Message-ID: <1597767571.3898.15.camel@HansenPartnership.com>
Subject: Re: [RFC PATCH 00/30] ima: Introduce IMA namespace
From: James Bottomley
To: krzysztof.struczynski@huawei.com, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, containers@lists.linux-foundation.org, linux-security-module@vger.kernel.org
Cc: zohar@linux.ibm.com, stefanb@linux.vnet.ibm.com, sunyuqiong1988@gmail.com, mkayaalp@cs.binghamton.edu, dmitry.kasatkin@gmail.com, serge@hallyn.com, jmorris@namei.org, christian@brauner.io, silviu.vlasceanu@huawei.com, roberto.sassu@huawei.com
Date: Tue, 18 Aug 2020 09:19:31 -0700
In-Reply-To: <20200818152037.11869-1-krzysztof.struczynski@huawei.com>
References: <20200818152037.11869-1-krzysztof.struczynski@huawei.com>

On Tue, 2020-08-18 at 17:20 +0200, krzysztof.struczynski@huawei.com wrote:
> The measurement list remains global, with the assumption that there
> is only one TPM in the system. Each IMA namespace has a unique ID
> that allows tracking measurements per IMA namespace. Processes in one
> namespace have access only to the measurements from that namespace.
> The exception is made for the initial IMA namespace, whose processes
> have access to all entries.
So I think this can work in the use case where the system owner is
responsible for doing the logging and attestation and the tenants just
trust the owner without requiring an attestation. However, in a
multi-tenant system you need a way for the attestation to be
per-container (because the combined list of who executed what would be
a security leak between tenants). Since we can't virtualise the PCRs
without introducing a vtpm this is going to require a vtpm
infrastructure like that used for virtual machines and then we can do
IMA logging per container.

I don't think the above has to be in your first patch set, we just have
to have an idea of how it could be done to show that nothing in this
patch set precludes a follow on from doing this.

James
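The attestation gap the reply describes can be made concrete with a small model. The following is an added example written for this page; it is not code from the RFC patch set, from the kernel, or from either author. It models one global measurement list tagged with a per-namespace ID (as the RFC describes), one hardware PCR that every namespace extends, and, as the hypothetical follow-on, one virtual PCR per namespace. The template hash is simplified to SHA-256 over the file digest and path (the real ima-ng template is richer), the namespace IDs and file paths are constructed sample data, and the `vpcr` table stands in for a vTPM that does not exist in the patch set. The point it shows: a tenant that sees only its own entries can never replay them to the shared hardware PCR, so it can either verify nothing or be given everyone's entries; only a per-namespace PCR lets the filtered view verify on its own.

```python
"""Toy model of per-namespace IMA logging against one shared PCR
versus one virtual PCR per namespace (added example, not kernel code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

PCR_SIZE = 32          # SHA-256 PCR bank, all-zero at reset
INIT_NS = 0            # the initial IMA namespace (host side)


def pcr_extend(pcr: bytes, value: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR' = H(PCR || value)."""
    return hashlib.sha256(pcr + value).digest()


def template_hash(file_digest: bytes, path: str) -> bytes:
    # Assumption/simplification: hash over digest and path stands in for
    # the ima-ng template-data hash that IMA really extends into the PCR.
    return hashlib.sha256(file_digest + path.encode()).digest()


@dataclass(frozen=True)
class Entry:
    ns_id: int             # assumed per-namespace ID from the RFC
    path: str
    file_digest: bytes
    template_hash: bytes


class MeasurementList:
    """One global list and one hardware PCR shared by all namespaces,
    plus a hypothetical per-namespace virtual PCR (the vTPM follow-on)."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []
        self.hw_pcr = bytes(PCR_SIZE)
        self.vpcr: dict[int, bytes] = {}

    def measure(self, ns_id: int, path: str, content: bytes) -> None:
        d = hashlib.sha256(content).digest()
        th = template_hash(d, path)
        self.entries.append(Entry(ns_id, path, d, th))
        # Every namespace extends the same physical PCR ...
        self.hw_pcr = pcr_extend(self.hw_pcr, th)
        # ... and, in the vTPM model, also its own virtual PCR.
        self.vpcr[ns_id] = pcr_extend(self.vpcr.get(ns_id, bytes(PCR_SIZE)), th)

    def view(self, requester_ns: int) -> list[Entry]:
        """Access rule from the RFC: a namespace sees only its own entries;
        the initial namespace sees everything."""
        if requester_ns == INIT_NS:
            return list(self.entries)
        return [e for e in self.entries if e.ns_id == requester_ns]


def replay(entries: list[Entry]) -> bytes:
    """What a verifier does with a log: re-extend from zero and compare
    the result with a quoted PCR value."""
    pcr = bytes(PCR_SIZE)
    for e in entries:
        pcr = pcr_extend(pcr, e.template_hash)
    return pcr


def build_sample_log() -> MeasurementList:
    # Constructed sample: the host and two tenants interleave executions.
    ml = MeasurementList()
    ml.measure(INIT_NS, "/usr/bin/containerd", b"host runtime")
    ml.measure(1, "/app/tenant-a/server", b"tenant A binary")
    ml.measure(2, "/app/tenant-b/worker", b"tenant B binary")
    ml.measure(1, "/app/tenant-a/plugin.so", b"tenant A plugin")
    return ml


def verify_view(ml: MeasurementList, ns_id: int) -> dict:
    """Can a requester in ns_id validate what it is allowed to read?"""
    own = ml.view(ns_id)
    return {
        "entries_seen": len(own),
        "foreign_entries_seen": sum(e.ns_id != ns_id for e in own),
        "matches_hw_pcr": replay(own) == ml.hw_pcr,       # shared PCR
        "matches_vpcr": replay(own) == ml.vpcr[ns_id],    # per-ns vPCR
    }


if __name__ == "__main__":
    log = build_sample_log()
    for ns in (INIT_NS, 1, 2):
        print(ns, verify_view(log, ns))
```

Run as a script, the host view replays to the hardware PCR but only because it contains every tenant's entries, which is the cross-tenant leak; each tenant's filtered view fails against the hardware PCR and succeeds only against its own virtual PCR. A real follow-on would also have to bind each vPCR to the physical TPM (for instance by quoting it through a vTPM backed by the hardware one), which this model does not attempt.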