Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp511110yba; Thu, 16 May 2019 04:44:51 -0700 (PDT) X-Google-Smtp-Source: APXvYqyv/R4SMl6xtkh0OvT7qqexO0ZHlfLeNWsyiS6h3vKaA7tXE08P7uB90Z/iqh2qWIrZw4sl X-Received: by 2002:a63:ff23:: with SMTP id k35mr19608126pgi.139.1558007091548; Thu, 16 May 2019 04:44:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558007091; cv=none; d=google.com; s=arc-20160816; b=yj8FGGOC959MDTYmgWEGulnUJRRvZP+M2N3wMizecvrMzZN4qMY0X0xOLdO+WSD2wn NDSr9iuXDB6HcpuwGAyjtNwhqaTj1z07rmESDJDjgDwCGNxNr6dDJfHMPTz7vbEEu1lc R/XbaF0wQg+FkbCJHMM0850Gpnboy+6as/szDS3IDXVV07ghdPTiubV8g2s3i62B6eiL 3asihnjGjn3RCA5MiQuuMiiIobE+bbaZxwNhuqN9iG3xCapq+XbPmbfuOHZYbr9TC0uw KdbsUUMAnHCVzPebTKtVaJbDa7h9r5JrFyGZVGHrNxLZsGAN22tPDeF+GiFBtCnt8JhB i3fQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=GDqQXS28Ilw+qUJC0HqOeMG6iTYgC7ZPQ3gh7/fq2fA=; b=Axe/VRMtLELaYt4gQVjZmEpaZjxkWN6iUacjeHRwLYmYK6ylcEY43js7NzYHMTi98c +nh/OrkmqGEgJDzyTJm3wgPsOy+73Xd6bgdkoxvXeH6eTTwzLeU+tUE+EzXt73/qpGFC weXvUNn1Kx7r2+GDWYeGvC3sn5qJ4aMEkRcGaNYhXc4hVSsAb2Ph+3cuBric4qE6U0mY LTybmr6lqTLM3UAZ47lxxpNpWqQh0aCHYLYsoS1jNrkdzzlh2JN+A9vbJSMefUD0iCWZ 5QCU9TaIPbvrqwGCSjIe4jIJcg3jywYJHlbWl1gDICNg1ncDY61TV0XaByHT6j1d64HW +DFw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c11si4544495pll.205.2019.05.16.04.44.36; Thu, 16 May 2019 04:44:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728548AbfEPLmw (ORCPT + 99 others); Thu, 16 May 2019 07:42:52 -0400 Received: from lhrrgout.huawei.com ([185.176.76.210]:32944 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727973AbfEPLmv (ORCPT ); Thu, 16 May 2019 07:42:51 -0400 Received: from LHREML712-CAH.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id A54C148E50E23ECD1918; Thu, 16 May 2019 12:42:48 +0100 (IST) Received: from [10.220.96.108] (10.220.96.108) by smtpsuk.huawei.com (10.201.108.35) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 16 May 2019 12:42:42 +0100 Subject: Re: [PATCH v2 0/3] initramfs: add support for xattrs in the initial ram disk To: Arvind Sankar CC: James Bottomley , Rob Landley , Andy Lutomirski , Arvind Sankar , LKML , Linux API , Linux FS Devel , linux-integrity , , Silviu Vlasceanu References: <4f522e28-29c8-5930-5d90-e0086b503613@landley.net> <1557861511.3378.19.camel@HansenPartnership.com> <4da3dbda-bb76-5d71-d5c5-c03d98350ab0@landley.net> <1557878052.2873.6.camel@HansenPartnership.com> <20190515005221.GB88615@rani.riverdale.lan> <20190515160834.GA81614@rani.riverdale.lan> <20190516052934.GA68777@rani.riverdale.lan> From: Roberto Sassu Message-ID: Date: Thu, 16 May 2019 13:42:28 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: <20190516052934.GA68777@rani.riverdale.lan> Content-Type: text/plain; charset="utf-8"; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.220.96.108] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 5/16/2019 7:29 AM, Arvind Sankar wrote: > On Wed, May 15, 2019 at 07:06:52PM +0200, Roberto Sassu wrote: >> On 5/15/2019 6:08 PM, Arvind Sankar wrote: >>> On Wed, May 15, 2019 at 01:19:04PM +0200, Roberto Sassu wrote: >>>> On 5/15/2019 2:52 AM, Arvind Sankar wrote: >>> I don't understand what you mean? The IMA hashes are signed by some key, >>> but I don't see how what that key is needs to be different between the >>> two proposals. If the only files used are from the distro, in my scheme >>> as well you can use the signatures and key provided by the distro. If >>> they're not, then in your scheme as well you would have to allow for a >>> local signing key to be used. Both schemes are using the same >>> .xattr-list file, no? >> >> I was referring to James's proposal to load an external initramfs from >> the embedded initramfs. If the embedded initramfs opens the external >> initramfs when IMA is enabled, the external initramfs needs to be >> signed with a local signing key. But I read your answer that this >> wouldn't be feasible. You have to specify all initramfs in the boot >> loader configuration. >> >> I think deferring IMA initialization is not the safest approach, as it >> cannot be guaranteed for all possible scenarios that there won't be any >> file read before /init is executed. >> >> But if IMA is enabled, there is the problem of who signs .xattr-list. >> There should be a local signing key that it is not necessary if the user >> only accesses distro files. >> > I think that's a separate issue. If you want to allow people to be able > to put files onto the system that will be IMA verified, they need to > have some way to locally sign them whether it's inside an initramfs or > on a real root filesystem. Yes. But this shouldn't be a requirement. If I have only files signed by the distro, I should be able to do appraisal without a local signing key. I made an IMA extension called IMA Digest Lists, that extracts reference digests from RPM headers and performs appraisal based on the loaded white lists. The only keys that must be in the kernel for signature verification are the PGP keys of the distro (plus the public key for the RPM parser, which at the moment is different). .xattr-list is generated by my custom dracut module and contains the signature of the digest lists and the parser. >>> Right, I guess this would be sort of the minimal "modification" to the >>> CPIO format to allow it to support xattrs. >> >> I would try to do it without modification of the CPIO format. However, >> at the time .xattr-list is parsed (in do_copy() before .xattr-list is >> closed), it is not guaranteed that all files are extracted. These must >> be created before xattrs are added, but the file type must be correct, >> otherwise clean_path() removes the existing file with xattrs. >> >> Roberto >> >> -- >> HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 >> Managing Director: Bo PENG, Jian LI, Yanli SHI > > Right by "modification" in quotes I meant the format is actually the > same, but the kernel now interprets it a bit differently. > > Regarding the order you don't have to handle that in the kernel. The > kernel CPIO format is already restricted in that directories have to be > specified before the files that contain them for example. It can very > well be restricted so that an .xattr-list can only specify xattrs for > files that were already extracted, else you bail out with an error. The > archive creation tooling can easily handle that. If someone wants to > shoot themselves in the foot by trying to add more files/replace > existing files after the .xattr-list its ok, the IMA policy will prevent > such files from being accessed and they can fix the archive for the next > boot. Unfortunately, dracut sorts the files before adding them to the CPIO image (.xattr-list is at the beginning). I could move xattrs from the existing file to the file with different mode, but this makes the code more complex. I think it is better to call do_readxattrs() after files are extracted, or when .xattr-list is going to be replaced by another one in the next initramfs. Roberto -- HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Bo PENG, Jian LI, Yanli SHI