Re: [PATCH v2] IMA: support for duplicate data measurement

From: Tushar Sugandhi
Date: Wed Feb 17 2021 - 15:50:48 EST
On 2021-02-17 12:39 p.m., Mimi Zohar wrote:
On Wed, 2021-02-17 at 10:53 -0800, Tushar Sugandhi wrote:
Thanks for the feedback Mimi.
Appreciate it.

On 2021-02-17 7:03 a.m., Mimi Zohar wrote:
Hi Tushar,

The Subject line could be improved. Perhaps something like - "IMA:
support for duplicate measurement records"

Will do.

On Tue, 2021-02-16 at 18:46 -0800, Tushar Sugandhi wrote:
IMA does not measure duplicate data since TPM extend is a very expensive
operation. However, in some cases, the measurement of duplicate data
is necessary to accurately determine the current state of the system.
E.g., SELinux state changing from 'audit', to 'enforcing', and back to
'audit' again. In this example, currently, IMA will not measure the
last state change to 'audit'. This limits the ability of attestation
services to accurately determine the current state of the measurements
on the system.

This patch description is written from your specific use case
perspective, but it impacts file and buffer data measurements as well,
not only critical data measurements. In all of these situations, with
this patch a new measurement record is added/appended to the
measurement list. Please re-write the patch description making it more
generic.

For example, I would start with something like, "IMA does not include
duplicate file, buffer or critical data measurement records ..."

Agreed.
I will generalize the description further and send the v3 for review.

It would be good to boot with the ima_policy=tcb policy with/without
your patch and account for the different number of measurements. Are
all the differences related to duplicate measurements - original file
hash -> new file hash -> original file hash - similar to what you
described.

Thanks for the ima_policy=tcb pointer.

I tested my patch with:
- duplicate buffer content for "measure func=CRITICAL_DATA"
- and reading the same file twice with "measure func=FILE_CHECK mask=MAY_READ"

In both the above use cases, IMA is measuring the duplicate entries with the patch, and not measuring the duplicate entries w/o the patch.

I will test the "ima_policy=tcb" boot-scenario as you suggested, before posting the next version.

Thanks,
Tushar

thanks,

Mimi
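The behaviour under discussion, simulated as an added example (not code from the kernel, the patch, or either poster): a toy measurement list that either skips or keeps duplicate digests, a PCR-extend model (SHA-256, constructed), and a verifier that replays the log. The dedup key (digest of the measured data) and the "selinux-state" event name are simplifying assumptions for illustration.

```python
import hashlib

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style PCR extend: PCR = H(PCR || digest). SHA-256 model, constructed."""
    return hashlib.sha256(pcr + digest).digest()

def measure_sequence(events, allow_duplicates):
    """Simulate the IMA measurement list for (name, data) events.

    Without allow_duplicates, an already-seen digest is skipped (no log entry,
    no PCR extend), which models the existing dedup behaviour. Returns (log, pcr).
    """
    log, pcr, seen = [], bytes(32), set()
    for name, data in events:
        digest = hashlib.sha256(data).digest()  # assumed dedup key: data digest
        if not allow_duplicates and digest in seen:
            continue  # duplicate: skipped to avoid an expensive TPM extend
        seen.add(digest)
        log.append((name, data.decode(), digest.hex()))
        pcr = extend(pcr, digest)
    return log, pcr

def replay(log):
    """Verifier side: recompute the expected PCR from the measurement log."""
    pcr = bytes(32)
    for _, _, hexdigest in log:
        pcr = extend(pcr, bytes.fromhex(hexdigest))
    return pcr

def last_state(log, name):
    """What an attestation service would conclude is the current state."""
    for entry_name, data, _ in reversed(log):
        if entry_name == name:
            return data
    return None

# Constructed event sequence from the thread: audit -> enforcing -> audit.
SELINUX_EVENTS = [
    ("selinux-state", b"audit"),
    ("selinux-state", b"enforcing"),
    ("selinux-state", b"audit"),
]

if __name__ == "__main__":
    for allow in (False, True):
        log, pcr = measure_sequence(SELINUX_EVENTS, allow)
        print(f"duplicates={allow}: {len(log)} entries, "
              f"last state seen by verifier = {last_state(log, 'selinux-state')}, "
              f"replay matches PCR = {replay(log) == pcr}")
```

With dedup the log replays correctly but its final entry still says 'enforcing'; only the duplicate-keeping variant lets the verifier recover the real final state.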