Hi Thore,
Replying to a few questions which were not already answered by me/Alasdair.
On 7/27/21 3:18 AM, Thore Sommer wrote:
There is no way to verify if the root hash was verified against a signature. We
have "root_hash_sig_key_desc SIGNATURE_DESCRIPTION" in the dm table.
"SIGNATURE_DESCRIPTION" itself is not really useful because it seems that we
cannot map it back to the certificate that was used for verification but the
presence of "root_hash_sig_key_desc" might be enough in combination with
measuring the keyring.
Thanks for the suggestion Thore.
I can update the verity_status() to measure if v->signature_key_desc is
set.
Something like:
DMEMIT("signature_key_desc_present=%c,", v->signature_key_desc ? 'y' :
'n');
Alasdair, Mike,
Can you tell if this is needed and/or sufficient?
If it is needed, should we log the full string v->signature_key_desc?
I am concerned about logging the full string as it is an unbounded
buffer (a char*) coming from UM. And at the same time, not sure if just
logging the presence is sufficient. Thoughts?
Thore,
Please note – even if we measure signature_key_desc (full string or just
its presence): in order to use it with the keyrings, the IMA policy also
needs to be set to measure key rings (using “measure func=KEY_CHECK
...”). It is independent from measuring the device mapper data (which is
measured when the policy is set to “measure func=CRITICAL_DATA
label=device-mapper ...”).
Therefore measuring keyrings together (i.e. in the same IMA log) with DM
data is not always guaranteed, since it is dictated by how the IMA
policy is configured.
Just FYI.
For remote attestation services it would be nice if we have clear indicator from
what component the "ima-buf" entry was generated. Prefixing all "n-ng" field
entries with something like "dm_" would make it easier for us to add different
validators for different measurements that use the "ima-buf" template. The
keyring measurements already use "ima-buf" and using some kind of naming scheme
to easily differentiate the entries would be nice.
The event names typically come from kernel components that are doing the
measurement of critical data. So any duplicates should be caught in the
upstream review of the kernel patch.
But thanks for the suggestion. I will prefix the event names in this
patch series with “dm_” to indicate they are related to device mapper.
Thanks,
Tushar
Regards,
Thore
--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/dm-devel