Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp2750764pxb; Mon, 31 Jan 2022 03:35:04 -0800 (PST) X-Google-Smtp-Source: ABdhPJwWeQUyOS7+QY7oHMaRyGNIXZgWn7DDej2UxVlHK2c9XjrbXhomRmWg2hicvgn697OxeklL X-Received: by 2002:a17:90a:f3d5:: with SMTP id ha21mr10797108pjb.175.1643628904630; Mon, 31 Jan 2022 03:35:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643628904; cv=none; d=google.com; s=arc-20160816; b=XblN2eG+wisEbrL50GOs8oQob2WCWTnEUlfcOZipnPbCKzJLAFUKKw2A9b+f1WA7KO OXFtgTMkXA5ttc9seK3iM+g+e2bd2Xpn74oQCtWqLW1kdHDKXM5gYVF+awgjN30GbLPY 0NtJUoJTJLUb6NFGnhgT2dFATz+MCxzqiU0kEvXQsSrC9q8Iq0U2q14SuQDfj1XMkL5l finV6NjBiasuEG9IosliaYN3g37Va6J1rFd+Jb08PJNJCFyiNVwzY5qLg/fJ3UN7iCks 85kI++oH4g99TrLQqp9HTDpo8cdmO/XO0P49MatOYxnMM10RnVsyI5porweIPz2bDgkj wmSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=KPIn8FGYx7DQTNsvWccwh4hAfCNYpkngLJahWaKAOIs=; b=xZ0/qADb8PNY7nAD3cdoATyn+elIvi80yEfzSUdPNcqU35RbJsuUhaJf22iHecRZBX 3A1Sf0/jsoodIK0uAf8ngBdNEvj9eHVszT1WM9QAi2UEl54F9Aw1YBX2Q5j/MderCz1g ufd5e6tUxWBsNA6jH0ttXgIW+5JRK8QY/yno7fdjmh2Y7RJ6HHdnXsEsMtfGwxW4BVVR ynv7s6ZRlUcxWcRC7A+s0JVcHCgAvu3WxqQBtQifctfmc4bJcveYWyfBW7fYtTZB0K6h 1PWyfc6FRaIXAtAvoc4ICEkMiEt62S2NalID+Co/KmzYu04jABZtH1P0EdyctTmSUUY9 Al3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=ly2c+WcC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u62si13390013pgd.508.2022.01.31.03.34.53; Mon, 31 Jan 2022 03:35:04 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=ly2c+WcC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241054AbiA1UZ6 (ORCPT + 99 others); Fri, 28 Jan 2022 15:25:58 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:58708 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232469AbiA1UZ4 (ORCPT ); Fri, 28 Jan 2022 15:25:56 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 7FAD0B825E4; Fri, 28 Jan 2022 20:25:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1D38DC340E7; Fri, 28 Jan 2022 20:25:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1643401554; bh=Ph1OyR1ecXlZ+Bdc35dZNoDYirpUuMYM5Ao7nVsb3XM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=ly2c+WcC64vuUxS2yM7Ja9KzeZG3/gUJ1Me66weZMQ9tFKcHzxHs7/lLFpT77b8do Ir05XW4W+FHR3B1mQY7Gd8MxBksc1AJAX+tvMO4CasGVPWPXsY5GWvzZ2ilV5abDN/ iuuNU3qDhYhTQhPH3AxCcGFSF3qNyNSGQe2Rk2PiRzvxmTeVzSEUCBVoZNtAYF/wGW qG2q0AJWQJgSZbZA3ohuhCyltyY/t9lzl13gDj300WdUwZLDNW7ByoQi88vLJHCbrO qUjnD+wlaAR4+lSUktSgQ7tAwfdPOqjJODrv0cW+KT9AFqOsPy/25wtcl6nF9Fu1z1 qaH2bknZ/h+8g== Date: Fri, 28 Jan 2022 12:25:52 -0800 From: Eric Biggers To: Roberto Sassu Cc: "linux-integrity@vger.kernel.org" , "zohar@linux.ibm.com" , "stefanb@linux.ibm.com" , "linux-fscrypt@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: Re: [RFC][PATCH v3a 00/11] ima: support fs-verity digests and signatures (alternative) Message-ID: References: <20220127184614.2837938-1-roberto.sassu@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 28, 2022 at 09:05:01AM +0000, Roberto Sassu wrote: > > From: Eric Biggers [mailto:ebiggers@kernel.org] > > Sent: Thursday, January 27, 2022 8:40 PM > > On Thu, Jan 27, 2022 at 11:35:12AM -0800, Eric Biggers wrote: > > > On Thu, Jan 27, 2022 at 07:46:09PM +0100, Roberto Sassu wrote: > > > > I wanted to propose a different approach for handling fsverity digests and > > > > signatures, compared to: > > > > > > > > https://lore.kernel.org/linux-integrity/20220126000658.138345-1- > > zohar@linux.ibm.com/ > > > > > > > > In the original proposal, a new signature version has been introduced (v3) > > > > to