On Thu, 2019-04-04 at 18:50 -0700, Matthew Garrett wrote:
> On Thu, Apr 4, 2019 at 3:35 PM James Bottomley
> <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > Redundant information is always possible, but it can become
> > inconsistent and, because the hashes can't be derived from each
> > other, it's hard to tell if it is inconsistent without redoing the
> > whole hash with each method.
>
> Part of the problem here is that IMA is effectively used for two
> related but different purposes - measurement and appraisal. You
> generally want measurements to be comparable across filesystems,
> whereas appraisal doesn't need to be.

Sure, but I think the only requirement for measurement is knowing how
to reproduce them. As long as you know the algorithm the filesystem is
using ... i.e. it's recorded in the IMA log, you should be able to
verify them.

> So if we don't have comparable measurements, there's less benefit in
> performing measurement (we have no real idea what the expected
> measurements would be in advance).

As long as the algorithm used for the measurement is recorded, I don't
think there's a problem. The IMA log currently records the hash
algorithm and the actual hash, so if we take shaX to be a flat hash, we
could use shaX-merkle for fs-verity and everything would work.

> That's less important for appraisal, but arguably we don't care about
> appraisal of stuff on fs-verity backed filesystems to begin with
> because we can just attest that they're legitimate?

I think Ted mentioned they did like to sign the merkle tree to prove
the apk being installed was legitimate, so I think both measurement and
appraisal are relevant.

> > I was more wondering what, if any, problems would follow if we did
> > let the filesystem choose the hash method and simply used the top
> > merkle hash in place of the usual IMA hash?
>
> We could definitely just pass it through as a separate hash type, and
> my initial thinking was that fs-verity might be a reasonable use case
> for that, but I'm not sure that it buys us much in the IMA case.

Unifying the interfaces for measurement and appraisal sounds like a
desirable thing. IMA has just been debating measurement on mmap and
the per-page hashes of fs-verity seem to be tailor made for this.

Note: I'm not insisting on this, you just asked for other feedback and I
think it's a useful discussion.

James
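An added illustration of the point made in this message (not code from the thread, IMA, or fs-verity): a verifier that reads the algorithm tag recorded in an ima-ng style log line and recomputes the measurement with whichever method that tag names, so a flat `sha256` entry and a hypothetical `sha256-merkle` entry are both checkable from the same log. The file table, the `-merkle` tag and the simplified page-block Merkle tree are constructed assumptions, not fs-verity's real on-disk tree or descriptor hash.

```python
import hashlib

# Constructed sample files, not from the thread: what the log lines below name.
FILES = {
    "/usr/bin/flat-tool": b"#!/bin/sh\necho flat\n",
    "/data/app/base.apk": b"A" * 5000 + b"B" * 3000,
}
BLOCK_SIZE = 4096          # page-sized leaves, as in the mmap measurement discussion
TEMPLATE_HASH = "0" * 40   # placeholder template hash; not checked by this toy

def flat_hash(data: bytes, algo: str) -> str:
    """The whole-file hash IMA records today under a bare 'shaX' tag."""
    return hashlib.new(algo, data).hexdigest()

def merkle_root(data: bytes, algo: str, block_size: int = BLOCK_SIZE) -> str:
    """Root of a simplified Merkle tree over page-sized blocks (assumption:
    a toy tree, not fs-verity's exact layout or descriptor hash)."""
    leaves = [hashlib.new(algo, data[i:i + block_size]).digest()
              for i in range(0, max(len(data), 1), block_size)]
    while len(leaves) > 1:
        if len(leaves) % 2:
            leaves.append(leaves[-1])  # duplicate the odd tail node
        leaves = [hashlib.new(algo, leaves[i] + leaves[i + 1]).digest()
                  for i in range(0, len(leaves), 2)]
    return leaves[0].hex()

def expected_hash(algo_tag: str, data: bytes) -> str:
    """Dispatch on the recorded tag: 'sha256' is flat, 'sha256-merkle' is the
    hypothetical fs-verity style tag the thread calls shaX-merkle."""
    if algo_tag.endswith("-merkle"):
        return merkle_root(data, algo_tag[: -len("-merkle")])
    return flat_hash(data, algo_tag)

def make_entry(path: str, algo_tag: str) -> str:
    """Build an ima-ng style line: '<pcr> <template-hash> ima-ng <tag>:<hex> <path>'."""
    digest = expected_hash(algo_tag, FILES[path])
    return f"10 {TEMPLATE_HASH} ima-ng {algo_tag}:{digest} {path}"

def verify_entry(entry: str) -> bool:
    """Recompute the file hash with whichever algorithm the entry names."""
    fields = entry.split(" ", 4)
    if len(fields) != 5 or fields[2] != "ima-ng" or fields[4] not in FILES:
        return False
    algo_tag, _, digest = fields[3].partition(":")
    try:
        return expected_hash(algo_tag, FILES[fields[4]]) == digest
    except ValueError:  # hashlib rejects an unknown algorithm name
        return False
```

A mismatched tag (a flat digest recorded under the `-merkle` tag, or vice versa) fails verification, which is exactly the inconsistency the thread worries about when the method is not recorded alongside the hash.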