From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Eric Biggers, linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v1 1/5] fs-verity: define a function to return the integrity protected file digest
Date: Thu, 2 Dec 2021 16:55:03 -0500
Message-Id: <20211202215507.298415-2-zohar@linux.ibm.com>
In-Reply-To: <20211202215507.298415-1-zohar@linux.ibm.com>

Define a function named fsverity_collect_digest() to return the verity file digest and the associated hash algorithm (enum hash_algo).

Signed-off-by: Mimi Zohar
---
Changelog v1:
- Renamed new function to fsverity_collect_digest(), based on discussion with Eric Biggers and Lakshmi.
- Addressed Eric's suggestions: updated kernel doc variable and function description, removed unnecessary include file.

 fs/verity/Kconfig | 1 +
 fs/verity/fsverity_private.h | 7 ------
 fs/verity/measure.c | 49 ++++++++++++++++++++++++++++++++++++
 include/linux/fsverity.h | 18 +++++++++++++
 4 files changed, 68 insertions(+), 7 deletions(-)

diff --git a/fs/verity/Kconfig b/fs/verity/Kconfig index 24d1b54de807..54598cd80145 100644 --- a/fs/verity/Kconfig +++ b/fs/verity/Kconfig
@@ -3,6 +3,7 @@ config FS_VERITY bool "FS Verity (read-only file-based authenticity protection)" select CRYPTO + select CRYPTO_HASH_INFO # SHA-256 is implied as it's intended to be the default hash algorithm. # To avoid bloat, other wanted algorithms must be selected explicitly. # Note that CRYPTO_SHA256 denotes the generic C implementation, but diff --git a/fs/verity/fsverity_private.h b/fs/verity/fsverity_private.h index a7920434bae5..c6fb62e0ef1a 100644 --- a/fs/verity/fsverity_private.h +++ b/fs/verity/fsverity_private.h @@ -14,7 +14,6 @@ #define pr_fmt(fmt) "fs-verity: " fmt -#include #include #include @@ -26,12 +25,6 @@ struct ahash_request; */ #define FS_VERITY_MAX_LEVELS 8 -/* - * Largest digest size among all hash algorithms supported by fs-verity. - * Currently assumed to be <= size of fsverity_descriptor::root_hash. - */ -#define FS_VERITY_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE - /* A hash algorithm supported by fs-verity */ struct fsverity_hash_alg { struct crypto_ahash *tfm; /* hash tfm, allocated on demand */ diff --git a/fs/verity/measure.c b/fs/verity/measure.c index f0d7b30c62db..64fbfbd408d4 100644 --- a/fs/verity/measure.c +++ b/fs/verity/measure.c 
@@ -57,3 +57,52 @@ int fsverity_ioctl_measure(struct file *filp, void __user *_uarg) return 0; } EXPORT_SYMBOL_GPL(fsverity_ioctl_measure); + +/** + * fsverity_collect_digest() - get a verity file's digest + * @inode: inode to get digest of + * @digest: (out) pointer to the digest + * @alg: (out) pointer to the hash algorithm enumeration + * + * Return the file hash algorithm and digest of an fsverity protected file. + * + * Return: 0 on success, -errno on failure + */ +int fsverity_collect_digest(struct inode *inode, + u8 digest[FS_VERITY_MAX_DIGEST_SIZE], + enum hash_algo *alg) +{ + const struct fsverity_info *vi; + const struct fsverity_hash_alg *hash_alg; + int i; + + vi = fsverity_get_info(inode); + if (!vi) + return -ENODATA; /* not a verity file */ + + hash_alg = vi->tree_params.hash_alg; + memset(digest, 0, FS_VERITY_MAX_DIGEST_SIZE); + *alg = HASH_ALGO__LAST; + + /* convert hash algorithm to hash_algo_name */ + for (i = 0; i < HASH_ALGO__LAST; i++) { + pr_debug("name %s hash_algo_name[%d] %s\n", + hash_alg->name, i, hash_algo_name[i]); + + if (!strcmp(hash_alg->name, hash_algo_name[i])) { + *alg = i; + break; + } + } + + /* Shouldn't happen */ + if (*alg == HASH_ALGO__LAST) + return -EINVAL; + + memcpy(digest, vi->file_digest, hash_alg->digest_size); + + pr_debug("file digest:%s %*phN\n", hash_algo_name[*alg], + hash_digest_size[*alg], digest); + + return 0; +} diff --git a/include/linux/fsverity.h b/include/linux/fsverity.h index b568b3c7d095..2755e8bd80e5 100644 --- a/include/linux/fsverity.h +++ b/include/linux/fsverity.h @@ -12,8 +12,16 @@ #define _LINUX_FSVERITY_H #include +#include +#include #include +/* + * Largest digest size among all hash algorithms supported by fs-verity. + * Currently assumed to be <= size of fsverity_descriptor::root_hash. + */ +#define FS_VERITY_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE + /* Verity operations for filesystems */ struct fsverity_operations { 
@@ -131,6 +139,9 @@ int fsverity_ioctl_enable(struct file *filp, const void __user *arg); /* measure.c */ int fsverity_ioctl_measure(struct file *filp, void __user *arg); +int fsverity_collect_digest(struct inode *inode, + u8 digest[FS_VERITY_MAX_DIGEST_SIZE], + enum hash_algo *alg); /* open.c */ 
@@ -170,6 +181,13 @@ static inline int fsverity_ioctl_measure(struct file *filp, void __user *arg) return -EOPNOTSUPP; } +static inline int fsverity_collect_digest(struct inode *inode, + u8 digest[FS_VERITY_MAX_DIGEST_SIZE], + enum hash_algo *alg) +{ + return -EOPNOTSUPP; +} + /* open.c */ static inline int fsverity_file_open(struct inode *inode, struct file *filp)
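
Review bot: In fs/verity/measure.c, fsverity_collect_digest() recovers the enum hash_algo by running strcmp() over hash_algo_name[] on every call, with a pr_debug() inside the loop that prints once per table entry. The algorithm behind a given struct fsverity_hash_alg does not change, so consider storing the enum hash_algo value in that struct next to name and digest_size and reading it here, which also removes the "Shouldn't happen" -EINVAL path. If the lookup stays, move the pr_debug() out of the loop. Also note that on the -EINVAL path the caller's digest has already been zeroed and *alg set to HASH_ALGO__LAST, and that the final pr_debug() takes its length from hash_digest_size[*alg] while the memcpy() uses hash_alg->digest_size; using one source for the length keeps the two from drifting apart.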
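
Review bot: In include/linux/fsverity.h, the prototype declares u8 digest[FS_VERITY_MAX_DIGEST_SIZE], which the compiler treats as a plain u8 pointer, so nothing enforces the buffer size that the memset() in fsverity_collect_digest() relies on. The kernel-doc describes @digest only as "(out) pointer to the digest"; it should state that the caller must supply at least FS_VERITY_MAX_DIGEST_SIZE bytes. The "Return:" line could also list the values callers will see: -ENODATA for a non-verity file, -EINVAL for an unmapped algorithm, and -EOPNOTSUPP from the static inline stub.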
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Eric Biggers, linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v1 2/5] ima: define a new signature type named IMA_VERITY_DIGSIG
Date: Thu, 2 Dec 2021 16:55:04 -0500
Message-Id: <20211202215507.298415-3-zohar@linux.ibm.com>
In-Reply-To: <20211202215507.298415-1-zohar@linux.ibm.com>

To differentiate between a regular file hash and an fs-verity file digest based signature stored as security.ima xattr, define a new signature type named IMA_VERITY_DIGSIG.

Signed-off-by: Mimi Zohar
---
 security/integrity/ima/ima_appraise.c | 6 ++++++
 security/integrity/integrity.h | 1 +
 2 files changed, 7 insertions(+)

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index dbba51583e7c..d43a27a9a9b6 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -13,7 +13,9 @@ #include #include #include +#include #include +#include #include "ima.h"
@@ -183,6 +185,8 @@ enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value, return ima_hash_algo; switch (xattr_value->type) { + case IMA_VERITY_DIGSIG: + fallthrough; case EVM_IMA_XATTR_DIGSIG: sig = (typeof(sig))xattr_value; if (sig->version != 2 || xattr_len <= sizeof(*sig) @@ -272,6 +276,8 @@ static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint, } *status = INTEGRITY_PASS; break; + case IMA_VERITY_DIGSIG: + fallthrough; case EVM_IMA_XATTR_DIGSIG: set_bit(IMA_DIGSIG, &iint->atomic_flags); rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 547425c20e11..94f9ba55e840 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h 
@@ -77,6 +77,7 @@ enum evm_ima_xattr_type { EVM_IMA_XATTR_DIGSIG, IMA_XATTR_DIGEST_NG, EVM_XATTR_PORTABLE_DIGSIG, + IMA_VERITY_DIGSIG, IMA_XATTR_LAST };
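
Review bot: In xattr_verify() in security/integrity/ima/ima_appraise.c, the new case IMA_VERITY_DIGSIG falls through to EVM_IMA_XATTR_DIGSIG, so as of this patch a security.ima xattr carrying the new type is verified through the same integrity_digsig_verify() call as a regular file signature. If the two types are meant to be distinguishable at every point in the series, either reject IMA_VERITY_DIGSIG here until the fs-verity path exists or add the case label in the patch that implements it. As a style point, both ima_appraise.c hunks put "case IMA_VERITY_DIGSIG: fallthrough;" directly before another case label; adjacent case labels need no fallthrough annotation.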
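
Review bot: In enum evm_ima_xattr_type in security/integrity/integrity.h, IMA_VERITY_DIGSIG is added with no comment on what it signs. The value is compared against xattr_value->type, so a one-line comment stating that it marks a signature based on the fs-verity file digest, and that new types must stay immediately before IMA_XATTR_LAST so existing values do not shift, would help whoever adds the next type.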
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Eric Biggers, linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v1 3/5] ima: limit including fs-verity's file digest in measurement list
Date: Thu, 2 Dec 2021 16:55:05 -0500
Message-Id: <20211202215507.298415-4-zohar@linux.ibm.com>
In-Reply-To: <20211202215507.298415-1-zohar@linux.ibm.com>

Without the file signature included in the IMA measurement list, the type of file digest is unclear. Set up the plumbing to limit including fs-verity's file digest in the IMA measurement list based on whether the template name is ima-sig. In the future, this could be relaxed to include any template format that includes the file signature.

Signed-off-by: Mimi Zohar
---
Changelog v1:
- Updated patch description to indicate this is a preparatory patch.
- Addressed Eric's comment: use lowercase 'true'/'false'.
- Fixed patch description based on Lakshmi's review.

 Documentation/security/IMA-templates.rst | 9 +++++++--
 security/integrity/ima/ima.h | 3 ++-
 security/integrity/ima/ima_api.c | 3 ++-
 security/integrity/ima/ima_appraise.c | 3 ++-
 security/integrity/ima/ima_main.c | 7 ++++++-
 security/integrity/ima/ima_template_lib.c | 3 ++-
 6 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst index 1a91d92950a7..28640b543340 100644 --- a/Documentation/security/IMA-templates.rst +++ b/Documentation/security/IMA-templates.rst @@ -70,8 +70,8 @@ descriptors by adding their identifier to the format string prefix is shown only if the hash algorithm is not SHA1 or MD5); - 'd-modsig': the digest of the event without the appended modsig; - 'n-ng': the name of the event, without size limitations; - - 'sig': the file signature, or the EVM portable signature if the file - signature is not found; + - 'sig': the file signature, based on either the file's/fsverity's digest[1], + or the EVM portable signature if the file signature is not found; - 'modsig' the appended file signature; - 'buf': the buffer data that was used to generate the hash without size limitations; - 'evmsig': the EVM portable signature; @@ -106,3 +106,8 @@ currently the following methods are supported: the ``ima_template=`` parameter; - register a new template descriptor with custom format through the kernel command line parameter ``ima_template_fmt=``. + + +References +========== +[1] Documentation/filesystems/fsverity.rst diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index be965a8715e4..ab257e404f8e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h
@@ -262,7 +262,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); int ima_collect_measurement(struct integrity_iint_cache *iint, struct file *file, void *buf, loff_t size, - enum hash_algo algo, struct modsig *modsig); + enum hash_algo algo, struct modsig *modsig, + bool veritysig); void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, const unsigned char *filename, struct evm_ima_xattr_data *xattr_value, diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index a64fb0130b01..7505563315cb 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -212,7 +212,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, */ int ima_collect_measurement(struct integrity_iint_cache *iint, struct file *file, void *buf, loff_t size, - enum hash_algo algo, struct modsig *modsig) + enum hash_algo algo, struct modsig *modsig, + bool veritysig) { const char *audit_cause = "failed"; struct inode *inode = file_inode(file); diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index d43a27a9a9b6..549fe051269a 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -510,7 +510,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) !(iint->flags & IMA_HASH)) return; - rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL); + rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, + NULL, false); if (rc < 0) return; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 465865412100..4b6b13becb16 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c 
@@ -216,6 +216,7 @@ static int process_measurement(struct file *file, const struct cred *cred, bool violation_check; enum hash_algo hash_algo; unsigned int allowed_algos = 0; + int veritysig = false; if (!ima_policy_flag || !S_ISREG(inode->i_mode)) return 0; @@ -333,8 +334,12 @@ static int process_measurement(struct file *file, const struct cred *cred, } hash_algo = ima_get_hash_algo(xattr_value, xattr_len); + if (xattr_value && xattr_value->type == IMA_VERITY_DIGSIG && + strcmp(template_desc->name, "ima-sig") == 0) + veritysig = true; - rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig); + rc = ima_collect_measurement(iint, file, buf, size, hash_algo, + modsig, veritysig); if (rc != 0 && rc != -EBADF && rc != -EINVAL) goto out_locked; diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index ca017cae73eb..5bad251f3b07 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c 
@@ -478,7 +478,8 @@ int ima_eventsig_init(struct ima_event_data *event_data, { struct evm_ima_xattr_data *xattr_value = event_data->xattr_value; - if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG)) + if ((!xattr_value) || !(xattr_value->type == EVM_IMA_XATTR_DIGSIG || + xattr_value->type == IMA_VERITY_DIGSIG)) return ima_eventevmsig_init(event_data, field_data); return ima_write_template_field_data(xattr_value, event_data->xattr_len,
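
Review bot: In Documentation/security/IMA-templates.rst, the new 'sig' text "based on either the file's/fsverity's digest[1]" is hard to parse and does not tell a reader how to know which digest a given entry used. Suggest wording along the lines of "the file signature, computed over either the regular file hash or the fs-verity file digest", plus a sentence that the fs-verity case applies only with the ima-sig template, which is what the ima_main.c change enforces. The bare "[1]" marker and plain "References" section would also render better as an RST cross-reference.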
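
Review bot: In process_measurement() in security/integrity/ima/ima_main.c, the flag is declared as "int veritysig = false;" although it is only ever assigned true/false and is passed to the bool veritysig parameter of ima_collect_measurement(); declare it bool. More substantively, the flag is set only when the template is named "ima-sig", so a file with an IMA_VERITY_DIGSIG xattr has its digest taken from fs-verity under one template and from the regular file hash under any other, including custom ima_template_fmt= formats that contain 'sig'. Patch 4/5 verifies the signature against iint->ima_hash, so the commit message should state, or the code should enforce, what happens to such a file when the template is not ima-sig.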
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Eric Biggers, linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v1 4/5] ima: support fs-verity file digest based signatures
Date: Thu, 2 Dec 2021 16:55:06 -0500
Message-Id: <20211202215507.298415-5-zohar@linux.ibm.com>
In-Reply-To: <20211202215507.298415-1-zohar@linux.ibm.com>

Instead of calculating a file hash and verifying the signature stored in the security.ima xattr against the calculated file hash, verify the signature based on the fs-verity's file digest and other metadata. The fs-verity file digest is a hash that includes the Merkle tree root hash.

Signed-off-by: Mimi Zohar
Signed-off-by: Stefan Berger
---
Changelog v1:
- Based on Eric Biggers' review, instead of verifying the fsverity's file digest directly, sign a hash of it with other file metadata.

 security/integrity/ima/ima_api.c | 20 ++++++++++++
 security/integrity/ima/ima_appraise.c | 45 ++++++++++++++++++++++++++-
 2 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 7505563315cb..4fe7bc99378a 100644
--- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -14,6 +14,7 @@ #include #include #include +#include #include "ima.h" @@ -200,6 +201,23 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, allowed_algos); } +static int ima_collect_verity_digest(struct integrity_iint_cache *iint, + struct ima_digest_data *hash) +{ + u8 verity_digest[FS_VERITY_MAX_DIGEST_SIZE]; + enum hash_algo verity_alg; + int rc; + + rc = fsverity_collect_digest(iint->inode, verity_digest, &verity_alg); + if (rc) + return -EINVAL; + if (hash->algo != verity_alg) + return -EINVAL; + hash->length = hash_digest_size[verity_alg]; + memcpy(hash->digest, verity_digest, hash->length); + return 0; +} + /* * ima_collect_measurement - collect file measurement * @@ -251,6 +269,8 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, if (buf) result = ima_calc_buffer_hash(buf, size, &hash.hdr); + else if (veritysig) + result = ima_collect_verity_digest(iint, &hash.hdr); else result = ima_calc_file_hash(file, &hash.hdr); diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 549fe051269a..53938aa0497a 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -240,6 +240,11 @@ static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint, struct evm_ima_xattr_data *xattr_value, int xattr_len, enum integrity_status *status, const char **cause) { + u8 verity_digest[IMA_MAX_DIGEST_SIZE + 1]; + struct { + struct ima_digest_data hdr; + char digest[IMA_MAX_DIGEST_SIZE]; + } hash; int rc = -EINVAL, hash_start = 0; switch (xattr_value->type) { 
@@ -277,7 +282,45 @@ static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint, *status = INTEGRITY_PASS; break; case IMA_VERITY_DIGSIG: - fallthrough; + set_bit(IMA_DIGSIG, &iint->atomic_flags); + + /* + * The IMA signature is based on a hash of IMA_VERITY_DIGSIG + * and the fs-verity file digest, not directly on the + * fs-verity file digest. Both digests should probably be + * included in the IMA measurement list, but for now this + * digest is only used for verifying the IMA signature. + */ + verity_digest[0] = IMA_VERITY_DIGSIG; + memcpy(verity_digest + 1, iint->ima_hash->digest, + iint->ima_hash->length); + + hash.hdr.algo = iint->ima_hash->algo; + hash.hdr.length = iint->ima_hash->length; + + rc = ima_calc_buffer_hash(verity_digest, + iint->ima_hash->length + 1, + &hash.hdr); + if (rc) { + *cause = "verity-hashing-error"; + *status = INTEGRITY_FAIL; + break; + } + + rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, + (const char *)xattr_value, + xattr_len, + hash.hdr.digest, + hash.hdr.length); + + if (rc) { + *cause = "invalid-verity-signature"; + *status = INTEGRITY_FAIL; + } else { + *status = INTEGRITY_PASS; + } + + break; case EVM_IMA_XATTR_DIGSIG: set_bit(IMA_DIGSIG, &iint->atomic_flags); rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, From patchwork Thu Dec 2 21:55:07 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 12653525 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A3E76C433F5 for ; Thu, 2 Dec 2021 21:55:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377183AbhLBV7S (ORCPT ); Thu, 2 Dec 2021 16:59:18 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:46308 "EHLO 
mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1377196AbhLBV7Q (ORCPT ); Thu, 2 Dec 2021 16:59:16 -0500
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Eric Biggers, linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v1 5/5] fsverity: update the documentation
Date: Thu, 2 Dec 2021 16:55:07 -0500
Message-Id: <20211202215507.298415-6-zohar@linux.ibm.com>
In-Reply-To: <20211202215507.298415-1-zohar@linux.ibm.com>
References: <20211202215507.298415-1-zohar@linux.ibm.com>
X-Mailing-List: linux-fscrypt@vger.kernel.org

Update the fsverity documentation related to IMA signature support.

Signed-off-by: Mimi Zohar
--- Documentation/filesystems/fsverity.rst | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst index 1d831e3cbcb3..c71f6e365df5 100644 --- a/Documentation/filesystems/fsverity.rst +++ b/Documentation/filesystems/fsverity.rst
@@ -74,8 +74,12 @@ authenticating the files is up to userspace. However, to meet some users' needs, fs-verity optionally supports a simple signature verification mechanism where users can configure the kernel to require that all fs-verity files be signed by a key loaded into a keyring; see -`Built-in signature verification`_. Support for fs-verity file hashes -in IMA (Integrity Measurement Architecture) policies is also planned. +`Built-in signature verification`_. + +IMA (Integrity Measurement Architecture) supports fs-verity file +digests based signatures stored as security.ima xattrs, which are +identified by the signature type IMA_VERITY_DIGSIG. + User API ======== @@ -653,13 +657,13 @@ weren't already directly answered in other parts of this document. hashed and what to do with those hashes, such as log them, authenticate them, or add them to a measurement list. - IMA is planned to support the fs-verity hashing mechanism as an - alternative to doing full file hashes, for people who want the - performance and security benefits of the Merkle tree based hash. - But it doesn't make sense to force all uses of fs-verity to be - through IMA. As a standalone filesystem feature, fs-verity - already meets many users' needs, and it's testable like other - filesystem features e.g. with xfstests. + IMA supports the fs-verity hashing mechanism as an alternative + to doing full file hashes, for people who want the performance + and security benefits of the Merkle tree based hash. But it + doesn't make sense to force all uses of fs-verity to be through + IMA. As a standalone filesystem feature, fs-verity already meets + many users' needs, and it's testable like other filesystem + features e.g. with xfstests. :Q: Isn't fs-verity useless because the attacker can just modify the hashes in the Merkle tree, which is stored on-disk?
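Review bot: in ima_collect_verity_digest() (security/integrity/ima/ima_api.c, hunk @@ -200,6 +201,23 @@) both failure paths return -EINVAL, so the error code from fsverity_collect_digest() is discarded and a file with no usable fs-verity digest cannot be told apart from an algorithm mismatch. Return rc unchanged from the first check, and give the `hash->algo != verity_alg` case its own error or an audit message so a mismatch between the configured IMA hash algorithm and the file's fs-verity algorithm can be diagnosed. The function reads hash->algo before writing anything to hash, so a short comment stating that the caller must set it first would help.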
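Review bot: in the IMA_VERITY_DIGSIG case of xattr_verify() (security/integrity/ima/ima_appraise.c, hunk @@ -277,7 +282,45 @@), `memcpy(verity_digest + 1, iint->ima_hash->digest, iint->ima_hash->length)` writes into the IMA_MAX_DIGEST_SIZE + 1 byte stack buffer declared in the preceding hunk with no length check. Add an explicit `iint->ima_hash->length > IMA_MAX_DIGEST_SIZE` test that sets INTEGRITY_FAIL and a cause string before the copy. The buffer that is hashed and then verified holds only the type byte and the digest, so the comment should say whether leaving the hash algorithm out of the signed data is intended. The name verity_digest is also misleading for a buffer that carries the type prefix as well.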
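Review bot: the paragraph added in hunk @@ -74,8 +74,12 @@ of Documentation/filesystems/fsverity.rst does not say what the signature covers, and "fs-verity file digests based signatures" reads awkwardly. Suggest "signatures based on fs-verity file digests", followed by one sentence stating that the IMA signature is over a hash of the IMA_VERITY_DIGSIG type byte and the fs-verity file digest rather than over the digest directly, as the code comment in xattr_verify() already explains.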
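Review bot: in hunk @@ -653,13 +657,13 @@ the only wording change is "IMA is planned to support" becoming "IMA supports", but the paragraph was re-wrapped so all seven lines show as modified. Keep the original line breaks so the diff touches only the first line, and add a pointer to the IMA documentation that describes how fs-verity digests are enabled, so a reader of this FAQ entry can find the policy side.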