On Mon, Sep 16, 2019 at 5:47 PM Chuck Lever <chuck.lever@xxxxxxxxxx> wrote:
>
> >> My thought was to use an ephemeral Merkle tree for NFS (and
> >> possibly other remote filesystems, like FUSE, until these
> >> filesystems support durable per-file Merkle trees). A tree would
> >> be constructed when the client measures a file, but it would not
> >> be saved to the filesystem. Instead of a hash of the file's contents,
> >> the tree's root signature is stored as the IMA metadata.
> >
> > So the attack you are trying to guard against is that the pages that
> > were evicted once and that are read back could still be integrity
> > verified?
>
> Yes, the idea would be to provide a generic mechanism for constructing
> ephemeral trees such that it can be used for the purpose you describe
> on behalf of file systems besides NFS; e.g. FUSE, or other remote file
> systems such as SMB.

I might be wrong, but handling this properly would be good for the core
IMA as well. Take an example of a memory mapped database file: this file
will have generic write access for a group of processes. Now, if the
attacker can create memory pressure on the host, we might eventually end
up freeing pages from this particular file. Once this happens the
attacker is free to modify the pages on the disk and they will all get
eventually loaded back into the memory without anyone noticing.

Could fs-verity be plugged in as a measurement mechanism in the IMA? So
rather than calling a hash function, call verity to measure and add a new
set of IMA hooks to report violations that arise after execution? IMA
policy logic and functionality would be pretty much unchanged.

--
Janne
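Added illustration (not code from this thread or from IMA/fs-verity) of the point being discussed: a flat file hash cannot re-verify one evicted page on its own, whereas a per-page Merkle tree whose root is the stored measurement can. Assumptions: SHA-256, 4 KiB pages, and duplicate-last-node padding for odd levels.

```python
import hashlib

PAGE_SIZE = 4096  # assumption: 4 KiB pages, as on most Linux page caches

def page_hash(data: bytes) -> bytes:
    # Leaf hash; 0x00 prefix separates leaves from interior nodes.
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(content: bytes, page_size: int = PAGE_SIZE):
    """Levels of the tree: levels[0] = per-page leaf hashes, levels[-1] = [root].
    Built once at measurement time; only the root needs to persist as metadata."""
    pages = [content[i:i + page_size] for i in range(0, len(content), page_size)] or [b""]
    level = [page_hash(p) for p in pages]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]  # pad odd level by duplicating the last node
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def root(levels) -> bytes:
    return levels[-1][0]

def proof(levels, idx: int):
    """Sibling hashes from leaf idx up to the root, with a flag for which side we are on."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        path.append((level[idx ^ 1], bool(idx & 1)))  # (sibling, am_i_right_child)
        idx //= 2
    return path

def verify_page(page: bytes, idx: int, path, expected_root: bytes) -> bool:
    """Check a single re-read page against the stored root without rehashing the file."""
    h = page_hash(page)
    for sibling, am_right in path:
        h = node_hash(sibling, h) if am_right else node_hash(h, sibling)
    return h == expected_root

def check_reread(content: bytes, idx: int, reread_page: bytes) -> bool:
    """Measure `content`, then verify page `idx` as it comes back from disk."""
    levels = build_tree(content)
    return verify_page(reread_page, idx, proof(levels, idx), root(levels))
```

A page altered on disk while evicted fails `verify_page` at the point it is read back, which is exactly the violation the proposed IMA hooks would report.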