
[v6,5/5] fsverity: update the documentation

Message ID 20220318182151.100847-6-zohar@linux.ibm.com
State Superseded
Series ima: support fs-verity digests and signatures

Commit Message

Mimi Zohar March 18, 2022, 6:21 p.m. UTC
Update the fsverity documentation related to IMA signature support.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 Documentation/filesystems/fsverity.rst | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

Comments

Stefan Berger March 18, 2022, 8:55 p.m. UTC | #1
On 3/18/22 14:21, Mimi Zohar wrote:
> Update the fsverity documentation related to IMA signature support.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>   Documentation/filesystems/fsverity.rst | 22 +++++++++++++---------
>   1 file changed, 13 insertions(+), 9 deletions(-)
> 
> diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst
> index 1d831e3cbcb3..28a47488848e 100644
> --- a/Documentation/filesystems/fsverity.rst
> +++ b/Documentation/filesystems/fsverity.rst
> @@ -74,8 +74,12 @@ authenticating the files is up to userspace.  However, to meet some
>   users' needs, fs-verity optionally supports a simple signature
>   verification mechanism where users can configure the kernel to require
>   that all fs-verity files be signed by a key loaded into a keyring; see
> -`Built-in signature verification`_.  Support for fs-verity file hashes
> -in IMA (Integrity Measurement Architecture) policies is also planned.
> +`Built-in signature verification`_.
> +
> +IMA supports including fs-verity file digests and signatures in the
> +IMA (Integrity Measurement Architecture) measurement list and

The Integrity Measurement Architecture (IMA) supports including ...

> +verifying fs-verity based file signatures stored as security.ima
> +xattrs, based on policy.
>   
>   User API
>   ========
> @@ -653,13 +657,13 @@ weren't already directly answered in other parts of this document.
>       hashed and what to do with those hashes, such as log them,
>       authenticate them, or add them to a measurement list.
>   
> -    IMA is planned to support the fs-verity hashing mechanism as an
> -    alternative to doing full file hashes, for people who want the
> -    performance and security benefits of the Merkle tree based hash.
> -    But it doesn't make sense to force all uses of fs-verity to be
> -    through IMA.  As a standalone filesystem feature, fs-verity
> -    already meets many users' needs, and it's testable like other
> -    filesystem features e.g. with xfstests.
> +    IMA supports the fs-verity hashing mechanism as an alternative
> +    to doing full file hashes, for people who want the performance

IMA supports the fs-verity hashing mechanism as an alternative to full 
file hashes for those who want the performance and security benefits ...

> +    and security benefits of the Merkle tree based hash.  But it
> +    doesn't make sense to force all uses of fs-verity to be through

However, it doesn't make sense ...

> +    IMA.  As a standalone filesystem feature, fs-verity already meets
> +    many users' needs, and it's testable like other filesystem
> +    features e.g. with xfstests.

Fs-verity already meets many users' needs even as a standalone filesystem
feature and it is testable like other ...

>   
>   :Q: Isn't fs-verity useless because the attacker can just modify the
>       hashes in the Merkle tree, which is stored on-disk?
Mimi Zohar March 21, 2022, 12:55 p.m. UTC | #2
On Fri, 2022-03-18 at 16:55 -0400, Stefan Berger wrote:
> 
> On 3/18/22 14:21, Mimi Zohar wrote:
> > Update the fsverity documentation related to IMA signature support.
> > 
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > ---
> >   Documentation/filesystems/fsverity.rst | 22 +++++++++++++---------
> >   1 file changed, 13 insertions(+), 9 deletions(-)
> > 
> > diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst
> > index 1d831e3cbcb3..28a47488848e 100644
> > --- a/Documentation/filesystems/fsverity.rst
> > +++ b/Documentation/filesystems/fsverity.rst
> > @@ -74,8 +74,12 @@ authenticating the files is up to userspace.  However, to meet some
> >   users' needs, fs-verity optionally supports a simple signature
> >   verification mechanism where users can configure the kernel to require
> >   that all fs-verity files be signed by a key loaded into a keyring; see
> > -`Built-in signature verification`_.  Support for fs-verity file hashes
> > -in IMA (Integrity Measurement Architecture) policies is also planned.
> > +`Built-in signature verification`_.
> > +
> > +IMA supports including fs-verity file digests and signatures in the
> > +IMA (Integrity Measurement Architecture) measurement list and
> 
> The Integrity Measurement Architecture (IMA) supports including ...
> 
> > +verifying fs-verity based file signatures stored as security.ima
> > +xattrs, based on policy.
> >   
> >   User API
> >   ========
> > @@ -653,13 +657,13 @@ weren't already directly answered in other parts of this document.
> >       hashed and what to do with those hashes, such as log them,
> >       authenticate them, or add them to a measurement list.
> >   
> > -    IMA is planned to support the fs-verity hashing mechanism as an
> > -    alternative to doing full file hashes, for people who want the
> > -    performance and security benefits of the Merkle tree based hash.
> > -    But it doesn't make sense to force all uses of fs-verity to be
> > -    through IMA.  As a standalone filesystem feature, fs-verity
> > -    already meets many users' needs, and it's testable like other
> > -    filesystem features e.g. with xfstests.
> > +    IMA supports the fs-verity hashing mechanism as an alternative
> > +    to doing full file hashes, for people who want the performance
> 
> IMA supports the fs-verity hashing mechanism as an alternative to full 
> file hashes for those who want the performance and security benefits ...
> 
> > +    and security benefits of the Merkle tree based hash.  But it
> > +    doesn't make sense to force all uses of fs-verity to be through
> 
> However, it doesn't make sense ...
> 
> > +    IMA.  As a standalone filesystem feature, fs-verity already meets
> > +    many users' needs, and it's testable like other filesystem
> > +    features e.g. with xfstests.
> 
> Fs-verity already meets many users' needs even as a standalone filesystem
> feature and it is testable like other ...
> 
> >   
> >   :Q: Isn't fs-verity useless because the attacker can just modify the
> >       hashes in the Merkle tree, which is stored on-disk?

Thanks, Stefan, for the suggestions.  I tried to minimize the changes
as much as possible.  Based on another thread, the documentation should
be updated, but I'm not going to be presumptuous and make those
changes.  Eric, should I drop this patch and let you update the fs-verity
documentation as you want?

Patch

diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst
index 1d831e3cbcb3..28a47488848e 100644
--- a/Documentation/filesystems/fsverity.rst
+++ b/Documentation/filesystems/fsverity.rst
@@ -74,8 +74,12 @@  authenticating the files is up to userspace.  However, to meet some
 users' needs, fs-verity optionally supports a simple signature
 verification mechanism where users can configure the kernel to require
 that all fs-verity files be signed by a key loaded into a keyring; see
-`Built-in signature verification`_.  Support for fs-verity file hashes
-in IMA (Integrity Measurement Architecture) policies is also planned.
+`Built-in signature verification`_.
+
+IMA supports including fs-verity file digests and signatures in the
+IMA (Integrity Measurement Architecture) measurement list and
+verifying fs-verity based file signatures stored as security.ima
+xattrs, based on policy.
 
 User API
 ========
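Review bot: the added paragraph in this hunk uses the acronym before expanding it and then repeats it in the same sentence (`IMA supports including fs-verity file digests and signatures in the` / `IMA (Integrity Measurement Architecture) measurement list`); expand on first mention, e.g. `The Integrity Measurement Architecture (IMA) supports including fs-verity file digests and signatures in its measurement list`. Two things a reader will also want here: how the `security.ima` signatures described in the new paragraph relate to the `Built-in signature verification`_ mechanism referenced in the sentence immediately before it (separate mechanism and keyring, or the same?), so the two are not conflated, and a pointer to where the policy mentioned in `based on policy` is documented, since the paragraph now states support as present rather than planned without saying how it is enabled.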
@@ -653,13 +657,13 @@  weren't already directly answered in other parts of this document.
     hashed and what to do with those hashes, such as log them,
     authenticate them, or add them to a measurement list.
 
-    IMA is planned to support the fs-verity hashing mechanism as an
-    alternative to doing full file hashes, for people who want the
-    performance and security benefits of the Merkle tree based hash.
-    But it doesn't make sense to force all uses of fs-verity to be
-    through IMA.  As a standalone filesystem feature, fs-verity
-    already meets many users' needs, and it's testable like other
-    filesystem features e.g. with xfstests.
+    IMA supports the fs-verity hashing mechanism as an alternative
+    to doing full file hashes, for people who want the performance
+    and security benefits of the Merkle tree based hash.  But it
+    doesn't make sense to force all uses of fs-verity to be through
+    IMA.  As a standalone filesystem feature, fs-verity already meets
+    many users' needs, and it's testable like other filesystem
+    features e.g. with xfstests.
 
 :Q: Isn't fs-verity useless because the attacker can just modify the
     hashes in the Merkle tree, which is stored on-disk?
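Review bot: this hunk only changes `is planned to support` to `supports` and re-wraps the old text, so the FAQ answer still gives no hint of how the fs-verity digest is selected in IMA; since the first hunk says the behaviour is `based on policy`, a short cross-reference to the IMA policy documentation after `as an alternative to doing full file hashes` would make the answer actionable. Style: `Merkle tree based hash` reads better hyphenated as `Merkle-tree-based hash`, and `filesystem features e.g. with xfstests` needs a comma before `e.g.`.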