Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp6487506yba; Tue, 14 May 2019 08:21:33 -0700 (PDT) X-Google-Smtp-Source: APXvYqy4nlu48Q1qIC4CvMojxnH0xlW/Ehgd/93QCgPcFmvVpP8ejOo1cwV463CHsYu8HT/1kBzW X-Received: by 2002:a63:5d44:: with SMTP id o4mr38463296pgm.15.1557847293311; Tue, 14 May 2019 08:21:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557847293; cv=none; d=google.com; s=arc-20160816; b=jpM91vTHWMzflJLE4SXkzwjtyQwNnx8/nSSvCmlW/Chxa65GqCc2RuF5rW3VoN3iWH 7o+XCLZ5baIV6jC0vjgbU/E/BsQ1fIBflywdgqLgO0BCWSXm7QYhoZl2vofrrkJG6kiv 9rD0mFrHbxPqWdYkiFhN/T4tM9yW13mXHNf/aLPUTrLnBW+Z2DqJoGAVk1r31dmwrKoo +mnh1tYpBWqdJj3AEpXBfAxkt0l4UqJoEIjD+vTdxbgdoPfzgAVfxs6lmeDcicJqvF7J D/LF/byFdOPsaq1BKxb9V3tkjazmyb3rep/+1HZvytAVQnRgx5rwr17RY0gP8lQrj41V 7qKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=5MLnglKhGM8/VgGtJCzp4ChLBswvM29Wlu0NlXAFkRg=; b=SsM3NWNxZZ7p1n0V2m26t79n80gaN4ST5HV+HTE9/ykEwAVX7vWR6QR+pL4P7GHxPv oi29JIXSBfW5QnvetOPzPWAtnaI0VH111UJDvnjWXm35K765oEexaLy1k19/awrHl1jC sygvy+rFor6N3wud2+oxpGCUqCHqoVLdZ6v7m4dCgS3HgWbDk+f9bhDpuJCuTk8jF8b4 x4eKo3U+0etvuWPT32JJrKVrMSNH1rlG8FfpJlK6JIl9/JQ0jKBIPOJF4xXdDON6tn+S WmXYxmMDhPmoMyhBMBzoZpkvyN03G5CwqffHxbaa9FSsjZ6LpviiX5cXUF1AfK/TrEQD pebg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=MllZpyCT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id az5si19779607plb.111.2019.05.14.08.21.18; Tue, 14 May 2019 08:21:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=MllZpyCT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726279AbfENPUH (ORCPT + 99 others); Tue, 14 May 2019 11:20:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:49644 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726025AbfENPUH (ORCPT ); Tue, 14 May 2019 11:20:07 -0400 Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 771372166E for ; Tue, 14 May 2019 15:20:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1557847205; bh=xQanGgKgajbHtyLgJhLsCWkGAN1PdRL7As5ataJeHr8=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=MllZpyCT0BM/1JzBLxYHNTJoWfcB2/SEoCw4IV8RrlHyrb4V9+fS3wxWA9Llt18ZF TUi2m5qWnOXlTfBvBVhy2kNZux5UdUx0eu1WqO26J0L0LpERMgiYFEjRig7XYym/oB ZYgWO1/ePmHcBpJHJTqtaV5xcmvSsgTK5PVDtsqk= Received: by mail-wr1-f47.google.com with SMTP id d12so19649116wrm.8 for ; Tue, 14 May 2019 08:20:05 -0700 (PDT) X-Gm-Message-State: APjAAAV+lHafBdtEzeqnRH017L/7ubHksRYaemNbK2pJlF2Rrd7+9Rd8 dTvyoVYzT/dowIal7LjlRd/iwEJe8kHFYZid6IJvRg== X-Received: by 2002:adf:ef8f:: with SMTP id d15mr22930401wro.330.1557847204088; Tue, 14 May 2019 08:20:04 -0700 (PDT) MIME-Version: 1.0 References: <20190512194322.GA71658@rani.riverdale.lan> <3fe0e74b-19ca-6081-3afe-e05921b1bfe6@huawei.com> <4f522e28-29c8-5930-5d90-e0086b503613@landley.net> In-Reply-To: From: Andy Lutomirski Date: Tue, 14 May 2019 08:19:52 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2 0/3] initramfs: add support for xattrs in the initial ram disk To: Roberto Sassu Cc: Rob Landley , Arvind Sankar , LKML , Linux API , Linux FS Devel , linux-integrity , initramfs@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 13, 2019 at 5:47 AM Roberto Sassu wrote: > > On 5/13/2019 11:07 AM, Rob Landley wrote: > > > > > > On 5/13/19 2:49 AM, Roberto Sassu wrote: > >> On 5/12/2019 9:43 PM, Arvind Sankar wrote: > >>> On Sun, May 12, 2019 at 05:05:48PM +0000, Rob Landley wrote: > >>>> On 5/12/19 7:52 AM, Mimi Zohar wrote: > >>>>> On Sun, 2019-05-12 at 11:17 +0200, Dominik Brodowski wrote: > >>>>>> On Thu, May 09, 2019 at 01:24:17PM +0200, Roberto Sassu wrote: > >>>>>>> This proposal consists in marshaling pathnames and xattrs in a file called > >>>>>>> .xattr-list. They are unmarshaled by the CPIO parser after all files have > >>>>>>> been extracted. > >>>>>> > >>>>>> Couldn't this parsing of the .xattr-list file and the setting of the xattrs > >>>>>> be done equivalently by the initramfs' /init? Why is kernel involvement > >>>>>> actually required here? > >>>>> > >>>>> It's too late. The /init itself should be signed and verified. > >>>> > >>>> If the initramfs cpio.gz image was signed and verified by the extractor, how is > >>>> the init in it _not_ verified? > >>>> > >>>> Ro > >>> > >>> Wouldn't the below work even before enforcing signatures on external > >>> initramfs: > >>> 1. Create an embedded initramfs with an /init that does the xattr > >>> parsing/setting. This will be verified as part of the kernel image > >>> signature, so no new code required. > >>> 2. Add a config option/boot parameter to panic the kernel if an external > >>> initramfs attempts to overwrite anything in the embedded initramfs. This > >>> prevents overwriting the embedded /init even if the external initramfs > >>> is unverified. > >> > >> Unfortunately, it wouldn't work. IMA is already initialized and it would > >> verify /init in the embedded initial ram disk. > > > > So you made broken infrastructure that's causing you problems. Sounds unfortunate. > > The idea is to be able to verify anything that is accessed, as soon as > rootfs is available, without distinction between embedded or external > initial ram disk. > > Also, requiring an embedded initramfs for xattrs would be an issue for > systems that use it for other purposes. > > > >> The only reason why > >> opening .xattr-list works is that IMA is not yet initialized > >> (late_initcall vs rootfs_initcall). > > > > Launching init before enabling ima is bad because... you didn't think of it? > > No, because /init can potentially compromise the integrity of the > system. I think Rob is right here. If /init was statically built into the kernel image, it has no more ability to compromise the kernel than anything else in the kernel. What's the problem here?