  create mode 100644 security/digest_cache/populate.c
>  create mode 100644 security/digest_cache/reset.c
>  create mode 100644 security/digest_cache/secfs.c
>  create mode 100644 security/digest_cache/verif.c
>  create mode 100644 tools/testing/selftests/digest_cache/.gitignore
>  create mode 100644 tools/testing/selftests/digest_cache/Makefile
>  create mode 100644 tools/testing/selftests/digest_cache/all_test.c
>  create mode 100644 tools/testing/selftests/digest_cache/common.c
>  create mode 100644 tools/testing/selftests/digest_cache/common.h
>  create mode 100644 tools/testing/selftests/digest_cache/common_user.c
>  create mode 100644 tools/testing/selftests/digest_cache/common_user.h
>  create mode 100644 tools/testing/selftests/digest_cache/config
>  create mode 100644 tools/testing/selftests/digest_cache/generators.c
>  create mode 100644 tools/testing/selftests/digest_cache/generators.h
>  create mode 100644 tools/testing/selftests/digest_cache/testmod/Makefile
>  create mode 100644 tools/testing/selftests/digest_cache/testmod/kern.c
> 
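The cover letter above describes the mechanism in three steps: verify one signature over a whole digest list, parse the list into per-algorithm hash tables, and then answer "is this file's digest known?" for each accessed file. The following is an added illustration written for this page, not code from the digest_cache patch set or from digest-cache-tools. The TLV layout (u16 type, u32 length, value) and the type numbers are constructed for the example and do not reproduce include/uapi/linux/tlv_digest_list.h; the HMAC over the list is a stand-in for the PGP/modsig signature the patch set relies on, used only so the script runs offline.

```python
"""Added illustration of the digest cache idea: one signature check per
digest list, then a set lookup per accessed file (not kernel code)."""
import hashlib
import hmac
import struct

# Hypothetical TLV layout, constructed for this example only.
# Each entry: u16 type, u32 length (big-endian), then `length` value bytes.
T_ALGO = 1      # value: hash algorithm name, e.g. b"sha256"
T_DIGEST = 2    # value: raw digest bytes


def tlv_iter(buf):
    """Yield (type, value) pairs; refuse truncated headers and lengths that
    run past the end of the buffer, the two classic TLV parsing mistakes."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 6:
            raise ValueError("truncated TLV header")
        t, ln = struct.unpack_from(">HI", buf, off)
        off += 6
        if ln > len(buf) - off:
            raise ValueError("TLV length exceeds buffer")
        yield t, buf[off:off + ln]
        off += ln


def build_list(algo, digests):
    """Serialise one algorithm entry followed by its digests (constructed format)."""
    out = struct.pack(">HI", T_ALGO, len(algo)) + algo
    for d in digests:
        out += struct.pack(">HI", T_DIGEST, len(d)) + d
    return out


class DigestCache:
    """Per-algorithm tables of reference digests, populated from one list."""

    def __init__(self):
        self.tables = {}          # algorithm name -> set of digest bytes
        self.verifications = 0    # how many signature checks were needed

    def populate(self, digest_list, signature, key):
        # Stand-in for verifying the list's own signature: one check covers
        # every digest in the list, which is where the speedup comes from.
        self.verifications += 1
        expected = hmac.new(key, digest_list, "sha256").digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("digest list signature invalid, cache not populated")
        algo = None
        for t, v in tlv_iter(digest_list):
            if t == T_ALGO:
                algo = v.decode()
                self.tables.setdefault(algo, set())
            elif t == T_DIGEST:
                if algo is None:
                    raise ValueError("digest entry before algorithm entry")
                self.tables[algo].add(bytes(v))
            # unknown types are skipped, as a forward-compatible parser would

    def lookup(self, algo, data):
        """True if data's digest is in the cache, i.e. the file matches what
        the vendor shipped; False means the provider must decide what to do."""
        if algo not in self.tables:
            return False  # fail immediately when the algorithm is not set
        return hashlib.new(algo, data).digest() in self.tables[algo]


def demo():
    """Constructed end-to-end run: two vendor files, one tampered copy."""
    key = b"constructed-example-key"
    files = {"/usr/bin/a": b"binary a", "/usr/bin/b": b"binary b"}
    digest_list = build_list(b"sha256",
                             [hashlib.sha256(c).digest() for c in files.values()])
    sig = hmac.new(key, digest_list, "sha256").digest()
    cache = DigestCache()
    cache.populate(digest_list, sig, key)
    results = {p: cache.lookup("sha256", c) for p, c in files.items()}
    results["/usr/bin/b (tampered)"] = cache.lookup("sha256", b"binary b!")
    return cache.verifications, results


if __name__ == "__main__":
    print(demo())
```

The point the script makes is the one in the cover letter: two files (and in practice thousands) cost a single signature verification at populate time, and every later access is a hash plus a set membership test. A corrupted or unsigned list never reaches the tables, so a lookup can only succeed against digests that came from the verified source.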