Subject: Re: [PATCH v2 0/3] initramfs: add support for xattrs in the initial ram disk
From: Mimi Zohar
To: Rob Landley, Roberto Sassu, Arvind Sankar
Cc: linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, initramfs@vger.kernel.org
Date: Mon, 13 May 2019 08:08:33 -0400
In-Reply-To: <4f522e28-29c8-5930-5d90-e0086b503613@landley.net>
References: <20190512194322.GA71658@rani.riverdale.lan> <3fe0e74b-19ca-6081-3afe-e05921b1bfe6@huawei.com> <4f522e28-29c8-5930-5d90-e0086b503613@landley.net>
Message-Id: <1557749313.10635.309.camel@linux.ibm.com>

On Mon, 2019-05-13 at 04:07 -0500, Rob Landley wrote:
> > Allowing a kernel with integrity enforcement to parse the CPIO image
> > without verifying it first is the weak point.
>
> If you don't verify the CPIO image then in theory it could have anything in it,
> yes. You seem to believe that signing individual files is more secure than
> signing the archive. This is certainly a point of view.

Nobody is claiming that signing and verifying individual files is more secure. We are saying that in some environments BOTH are needed. In many environments today the initramfs IS being signed and verified. Unfortunately not all environments can sign the initramfs today, because the initramfs is not distributed with the kernel image, but generated on the target system.

Mimi