On Aug 11, 2020, at 2:28 PM, James Bottomley
<James.Bottomley(a)HansenPartnership.com> wrote:
On Tue, 2020-08-11 at 10:48 -0400, Chuck Lever wrote:
> Mimi's earlier point is that any IMA metadata format that involves
> unsigned digests is exposed to an alteration attack at rest or in
> transit, thus will not provide a robust end-to-end integrity
> guarantee.
I don't believe that is Mimi's point, because it's mostly not correct:
the xattr mechanism does provide this today. The point is the
mechanism we use for storing IMA hashes and signatures today is xattrs
because they have robust security properties for local filesystems that
the kernel enforces. This use goes beyond IMA, selinux labels for
instance use this property as well.
I don't buy this for a second. If storing a security label in a
local xattr is so secure, we wouldn't have any need for EVM.
What I think you're saying is that NFS can't provide the
robust
security for xattrs we've been relying on, so you need some other
mechanism for storing them.
For NFS, there's a network traversal which is an attack surface.
A local xattr can be attacked as well: a device or bus malfunction
can corrupt the content of an xattr, or a privileged user can modify
it.
How does that metadata get from the software provider to the end
user? It's got to go over a network, stored in various ways, some
of which will not be trusted. To attain an unbroken chain of
provenance, that metadata has to be signed.
I don't think the question is the storage mechanism, but rather the
protection mechanism. Signing the metadata protects it in all of
these cases.
I think Mimi's other point is actually that IMA uses a flat hash
which
we derive by reading the entire file and then watching for mutations.
Since you cannot guarantee we get notice of mutation with NFS, the
entire IMA mechanism can't really be applied in its current form and we
have to resort to chunk at a time verifications that a Merkel tree
would provide.
I'm not sure what you mean by this. An NFS client relies on notification
of mutation to maintain the integrity of its cache of NFS file content,
and it's done that since the 1980s.
In addition to examining a file's mtime and ctime as maintained by
the NFS server, a client can rely on the file's NFSv4 change attribute
or an NFSv4 delegation.
Doesn't this make moot any thinking about
standardisation in NFS for the current IMA flat hash mechanism because
we simply can't use it ... If I were to construct a prototype I'd have
to work out and securely cache the hash of ever chunk when verifying
the flat hash so I could recheck on every chunk read. I think that's
infeasible for large files.
James
--
Chuck Lever
chucklever(a)gmail.com