Re: [Linux-ima-user] [RFC][PATCH] ima: add default rule for initramfs files

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Mimi Zohar

Subject: Re: [Linux-ima-user] [RFC][PATCH] ima: add default rule for initramfs files

Date: Wednesday, July 14, 2010 - 5:47 am

On Wed, 2010-07-14 at 10:34 +0200, Roberto Sassu wrote:
quoted text> On 07/14/2010 08:29 AM, Seiji Munetoh wrote:
> > On Wed, Jul 14, 2010 at 2:42 PM, Shaz<shazalive@gmail.com>  wrote:
> >    
> >>
> >> On Wed, Jul 14, 2010 at 3:08 AM, Seiji Munetoh<seiji.munetoh@gmail.com>
> >> wrote:
> >>      
> >>> On Thu, Jul 8, 2010 at 10:14 PM, Mimi Zohar<zohar@linux.vnet.ibm.com>
> >>> wrote:
> >>>        
> >>>> On Tue, 2010-07-06 at 17:08 +0200, Roberto Sassu wrote:
> >>>>          
> >>>>> This patch modifies the default policy shipped with IMA, in order to
> >>>>> avoid measurements
> >>>>> of files in the initial ramdisk. Those files can be measured early in
> >>>>> the boot process
> >>>>> by the bootloader.
> >>>>> The patch applies to latest version of the mainline kernel 2.6.35-rc4.
> >>>>>            
> >>>> Yes, the initramfs measurements are therefore redundant, as they're
> >>>> already included in the initramfs measurement, but perhaps, as the
> >>>> number of initramfs is very limited and the individual file measurements
> >>>> supplies additional information, it wouldn't hurt to keep the individual
> >>>> file measurements as well.  These measurements could potentially help in
> >>>> identifying initramfs changes.
> >>>>
> >>>> Would appreciate other opinions before accepting this change.
> >>>>          
> >>> The hash value of the initramfs is unstable since it was generated
> >>> at the time of kernel installation.
> >>> So still I want to check  the individual used file in initramfs.
> >>>        
> >> If initrd is measured by boot loader then changes to individual files should
> >> not be measured as this IS redundant. Use the new hash of the initrd as an
> >> integrity metric. Why would this not be enough?
> >>      
> > This depends on remote verifier.
> > Creating the initramfs is client side task and  the hash value of initramfs
> > will vary each clients.
> >
> > For me, validation of  current measurements is easier than validation of
> > initramfs. And it seems the overhead of this redundancy is less painful.
> >
> > But some system can validate (or trust) the initramfs measured by IPL.
> > So, I would suggest that add Kconfig option to change the default policy.

If your other suggestion, below, of adding fsmagic info to the
measurement list doesn't suffice, then defining a new command line
option, in addition to 'ima_tcb', shouldn't be a problem.

quoted text> > IMHO, if the eventlog contains fsmagic information for each measurements.
> > Verifier can skip the validation of RAMFS measurement easily.

Ok, so this takes us back to the discussion on what should be included
in the ima-nglong template. So far we have the hash algorithm(sha1,
sha256, sha512), the hash digest, filename, uid/gid, and LSM obj/subj
labels.  We can add the fsmagic after the uid/gid.  Before upstreaming
the template patches, is there anything else?  (Remember, the more info
we add, the larger the measurement list becomes, so we shouldn't add
anything superfluously.)
    
quoted text> This is true, the initramfs's digest cannot be validated by a remote 
> verifier. But in my opinion there are three main reasons for don't 
> include those files in the measurement list.
> First, this is a readonly system and measures don't change in time; so 
> if you create the image under a controlled environment and its digest 
> doesn't change you can assert it will behave correctly.

A 'controlled environment' might exist for some device types, but not
for others.

quoted text> Second, including those measurements may be very confusing for a 
> verifier since there may be multiple versions of the same object (the 
> initramfs changes very rarely in respect to other files).

