Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp2399455ybi; Mon, 1 Jul 2019 11:19:54 -0700 (PDT) X-Google-Smtp-Source: APXvYqyC0wujsVaub4HbgKBxit/uOyFPUCIH0WAhTDpugkvZ8M82wqc1Imd9H1k18anGpwbuCqAk X-Received: by 2002:a63:79ca:: with SMTP id u193mr7708052pgc.91.1562005194735; Mon, 01 Jul 2019 11:19:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562005194; cv=none; d=google.com; s=arc-20160816; b=AHpdhHCa+4cpuLJXoidwftUR57P5f5aVhv5CVxmDZYeJPAXRBXUvqMOeB7LTZqUJC6 UzW0cXPvkEPi2rZU4Klwo4yYiDCzVt2Bv7H9oRw1uGPN6fUGIWqVktVLMmLFw0qMpOEi P50xM7h0/Kkl9/U4+ZxSmOYcG38zrqVgIk1V/nvNkoK5YInr8y4uacfwf2bZvgntb5/K ob3tSkoReB8S3+amkCwxQ5IAq/lwYn2EVxC8F6qHRwqoR/nOyT/6DJuXUyf5SnfMq7sf aVDp6s2VZVoELd6vrtVCqOOtjocUV38T/EG6lbRCTlB+BWCcdwlAma+HROCSSiRFTgt4 7UIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=T85BWSiu0NcDa/F5zED6maLVPQ4S6cPN+gw9cWSzEAc=; b=dmQIdh+kMm7T0t/c5yTbLIP2neiBwQZ9Z/4ohkfmx8+8S/5BU/0kBO/HEWpc/4KNtS MgsjTnTYjKkeq/S/xHnAh/J/Bc4FP3zzelSzlAavlmiNr+uGGXHRblnW0O7sjvRJao5q Tfy/HvBEVuIu+N4HNEG+w7th8txCbDtdWboqnQhW4g8VbkAtUh3ue5haKUT5kNe6Daof d+FfqNjq/QrhLABtyw9WB03KuZOus4MVI4mnyjdd8EUkkB3D8WAkMuoswhH3yh8V4TG1 vhx00FSLqoQQaobf9eBiXHW+OCohQzX0au4Gw1hNdb1OmF6EN8hQDRaD/wKfItKG/hbg td8w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id cf16si908301plb.346.2019.07.01.11.19.29; Mon, 01 Jul 2019 11:19:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727790AbfGARdB (ORCPT + 99 others); Mon, 1 Jul 2019 13:33:01 -0400 Received: from linux.microsoft.com ([13.77.154.182]:53792 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727334AbfGARdB (ORCPT ); Mon, 1 Jul 2019 13:33:01 -0400 Received: by linux.microsoft.com (Postfix, from userid 1029) id 2FEB720BCFC5; Mon, 1 Jul 2019 10:33:00 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by linux.microsoft.com (Postfix) with ESMTP id 2922E3011494; Mon, 1 Jul 2019 10:33:00 -0700 (PDT) Date: Mon, 1 Jul 2019 10:33:00 -0700 (PDT) From: Jaskaran Singh Khurana X-X-Sender: jaskarankhurana@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net To: Milan Broz cc: James Morris , Eric Biggers , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-fsdevel@vger.kernel.org, agk@redhat.com, snitzer@redhat.com, dm-devel@redhat.com, scottsh@microsoft.com, mpatocka@redhat.com Subject: Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation. In-Reply-To: <749ddf56-3cb6-42c8-9ccc-71e09558400f@gmail.com> Message-ID: References: <20190619191048.20365-1-jaskarankhurana@linux.microsoft.com> <20190628040041.GB673@sol.localdomain> <749ddf56-3cb6-42c8-9ccc-71e09558400f@gmail.com> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Milan, On Mon, 1 Jul 2019, Milan Broz wrote: > On 29/06/2019 06:01, James Morris wrote: >> On Thu, 27 Jun 2019, Eric Biggers wrote: >> >>> I don't understand your justification for this feature. >>> >>> If userspace has already been pwned severely enough for the attacker to be >>> executing arbitrary code with CAP_SYS_ADMIN (which is what the device mapper >>> ioctls need), what good are restrictions on loading more binaries from disk? >>> >>> Please explain your security model. >> >> Let's say the system has a policy where all code must be signed with a >> valid key, and that one mechanism for enforcing this is via signed >> dm-verity volumes. Validating the signature within the kernel provides >> stronger assurance than userspace validation. The kernel validates and >> executes the code, using kernel-resident keys, and does not need to rely >> on validation which has occurred across a trust boundary. > > Yes, but as it is implemented in this patch, a certificate is provided as > a binary blob by the (super)user that activates the dm-verity device. > > Actually, I can put there anything that looks like a correct signature (self-signed > or so), and dm-verity code is happy because the root hash is now signed. > > Maybe could this concept be extended to support in-kernel compiled certificates? > > I like the idea of signed root hash, but the truth is that if you have access > to device activation, it brings nothing, you can just put any cert in the keyring > and use it. > > Milan > The signature needs to be trusted by the .builtin_trusted_keys which is a read-only list of keys that were compiled into the kernel. The verify_pkcs7_signature verifies trust against the builtin keyring so I think what you are suggesting is covered here. Regards, Jaskaran.