Re: [PATCH v2 00/15] ima: digest list feature

2017-11-17 Thread Mimi Zohar
On Fri, 2017-11-17 at 09:55 +0100, Roberto Sassu wrote: > On 11/17/2017 2:08 AM, Kees Cook wrote: > > On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu > > wrote: > >> On 11/7/2017 2:37 PM, Mimi Zohar wrote: > >>> Normally, the protection of kernel memory is out of scope for IMA. > >>> This patch

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-17 Thread Roberto Sassu
On 11/17/2017 2:08 AM, Kees Cook wrote: On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu wrote: On 11/7/2017 2:37 PM, Mimi Zohar wrote: Normally, the protection of kernel memory is out of scope for IMA. This patch set introduces an in kernel white list, which would be a prime target for

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-16 Thread Kees Cook
On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu wrote: > On 11/7/2017 2:37 PM, Mimi Zohar wrote: >> Normally, the protection of kernel memory is out of scope for IMA. >> This patch set introduces an in kernel white list, which would be a >> prime target for attackers looking for ways of by-passing

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-09 Thread Roberto Sassu
On 11/9/2017 5:46 PM, Matthew Garrett wrote: On Thu, Nov 9, 2017 at 11:13 AM, Roberto Sassu wrote: On 11/9/2017 3:47 PM, Matthew Garrett wrote: There's no need to have a policy that measures those files, because they're part of the already-measured initramfs. Just set the IMA policy after

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-09 Thread Matthew Garrett
On Thu, Nov 9, 2017 at 11:13 AM, Roberto Sassu wrote: > On 11/9/2017 3:47 PM, Matthew Garrett wrote: >> There's no need to have a policy that measures those files, because >> they're part of the already-measured initramfs. Just set the IMA >> policy after you've loaded the digest list. > > > The

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-09 Thread Mimi Zohar
On Thu, 2017-11-09 at 09:47 -0500, Matthew Garrett wrote: > This seems very over-complicated, and it's unclear why the kernel > needs to open the file itself. You *know* that all of userland is > trustworthy at this point even in the absence of signatures. Assuming the initramfs is signed, then

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-09 Thread Roberto Sassu
On 11/9/2017 3:47 PM, Matthew Garrett wrote: On Thu, Nov 9, 2017 at 4:51 AM, Roberto Sassu wrote: On 11/8/2017 4:48 PM, Matthew Garrett wrote: The code doing the parsing is in the initramfs, which has already been measured at boot time. You can guarantee that it's being done by trusted code.

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-09 Thread Matthew Garrett
On Thu, Nov 9, 2017 at 4:51 AM, Roberto Sassu wrote: > On 11/8/2017 4:48 PM, Matthew Garrett wrote: >> The code doing the parsing is in the initramfs, which has already been >> measured at boot time. You can guarantee that it's being done by >> trusted code. > > > The parser can be executed in

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-09 Thread Roberto Sassu
On 11/8/2017 4:48 PM, Matthew Garrett wrote: On Wed, Nov 8, 2017 at 7:00 AM, Roberto Sassu wrote: On 11/7/2017 7:06 PM, Matthew Garrett wrote: But we're still left in a state where the kernel has to end up supporting a number of very niche formats, and userland agility is tied to the kernel.

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-08 Thread Matthew Garrett
On Wed, Nov 8, 2017 at 7:00 AM, Roberto Sassu wrote: > On 11/7/2017 7:06 PM, Matthew Garrett wrote: >> But we're still left in a state where the kernel has to end up >> supporting a number of very niche formats, and userland agility is >> tied to the kernel. I think it makes significantly more

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-08 Thread Roberto Sassu
On 11/7/2017 7:06 PM, Matthew Garrett wrote: On Tue, Nov 7, 2017 at 12:53 PM, Roberto Sassu wrote: On 11/7/2017 3:49 PM, Matthew Garrett wrote: RPM's hardly universal, and distributions are in the process of moving away from using it for distributing non-core applications (Flatpak and Snap

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-08 Thread Roberto Sassu
: linux-security-mod...@vger.kernel.org; linux-fsde...@vger.kernel.org; linux-...@vger.kernel.org; linux-kernel@vger.kernel.org; silviu.vlasce...@huawei.com; Roberto Sassu <roberto.sa...@huawei.com> Subject: EXT: [PATCH v2 00/15] ima: digest list feature IMA is a security module with the objective of reporting or enforcing

RE: [PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Safford, David (GE Global Research, US)
el.org; linux-fsde...@vger.kernel.org; > linux-...@vger.kernel.org; linux-kernel@vger.kernel.org; > silviu.vlasce...@huawei.com; Roberto Sassu <roberto.sa...@huawei.com> > Subject: EXT: [PATCH v2 00/15] ima: digest list feature > > IMA is a security module with the objective of reporting or enforcing the > integ

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Matthew Garrett
On Tue, Nov 7, 2017 at 12:53 PM, Roberto Sassu wrote: > On 11/7/2017 3:49 PM, Matthew Garrett wrote: >> RPM's hardly universal, and distributions are in the process of moving >> away from using it for distributing non-core applications (Flatpak and >> Snap are becoming increasingly popular here).

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Roberto Sassu
On 11/7/2017 3:49 PM, Matthew Garrett wrote: On Tue, Nov 7, 2017 at 2:36 AM, Roberto Sassu wrote: Finally, digest lists address also the third issue because Linux distribution vendors already provide the digests of files included in each RPM package. The digest list is stored in the RPM

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Roberto Sassu
On 11/7/2017 2:37 PM, Mimi Zohar wrote: Hi Roberto, On Tue, 2017-11-07 at 11:36 +0100, Roberto Sassu wrote: IMA is a security module with the objective of reporting or enforcing the integrity of a system, by measuring files accessed with the execve(), mmap() and open() system calls. For

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Matthew Garrett
On Tue, Nov 7, 2017 at 2:36 AM, Roberto Sassu wrote: > Finally, digest lists address also the third issue because Linux > distribution vendors already provide the digests of files included in each > RPM package. The digest list is stored in the RPM header, signed by the > vendor. RPM's hardly

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Mimi Zohar
Hi Roberto, On Tue, 2017-11-07 at 11:36 +0100, Roberto Sassu wrote: > IMA is a security module with the objective of reporting or enforcing the > integrity of a system, by measuring files accessed with the execve(), > mmap() and open() system calls. For reporting, it takes advantage of the > TPM

[PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Roberto Sassu
IMA is a security module with the objective of reporting or enforcing the integrity of a system, by measuring files accessed with the execve(), mmap() and open() system calls. For reporting, it takes advantage of the TPM and extends a PCR with the digest of an evaluated event. For enforcing, it