Hi Mimi,
Thanks a lot for your continual engagement and
providing us valuable feedback on this work.
On 2020-10-24 8:35 p.m., Mimi Zohar wrote:
Hi Tushar,
On Wed, 2020-09-23 at 12:20 -0700, Tushar Sugandhi wrote:
There are several kernel components that contain critical data which if
accidentally or maliciously altered, can compromise the security of the
kernel. Example of such components would include LSMs like SELinux, or
AppArmor; or device-mapper targets like dm-crypt, dm-verity etc.
^"the integrity of the system."
Ok. I will revisit this cover letter again, when we post the next
version of the series. We also need to update the cover letter to
include the description for new patches to be added in this series, as
per your suggestion below. {built-in policy patch (by Lakshmi) and an
example measurement patch (SeLinux by Lakshmi)}
This cover letter needs to be re-written from a higher perspective,
explaining what is meant by "critical data" (e.g. kernel subsystem
specific information only stored in kernel memory).
Many of these components do not use the capabilities provided by kernel
integrity subsystem (IMA), and thus they don't use the benefits of
extended TPM PCR quotes and ultimately the benefits of remote attestation.
True, up until recently IMA only measured files, nothing else. Why is
this paragraph needed? What new information is provided?
Here, I was attempting to describe the problem (what needs to be
solved), before proposing a solution below. But maybe it is not adding
value. I will get rid of the above paragraph in the next iteration.
This series bridges this gap, so that potential kernel components that
contain data critical to the security of the kernel could take advantage
of IMA's measuring and quoting abilities - thus ultimately enabling
remote attestation for their specific data.
Perhaps, something more along the lines, "This patch set defines a new
IMA hook named ... to measure critical data."
Will do.
System administrators may want to pick and choose which kernel
components they would want to enable for measurements, quoting, and
remote attestation. To enable that, a new IMA policy is introduced.
Reverse the order of this paragraph and the following one, describing
the new feature and only afterwards explaining how it may be
constrained.
Makes total sense. Will do.
And lastly, the functionality is exposed through a function
ima_measure_critical_data(). The functionality is generic enough to
measure the data of any kernel component at run-time. To ensure that
only data from supported sources are measured, the kernel component
needs to be added to a compile-time list of supported sources (an
"allowed list of components"). IMA validates the source passed to
ima_measure_critical_data() against this allowed list at run-time.
This patch set must include at least one example of measuring critical
data, before it can be upstreamed. Tushar, please coordinate with
Lakshmi and Raphael.
Yes. I am coordinating with Lakshmi/Raphael on including one of the
examples. (SeLinux as per your feedback)
BTW, we also have one more data source (dm-crypt) currently in review,
that uses critical data measurement infrastructure to measure its kernel
in-memory data.
https://patchwork.kernel.org/patch/11844817/
Thanks again for all the help and support with the patches.
~Tushar
thanks,
Mimi