allow the possibility of signing the digest of a more flexible data > > > > structure, ima_file_id, which could also include the fsverity file digest. > > > > > > > > While the new signature type would be sufficient to handle fsverity file > > > > digests, the problem is that its format would not be compatible with the > > > > signature format supported by the built-in verification module in fsverity. > > > > The rpm package manager already has an extension to include fsverity > > > > signatures, with the existing format, in the RPM header. > > > > > > > > Given that the fsverity signature is in the PKCS#7 format, IMA has already > > > > the capability of handling it with the existing code, more specifically the > > > > modsig code. It would be sufficient to provide to modsig the correct data > > > > to avoid introducing a new signature format. > > > > > > I think it would be best to get people moved off of the fs-verity built-in > > > signatures, rather than further extend the use of it. PKCS#7 is a pretty > > > terrible signature format. The IMA one is better, though it's unfortunate that > > > IMA still relies on X.509 for keys. > > > > Note, the only reason that support for fs-verity built-in signatures was added > > to RPM is that people didn't want to use IMA: > > https://lore.kernel.org/linux-fscrypt/b49b4367-51e7-f62a-6209- > > b46a6880824b@gmail.com > > > > If people are going to use IMA anyway, then there would be no point. > > Hi Eric > > I thought that the solution I came with could satisfy multiple needs. > > For people that don't want to use IMA, they could still continue > to use the existing signature format, and wait for an LSM that > satisfy their needs. They also have the option to migrate to the > new signature format you are defining. But will those people be > willing to switch to something IMA-specific? > > For people that use IMA, they could benefit from the effort > of people creating packages with the original fsverity signature. > > For people that are skeptical about IMA, they could be interested > in trying the full solution, which would probably be more easily > available if the efforts from both sides converge. > > If, as you say, you have concerns about the existing signature > format, wouldn't it be better that you address them from the > fsverity side, so that all users of fsverity can benefit from it? > > Currently, fsverity hashes the formatted digest whose format > is FSVerity. Couldn't IMA > hash the same data as well? > > An idea could be to always sign the formatted digest, and have > a selector for the signature format: IMA, PKCS#7 or PGP. Adding support for the new IMA signature format to fsverity_verify_signature() *might* make sense. (When I added this code, my understanding was that it was just verifying signatures the way the kernel usually verifies signatures. I don't think I realized there was a more direct, PKCS#7-less way to do it and that IMA used that way.) However, it would be better to use this as an opportunity to move people off of the built-in signatures entirely, either by switching to a full userspace solution or by switching to IMA. Part of the problem with IMA is that no one wants to use it because it has terrible documentation. It sounds like it's really complicated, and tied to specific TCG standards and to TPMs. I think if it was documented better, people would find it more attractive and wouldn't be trying to avoid it at all costs. - Eric