Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1008348pxu; Mon, 23 Nov 2020 09:20:20 -0800 (PST) X-Google-Smtp-Source: ABdhPJyG/rCnXQF6xM5XZji6XFP8oMJwXDKOLWTaWW0V9otynzZ41gM42zfd1sfjzaqbPrTgYL1y X-Received: by 2002:a17:906:1688:: with SMTP id s8mr564079ejd.293.1606152020457; Mon, 23 Nov 2020 09:20:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606152020; cv=none; d=google.com; s=arc-20160816; b=XQYqrQNbQmxSGDvmmOfhCwpBXaiclmNnQReuKfrYQdyb6DWsn2tvlRsvQ7wyKmdvHf 58116UdeID+8dN9z8WICAbZeAb6dhm21PEb4FmM+UYCZd9APi6cV4A7sTGOw6fxYg+dN 97cpxzdBq8P/BZ8nD8EV2pPfSFwxN2W8Jbyqa2VUo9qvsiAgnq87j0DO7o1qL7eMaVXO MMWxjjGftM+qSgCUFAuJu8Cwd5KZlg+IOHh3Ts7i1eIvtJKIb8ghLANuCKLDsUSIudko SWfiNcHRWfQ6Zwul6eq/l7Ok1A9pea6Lldr6p3yhJo9bawj5VN5pUg/C852JYHXZeu6j 852Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=AGzwLr3YgelRxjSLLKnIEMguJDjHmODEGnOuqhaDfaE=; b=eE/KjSa7sG1Ry0IAzcvbqJoZ4dbsrisMi1DoDvJAdzQivv7kZLvDm+18AxDqa3GW2M +yXB/Gawyu2ImhOXR/5/wvmbdDQ/vraXht29lOMKuTNIPc3XIMvDVbwgeGxvzHU+jiPH Uk9D/jhogk5wMgb3a+7Ux2plGiB2jTbvNlOIopkhlGymJEwc9N0MV90fPqoTkkB7UIDw q3DkMLeDLj72AetDUCy7SHWy1f+edotjC2TgV+tNi9y9pm8zGdUeBonXUuYXxVsnbRkq SrU7cMJpXHW/4bW3amIe9Kc1/Q1jl48FLSb7xpigbX2DeQex/2GEf1tpCfV7Lgxi+CCq GwNQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o3si6688728ejn.637.2020.11.23.09.19.56; Mon, 23 Nov 2020 09:20:20 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388512AbgKWRSE (ORCPT + 99 others); Mon, 23 Nov 2020 12:18:04 -0500 Received: from jabberwock.ucw.cz ([46.255.230.98]:55268 "EHLO jabberwock.ucw.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729378AbgKWRSD (ORCPT ); Mon, 23 Nov 2020 12:18:03 -0500 Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id 23EAC1C0B9D; Mon, 23 Nov 2020 18:18:01 +0100 (CET) Date: Mon, 23 Nov 2020 18:18:00 +0100 From: Pavel Machek To: Mimi Zohar Cc: Tushar Sugandhi , stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com, paul@paul-moore.com, tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com Subject: Re: [PATCH v6 0/8] IMA: support for measuring kernel integrity critical data Message-ID: <20201123171800.GA6407@duo.ucw.cz> References: <20201119232611.30114-1-tusharsu@linux.microsoft.com> <20201120124657.GA31468@duo.ucw.cz> <20201122210031.GA26756@amd> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="EeQfGwPcQSOJBaQU" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --EeQfGwPcQSOJBaQU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > > > >How is it supposed to be useful? > > > > > > > >I'm pretty sure there are critical data that are not measured by > > > >proposed module... and that are written under normal circumstances. > > > > > > > The goal of this series is to introduce the IMA hook > > > measure_critical_data() and the necessary policies to use it; and > > > illustrate that use with one example (SELinux). It is not scalable to > > > identify and update all the critical data sources to use the proposed > > > module at once. > > >=20 > > > A piecemeal approach to add more critical data measurement in subsequ= ent > > > patches would be easy to implement and review. > >=20 > > Basically every other data structure in kernel is "critical" by your > > definition, and you can't really measure them all; some of them change > > rather often. Going piecemeal does not really help here. >=20 > Agreed, measuring data structures that change is not really applicable. > However, measuring data structures that once initialized don't change, > does make sense (similar concept to __ro_after_init). The attestation > server doesn't need to know anything about the measurement, other than > more than a single measurement is indicative of a problem. So, why not simply measure everything that is ro_after_init? But... I really fail to see how this is useful. It is trivial to "backdoor" kernel w/o modifying anything that is ro_after_init. (Example: page tables). Pavel --=20 http://www.livejournal.com/~pavelmachek --EeQfGwPcQSOJBaQU Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCX7vuyAAKCRAw5/Bqldv6 8l0NAKCno5uLV1J+u9T4SaYxmY8EkH/yQQCeJ/9tVl7wyA/jWR7tMN6Lj6pfIx8= =FwxO -----END PGP SIGNATURE----- --EeQfGwPcQSOJBaQU--