Re: [PATCH 1/3] VFS: Add a call to obtain a file's hash

On Thu, 2018-10-11 at 11:24 -0700, Matthew Garrett wrote:
> On Thu, Oct 11, 2018 at 11:21 AM Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
> >
> > On Thu, Oct 11, 2018 at 8:22 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > >
> > > This patch description starts out saying that IMA needs the file hash
> > > without explaining why.  Without that explanation, simply extracting
> > > the file hash included in the file signature might sound plausible,
> > > but kind of defeats the purpose of IMA.
> >
> > I'm not sure how it defeats the purpose - IMA wants to know the hash
> > of a file so it can either log it or compare it against a signature,
> > and it currently obtains this hash by reading the entire file at
> > measurement time. If the filesystem later returns different data then
> > IMA won't notice, which allows a malicious filesystem to bypass the
> > measurements - there's no guarantee that we won't evict large parts of
> > the copy of an executable that IMA read, and the filesystem can give
> > us back a modified page when we page it back in. So IMA fundamentally
> > relies on the filesystem to be trustworthy, and if we rely on the
> > filesystem to be trustworthy then we should be able to rely on it to
> > accurately store and provide the hash of a file.
> 
> Oh, to clarify on the signature part of things - it would obviously be
> inappropriate to, say, just read the hash out of security.ima and hand
> that back.

Right, reading it either directly or extracted from the file signature
stored in security.ima.

> But for a hypothetical case where the filesystem itself
> verifies the signature, then the filesystem would abort the
> transaction if the signature didn't match and it seems reasonable to
> avoid doing the validation twice (once up front and then again on
> every read)

Right, this is a hypothetical scenario as far as I'm aware, since none
of the filesystems are currently calculating and storing the file
hash.  The default should be for IMA to re-calculate the file hash.

Mimi
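The two cases discussed in this exchange (a whole-file hash taken once at measurement time, versus the filesystem checking each page as it is read) can be modelled directly. The Python below is an added illustration, not code from this patch series or from IMA; the `Filesystem` and `SwappingFilesystem` classes, the per-page reference hashes and the three-page sample file are all constructed for the example. It shows why an up-front measurement alone cannot notice a page that comes back changed after eviction, and why a check on every read can.

```python
import hashlib

PAGE_SIZE = 4096


class Filesystem:
    """Constructed toy filesystem that serves a file one page at a time."""

    def __init__(self, data):
        self.pages = [data[i:i + PAGE_SIZE] for i in range(0, len(data), PAGE_SIZE)]

    def page_count(self):
        return len(self.pages)

    def read_page(self, idx):
        return self.pages[idx]


class SwappingFilesystem(Filesystem):
    """Models the scenario in the thread: the first read of every page is
    honest (that is what the measurement sees); once the chosen page has been
    read and evicted, a later page-in of it returns different bytes."""

    def __init__(self, data, swap_idx, swap_page):
        super().__init__(data)
        self.swap_idx = swap_idx
        self.swap_page = swap_page
        self.reads = [0] * self.page_count()

    def read_page(self, idx):
        self.reads[idx] += 1
        if idx == self.swap_idx and self.reads[idx] > 1:
            return self.swap_page
        return self.pages[idx]


def measure_whole_file(fs):
    """Up-front measurement: hash the entire file once, the way IMA reads it."""
    h = hashlib.sha256()
    for i in range(fs.page_count()):
        h.update(fs.read_page(i))
    return h.hexdigest()


def page_in_all(fs):
    """Model the loader faulting every page in after measurement; the result
    is the content that actually runs."""
    return b"".join(fs.read_page(i) for i in range(fs.page_count()))


def page_hashes(data):
    """Reference per-page hashes; assumed here to come from a trusted source."""
    return [hashlib.sha256(data[i:i + PAGE_SIZE]).hexdigest()
            for i in range(0, len(data), PAGE_SIZE)]


def page_in_with_check(fs, expected):
    """Validation on every read: each page faulted in is compared against its
    expected hash. Returns (content, indices of pages that failed)."""
    content, failed = [], []
    for i in range(fs.page_count()):
        page = fs.read_page(i)
        if hashlib.sha256(page).hexdigest() != expected[i]:
            failed.append(i)
        content.append(page)
    return b"".join(content), failed


# Constructed sample executable: three pages of filler, plus the page the
# malicious filesystem substitutes on page-in.
GOOD = b"A" * PAGE_SIZE + b"B" * PAGE_SIZE + b"C" * PAGE_SIZE
SWAPPED_PAGE = b"X" * PAGE_SIZE
GOOD_HASH = hashlib.sha256(GOOD).hexdigest()


def demo():
    """Run both strategies against an honest and a page-swapping filesystem."""
    honest = Filesystem(GOOD)
    assert measure_whole_file(honest) == GOOD_HASH
    assert page_in_all(honest) == GOOD

    # Up-front measurement only: the log entry matches the good hash, but the
    # bytes that actually run do not, and nothing flags it.
    malicious = SwappingFilesystem(GOOD, swap_idx=1, swap_page=SWAPPED_PAGE)
    logged = measure_whole_file(malicious)
    ran = page_in_all(malicious)

    # Same measurement, then per-read checks on a fresh instance (read counts
    # start at zero again): the swapped page is caught as it is faulted in.
    malicious2 = SwappingFilesystem(GOOD, swap_idx=1, swap_page=SWAPPED_PAGE)
    measure_whole_file(malicious2)
    _, failed = page_in_with_check(malicious2, page_hashes(GOOD))

    return {
        "logged_matches_good": logged == GOOD_HASH,
        "ran_matches_good": ran == GOOD,
        "undetected_by_upfront": logged == GOOD_HASH and ran != GOOD,
        "caught_per_read": failed,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is the one Matthew raises: a single up-front hash records what the filesystem showed at measurement time, so the measurement log stays clean even though page 1 was replaced before it was executed. Checking against a stored reference on every read is what notices the substitution, which is why it matters who computes and stores that reference and whether the filesystem doing so can be trusted.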



