Support for including fs-verity file digests and signatures in the IMA measurement list as well as verifying the fs-verity file digest based signatures, both based on IMA policy rules, was discussed prior to fs-verity being upstreamed[1,2]. Support for including fs-verity file digests in the 'd-ng' template field is based on a new policy rule option named 'digest_type=verity'. A new template field named 'd-type' as well as a new template named 'ima-ngv2' are defined to differentiate between the regular IMA file hashes from the fs-verity file digests (tree-hash based file hashes) stored in the 'd-ng' template field. Support for verifying fs-verity based file signatures stored in the 'security.ima' xattr is similarly based on the policy rule option 'digest_type=verity'. To differentiate IMA from fs-verity file signatures a new xattr_type named IMA_VERITY_DIGSIG is defined. Signature version 3, which is a hash of the ima_file_id struct, disambiguates the signatures stored as 'security.ima' xattr. fs-verity only supports the new signature format (version 3). To prevent abuse of the different signature formats, policy rules must be limited to a specific signature version. [1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf [2] Documentation/filesystems/fsverity.rst Changelog v4: - Based on Eric Bigger's signature verification concerns of replacing the contents of a file with the ima_file_id struct hash, require per policy rule signature versions. - Addressed Eric Bigger's other comments. - Added new audit messages "causes". - Updated patch descriptions. Changelog v3: - Addressed Eric Bigger's comments: included Ack, incremented the signature format version, the crypto issues are generic and will be addressed by him separately. - Addressed Vitaly Chikunov's comments: hard coded maximum digest size rather than using a flexible array, removed unnecessary assignment, and fixed comment to match variable name. - Defined new "ima_max_digest_size" struct to avoid wrapping the "ima_digest_data" struct inside a function local structure or having to dynamically allocate it with enough memory for the specific hash algo size. Changelog v2: - Addressed Eric Bigger's comments: sign the hash of fsverity's digest and the digest's metadata, use match_string, use preferred function name fsverity_get_digest(), support including unsigned fs-verity's digests in the IMA measurement list. - Remove signatures requirement for including fs-verity's file digests in the 'd-ng' field of the measurement list. Changelog v1: - Updated both fsverity and IMA documentation. - Addressed both Eric Bigger's and Lakshmi's comments. Mimi Zohar (8): ima: rename IMA_ACTION_FLAGS to IMA_NONACTION_FLAGS ima: define ima_max_digest_data struct without a flexible array variable fs-verity: define a function to return the integrity protected file digest ima: define a new template field 'd-type' and a new template 'ima-ngv2' ima: permit fsverity's file digests in the IMA measurement list ima: define signature version 3 ima: support fs-verity file digest based version 3 signatures fsverity: update the documentation Documentation/ABI/testing/ima_policy | 22 +++++ Documentation/filesystems/fsverity.rst | 22 +++-- Documentation/security/IMA-templates.rst | 11 ++- fs/verity/Kconfig | 1 + fs/verity/fsverity_private.h | 7 -- fs/verity/measure.c | 41 ++++++++ include/linux/fsverity.h | 18 ++++ security/integrity/digsig.c | 3 +- security/integrity/ima/ima_api.c | 59 ++++++++--- security/integrity/ima/ima_appraise.c | 113 +++++++++++++++++++++- security/integrity/ima/ima_init.c | 10 +- security/integrity/ima/ima_main.c | 2 +- security/integrity/ima/ima_policy.c | 45 ++++++++- security/integrity/ima/ima_template.c | 3 + security/integrity/ima/ima_template_lib.c | 23 ++++- security/integrity/ima/ima_template_lib.h | 2 + security/integrity/integrity.h | 53 +++++++++- 17 files changed, 385 insertions(+), 50 deletions(-) -- 2.27.0
