Received: by 2002:ab2:7b86:0:b0:1f7:5705:b850 with SMTP id q6csp582921lqh; Sat, 4 May 2024 13:13:50 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUYkOYEhis6jRo9aEf4byWaE2xDHpvyt2QN4xojPSQPH3kcADzXQ1cpvjmg8NoOQccidrOMlYYr+39l1yzi/Gb4KTmJcI9d1i089VIe2w== X-Google-Smtp-Source: AGHT+IFT8tKbgLohezu/ghcyPCc+1D7hfJJiIw8EclbaxtsirF4Z2kxjVF14RjEhWj97LQQB7Z3+ X-Received: by 2002:a05:6e02:1c08:b0:369:8f73:ed89 with SMTP id l8-20020a056e021c0800b003698f73ed89mr7799317ilh.2.1714853630652; Sat, 04 May 2024 13:13:50 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714853630; cv=pass; d=google.com; s=arc-20160816; b=DCh6X/qzJFtrRGwH2jLdrYF3bA0hSrYWCFezOtGkS3KZge8cSK0Eqx88L2I9XdrmZx PtofFiRBEwxIesRR9GGbTdbnmuBwnXTy+ZxV5OYJjsLwhM+omD9vqlztNkjR9QgfgdSp z5PODeprWxaZu6SerM3AuXsSRoePvWvPtaSQq3KDpBib+ZSFld9V3speF2RbNvt1qr1Q DBWXlLB1AzNo5fbSuhsaFrM4TdxdcuMR4c0cSSOOiKPqH3S2yhiK5RYXDAwhEmrG+eb4 OxsrBuB4od28Ai+OeYjSjf1XxK42+mwDs0mhnynJPVIIXeU3OAktYlLcnMx5NMwcKZhf VjOg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature :dkim-filter; bh=Xjz+ah6dGJK98fSkhXGcgKoJ+WDVAsQMdYbME8KL/v4=; fh=j1arrgr2dvYKLUF2aiZtZGes46cdiwFoXHU5Kcfo4gQ=; b=FGiYtT/blXKY3O55wXXvnlPP9IiGC45M6xOiCUhx/AOYs1EpDK4S6IQx9PyYO3Qlsf gHgUEfjuD1R9bA7ZA7Yd6wqAGo6DfNCFR/tDR3JU8qNnTMlQZBEnD94UyrREmBr5UtGW k4W6DvXM7y06nuWEFBBjXcc74QEEAHSPnqnzmETylYWjS5LfGdBuKQ8PeZdIEZmNTG1q jmitV/pJWA3MVcXfPE7pwuR4SsYweu/7Wg8oDcTaEhhcsk9+DggECr7tYNcsx892PTZO 4RR2iI67pX549AVQoLqGGEBtThleS2KCs8TU3kPPKqSFnE2rp8+McjG5JYirmv7zZzrF dBYQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=AF7a2jdM; arc=pass (i=1 spf=pass spfdomain=linux.microsoft.com dkim=pass dkdomain=linux.microsoft.com dmarc=pass fromdomain=linux.microsoft.com); spf=pass (google.com: domain of linux-kernel+bounces-168813-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-168813-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id n17-20020a638f11000000b0061d2394ddb3si3420943pgd.616.2024.05.04.13.13.50 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 May 2024 13:13:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-168813-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=AF7a2jdM; arc=pass (i=1 spf=pass spfdomain=linux.microsoft.com dkim=pass dkdomain=linux.microsoft.com dmarc=pass fromdomain=linux.microsoft.com); spf=pass (google.com: domain of linux-kernel+bounces-168813-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-168813-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 0DB57B2145B for ; Sat, 4 May 2024 20:13:41 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 31EC784D23; Sat, 4 May 2024 20:13:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="AF7a2jdM" Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C9FFE7318A; Sat, 4 May 2024 20:13:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=13.77.154.182 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714853604; cv=none; b=XOwf2wIoUOSvjw4wy5YMzkoX3Bkv6CiPFQ11MlfN2N0rZpVq8EbXv8iSKjSS0mLeMYYC8+pSqydZhKgrfN9+PxXesKJSg6t+kyoXr9lpM+jZRSnufsRQIruOc1VCyYUWiTHd5qhbctLotWg+hOsrojJnuYrsrWcuRx0LN6bSwPU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714853604; c=relaxed/simple; bh=fhto2uEYgU4wqeL/mix3cVjrhwG4PTmSdbCpoGKNje0=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=aGo6C4MiNswYbj8bQgBmPxE6KlSX+Ng9hCypm3p8iOl94npK3d/rS+6xVcfHRSbKjjH9MCx/Tpd1Vvl1N5jOfpuXbi46YtXJjh5V9WU+5lMggo5vs5L0GO5IBP5ZYlw5JtTrFMaQ9KiTrGl5SajKGqLXpEnvX0bcjJ2308jkON4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com; spf=pass smtp.mailfrom=linux.microsoft.com; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b=AF7a2jdM; arc=none smtp.client-ip=13.77.154.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.microsoft.com Received: from [10.137.106.151] (unknown [167.220.2.23]) by linux.microsoft.com (Postfix) with ESMTPSA id 79675207DBB5; Sat, 4 May 2024 13:13:16 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 79675207DBB5 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1714853596; bh=Xjz+ah6dGJK98fSkhXGcgKoJ+WDVAsQMdYbME8KL/v4=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=AF7a2jdMT93DQfcuBJJyAee3iRGHkB6sAaFzHW3xa8rmM2fr/yng8b/vuFYOI6r1C mOake8mf6Ya2UDnxaN+IpyWI8rszWLoz+iix+kLcubqMjZSW2GP9OEzG1RuoPbRQBn oVcqMwODzceFEk90N4os+slDEJ+rrCu+IqwzfnOM= Message-ID: Date: Sat, 4 May 2024 13:13:16 -0700 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v18 20/21] Documentation: add ipe documentation To: Bagas Sanjaya , corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, fsverity@lists.linux.dev, linux-block@vger.kernel.org, dm-devel@lists.linux.dev, audit@vger.kernel.org, linux-kernel@vger.kernel.org, Deven Bowers References: <1714775551-22384-1-git-send-email-wufan@linux.microsoft.com> <1714775551-22384-21-git-send-email-wufan@linux.microsoft.com> Content-Language: en-CA From: Fan Wu In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 5/4/2024 1:04 AM, Bagas Sanjaya wrote: > On Fri, May 03, 2024 at 03:32:30PM -0700, Fan Wu wrote: >> +IPE does not mitigate threats arising from malicious but authorized >> +developers (with access to a signing certificate), or compromised >> +developer tools used by them (i.e. return-oriented programming attacks). >> +Additionally, IPE draws hard security boundary between userspace and >> +kernelspace. As a result, IPE does not provide any protections against a >> +kernel level exploit, and a kernel-level exploit can disable or tamper >> +with IPE's protections. > > So how to mitigate kernel-level exploits then? > One possible way is to use hypervisor to protect the kernel integrity. https://github.com/heki-linux is one project on this direction. Perhaps I should also add this link to the doc. >> +Allow only initramfs >> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> ... >> +Allow any signed and validated dm-verity volume and the initramfs >> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> ... > > htmldocs build reports new warnings: > > Documentation/admin-guide/LSM/ipe.rst:694: WARNING: Title underline too short. > > Allow any signed and validated dm-verity volume and the initramfs > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Documentation/admin-guide/LSM/ipe.rst:694: WARNING: Title underline too short. > > Allow any signed and validated dm-verity volume and the initramfs > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Documentation/arch/x86/resctrl.rst:577: WARNING: Title underline too short. > > I have to match these sections underline length: > > ---- >8 ---- > diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst > index 1a3bf1d8aa23f0..a47e14e024a90d 100644 > --- a/Documentation/admin-guide/LSM/ipe.rst > +++ b/Documentation/admin-guide/LSM/ipe.rst > @@ -681,7 +681,7 @@ Allow all > DEFAULT action=ALLOW > > Allow only initramfs > -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > +~~~~~~~~~~~~~~~~~~~~ > > :: > > @@ -691,7 +691,7 @@ Allow only initramfs > op=EXECUTE boot_verified=TRUE action=ALLOW > > Allow any signed and validated dm-verity volume and the initramfs > -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > :: > > @@ -725,7 +725,7 @@ Allow only a specific dm-verity volume > op=EXECUTE dmverity_roothash=sha256:401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=ALLOW > > Allow any fs-verity file with a valid built-in signature > -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > :: > > @@ -735,7 +735,7 @@ Allow any fs-verity file with a valid built-in signature > op=EXECUTE fsverity_signature=TRUE action=ALLOW > > Allow execution of a specific fs-verity file > -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > :: > > >> +Additional Information >> +---------------------- >> + >> +- `Github Repository `_ >> +- Documentation/security/ipe.rst > > Link title to both this admin-side and developer docs can be added for > disambiguation (to avoid confusion on readers): > > ---- >8 ---- > diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst > index a47e14e024a90d..25b17e11559149 100644 > --- a/Documentation/admin-guide/LSM/ipe.rst > +++ b/Documentation/admin-guide/LSM/ipe.rst > @@ -7,7 +7,8 @@ Integrity Policy Enforcement (IPE) > > This is the documentation for admins, system builders, or individuals > attempting to use IPE. If you're looking for more developer-focused > - documentation about IPE please see Documentation/security/ipe.rst > + documentation about IPE please see :doc:`the design docs > + `. > > Overview > -------- > @@ -748,7 +749,7 @@ Additional Information > ---------------------- > > - `Github Repository `_ > -- Documentation/security/ipe.rst > +- :doc:`Developer and design docs for IPE ` > > FAQ > --- > diff --git a/Documentation/security/ipe.rst b/Documentation/security/ipe.rst > index 07e3632241285d..fd1b1a852d2165 100644 > --- a/Documentation/security/ipe.rst > +++ b/Documentation/security/ipe.rst > @@ -7,7 +7,7 @@ Integrity Policy Enforcement (IPE) - Kernel Documentation > > This is documentation targeted at developers, instead of administrators. > If you're looking for documentation on the usage of IPE, please see > - Documentation/admin-guide/LSM/ipe.rst > + `IPE admin guide `_. > > Historical Motivation > --------------------- > > Thanks. > My apologies for these format issues and thanks for the suggestions. I will fix them. -Fan