Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp331300ybd; Fri, 28 Jun 2019 21:03:01 -0700 (PDT) X-Google-Smtp-Source: APXvYqwCQE81zAqG+LkoLS1mtmdR9XhA/1h1e8ZIRY5yojxr1W5IeDHYdgEebnkJcv6ttvHw89yi X-Received: by 2002:a17:902:ab8f:: with SMTP id f15mr15358079plr.159.1561780980984; Fri, 28 Jun 2019 21:03:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561780980; cv=none; d=google.com; s=arc-20160816; b=UelVt4vIjX7SDErLvwZq6syNCQiNdK6QMMPymKW8O13i7HfIDWAkqectn2jAjISRyv NcuWI9SpRuj7NPAAXuxx5+mNYbjEOmU83FQKLI5jU/uHYnIciFMLGn3i6qyRfRx7uciG 5DNwqHzui6WSFGdEjjmfBDatWdCxHXSCM4niHjDsNQdKMdatdtquIbyP4YbN9mpcKleW ew6PxGrCCQpf6chN3iHMz+gDSJP651AXgbYE+f5I6vv0J6OHKoxHVD1HwHCiPcjrJPZd KfuJqhxvsdawEiP1RZxxmkqdC7fT0Uv7YWcGt7qOcQGbCQklngMk3CCF4pr4OGTTJvJl 0sFQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=GvWpAMHeEuz/QOcmcRcO4anZhAw0iOGf/iAUv4v9CGQ=; b=ovGMrxrKZnYu69HgwCQorCJBs0YP5x4ue6jcAM8O233x8v+uTu+4Zrrq9CuvT/cigo lkGntsyWM7QEA5So1ThEPYCWhc5WQUpVdwu/jg9SAPby/qUZzvBrld/vbCeea2oLWD8o cD0uU2qJ54mylXGvdvEleujWy0DxCv2lz1cGwIQbhcHZM6Dq85LJ+aBrmbHUq49CFDKx K+Imq5VAYvQRONofEasWpXd4yqtjNFDdcw4NFo1HH5G4E7rFOzUGMcKMTzzw2cCNhma4 1Bg14h0JUYsAiR/2YDWP3GDFKwV/OcAkGVS7JqQXPAakBLyBri6WHffroK4KP/VMTkzj ASsg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k8si2573062pgc.235.2019.06.28.21.02.34; Fri, 28 Jun 2019 21:03:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726716AbfF2EBh (ORCPT + 99 others); Sat, 29 Jun 2019 00:01:37 -0400 Received: from namei.org ([65.99.196.166]:49794 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725710AbfF2EBh (ORCPT ); Sat, 29 Jun 2019 00:01:37 -0400 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id x5T41PhZ017591; Sat, 29 Jun 2019 04:01:25 GMT Date: Fri, 28 Jun 2019 21:01:25 -0700 (PDT) From: James Morris To: Eric Biggers cc: Jaskaran Khurana , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-fsdevel@vger.kernel.org, agk@redhat.com, snitzer@redhat.com, dm-devel@redhat.com, scottsh@microsoft.com, mpatocka@redhat.com, gmazyland@gmail.com Subject: Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation. In-Reply-To: <20190628040041.GB673@sol.localdomain> Message-ID: References: <20190619191048.20365-1-jaskarankhurana@linux.microsoft.com> <20190628040041.GB673@sol.localdomain> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 27 Jun 2019, Eric Biggers wrote: > I don't understand your justification for this feature. > > If userspace has already been pwned severely enough for the attacker to be > executing arbitrary code with CAP_SYS_ADMIN (which is what the device mapper > ioctls need), what good are restrictions on loading more binaries from disk? > > Please explain your security model. Let's say the system has a policy where all code must be signed with a valid key, and that one mechanism for enforcing this is via signed dm-verity volumes. Validating the signature within the kernel provides stronger assurance than userspace validation. The kernel validates and executes the code, using kernel-resident keys, and does not need to rely on validation which has occurred across a trust boundary. You don't need arbitrary CAP_SYS_ADMIN code execution, you just need a flaw in the app (or its dependent libraries, or configuration) which allows signature validation to be bypassed. The attacker now needs a kernel rather than a userspace vulnerability to bypass the signed code policy. -- James Morris