Without this patch set, to attest the clients one needs to maintain
an "allowed list" of file hashes of all versions of all client binaries
that are deployed on the clients in the enterprise. That is a huge
operational challenge in a large scale environment of clients with
heterogenous builds. This also limits scalability and agility of
rolling out frequent client binary updates.
The purpose of the ima-sig template, which includes the file signature
and header containing the keyid, is to avoid needing to maintain a
white list as you described.
If the service were to validate the signature in the ima-sig template,
it needs to have the hash of the file. Using the keyid in ima-sig pick
the key, calculate the signed hash and compare it with the signed hash
in the ima-sig template. Correct?
Or, it has to maintain the signed hash of the file and compare it with
the signed hash in the ima-sig template.
In both the cases, the service needs to have the hash or signed hash for
all the client files (for all versions of that file). This the
maintenance overhead we are trying to avoid.
The concern isn't on the client side, but the server side. Once the
ability of including measurements of keys on the builtin and/or
secondary keyrings on the client side exists, the attestation servers
can start requiring it. Providing a means of disabling it on the
client side doesn't address this problem.
But, wouldn't this problem exist for any new measure we add on the
client side? Why is it particularly an issue for measuring trusted keys?
No, there is no need for maintaining a binary hash white list. The
attestation server requires a set of trusted keys used to sign
software.
The only reason for measuring the keys on the builtin and/or secondary
keyrings is to prevent system owners from signing and running
applications on their own systems.
Since you obviously disagree, I'd really like to hear other people's thoughts.
Actually I am agreeing with you - the reason we want to measure the keys
in the trusted keyring is to ensure that the system binaries running on
the client are signed by trusted keys only. Please see below:
We let IMA verify the integrity of the system files on the client using
IMA key(s). The IMA key(s) are themselves signed by "Trusted Key(s)" -
unsigned IMA key or IMA key signed by keys not in the trusted keyring
are not even allowed to be added to the IMA keyring.
And, on the server we validate the "Trusted Keyring" contains only
known\trusted keys.
Through the above process - the server does not need to know the signed
file hash. It only needs to keep a list of trusted keys and verify if
the keys reported by the client is in that trusted keys set.
Please let me know if that answers your questions.
Thanks,
-lakshmi