Extending the ima-nglong template to include fsmagic, as Seiji
suggested, should resolve this problem.

quoted text> Lastly, a pratical use of IMA is to load a custom policy. The better 
> place to do that is the initramfs but measurements cannot be taken until 
> the policy is loaded. The only way, as Shaz mentioned in a previous 
> email, to keep track of all actions made during the boot process is that 
> you have the initramfs image measured early by the boot loader.

Yes, nobody is suggesting otherwise.  If adding fsmagic doesn't suffice,
then in addition to 'ima_tcb', another command line option could be
defined which doesn't measure initramfs files.

Mimi

--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[RFC][PATCH] ima: add default rule for initramfs files, Roberto Sassu, (Tue Jul 6, 8:08 am)

Re: [RFC][PATCH] ima: add default rule for initramfs files, Mimi Zohar, (Thu Jul 8, 6:14 am)

Re: [Linux-ima-user] [RFC][PATCH] ima: add default rule fo ..., Seiji Munetoh, (Tue Jul 13, 3:08 pm)

Re: [Linux-ima-user] [RFC][PATCH] ima: add default rule fo ..., Seiji Munetoh, (Tue Jul 13, 11:29 pm)

Re: [Linux-ima-user] [RFC][PATCH] ima: add default rule fo ..., Roberto Sassu, (Wed Jul 14, 1:34 am)

Re: [Linux-ima-user] [RFC][PATCH] ima: add default rule fo ..., Mimi Zohar, (Wed Jul 14, 5:47 am)

Navigation

Popular discussions


linux-kernel:
Takashi Iwai	Re: [PATCH] usb: usbmixer error path fix
Jakub Narebski	Re: [PATCH] gitweb: Fix shortlog only showing HEAD revision.
Rafael J. Wysocki	[Bug #16136] Linux 2.6.34 causes system lockup on Compaq Presario 2200 Laptop
Trent Waddington	Re: Gaming Interface
Paul E. McKenney	Re: [PATCH, RFC] v4 scalable classic RCU implementation
git:
Christian Stimming	git-gui: Fix broken revert confirmation.
Stephen R. van den Berg	Re: [RFC] origin link for cherry-pick and revert
Junio C Hamano	Re: git-svnimport
Mark Burton	Re: [PATCH] builtin-branch: highlight current remote branches with an asterisk
Johannes Schindelin	Re: [PATCH] Fix approxidate("never") to always return 0
git-commits-head:
Linux Kernel Mailing List	ath9k_htc: Allocate URBs properly
Linux Kernel Mailing List	bnx2x: Fan failure mechanism on additional design
Linux Kernel Mailing List	cpumask: make irq_set_affinity() take a const struct cpumask
Linux Kernel Mailing List	ARM: 5670/1: bcmring: add default configuration for bcmring arch
Linux Kernel Mailing List	ahci: Workaround HW bug for SB600/700 SATA controller PMP support
linux-netdev:
Nick Piggin	Re: Kernel WARNING: at net/core/dev.c:1330 __netif_schedule+0x2c/0x98()
Daniel Lezcano	getsockopt(TCP_DEFER_ACCEPT) value change
David Miller	Re: 2.6.27.18: bnx2/tg3: BUG: "scheduling while atomic" trying to ifenslave a seco...
Amit Kumar Salecha	[PATCH NEXT 10/10] qlcnic: add cksum flag
Patrick McHardy	Re: [PATCH RESEND 1/3] netfilter: xtables: inclusion of xt_condition
openbsd-misc:
James Hozier	Re: DVD burn error: No space left on device
Christophe Rioux	Implementation example of snmp
Ryan McBride	Re: Packets Per Second Limit?
Nick Holland	Re: booting openbsd on eee without cd-rom
Very Fashion.com	Very-fashion.com -Novo! Brendirana garderoba po najpovoljnijim cenama.Bisou Bisou ...

Colocation donated by:

Syndicate