Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752859AbdGYPrj (ORCPT ); Tue, 25 Jul 2017 11:47:39 -0400 Received: from lhrrgout.huawei.com ([194.213.3.17]:32200 "EHLO lhrrgout.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752277AbdGYPrf (ORCPT ); Tue, 25 Jul 2017 11:47:35 -0400 From: Roberto Sassu To: CC: , , , , Roberto Sassu Subject: [PATCH 00/12] ima: measure digest lists instead of individual files Date: Tue, 25 Jul 2017 17:44:11 +0200 Message-ID: <20170725154423.24845-1-roberto.sassu@huawei.com> X-Mailer: git-send-email 2.9.3 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.204.65.245] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020202.59776814.016B,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 191b02ccd982edf4cfbd408cd56b7038 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4901 Lines: 98 This patch set applies on top of kernel v4.13-rc2. IMA, for each file matching policy rules, calculates a digest, creates a new entry in the measurement list and extends a TPM PCR with the digest of entry data. The last step causes a noticeable performance reduction. Since systems likely access the same files, repeating the above tasks at every boot can be avoided by replacing individual measurements of likely accessed files with only one measurement of their digests: the advantage is that the system performance significantly improves due to less PCR extend operations; on the other hand, the information about which files have exactly been accessed and in which sequence is lost. If this new measurement reports only good digests (e.g. those of files included in a Linux distribution), and if verifiers only check that a system executed good software and didn't access malicious data, the disadvantages reported earlier would be acceptable. The Trusted Computing paradigm measure & load is still respected by IMA with the proposed optimization. If a file being accessed is not in a measured digest list, a measurement will be recorded as before. If it is, the list has already been measured, and the verifier must assume that files with digest in the list have been accessed. Measuring digest lists gives the following benefits: - boot time reduction For a minimal Linux installation with 1400 measurements, the boot time decreases from 1 minute 30 seconds to 15 seconds, after loading to IMA the digest of all files packaged by the distribution (32000). The new list contains 92 entries. Without IMA, the boot time is 8.5 seconds. - lower network and CPU requirements for remote attestation With the IMA optimization, both the measurement and digest lists must be verified for a complete evaluation. However, since the lists are fixed, they could be sent to and checked by the verifier only once. Then, during a remote attestation, the only remaining task is to verify the short measurement list. - signature-based remote attestation Digest list signature can be used as a proof of the provenance for the files whose digest is in the list. Then, if verifiers trust the signer and only check provenance, remote attestation verification would simply consist on checking digest lists signatures and that the measurement list only contain list metadata digests (reference measurement databases would be no longer required). An example of a signed digest list, that can be parsed with this patch set, is the RPM package header. Digest lists are loaded in two stages by IMA through the new securityfs interface called 'digest_lists'. Users supply metadata, for the digest lists they want to load: path, format, digest, signature and algorithm of the digest. Then, after the metadata digest is added to the measurement list, IMA reads the digest lists at the path specified and loads the digests in a hash table (digest lists are not measured, since their digest is already included in the metadata). With metadata measurement instead of digest list measurement, it is possible to avoid a performance reduction that would occur by measuring many digest lists (e.g. RPM headers) individually. If, alternatively, digest lists are loaded together, their signature cannot be verified. Lastly, when a file is accessed, IMA searches the calculated digest in the hash table. Only if the digest is not found a new entry is added to the measurement list. Roberto Sassu (12): ima: generalize ima_read_policy() ima: generalize ima_write_policy() ima: generalize policy file operations ima: use ima_show_htable_value to show hash table data ima: add functions to manage digest lists ima: added parser of digest lists metadata ima: added parser for compact digest list ima: added parser for RPM data type ima: introduce securityfs interfaces for digest lists ima: disable digest lookup if digest lists are not measured ima: don't report measurements if digests are included in the loaded lists ima: added Documentation/security/IMA-digest-lists.txt Documentation/security/IMA-digest-lists.txt | 150 +++++++++++++++++ include/linux/fs.h | 1 + security/integrity/ima/Kconfig | 11 ++ security/integrity/ima/Makefile | 1 + security/integrity/ima/ima.h | 17 ++ security/integrity/ima/ima_digest_list.c | 247 ++++++++++++++++++++++++++++ security/integrity/ima/ima_fs.c | 178 ++++++++++++-------- security/integrity/ima/ima_main.c | 23 ++- security/integrity/ima/ima_policy.c | 1 + security/integrity/ima/ima_queue.c | 39 +++++ 10 files changed, 602 insertions(+), 66 deletions(-) create mode 100644 Documentation/security/IMA-digest-lists.txt create mode 100644 security/integrity/ima/ima_digest_list.c -- 2.9.3