Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp331300ybd;
        Fri, 28 Jun 2019 21:03:01 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwCQE81zAqG+LkoLS1mtmdR9XhA/1h1e8ZIRY5yojxr1W5IeDHYdgEebnkJcv6ttvHw89yi
X-Received: by 2002:a17:902:ab8f:: with SMTP id f15mr15358079plr.159.1561780980984;
        Fri, 28 Jun 2019 21:03:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1561780980; cv=none;
        d=google.com; s=arc-20160816;
        b=UelVt4vIjX7SDErLvwZq6syNCQiNdK6QMMPymKW8O13i7HfIDWAkqectn2jAjISRyv
         NcuWI9SpRuj7NPAAXuxx5+mNYbjEOmU83FQKLI5jU/uHYnIciFMLGn3i6qyRfRx7uciG
         5DNwqHzui6WSFGdEjjmfBDatWdCxHXSCM4niHjDsNQdKMdatdtquIbyP4YbN9mpcKleW
         ew6PxGrCCQpf6chN3iHMz+gDSJP651AXgbYE+f5I6vv0J6OHKoxHVD1HwHCiPcjrJPZd
         KfuJqhxvsdawEiP1RZxxmkqdC7fT0Uv7YWcGt7qOcQGbCQklngMk3CCF4pr4OGTTJvJl
         0sFQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=GvWpAMHeEuz/QOcmcRcO4anZhAw0iOGf/iAUv4v9CGQ=;
        b=ovGMrxrKZnYu69HgwCQorCJBs0YP5x4ue6jcAM8O233x8v+uTu+4Zrrq9CuvT/cigo
         lkGntsyWM7QEA5So1ThEPYCWhc5WQUpVdwu/jg9SAPby/qUZzvBrld/vbCeea2oLWD8o
         cD0uU2qJ54mylXGvdvEleujWy0DxCv2lz1cGwIQbhcHZM6Dq85LJ+aBrmbHUq49CFDKx
         K+Imq5VAYvQRONofEasWpXd4yqtjNFDdcw4NFo1HH5G4E7rFOzUGMcKMTzzw2cCNhma4
         1Bg14h0JUYsAiR/2YDWP3GDFKwV/OcAkGVS7JqQXPAakBLyBri6WHffroK4KP/VMTkzj
         ASsg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k8si2573062pgc.235.2019.06.28.21.02.34;
        Fri, 28 Jun 2019 21:03:00 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726716AbfF2EBh (ORCPT <rfc822;ayiehere@gmail.com> + 99 others);
        Sat, 29 Jun 2019 00:01:37 -0400
Received: from namei.org ([65.99.196.166]:49794 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725710AbfF2EBh (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 29 Jun 2019 00:01:37 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id x5T41PhZ017591;
        Sat, 29 Jun 2019 04:01:25 GMT
Date:   Fri, 28 Jun 2019 21:01:25 -0700 (PDT)
From:   James Morris <jmorris@namei.org>
To:     Eric Biggers <ebiggers@kernel.org>
cc:     Jaskaran Khurana <jaskarankhurana@linux.microsoft.com>,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, agk@redhat.com, snitzer@redhat.com,
        dm-devel@redhat.com, scottsh@microsoft.com, mpatocka@redhat.com,
        gmazyland@gmail.com
Subject: Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig
 validation.
In-Reply-To: <20190628040041.GB673@sol.localdomain>
Message-ID: <alpine.LRH.2.21.1906282040490.15624@namei.org>
References: <20190619191048.20365-1-jaskarankhurana@linux.microsoft.com> <20190628040041.GB673@sol.localdomain>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 27 Jun 2019, Eric Biggers wrote:

> I don't understand your justification for this feature.
> 
> If userspace has already been pwned severely enough for the attacker to be
> executing arbitrary code with CAP_SYS_ADMIN (which is what the device mapper
> ioctls need), what good are restrictions on loading more binaries from disk?
> 
> Please explain your security model.

Let's say the system has a policy where all code must be signed with a 
valid key, and that one mechanism for enforcing this is via signed 
dm-verity volumes. Validating the signature within the kernel provides 
stronger assurance than userspace validation. The kernel validates and 
executes the code, using kernel-resident keys, and does not need to rely 
on validation which has occurred across a trust boundary.

You don't need arbitrary CAP_SYS_ADMIN code execution, you just need a 
flaw in the app (or its dependent libraries, or configuration) which 
allows signature validation to be bypassed.

The attacker now needs a kernel rather than a userspace vulnerability to 
bypass the signed code policy.

-- 
James Morris
<jmorris@namei.org>