On Tue, May 14, 2019 at 07:44:42PM +0200, Roberto Sassu wrote: > On 5/14/2019 5:57 PM, Arvind Sankar wrote: > > On Tue, May 14, 2019 at 11:27:04AM -0400, Arvind Sankar wrote: > >> It's also much easier to change/customize it for the end > >> system's requirements rather than setting the process in stone by > >> putting it inside the kernel. > > > > As an example, if you allow unverified external initramfs, it seems to > > me that it can try to play games that wouldn't be prevented by the > > in-kernel code: setup /dev in a weird way to try to trick /init, or more > > easily, replace /init by /bin/sh so you get a shell prompt while only > > the initramfs is loaded. It's easy to imagine that a system would want > > to lock itself down to prevent abuses like this. > > Yes, these issues should be addressed. But the purpose of this patch set > is simply to set xattrs. And existing protection mechanisms can be > improved later when the basic functionality is there. > Yeah but it's much easier to enhance it when it lives in userspace and can be tailored to a particular system's requirements. Eg a lot of the issues will disappear if you don't have to allow for external initramfs at all, so those systems can have a very simple embedded /init that doesn't have to do much. > > > So you might already want an embedded initramfs that can be trusted and > > that can't be overwritten by an external one even outside the > > security.ima stuff. > > The same problems exist also the root filesystem. These should be solved > regardless of the filesystem used, for remote attestation and for local > enforcement. > > -- > HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 > Managing Director: Bo PENG, Jian LI, Yanli SHI
