Received-SPF: pass (google.com: domain of linux-kernel+bounces-85459-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Message-ID: <e6d1314d46dc4befd78bfa33e2cf3d8572a16009.camel@huaweicloud.com>
Subject: Re: [PATCH v3 00/13] security: digest_cache LSM
From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: corbet@lwn.net, paul@paul-moore.com, jmorris@namei.org,
 serge@hallyn.com,  shuah@kernel.org, mcoquelin.stm32@gmail.com,
 alexandre.torgue@foss.st.com,  mic@digikod.net
Cc: linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, 
 linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, 
 bpf@vger.kernel.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, 
 linux-integrity@vger.kernel.org, wufan@linux.microsoft.com,
 pbrobinson@gmail.com,  zbyszek@in.waw.pl, hch@lst.de, mjg59@srcf.ucam.org,
 pmatilai@redhat.com,  jannh@google.com, dhowells@redhat.com,
 jikos@kernel.org, mkoutny@suse.com,  ppavlu@suse.com, petr.vorel@gmail.com,
 petrtesarik@huaweicloud.com, Roberto Sassu <roberto.sassu@huawei.com>
Date: Wed, 28 Feb 2024 18:46:43 +0100
In-Reply-To: <20240209140917.846878-1-roberto.sassu@huaweicloud.com>
References: <20240209140917.846878-1-roberto.sassu@huaweicloud.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.44.4-0ubuntu2 
Precedence: bulk
MIME-Version: 1.0

On Fri, 2024-02-09 at 15:09 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>=20
> Introduce the digest_cache LSM, whose purpose is to deliver reference
> digest values to integrity providers, such as IMA and IPE, abstracting to
> them how those digests where extracted from the respective data source.
>=20
> The major benefit is the ability to use the vaste amount of digests alrea=
dy
> provided (and likely signed) by software vendors, without needing them to
> adapt their format to the one understood by the integrity provider.
>=20
> IMA and IPE can immediately interface with the digest_cache LSM and query
> the digest of an accessed file. If the digest is found, it means that the
> file is coming from the software vendor and not modified. If not, the fil=
e
> might have been corrupted. Each integrity provider decides how to handle
> this situation.
>=20
> The second major benefit is performance improvement. Since the digest_cac=
he
> LSM has the ability to extract many digests from a single data source, it
> means that it has less signatures to verify compared to the approach of
> verifying individual file signatures (IMA appraisal). Preliminary tests
> have shown a speedup of IMA appraisal of about 65% for sequential read, a=
nd
> 45% for parallel read.
>=20
> This patch set has as prerequisites the file_release LSM hook (to be
> introduced with the move of IMA/EVM to the LSM infrastructure), and
> support for PGP keys, which is still unclear how it should be done.
>=20
> The IMA integration patch set will be introduced separately. Also a PoC
> based on the current version of IPE can be provided.

Hi everyone

I still hope to receive some comments on this and on the IMA
integration patch set.

Meanwhile, I built openSUSE Tumbleweed packages with both those patch
sets (with few changes) and the PGP one (with the parser in kernel
space).

I also published the first preliminary version of digest-cache-tools
which contains the tools to manage the digest_cache LSM.

https://github.com/linux-integrity/digest-cache-tools


The README should give a pretty good idea on how to configure the
digest_cache LSM correctly, to do IMA measurement (with predictable
PCR) and IMA appraisal.

That basically requires to install only the kernel and the digest-
cache-tools packages (plus dracut, to enable IMA measurement/appraisal
from the initial ram disk).

Other than that, openSUSE Tumbleweed with these three packages (and no
other modifications, even in the build infrastructure) is basically
offering the integrity features that IMA supports.

