Re: Spec needed for ima-modsig template

On Mon, 2020-01-06 at 11:01 -0500, Ken Goldman wrote:
> On 1/6/2020 10:50 AM, Mimi Zohar wrote:
> >> I did have a question about the 'd-ng | sig | sig' template.  Is that an
> >> error or could a file be signed with e.g. both RSA-2048 and RSA-3072?
> >>
> >> Etc.  You can see where I'm going - precise rules for an IMA log verifier.
> > The "sig" field is the original IMA signature, stored as an extended
> > attribute.  If/when IMA fs-verity support is added, that signature
> > would require defining new digest and signature field types.  A
> > template with two "sig" fields doesn't make sense.
> 
> We cannot prevent an attacker from creating the custom template 'd-ng | 
> sig | sig', nor can we prevent an attacker from sending such a log to a 
> verifier.  Thus, we have to specify to a verifier what logs are valid 
> and what logs should be rejected and flagged as an attack.

There is only one security.ima extended attribute per file, at least
for the time being until IMA namespacing.  That would imply both "sig"
fields would have to be exactly the same.

Mimi

> 
> I.e., the verifier cannot assume that it will only receive logs that 
> make sense.  A secure parser has to handle any cleverly malformed event log.
> 
> There are 8-9 different possible IMA log fields, and we have to assume 
> the attacker will corrupt any or all of them.
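As an added illustration of the verifier rule being argued over above (written for this page; it is not code from the thread, from the kernel or from any IMA log verifier): a strict template parser that rejects unknown fields and applies the consistency rule to 'd-ng | sig | sig'. The field-name set is an assumption for the example; the sample digest and signature bytes are constructed, not real measurements.

```python
# Added example: a strict template/field validator of the kind the thread
# argues an IMA log verifier needs.  Illustrative code written for this
# page, not the kernel's or any verifier's actual implementation.
from typing import Dict, List, Tuple

# Template field names.  "d-ng" and "sig" appear in the thread; the rest
# are taken from the kernel's IMA template fields, but this set is an
# assumption for the example and is deliberately closed: anything else
# is treated as unknown and rejected rather than ignored.
KNOWN_FIELDS = frozenset({"d", "n", "d-ng", "n-ng", "sig", "buf",
                          "d-modsig", "modsig"})


class InvalidLogError(ValueError):
    """Raised when an event does not meet the rules the verifier enforces."""


def parse_template(template: str) -> List[str]:
    """Split a template description such as 'd-ng|sig' into its field list.

    Rejects empty fields and any field name outside KNOWN_FIELDS so that a
    log carrying an unexpected template cannot be silently accepted.
    """
    fields = [f.strip() for f in template.split("|")]
    if any(not f for f in fields):
        raise InvalidLogError(f"empty field in template {template!r}")
    unknown = [f for f in fields if f not in KNOWN_FIELDS]
    if unknown:
        raise InvalidLogError(
            f"unknown template field(s) {unknown} in {template!r}")
    return fields


def validate_event(template: str, values: List[bytes]) -> Dict[str, bytes]:
    """Check one event's field values against its template.

    Rule from the thread: a file has a single security.ima xattr, so a
    template naming 'sig' twice (e.g. 'd-ng|sig|sig') is only acceptable
    when both values are byte-for-byte identical.  The same check is
    applied here to any repeated field (an assumption extending the
    thread's rule: one file, one digest, one name).
    """
    fields = parse_template(template)
    if len(values) != len(fields):
        raise InvalidLogError(
            f"{len(values)} value(s) for {len(fields)} field(s) in {template!r}")
    seen: Dict[str, bytes] = {}
    for name, value in zip(fields, values):
        if name in seen and seen[name] != value:
            raise InvalidLogError(
                f"field {name!r} repeated with differing values")
        seen[name] = value
    return seen


def check_event(template: str, values: List[bytes]) -> Tuple[bool, str]:
    """Convenience wrapper returning (accepted, reason) instead of raising."""
    try:
        validate_event(template, values)
        return True, "ok"
    except InvalidLogError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample values, not real measurements or signatures.
    digest = b"sha256:" + b"\x11" * 32
    sig_a = b"\x03\x02" + b"\xaa" * 8
    sig_b = b"\x03\x02" + b"\xbb" * 8
    for tmpl, vals in [("d-ng|sig", [digest, sig_a]),
                       ("d-ng|sig|sig", [digest, sig_a, sig_a]),
                       ("d-ng|sig|sig", [digest, sig_a, sig_b]),
                       ("d-ng|bogus", [digest, sig_a])]:
        ok, why = check_event(tmpl, vals)
        print(f"{tmpl:<14} -> {'accept' if ok else 'REJECT'}: {why}")
```

The point of the closed field set and the mismatch checks is the one Ken makes: the parser decides up front what a valid event looks like and flags everything else, instead of assuming the log only contains templates that make sense.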