| Message ID | 20220208014140.483447-1-zohar@linux.ibm.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | ima: support fs-verity digests and signatures | expand |
On Mon, Feb 07, 2022 at 08:41:32PM -0500, Mimi Zohar wrote: > Support for including fs-verity file digests and signatures in the IMA > measurement list as well as verifying the fs-verity file digest based > signatures, both based on IMA policy rules, was discussed prior to > fs-verity being upstreamed[1,2]. > > Support for including fs-verity file digests in the 'd-ng' template field > is based on a new policy rule option named 'digest_type=verity'. A new > template field named 'd-type' as well as a new template named 'ima-ngv2' > are defined to differentiate between the regular IMA file hashes from the > fs-verity file digests (tree-hash based file hashes) stored in the 'd-ng' > template field. > > Support for verifying fs-verity based file signatures stored in the > 'security.ima' xattr is similarly based on the policy rule option > 'digest_type=verity'. > > To differentiate IMA from fs-verity file signatures a new xattr_type > named IMA_VERITY_DIGSIG is defined. Signature version 3, which is a hash > of the ima_file_id struct, disambiguates the signatures stored as > 'security.ima' xattr. fs-verity only supports the new signature format > (version 3). To prevent abuse of the different signature formats, policy > rules must be limited to a specific signature version. > > [1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf > [2] Documentation/filesystems/fsverity.rst What does this patchset apply to? I'm no longer able to apply it. I tried both v5.17-rc3, and the next-integrity branch of https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git. - Eric
On Mon, 2022-02-07 at 21:50 -0800, Eric Biggers wrote: > On Mon, Feb 07, 2022 at 08:41:32PM -0500, Mimi Zohar wrote: > > Support for including fs-verity file digests and signatures in the IMA > > measurement list as well as verifying the fs-verity file digest based > > signatures, both based on IMA policy rules, was discussed prior to > > fs-verity being upstreamed[1,2]. > > > > Support for including fs-verity file digests in the 'd-ng' template field > > is based on a new policy rule option named 'digest_type=verity'. A new > > template field named 'd-type' as well as a new template named 'ima-ngv2' > > are defined to differentiate between the regular IMA file hashes from the > > fs-verity file digests (tree-hash based file hashes) stored in the 'd-ng' > > template field. > > > > Support for verifying fs-verity based file signatures stored in the > > 'security.ima' xattr is similarly based on the policy rule option > > 'digest_type=verity'. > > > > To differentiate IMA from fs-verity file signatures a new xattr_type > > named IMA_VERITY_DIGSIG is defined. Signature version 3, which is a hash > > of the ima_file_id struct, disambiguates the signatures stored as > > 'security.ima' xattr. fs-verity only supports the new signature format > > (version 3). To prevent abuse of the different signature formats, policy > > rules must be limited to a specific signature version. > > > > [1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf > > [2] Documentation/filesystems/fsverity.rst > > What does this patchset apply to? I'm no longer able to apply it. I tried > both v5.17-rc3, and the next-integrity branch of > https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git. Just refreshed 'next-integrity' now.
Support for including fs-verity file digests and signatures in the IMA measurement list as well as verifying the fs-verity file digest based signatures, both based on IMA policy rules, was discussed prior to fs-verity being upstreamed[1,2]. Support for including fs-verity file digests in the 'd-ng' template field is based on a new policy rule option named 'digest_type=verity'. A new template field named 'd-type' as well as a new template named 'ima-ngv2' are defined to differentiate between the regular IMA file hashes from the fs-verity file digests (tree-hash based file hashes) stored in the 'd-ng' template field. Support for verifying fs-verity based file signatures stored in the 'security.ima' xattr is similarly based on the policy rule option 'digest_type=verity'. To differentiate IMA from fs-verity file signatures a new xattr_type named IMA_VERITY_DIGSIG is defined. Signature version 3, which is a hash of the ima_file_id struct, disambiguates the signatures stored as 'security.ima' xattr. fs-verity only supports the new signature format (version 3). To prevent abuse of the different signature formats, policy rules must be limited to a specific signature version. [1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf [2] Documentation/filesystems/fsverity.rst Changelog v4: - Based on Eric Bigger's signature verification concerns of replacing the contents of a file with the ima_file_id struct hash, require per policy rule signature versions. - Addressed Eric Bigger's other comments. - Added new audit messages "causes". - Updated patch descriptions. Changelog v3: - Addressed Eric Bigger's comments: included Ack, incremented the signature format version, the crypto issues are generic and will be addressed by him separately. - Addressed Vitaly Chikunov's comments: hard coded maximum digest size rather than using a flexible array, removed unnecessary assignment, and fixed comment to match variable name. - Defined new "ima_max_digest_size" struct to avoid wrapping the "ima_digest_data" struct inside a function local structure or having to dynamically allocate it with enough memory for the specific hash algo size. Changelog v2: - Addressed Eric Bigger's comments: sign the hash of fsverity's digest and the digest's metadata, use match_string, use preferred function name fsverity_get_digest(), support including unsigned fs-verity's digests in the IMA measurement list. - Remove signatures requirement for including fs-verity's file digests in the 'd-ng' field of the measurement list. Changelog v1: - Updated both fsverity and IMA documentation. - Addressed both Eric Bigger's and Lakshmi's comments. Mimi Zohar (8): ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS ima: define ima_max_digest_data struct without a flexible array variable fs-verity: define a function to return the integrity protected file digest ima: define a new template field 'd-type' and a new template 'ima-ngv2' ima: permit fsverity's file digests in the IMA measurement list ima: define signature version 3 ima: support fs-verity file digest based version 3 signatures fsverity: update the documentation Documentation/ABI/testing/ima_policy | 22 +++++ Documentation/filesystems/fsverity.rst | 22 +++-- Documentation/security/IMA-templates.rst | 11 ++- fs/verity/Kconfig | 1 + fs/verity/fsverity_private.h | 7 -- fs/verity/measure.c | 41 ++++++++ include/linux/fsverity.h | 18 ++++ security/integrity/digsig.c | 3 +- security/integrity/ima/ima_api.c | 59 ++++++++--- security/integrity/ima/ima_appraise.c | 113 +++++++++++++++++++++- security/integrity/ima/ima_init.c | 10 +- security/integrity/ima/ima_main.c | 2 +- security/integrity/ima/ima_policy.c | 45 ++++++++- security/integrity/ima/ima_template.c | 3 + security/integrity/ima/ima_template_lib.c | 23 ++++- security/integrity/ima/ima_template_lib.h | 2 + security/integrity/integrity.h | 53 +++++++++- 17 files changed, 385 insertions(+), 50 deletions(-)