Roberto

> v2:
> - Include the TLV parser in this patch set (from user asymmetric keys and
>   signatures)
> - Move from IMA and make an independent LSM
> - Remove IMA-specific stuff from this patch set
> - Add per algorithm hash table
> - Expect all digest lists to be in the same directory and allow changing
>   the default directory
> - Support digest lookup on directories, when there is no
>   security.digest_list xattr
> - Add seq num to digest list file name, to impose ordering on directory
>   iteration
> - Add a new data type DIGEST_LIST_ENTRY_DATA for the nested data in the
>   tlv digest list format
> - Add the concept of verification data attached to digest caches
> - Add the reset mechanism to track changes on digest lists and directory
>   containing the digest lists
> - Add kernel selftests
>=20
> v1:
> - Add documentation in Documentation/security/integrity-digest-cache.rst
> - Pass the mask of IMA actions to digest_cache_alloc()
> - Add a reference count to the digest cache
> - Remove the path parameter from digest_cache_get(), and rely on the
>   reference count to avoid the digest cache disappearing while being used
> - Rename the dentry_to_check parameter of digest_cache_get() to dentry
> - Rename digest_cache_get() to digest_cache_new() and add
>   digest_cache_get() to set the digest cache in the iint of the inode for
>   which the digest cache was requested
> - Add dig_owner and dig_user to the iint, to distinguish from which inode
>   the digest cache was created from, and which is using it; consequently =
it
>   makes the digest cache usable to measure/appraise other digest caches
>   (support not yet enabled)
> - Add dig_owner_mutex and dig_user_mutex to serialize accesses to dig_own=
er
>   and dig_user until they are initialized
> - Enforce strong synchronization and make the contenders wait until
>   dig_owner and dig_user are assigned to the iint the first time
> - Move checking IMA actions on the digest list earlier, and fail if no
>   action were performed (digest cache not usable)
> - Remove digest_cache_put(), not needed anymore with the introduction of
>   the reference count
> - Fail immediately in digest_cache_lookup() if the digest algorithm is
>   not set in the digest cache
> - Use 64 bit mask for IMA actions on the digest list instead of 8 bit
> - Return NULL in the inline version of digest_cache_get()
> - Use list_add_tail() instead of list_add() in the iterator
> - Copy the digest list path to a separate buffer in digest_cache_iter_dir=
()
> - Use digest list parsers verified with Frama-C
> - Explicitly disable (for now) the possibility in the IMA policy to use t=
he
>   digest cache to measure/appraise other digest lists
> - Replace exit(<value>) with return <value> in manage_digest_lists.c
>=20
> Roberto Sassu (13):
>   lib: Add TLV parser
>   security: Introduce the digest_cache LSM
>   digest_cache: Add securityfs interface
>   digest_cache: Add hash tables and operations
>   digest_cache: Populate the digest cache from a digest list
>   digest_cache: Parse tlv digest lists
>   digest_cache: Parse rpm digest lists
>   digest_cache: Add management of verification data
>   digest_cache: Add support for directories
>   digest cache: Prefetch digest lists if requested
>   digest_cache: Reset digest cache on file/directory change
>   selftests/digest_cache: Add selftests for digest_cache LSM
>   docs: Add documentation of the digest_cache LSM
>=20
>  Documentation/security/digest_cache.rst       | 900 ++++++++++++++++++
>  Documentation/security/index.rst              |   1 +
>  MAINTAINERS                                   |  16 +
>  include/linux/digest_cache.h                  |  89 ++
>  include/linux/kernel_read_file.h              |   1 +
>  include/linux/tlv_parser.h                    |  28 +
>  include/uapi/linux/lsm.h                      |   1 +
>  include/uapi/linux/tlv_digest_list.h          |  72 ++
>  include/uapi/linux/tlv_parser.h               |  59 ++
>  include/uapi/linux/xattr.h                    |   6 +
