Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp3665596ybd; Fri, 28 Jun 2019 12:45:51 -0700 (PDT) X-Google-Smtp-Source: APXvYqzDjVXOYfzP9rXy2/TsTkl57fRcgqD9fiy8bbKYSRKhqDma1/xSTclNLraHqkiQvbZ7BZav X-Received: by 2002:a65:5888:: with SMTP id d8mr10699250pgu.124.1561751151390; Fri, 28 Jun 2019 12:45:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561751151; cv=none; d=google.com; s=arc-20160816; b=EoZXQ3/K8yJnd0S5htNkqWAMpLK3/e30QIaluzQo2eWmC0fJep5nzYz7LKY5jrZOTM ZGazvVwSa2m44cZrjl6mVdj2EiMzbc4cAQxAUsniqehXFDIpgDsXmxst3Ugc+KDQbV80 LwemIhmZg5F5YxcPwlbcfGdSsVLwUoNcltX3q/61eiZAj8fKnpTolpBaoN59CLcxu4ji SEZhsjx8/fFmSRgCHAM0ptJZ+7yzYSNt+VDNEP0UgogPfYQE2kcfB8p464uQdftoPLg3 Ku8z+EvXXcjHLD14yoTQjV4QZzRnOxE17xZeA6sBvleJWgz+c8npOW5o0w7SOCBq4V/B B2Nw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=BCc1Fo0i9O7+aqLC1dsCcWQIAdFG9kkH7bQEFt8Wnq4=; b=Jw5bgQxtwWJWgc24OVlHltnvapHz8sqVdIdCjmFNHK9xyMhzcj2rfl6UCVYqoecNcS 3RqC8cwO3iaqecdrqyiZYfo94eIn1wkqYqskFeinN9UQJ8vbpUbhwaEBziEFcvFWKP+A 6LAkbDydneXifxlpyMaAcg1lr8Rj2wst5OomJN38SKzcAfcaD6c1IoSAbz2O+lLtnw78 e8pC8Y0B1diDkB0Bhawxy0mBJIUyaiJcEZDP7QPYoIoOTy4RwiQNIC8NlHXuJdF6248n iC7b+FxHywtJwqB2qvns29gdj9JXBv2njQHe2iW1Kp/Jkz+KrgU8MMbZlJkXLe3ekRtN h79w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u12si3073220pfh.256.2019.06.28.12.45.33; Fri, 28 Jun 2019 12:45:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727039AbfF1TpM (ORCPT + 99 others); Fri, 28 Jun 2019 15:45:12 -0400 Received: from linux.microsoft.com ([13.77.154.182]:60050 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726497AbfF1TpM (ORCPT ); Fri, 28 Jun 2019 15:45:12 -0400 Received: by linux.microsoft.com (Postfix, from userid 1029) id 5A4D22007696; Fri, 28 Jun 2019 12:45:11 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by linux.microsoft.com (Postfix) with ESMTP id 4A08C301032E; Fri, 28 Jun 2019 12:45:11 -0700 (PDT) Date: Fri, 28 Jun 2019 12:45:11 -0700 (PDT) From: Jaskaran Singh Khurana X-X-Sender: jaskarankhurana@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net To: Eric Biggers cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-fsdevel@vger.kernel.org, agk@redhat.com, snitzer@redhat.com, dm-devel@redhat.com, jmorris@namei.org, scottsh@microsoft.com, mpatocka@redhat.com, gmazyland@gmail.com Subject: Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation. In-Reply-To: <20190628040041.GB673@sol.localdomain> Message-ID: References: <20190619191048.20365-1-jaskarankhurana@linux.microsoft.com> <20190628040041.GB673@sol.localdomain> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Eric, On Thu, 27 Jun 2019, Eric Biggers wrote: > On Wed, Jun 19, 2019 at 12:10:47PM -0700, Jaskaran Khurana wrote: >> This patch set adds in-kernel pkcs7 signature checking for the roothash of >> the dm-verity hash tree. >> The verification is to support cases where the roothash is not secured by >> Trusted Boot, UEFI Secureboot or similar technologies. >> One of the use cases for this is for dm-verity volumes mounted after boot, >> the root hash provided during the creation of the dm-verity volume has to >> be secure and thus in-kernel validation implemented here will be used >> before we trust the root hash and allow the block device to be created. >> >> Why we are doing validation in the Kernel? >> >> The reason is to still be secure in cases where the attacker is able to >> compromise the user mode application in which case the user mode validation >> could not have been trusted. >> The root hash signature validation in the kernel along with existing >> dm-verity implementation gives a higher level of confidence in the >> executable code or the protected data. Before allowing the creation of >> the device mapper block device the kernel code will check that the detached >> pkcs7 signature passed to it validates the roothash and the signature is >> trusted by builtin keys set at kernel creation. The kernel should be >> secured using Verified boot, UEFI Secure Boot or similar technologies so we >> can trust it. >> >> What about attacker mounting non dm-verity volumes to run executable >> code? >> >> This verification can be used to have a security architecture where a LSM >> can enforce this verification for all the volumes and by doing this it can >> ensure that all executable code runs from signed and trusted dm-verity >> volumes. >> >> Further patches will be posted that build on this and enforce this >> verification based on policy for all the volumes on the system. >> > > I don't understand your justification for this feature. > > If userspace has already been pwned severely enough for the attacker to be > executing arbitrary code with CAP_SYS_ADMIN (which is what the device mapper > ioctls need), what good are restrictions on loading more binaries from disk? > > Please explain your security model. > > - Eric > In a datacenter like environment, this will protect the system from below attacks: 1.Prevents attacker from deploying scripts that run arbitrary executables on the system. 2.Prevents physically present malicious admin to run arbitrary code on the machine. Regards, Jaskaran