Subject: Re: [PATCH v4 0/3] initramfs: add support for xattrs in the initial ram disk
From: Roberto Sassu
To: Rob Landley
Date: Wed, 26 Jun 2019 10:15:10 +0200
Message-ID: <33cfb804-6a17-39f0-92b7-01d54e9c452d@huawei.com>
In-Reply-To: <541e9ea1-024f-5c22-0b58-f8692e6c1eb1@landley.net>
References: <20190523121803.21638-1-roberto.sassu@huawei.com> <541e9ea1-024f-5c22-0b58-f8692e6c1eb1@landley.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On 6/3/2019 8:32 PM, Rob Landley wrote:
> On 6/3/19 4:31 AM, Roberto Sassu wrote:
>>> This patch set aims at solving the following use case: appraise files from
>>> the initial ram disk. To do that, IMA checks the signature/hash from the
>>> security.ima xattr. Unfortunately, this use case cannot be implemented
>>> currently, as the CPIO format does not support xattrs.
>>>
>>> This proposal consists in including file metadata as additional files named
>>> METADATA!!!, for each file added to the ram disk. The CPIO parser in the
>>> kernel recognizes these special files from the file name, and calls the
>>> appropriate parser to add metadata to the previously extracted file. It has
>>> been proposed to use bit 17:16 of the file mode as a way to recognize files
>>> with metadata, but both the kernel and the cpio tool declare the file mode
>>> as unsigned short.
>>
>> Any opinion on this patch set?
>>
>> Thanks
>>
>> Roberto
>
> Sorry, I've had the window open since you posted it but haven't gotten around to
> it. I'll try to build it later today.
>
> It does look interesting, and I have no objections to the basic approach. I
> should be able to add support to toybox cpio over a weekend once I've got the
> kernel doing it to test against.

Ok. Let me give some instructions so that people can test this patch set.

To add xattrs to the ram disk embedded in the kernel, it is sufficient to set
CONFIG_INITRAMFS_FILE_METADATA="xattr" and CONFIG_INITRAMFS_SOURCE="" in the
kernel configuration.

To add xattrs to the external ram disk, it is necessary to patch cpio:

https://github.com/euleros/cpio/commit/531cabc88e9ecdc3231fad6e4856869baa9a91ef
(xattr-v1 branch)

and dracut:

https://github.com/euleros/dracut/commit/a2dee56ea80495c2c1871bc73186f7b00dc8bf3b
(digest-lists branch)

The same modification can be done for mkinitramfs (add '-e xattr' to the cpio
command line).

To simplify the test, it would be sufficient to replace only the cpio binary
and the dracut script with the modified versions. For dracut, the patch should
be applied to the local dracut (after it has been renamed to dracut.sh). Then,
run:

dracut -e xattr -I (add -f to overwrite the ram disk)

Xattrs can be seen by stopping the boot process, for example by adding rd.break
to the kernel command line.

Roberto

--
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI
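As an added example, not part of this thread and not code from the patch set, the kernel, cpio or dracut, the following Python builds a small newc-format cpio archive in memory in which each regular file carrying xattrs is followed by an entry named METADATA!!!, then parses the archive back the way the proposal describes: the special entry is recognised by its name and its payload is attached to the file extracted just before it. The payload encoding used here (xattr name, NUL, big-endian 32-bit length, value) is an assumption made for this example and is not the format defined by the real patches. The parser also shows the check a consumer of such archives wants: a METADATA!!! entry with nothing before it, or a truncated payload, is reported instead of being applied.

```python
"""Added example: newc cpio with METADATA!!! xattr entries (not the patch's code)."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

NEWC_MAGIC = b"070701"          # SVR4 "new ASCII" cpio header magic
METADATA_NAME = "METADATA!!!"   # special entry name from the proposal
TRAILER_NAME = "TRAILER!!!"     # standard end-of-archive marker
HDR_LEN = 110                   # 6-byte magic + 13 fields of 8 hex digits

# Constructed sample input; the xattr bytes are made up, not a real IMA signature.
SAMPLE_IMA = b"\x03\x02\x04\x10\x11\x12\x13"
SAMPLE_FILES = [
    ("bin/sh", b"#!/bin/sh\n", {"security.ima": SAMPLE_IMA}),
    ("etc/hostname", b"box\n", {}),
]


def _pad4(n: int) -> int:
    """Bytes needed to bring n up to the next multiple of 4 (newc alignment)."""
    return (-n) % 4


def _entry(name: str, data: bytes, mode: int, ino: int) -> bytes:
    """Encode one newc entry: 110-byte ASCII header, NUL-terminated name, data."""
    namesize = len(name) + 1
    # ino, mode, uid, gid, nlink, mtime, filesize, devmaj, devmin, rdevmaj, rdevmin, namesize, check
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, namesize, 0]
    header = NEWC_MAGIC + "".join(f"{v:08x}" for v in fields).encode()
    name_part = name.encode() + b"\0" + b"\0" * _pad4(HDR_LEN + namesize)
    return header + name_part + data + b"\0" * _pad4(len(data))


def encode_xattrs(xattrs: Dict[str, bytes]) -> bytes:
    """Assumed METADATA!!! payload: name NUL, big-endian u32 length, value."""
    return b"".join(k.encode() + b"\0" + struct.pack(">I", len(v)) + v
                    for k, v in xattrs.items())


def decode_xattrs(payload: bytes) -> Dict[str, bytes]:
    """Inverse of encode_xattrs; rejects a truncated payload instead of guessing."""
    xattrs, pos = {}, 0
    while pos < len(payload):
        end = payload.find(b"\0", pos)
        if end < 0 or end + 5 > len(payload):
            raise ValueError("truncated xattr header")
        (size,) = struct.unpack(">I", payload[end + 1:end + 5])
        value = payload[end + 5:end + 5 + size]
        if len(value) != size:
            raise ValueError("truncated xattr value")
        xattrs[payload[pos:end].decode()] = value
        pos = end + 5 + size
    return xattrs


def build_archive(files) -> bytes:
    """Emit each file, immediately followed by a METADATA!!! entry if it has xattrs."""
    out, ino = b"", 1
    for name, data, xattrs in files:
        out += _entry(name, data, 0o100644, ino)
        ino += 1
        if xattrs:
            out += _entry(METADATA_NAME, encode_xattrs(xattrs), 0o100644, ino)
            ino += 1
    return out + _entry(TRAILER_NAME, b"", 0, ino)


@dataclass
class Entry:
    name: str
    data: bytes
    xattrs: Dict[str, bytes] = field(default_factory=dict)


def parse_archive(buf: bytes) -> Tuple[List[Entry], List[str]]:
    """Walk the archive and attach each METADATA!!! payload to the preceding file.

    A METADATA!!! entry with no preceding file, a bad payload or a bad header
    is reported in the returned problem list rather than silently applied.
    """
    entries, problems, pos, last = [], [], 0, None
    while True:
        hdr = buf[pos:pos + HDR_LEN]
        if len(hdr) < HDR_LEN:
            problems.append("archive ends without TRAILER!!!")
            break
        if hdr[:6] != NEWC_MAGIC:
            problems.append(f"bad magic at offset {pos}")
            break
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_start = pos + HDR_LEN
        name = buf[name_start:name_start + namesize - 1].decode()
        data_start = name_start + namesize + _pad4(HDR_LEN + namesize)
        data = buf[data_start:data_start + filesize]
        entry_off, pos = pos, data_start + filesize + _pad4(filesize)
        if name == TRAILER_NAME:
            break
        if name == METADATA_NAME:
            if last is None:
                problems.append(f"{METADATA_NAME} at offset {entry_off} has no preceding file")
            else:
                try:
                    last.xattrs.update(decode_xattrs(data))
                except ValueError as exc:
                    problems.append(f"bad metadata for {last.name}: {exc}")
            continue
        last = Entry(name, data)
        entries.append(last)
    return entries, problems


if __name__ == "__main__":
    found, issues = parse_archive(build_archive(SAMPLE_FILES))
    for e in found:
        print(e.name, {k: v.hex() for k, v in e.xattrs.items()})
    print("problems:", issues)
```

The pairing rule is purely positional, which is why the parser keeps only the last regular file as state and refuses to apply a METADATA!!! entry that has nothing before it; a real consumer would additionally want to decide whether a second consecutive METADATA!!! entry for the same file is legitimate.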