Re: [PATCH v2 00/15] ima: digest list feature

2017-11-17 Thread Mimi Zohar
On Fri, 2017-11-17 at 09:55 +0100, Roberto Sassu wrote: > On 11/17/2017 2:08 AM, Kees Cook wrote: > > On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu > > wrote: > >> On 11/7/2017 2:37 PM, Mimi Zohar wrote: > >>> Normally, the protection of kernel memory is out of scope

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-16 Thread Kees Cook
On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu wrote: > On 11/7/2017 2:37 PM, Mimi Zohar wrote: >> Normally, the protection of kernel memory is out of scope for IMA. >> This patch set introduces an in kernel white list, which would be a >> prime target for attackers

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-09 Thread Roberto Sassu
On 11/9/2017 5:46 PM, Matthew Garrett wrote: On Thu, Nov 9, 2017 at 11:13 AM, Roberto Sassu wrote: On 11/9/2017 3:47 PM, Matthew Garrett wrote: There's no need to have a policy that measures those files, because they're part of the already-measured initramfs. Just

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-09 Thread Mimi Zohar
On Thu, 2017-11-09 at 09:47 -0500, Matthew Garrett wrote: > This seems very over-complicated, and it's unclear why the kernel > needs to open the file itself. You *know* that all of userland is > trustworthy at this point even in the absence of signatures. Assuming the initramfs is signed, then

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-09 Thread Roberto Sassu
On 11/9/2017 3:47 PM, Matthew Garrett wrote: On Thu, Nov 9, 2017 at 4:51 AM, Roberto Sassu wrote: On 11/8/2017 4:48 PM, Matthew Garrett wrote: The code doing the parsing is in the initramfs, which has already been measured at boot time. You can guarantee that it's

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-09 Thread Matthew Garrett
On Thu, Nov 9, 2017 at 4:51 AM, Roberto Sassu wrote: > On 11/8/2017 4:48 PM, Matthew Garrett wrote: >> The code doing the parsing is in the initramfs, which has already been >> measured at boot time. You can guarantee that it's being done by >> trusted code. > > > The

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-09 Thread Roberto Sassu
On 11/8/2017 4:48 PM, Matthew Garrett wrote: On Wed, Nov 8, 2017 at 7:00 AM, Roberto Sassu wrote: On 11/7/2017 7:06 PM, Matthew Garrett wrote: But we're still left in a state where the kernel has to end up supporting a number of very niche formats, and userland

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-08 Thread Matthew Garrett
On Wed, Nov 8, 2017 at 7:00 AM, Roberto Sassu wrote: > On 11/7/2017 7:06 PM, Matthew Garrett wrote: >> But we're still left in a state where the kernel has to end up >> supporting a number of very niche formats, and userland agility is >> tied to the kernel. I think it

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-08 Thread Roberto Sassu
On 11/7/2017 7:06 PM, Matthew Garrett wrote: On Tue, Nov 7, 2017 at 12:53 PM, Roberto Sassu wrote: On 11/7/2017 3:49 PM, Matthew Garrett wrote: RPM's hardly universal, and distributions are in the process of moving away from using it for distributing non-core

RE: [PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Safford, David (GE Global Research, US)
el.org; linux-fsde...@vger.kernel.org; > linux-doc@vger.kernel.org; linux-ker...@vger.kernel.org; > silviu.vlasce...@huawei.com; Roberto Sassu <roberto.sa...@huawei.com> > Subject: EXT: [PATCH v2 00/15] ima: digest list feature > > IMA is a security module with the objective of

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Matthew Garrett
On Tue, Nov 7, 2017 at 12:53 PM, Roberto Sassu wrote: > On 11/7/2017 3:49 PM, Matthew Garrett wrote: >> RPM's hardly universal, and distributions are in the process of moving >> away from using it for distributing non-core applications (Flatpak and >> Snap are becoming

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Roberto Sassu
On 11/7/2017 3:49 PM, Matthew Garrett wrote: On Tue, Nov 7, 2017 at 2:36 AM, Roberto Sassu wrote: Finally, digest lists address also the third issue because Linux distribution vendors already provide the digests of files included in each RPM package. The digest list

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Roberto Sassu
On 11/7/2017 2:37 PM, Mimi Zohar wrote: Hi Roberto, On Tue, 2017-11-07 at 11:36 +0100, Roberto Sassu wrote: IMA is a security module with the objective of reporting or enforcing the integrity of a system, by measuring files accessed with the execve(), mmap() and open() system calls. For

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Matthew Garrett
On Tue, Nov 7, 2017 at 2:36 AM, Roberto Sassu wrote: > Finally, digest lists address also the third issue because Linux > distribution vendors already provide the digests of files included in each > RPM package. The digest list is stored in the RPM header, signed by the

Re: [PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Mimi Zohar
Hi Roberto, On Tue, 2017-11-07 at 11:36 +0100, Roberto Sassu wrote: > IMA is a security module with the objective of reporting or enforcing the > integrity of a system, by measuring files accessed with the execve(), > mmap() and open() system calls. For reporting, it takes advantage of the > TPM

[PATCH v2 00/15] ima: digest list feature

2017-11-07 Thread Roberto Sassu
IMA is a security module with the objective of reporting or enforcing the integrity of a system, by measuring files accessed with the execve(), mmap() and open() system calls. For reporting, it takes advantage of the TPM and extends a PCR with the digest of an evaluated event. For enforcing, it