Subject: Re: [PATCH v2 0/3] initramfs: add support for xattrs in the initial ram disk
From: Mimi Zohar
To: Rob Landley, Roberto Sassu, viro@zeniv.linux.org.uk
Cc: linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, initramfs@vger.kernel.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com, silviu.vlasceanu@huawei.com, dmitry.kasatkin@huawei.com, takondra@cisco.com, kamensky@cisco.com, hpa@zytor.com, arnd@arndb.de, james.w.mcmechan@gmail.com
Date: Fri, 10 May 2019 18:38:44 -0400
In-Reply-To: <3a9d717e-0e12-9d62-a3cf-afb7a5dbf166@landley.net>
References: <20190509112420.15671-1-roberto.sassu@huawei.com> <1557488971.10635.102.camel@linux.ibm.com> <3a9d717e-0e12-9d62-a3cf-afb7a5dbf166@landley.net>
Message-Id: <1557527924.10635.157.camel@linux.ibm.com>

On Fri, 2019-05-10 at 15:46 -0500, Rob Landley wrote:
> On 5/10/19 6:49 AM, Mimi Zohar wrote:
> > On Fri, 2019-05-10 at 08:56 +0200, Roberto Sassu wrote:
> >> On 5/9/2019 8:34 PM, Rob Landley wrote:
> >>> On 5/9/19 6:24 AM, Roberto Sassu wrote:
> >
> >>>> The difference with another proposal
> >>>> (https://lore.kernel.org/patchwork/cover/888071/) is that xattrs can be
> >>>> included in an image without changing the image format, as opposed to
> >>>> defining a new one. As seen from the discussion, if a new format has to be
> >>>> defined, it should fix the issues of the existing format, which requires
> >>>> more time.
> >>>
> >>> So you've explicitly chosen _not_ to address Y2038 while you're there.
> >>
> >> Can you be more specific?
> >
> > Right, this patch set avoids incrementing the CPIO magic number and
> > the resulting changes required (e.g. increasing the timestamp field
> > size), by including a file with the security xattrs in the CPIO.  In
> > either case, including the security xattrs in the initramfs header or
> > as a separate file, the initramfs, itself, needs to be signed.
>
> The /init binary in the initramfs runs as root and launches all other processes
> on the system. Presumably it can write any xattrs it wants to, and doesn't need
> any extra permissions granted to it to do so. But as soon as you start putting
> xattrs on _other_ files within the initramfs that are _not_ necessarily running
> as PID 1, _that's_ when the need to sign the initramfs comes in?
>
> Presumably the signing occurs on the gzipped file. How does that affect the cpio
> parsing _after_ it's decompressed? Why would that be part of _this_ patch?

The signing and verification of the initramfs is a separate issue, not
part of this patch set.  The only reason for mentioning it here was to
say that both methods of including the security xattrs require the
initramfs be signed.  Just as the kernel image needs to be signed and
verified, the initramfs should be too.

Mimi
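As an added illustration (not code from the thread or from the patch set) of the newc cpio header the discussion turns on, the following Python builds and parses a small archive whose second entry stands in for the separate xattr-carrying file the patch set adds, and checks the 8-hex-digit mtime field against the Y2038 limit Rob raises; the entry name `xattr-list` and its contents are constructed assumptions, not the patch set's real file name or format.

```python
# Minimal newc ("070701") cpio writer/reader: 6-byte magic plus 13 fields of 8 ASCII hex digits.
NEWC_MAGIC = b"070701"
FIELDS = ["ino", "mode", "uid", "gid", "nlink", "mtime", "filesize", "devmajor",
          "devminor", "rdevmajor", "rdevminor", "namesize", "check"]
HDR_LEN = 6 + 8 * len(FIELDS)  # 110 bytes

def _pad4(n):
    return (4 - n % 4) % 4

def mtime_fits(ts, signed=True):
    """True if a POSIX timestamp survives the 8-hex-digit (32-bit) mtime field.
    signed=True is the 2038 limit of a 32-bit time_t reader; signed=False the raw field (2106)."""
    return 0 <= ts <= (0x7FFFFFFF if signed else 0xFFFFFFFF)

def build_entry(name, data, mode=0o100644, mtime=0):
    """Encode one entry: header, NUL-terminated name and data, each padded to 4 bytes."""
    if not mtime_fits(mtime, signed=False):
        raise ValueError("mtime %d does not fit the newc header" % mtime)
    vals = {"ino": 0, "mode": mode, "uid": 0, "gid": 0, "nlink": 1, "mtime": mtime,
            "filesize": len(data), "devmajor": 0, "devminor": 0, "rdevmajor": 0,
            "rdevminor": 0, "namesize": len(name) + 1, "check": 0}
    hdr = NEWC_MAGIC + b"".join(b"%08x" % vals[f] for f in FIELDS)
    head = hdr + name.encode() + b"\0"
    return head + b"\0" * _pad4(len(head)) + data + b"\0" * _pad4(len(data))

def build_archive(entries):  # entries: [(name, data, mode, mtime)]; TRAILER!!! ends the archive
    return b"".join(build_entry(*e) for e in entries) + build_entry("TRAILER!!!", b"")

def parse_archive(blob):
    """Walk the archive and return [(name, fields, data)] for every entry before the trailer."""
    out, off = [], 0
    while off + HDR_LEN <= len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad magic at offset %d" % off)
        vals = {f: int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i, f in enumerate(FIELDS)}
        name_off = off + HDR_LEN
        name = blob[name_off:name_off + vals["namesize"] - 1].decode()
        data_off = name_off + vals["namesize"]
        data_off += _pad4(data_off - off)  # header+name is padded to a 4-byte boundary
        if name == "TRAILER!!!":
            break
        out.append((name, vals, blob[data_off:data_off + vals["filesize"]]))
        off = data_off + vals["filesize"] + _pad4(vals["filesize"])
    return out

# Constructed sample: /init plus a stand-in for the separate xattr-carrying file the patch set
# adds (its real name and format are not given in the thread).
SAMPLE = build_archive([("init", b"#!/bin/sh\nexec /sbin/init\n", 0o100755, 1557527924),
                        ("xattr-list", b"<constructed xattr metadata for init>\n", 0o100644, 1557527924)])
```

Because the xattr data travels as an ordinary entry, the archive parses with the unchanged newc header, which is exactly why the 32-bit mtime field is left untouched by this approach.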