Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp226685pxb; Thu, 30 Sep 2021 04:57:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzFGhtcxVJ/wQFRLrsVAIlWQZpxJjNNsfkKYETBvIVCGQzWTGWFDQ+jK78TL2yW9WCtiDWP X-Received: by 2002:a17:906:940c:: with SMTP id q12mr6075933ejx.151.1633003070858; Thu, 30 Sep 2021 04:57:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633003070; cv=none; d=google.com; s=arc-20160816; b=f8vrGlzOHXg16dif25o2jh8u71Oj1EME9pZO58ON7PihH3RaiBwr9iPpn16ZNf+zKs j6S899LrWQ6rkWwlmnreM6uRlBP19lhlDkYRiWmV/w9CyXVX8skrQwJuvh4yNcDEY7jb p57MEWS3S1hDPNBhlRRZLpEc/IwEZwrVi5w98XYn3Md/ijVjZb3HP7eAkWSa2ENiTSOp CkCYI/N9WjwEokw7Ro+5QDIP5TsCC+FAnPqtg8sQ6EFNZYpi0HYgAHVbJCv63bjoCfsG B45YDooKv/Id/lQqwE3exXxA4kkwTS+xspl2vfc55YIdA36ovzgejY8Ov7CdeKE2DewJ R3YA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=tQJTMWe1t2BwJa7w1J0ts4CMr4BYcivn4wEvme+Ca1I=; b=SxNlkdwDb+lPwpBFyo8wV63L/C4eR40PQ1l7B0I3tKYllZ3WaGU/uEnkQgsfk9pZVj f9cd8HWVLApZufn6xq7KmvlBZcK2cR++N5NDUvS6UVAr9emWGnXrS2N4NqwBXTFztTLd 87AejSKisHfFWhOFvVn2GRbJzVz6vJ3C3F6UdiuPprnTNmK4Rjv0W5GvtnoomNF1KCwg BPU7w25kKsuaIc8277xY2/3hRmVSqOcO1I3iAr5xSu8hU+IZo2BF7cPSPjkXp9Xcb4Qa eYTUnFpwohtujyn563BIzqZcu+n2gPlblyQDGv4ZwCRVk9IloATJDamxPscet0zkinKK ++xg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dc16si2984451ejb.287.2021.09.30.04.57.23; Thu, 30 Sep 2021 04:57:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350588AbhI3L5a (ORCPT + 99 others); Thu, 30 Sep 2021 07:57:30 -0400 Received: from frasgout.his.huawei.com ([185.176.79.56]:3894 "EHLO frasgout.his.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1350526AbhI3L53 (ORCPT ); Thu, 30 Sep 2021 07:57:29 -0400 Received: from fraeml714-chm.china.huawei.com (unknown [172.18.147.206]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4HKs7m4b6Pz67Vmm; Thu, 30 Sep 2021 19:53:08 +0800 (CST) Received: from roberto-ThinkStation-P620.huawei.com (10.204.63.22) by fraeml714-chm.china.huawei.com (10.206.15.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.8; Thu, 30 Sep 2021 13:55:44 +0200 From: Roberto Sassu To: , , CC: , , , Roberto Sassu Subject: [RFC][PATCH 0/7] ima: Measure and appraise files with DIGLIM Date: Thu, 30 Sep 2021 13:55:26 +0200 Message-ID: <20210930115533.878169-1-roberto.sassu@huawei.com> X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.204.63.22] X-ClientProxiedBy: lhreml752-chm.china.huawei.com (10.201.108.202) To fraeml714-chm.china.huawei.com (10.206.15.33) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org I'm posting this patch set, although the dependencies are not yet accepted, to provide a more complete picture about DIGLIM and how it can be concretely used. This patch set depends on: - new execution policies in IMA (https://lore.kernel.org/linux-integrity/20210409114313.4073-1-roberto.sassu@huawei.com/) - support for the euid policy keyword for critical data (https://lore.kernel.org/linux-integrity/20210705115650.3373599-1-roberto.sassu@huawei.com/) - DIGLIM basic features (https://lore.kernel.org/linux-integrity/20210914163401.864635-1-roberto.sassu@huawei.com/) - DIGLIM advanced features (https://lore.kernel.org/linux-integrity/20210915163145.1046505-1-roberto.sassu@huawei.com/) The patch sets 'integrity: Introduce DIGLIM' and 'integrity: Introduce DIGLIM advanced features' introduced the possibility to build a repository of reference values for files shipped with Linux distributions. Currently those reference values can be loaded from a file in the compact format, supported by the kernel, or from RPM headers. With future patch sets, which will add support for PGP appended signatures, it will also be possible to appraise untouched RPM headers with IMA. The objective of this patch set is to introduce an alternative method for performing measurements and appraisal with IMA, that overcome some important limitations of the currently supported methods. For example, for measurement, it is very hard to obtain a stable PCR that can be use for sealing of TPM keys or data. For appraisal, Linux distributions vendors have to change their building systems to include file signatures in the packages. The alternative method introduced with this patch set consists in skipping the measurement and/or in granting access, when appraisal is in enforcing mode, if the file or metadata digest has been found in the DIGLIM hash table. A discussion about this approach can be found in the Benefits section at: https://lore.kernel.org/linux-integrity/20210914163401.864635-1-roberto.sassu@huawei.com/ The structure of this patch set is as follows. Patches 1-3 introduce the 'use_diglim' keyword to select the alternative method for measurement and appraisal and two new hardcoded policies to measure and appraise DIGLIM-related files, and to enable usage of DIGLIM for the other selected policy rules. Patches 4-5 query respectively the file and metadata digest in DIGLIM. DIGLIM returns whether the digest lists containing the passed digest have been measured and appraised (requirement to select the alternative method), and whether the file or metadata are immutable. In a future extension, a new modifier will be introduced to tell IMA that the digest belongs to a deny list instead of an allow list, so that IMA can act accordingly. Patches 5-6 introduce the alternative method for measurement and appraisal. If at least one digest list containing the calculated file or metadata digest have been measured, IMA behaves as it performed a measurement. If at least one digest list containing the calculated metadata digest has been appraised, metadata verification is successful (required only when EVM is enabled). If the same condition is verified for the calculated file or metadata digest, file content verification is successful and the file is marked as immutable if the digest lists have the corresponding modifier set in the header. It is important to remark that unless 'use_diglim' is set in the IMA policy, DIGLIM is completely ignored and IMA behaves as before. In addition, even if DIGLIM usage is enabled, other appraisal verification methods with the xattr or the appended signature take precedence. Roberto Sassu (7): integrity: Change type of IMA rule-related flags to u64 ima: Introduce new policy keyword use_diglim ima: Introduce diglim and appraise_diglim policies ima: Query file digest and retrieve info from its digest lists ima: Query metadata digest and retrieve info from its digest lists ima: Skip measurement of files found in DIGLIM hash table ima: Add support for appraisal with digest lists Documentation/ABI/testing/ima_policy | 4 +- .../admin-guide/kernel-parameters.txt | 19 ++- include/linux/evm.h | 14 ++ security/integrity/evm/evm_main.c | 40 +++++ security/integrity/ima/ima.h | 9 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_appraise.c | 37 ++++- security/integrity/ima/ima_main.c | 84 +++++++++- security/integrity/ima/ima_policy.c | 144 +++++++++++++++++- security/integrity/integrity.h | 62 ++++---- 10 files changed, 365 insertions(+), 50 deletions(-) -- 2.32.0