>  lib/Kconfig                                   |   3 +
>  lib/Makefile                                  |   3 +
>  lib/tlv_parser.c                              | 214 +++++
>  lib/tlv_parser.h                              |  17 +
>  security/Kconfig                              |  11 +-
>  security/Makefile                             |   1 +
>  security/digest_cache/Kconfig                 |  34 +
>  security/digest_cache/Makefile                |  11 +
>  security/digest_cache/dir.c                   | 245 +++++
>  security/digest_cache/htable.c                | 268 ++++++
>  security/digest_cache/internal.h              | 259 +++++
>  security/digest_cache/main.c                  | 545 +++++++++++
>  security/digest_cache/modsig.c                |  66 ++
>  security/digest_cache/parsers/parsers.h       |  15 +
>  security/digest_cache/parsers/rpm.c           | 223 +++++
>  security/digest_cache/parsers/tlv.c           | 299 ++++++
>  security/digest_cache/populate.c              | 163 ++++
>  security/digest_cache/reset.c                 | 168 ++++
>  security/digest_cache/secfs.c                 |  87 ++
>  security/digest_cache/verif.c                 | 119 +++
>  security/security.c                           |   3 +-
>  tools/testing/selftests/Makefile              |   1 +
>  .../testing/selftests/digest_cache/.gitignore |   3 +
>  tools/testing/selftests/digest_cache/Makefile |  23 +
>  .../testing/selftests/digest_cache/all_test.c | 706 ++++++++++++++
>  tools/testing/selftests/digest_cache/common.c |  79 ++
>  tools/testing/selftests/digest_cache/common.h | 131 +++
>  .../selftests/digest_cache/common_user.c      |  47 +
>  .../selftests/digest_cache/common_user.h      |  17 +
>  tools/testing/selftests/digest_cache/config   |   1 +
>  .../selftests/digest_cache/generators.c       | 248 +++++
>  .../selftests/digest_cache/generators.h       |  19 +
>  .../selftests/digest_cache/testmod/Makefile   |  16 +
>  .../selftests/digest_cache/testmod/kern.c     | 499 ++++++++++
>  .../selftests/lsm/lsm_list_modules_test.c     |   3 +
>  45 files changed, 5714 insertions(+), 6 deletions(-)
>  create mode 100644 Documentation/security/digest_cache.rst
>  create mode 100644 include/linux/digest_cache.h
>  create mode 100644 include/linux/tlv_parser.h
>  create mode 100644 include/uapi/linux/tlv_digest_list.h
>  create mode 100644 include/uapi/linux/tlv_parser.h
>  create mode 100644 lib/tlv_parser.c
>  create mode 100644 lib/tlv_parser.h
>  create mode 100644 security/digest_cache/Kconfig
>  create mode 100644 security/digest_cache/Makefile
>  create mode 100644 security/digest_cache/dir.c
>  create mode 100644 security/digest_cache/htable.c
>  create mode 100644 security/digest_cache/internal.h
>  create mode 100644 security/digest_cache/main.c
>  create mode 100644 security/digest_cache/modsig.c
>  create mode 100644 security/digest_cache/parsers/parsers.h
>  create mode 100644 security/digest_cache/parsers/rpm.c
>  create mode 100644 security/digest_cache/parsers/tlv.c
>  create mode 100644 security/digest_cache/populate.c
>  create mode 100644 security/digest_cache/reset.c
>  create mode 100644 security/digest_cache/secfs.c
>  create mode 100644 security/digest_cache/verif.c
>  create mode 100644 tools/testing/selftests/digest_cache/.gitignore
>  create mode 100644 tools/testing/selftests/digest_cache/Makefile
>  create mode 100644 tools/testing/selftests/digest_cache/all_test.c
>  create mode 100644 tools/testing/selftests/digest_cache/common.c
>  create mode 100644 tools/testing/selftests/digest_cache/common.h
>  create mode 100644 tools/testing/selftests/digest_cache/common_user.c
>  create mode 100644 tools/testing/selftests/digest_cache/common_user.h
>  create mode 100644 tools/testing/selftests/digest_cache/config
>  create mode 100644 tools/testing/selftests/digest_cache/generators.c
>  create mode 100644 tools/testing/selftests/digest_cache/generators.h
>  create mode 100644 tools/testing/selftests/digest_cache/testmod/Makefile
>  create mode 100644 tools/testing/selftests/digest_cache/testmod/kern.c
>=20