Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2343845pxk; Mon, 14 Sep 2020 10:45:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw72gseyLHu+eoqVfcSGsy+oMuwjvjEtgOU1DUtb188G686uOneTZCRAmFbbrbsT5yeN/PM X-Received: by 2002:a50:8709:: with SMTP id i9mr18773375edb.141.1600105522507; Mon, 14 Sep 2020 10:45:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600105522; cv=none; d=google.com; s=arc-20160816; b=q3lxhEEFgtjJDYspOMAPzgHaHN5rzku4StQsjeukmgKQW5sGP2kIljJQ1WLeTVVvTR +2UeKV1pyqwgY6POmqH14e/vnDnOM+y94KeDQ6JbwVFeEiBCxMgyx7VQLVFsnuOehPHP p+A16jY62qTinoZn1Ek4DeMP9/yr+/qun39p42BIVaJaXWqxqoK61MTebqYHhgvdeSwn 2UHkSmAH2SaBfP//blsQhTNVSJY9PAzKRqJ7fht9wgH75zHN9juGjmWoxwLr2UlyJADr K5umlQYf5WQkmfu7fu0TNsET7OYRH1fCC3wFD14YQ66FttgqNNOG+5Ry/5opaOiIHJ7p VfZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-language:accept-language:in-reply-to:references:message-id :date:thread-index:thread-topic:subject:cc:to:from; bh=Ay535PZXPTP+5F4zTOrmpiyROX9/Pok6kssjPkMC3mo=; b=I22yRlCvBspfq765DFMYpKYrCKqCX+d68G7Futo0o4Os+vORNKdRHikod83ZhUmrDs MzuLz693FWv9PWjOSbqhOqFfe9yAK60d6CrvbKKndl3pK7x3B4qSotLwbiuDdDIMyuBz 9GyHfYJFmDXqjejBiO3QtEtBpVBD0QdWWOEeCE0nMvJGkUjT1CkHZC+vOoTpK0jvkezS UOq3UZbNDSU/XeN20IMLPv+4/TOdjwhQt7Zv/v+iQCNP3F6HfC5yAMunZJeZXVp22bx/ BSBypttSpp57PwSuwMtKXgOj1JQCd9KlHvC5VsdAlZRvktp4fv0mgK5/7rOlSXd/S76U Pmsg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j20si8024952edt.233.2020.09.14.10.45.00; Mon, 14 Sep 2020 10:45:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726187AbgINRoB convert rfc822-to-8bit (ORCPT + 99 others); Mon, 14 Sep 2020 13:44:01 -0400 Received: from lhrrgout.huawei.com ([185.176.76.210]:2812 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726102AbgINMGa (ORCPT ); Mon, 14 Sep 2020 08:06:30 -0400 Received: from lhreml715-chm.china.huawei.com (unknown [172.18.7.107]) by Forcepoint Email with ESMTP id 9D53517D0D1F819FF294; Mon, 14 Sep 2020 13:06:08 +0100 (IST) Received: from fraeml708-chm.china.huawei.com (10.206.15.36) by lhreml715-chm.china.huawei.com (10.201.108.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Mon, 14 Sep 2020 13:05:49 +0100 Received: from lhreml722-chm.china.huawei.com (10.201.108.73) by fraeml708-chm.china.huawei.com (10.206.15.36) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Mon, 14 Sep 2020 14:05:48 +0200 Received: from lhreml722-chm.china.huawei.com ([10.201.108.73]) by lhreml722-chm.china.huawei.com ([10.201.108.73]) with mapi id 15.01.1913.007; Mon, 14 Sep 2020 13:05:48 +0100 From: Krzysztof Struczynski To: Mimi Zohar , James Bottomley , "linux-integrity@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "containers@lists.linux-foundation.org" , "linux-security-module@vger.kernel.org" CC: "stefanb@linux.vnet.ibm.com" , "sunyuqiong1988@gmail.com" , "mkayaalp@cs.binghamton.edu" , "dmitry.kasatkin@gmail.com" , "serge@hallyn.com" , "jmorris@namei.org" , "christian@brauner.io" , Silviu Vlasceanu , Roberto Sassu Subject: RE: [RFC PATCH 00/30] ima: Introduce IMA namespace Thread-Topic: [RFC PATCH 00/30] ima: Introduce IMA namespace Thread-Index: AQHWdXPBkpeRDLdh20+fyp1BiEOjYak9+wmAgASx5lCAEwwJgIASd/FA Date: Mon, 14 Sep 2020 12:05:48 +0000 Message-ID: <2a9fa5a443a84f77992959773369beb2@huawei.com> References: <20200818152037.11869-1-krzysztof.struczynski@huawei.com> <1597767571.3898.15.camel@HansenPartnership.com> <401a2f36149f450291d1742aeb6c2260@huawei.com> <5331e60b5a1afb55e2bc778db1b95998466b687d.camel@linux.ibm.com> In-Reply-To: <5331e60b5a1afb55e2bc778db1b95998466b687d.camel@linux.ibm.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.48.217.147] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > From: Mimi Zohar [mailto:zohar@linux.ibm.com] > Sent: Wednesday, September 2, 2020 8:53 PM > > > So I think this can work in the use case where the system owner is > > > responsible for doing the logging and attestation and the tenants just > > > trust the owner without requiring an attestation. However, in a multi- > > > tenant system you need a way for the attestation to be per-container > > > (because the combined list of who executed what would be a security > > > leak between tenants). Since we can't virtualise the PCRs without > > > introducing a vtpm this is going to require a vtpm infrastructure like > > > that used for virtual machines and then we can do IMA logging per > > > container. > > > > I agree and wonder if we should decouple the attestation trust model, > > which depends on the specific use case (e.g. multi/single tenant, > > public/private cloud), from the IMA logic of linking the measurements to > > the container. Indeed, attestation from within the container might require > > anchoring to a vTPM/vPCR and the current measurement tagging mechanism > can > > support several ways of anchoring them to a (virtual) root of trust. > > > > > I don't think the above has to be in your first patch set, we just have > > > to have an idea of how it could be done to show that nothing in this > > > patch set precludes a follow on from doing this. > > > > Given that virtualizing trust anchors seems like a separate problem in > > which industry consensus is not easy to reach for all use cases, an > > anchoring mechanism should probably be a separate IMA feature. > > Other trust anchors for "trusted keys" has been discussed, but I wasn't > aware of any discussion about other trust anchors for the IMA > measurement list. The IMA measurement list is very much tied to a TPM. > Agreed. I wouldn't consider anything else than the TPM in the IMA measurement list context. The anchoring mechanism mentioned above pertained to the possible extensions of the TPM anchor in the containerized environment, like the vTPM. > Including container measurements in the host measurement list, will > unnecessarily cause the host measurement list to grow. The decision of > what should and shouldn't be included in the host measurement list > shouldn't be defined by the container. > The container has no impact on the measurement list entries other than the ones related to the processes running within the container. This in turn, the same as for the original IMA, is defined by the (container's) policy, loaded on the container's creation. Best regards, Krzysztof > Mimi > >