Re: Allow FUSE filesystems to provide out-of-band hashes to IMA

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Matthew,

On Thu, 2018-10-04 at 13:30 -0700, Matthew Garrett wrote:
> As of d77ccdc644a59b412d8e101576134c90a0aa6797, IMA will trigger a
> rehash of any file on a FUSE filesystem for every measurement. This has
> a significant impact on performance. Individual FUSE filesystems may
> have the ability to identify whether a file needs to be rehashed, and
> some may even have the ability to obtain the file hash out of band
> without needing the kernel to do it. Longer term, this may also be
> usable for other scenarios where a filesystem can provide a trustworthy
> hash (eg, fs-verity on ext4 could provide a hash and then later abort
> any read()s that discover that the file doesn't match the measurement).

Really, a security vs. performance argument?!  I don't need to tell
you of all people, that one of the basic tenents of trusted boot is
calculating the actual file hash before use.  Limiting the file hash
re-calculation is one thing, but relying on some out of band method of
obtaining the file hash without the kernel ever calculating it is
totally different.  The only exception will be for fs-verity, which
will return not the file hash, but the file's Merkle tree root hash.

If you want to introduce support for identifying whether a FUSE file,
on a trusted mount, needs to be rehashed, that's fine.  It should not
be the default behavior.

Mimi





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux