Re: [RFC] IMA Log Snapshotting Design Proposal

Thanks a lot James for looking at this proposal,
and sharing your thoughts. Really appreciate it.

On 8/1/23 14:21, James Bottomley wrote:
> On Tue, 2023-08-01 at 12:12 -0700, Sush Shringarputale wrote:
> > [...]
> > Truncating the IMA log to reclaim memory is not feasible, since it makes
> > the log go out of sync with the TPM PCR quote, making remote
> > attestation fail.
> This assumption isn't entirely true.  It's perfectly possible to shard
> an IMA log using two TPM2_Quotes for the beginning and end PCR values
> to validate the shard.  The IMA log could be truncated in the same way
> (replace the removed part of the log with a TPM2_Quote and AK, so the
> log still validates from the beginning quote to the end).
Here we meant just truncating the IMA log is not a complete
solution in itself. As you said, we have to take additional steps
like logging TPM2_Quotes etc. Logging the AK is an interesting proposal
which we didn't consider earlier. I am not sure if embedding the AK in the IMA
log/snapshot is needed. If the client sends them separately with "signed
PCR quotes" + "IMA log" + snapshots, it should still serve the purpose,
right?

> If you use a TPM2_Quote mechanism to save the log, all you need to do
> is have the kernel generate the quote with an internal AK.  You can
> keep a record of the quote and the AK at the beginning of the truncated
> kernel log.  If the truncated entries are saved in a file shard it
> should have a beginning and end quote and a record of the AK used.
A new IMA log snapshot file (or shard as you call it) will have
the TPM2_Quote record (plus some additional metadata) at the beginning.
I don't believe it needs to be logged at the end of the snapshot (since it can
be computed by replaying the remaining entries in the snapshot).

See the snapshot_aggregate field in section B.5 in the original RFC mail [1].

> Since verifiers like Keylime are already using this beginning and end
> quote for sharded logs, it's the most natural format to feed to
> something externally for verification and it means you don't have to
> invent a new format to do the same thing.
Could you please point to the Keylime source and/or documentation
which explains the use of beginning and end quotes? We would like to
understand how the verifiers are addressing this problem currently.


[1] https://lore.kernel.org/all/c5737141-7827-1c83-ab38-0119dcfea485@xxxxxxxxxxxxxxxxxxx/#t

~Tushar

> Regards,
>
> James
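The verification scheme the two replies converge on (each shard headed by a quote of the PCR value before its first entry, and the end of a shard checked by replaying its entries up to the next quote) can be demonstrated end to end. The following is an added example written for this page; it is not code from the thread, from Keylime, or from the kernel IMA patches. It assumes a software-simulated TPM: PCR extend is H(old || digest) over the sha256 bank, the TPM2_Quote signature is an HMAC under a constructed key standing in for the AK, the measurement list is constructed inline, and the function and field names (`snapshot_log`, `verify_shards`, `start_quote`, etc.) are this example's own, not a proposed on-disk format.

```python
"""Sharded IMA log verification against start/end PCR quotes.

Constructed demo: the TPM is simulated in software and the TPM2_Quote
signature is an HMAC under a shared key standing in for the attestation
key (AK). A real verifier checks an asymmetric AK signature from the TPM.
"""
import hashlib
import hmac

INITIAL_PCR = bytes(32)                         # PCR 10 is all zeros after TPM reset
AK_KEY = b"constructed-demo-attestation-key"    # assumption: stand-in for the TPM AK


def template_hash(template_data: bytes) -> bytes:
    """IMA extends the PCR with the hash of the template data (sha256 bank)."""
    return hashlib.sha256(template_data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def sign_quote(pcr_value: bytes, nonce: bytes) -> dict:
    """Simulated TPM2_Quote over (PCR value, nonce)."""
    sig = hmac.new(AK_KEY, pcr_value + nonce, hashlib.sha256).digest()
    return {"pcr": pcr_value, "nonce": nonce, "sig": sig}


def quote_ok(q: dict) -> bool:
    """Check the (simulated) AK signature on a quote."""
    expected = hmac.new(AK_KEY, q["pcr"] + q["nonce"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, q["sig"])


def replay(start_pcr: bytes, entries: list) -> bytes:
    """Recompute the PCR by replaying IMA entries from a known start value."""
    pcr = start_pcr
    for data in entries:
        pcr = extend(pcr, template_hash(data))
    return pcr


def snapshot_log(entries: list, boundaries: list, verifier_nonce: bytes):
    """Kernel side (simulated): cut the log at `boundaries`; each shard is headed
    by a quote of the PCR value before its first entry (the snapshot aggregate).
    Snapshot quotes are taken before any verifier asks, so they carry no verifier
    nonce; freshness comes from the final live quote they chain into."""
    shards, pcr = [], INITIAL_PCR
    cuts = [0] + list(boundaries) + [len(entries)]
    for lo, hi in zip(cuts, cuts[1:]):
        shards.append({"start_quote": sign_quote(pcr, b""), "entries": entries[lo:hi]})
        pcr = replay(pcr, entries[lo:hi])
    return shards, sign_quote(pcr, verifier_nonce)


def verify_shards(shards: list, final_quote: dict, verifier_nonce: bytes):
    """Verifier side: each shard must replay from its start quote to the next
    shard's start quote (or the final live quote); the first shard must start at
    the reset value so nothing was silently dropped at the front."""
    if not shards:
        return False, "no shards"
    if shards[0]["start_quote"]["pcr"] != INITIAL_PCR:
        return False, "first shard does not start at the PCR reset value"
    if final_quote["nonce"] != verifier_nonce or not quote_ok(final_quote):
        return False, "final quote is stale or not signed by the AK"
    for i, shard in enumerate(shards):
        start = shard["start_quote"]
        if not quote_ok(start):
            return False, f"shard {i}: start quote not signed by the AK"
        nxt = shards[i + 1]["start_quote"] if i + 1 < len(shards) else final_quote
        if replay(start["pcr"], shard["entries"]) != nxt["pcr"]:
            return False, f"shard {i}: replay does not reach the next quote"
    return True, "ok"


# Constructed measurement list, loosely in ima-ng shape ("sha256:<hex> <path>").
LOG = [f"sha256:{hashlib.sha256(p).hexdigest()} {p.decode()}".encode()
       for p in (b"boot_aggregate", b"/usr/bin/bash", b"/usr/lib64/libc.so.6",
                 b"/usr/sbin/sshd", b"/etc/ssh/sshd_config", b"/usr/bin/python3")]


def demo():
    """Returns (intact, entry_dropped, front_truncated) verification outcomes."""
    nonce = b"verifier-nonce-0001"
    shards, final = snapshot_log(LOG, [2, 4], nonce)
    intact = verify_shards(shards, final, nonce)[0]
    # Attack 1: an entry silently removed from a middle shard.
    tampered = list(shards)
    tampered[1] = {"start_quote": shards[1]["start_quote"],
                   "entries": shards[1]["entries"][1:]}
    entry_dropped = verify_shards(tampered, final, nonce)[0]
    # Attack 2: plain truncation, first shard discarded with no quote bridging the gap.
    front_truncated = verify_shards(shards[1:], final, nonce)[0]
    return intact, entry_dropped, front_truncated


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Two points the code makes concrete: the end quote of a shard is redundant once the next shard's start quote exists, since replaying the shard must land exactly on that value, which is the point made about the snapshot_aggregate field; and a snapshot quote cannot carry a verifier-chosen nonce because it is produced before any verifier asks, so the chain is only as fresh as the final live quote it terminates in. Whether the AK is embedded in each shard or shipped alongside the log, the verifier still needs to bind every quote to the same AK, which here is the single shared `AK_KEY`.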
