[RFC][PATCH] ima: add default rule for initramfs files
in [Kernel]
|
Prev: input: switch to input_abs_*() access functions
Next: x86: only set early_serial_base after port is initialized
From: Roberto Sassu on 14 Jul 2010 04:40 On 07/14/2010 08:29 AM, Seiji Munetoh wrote: > On Wed, Jul 14, 2010 at 2:42 PM, Shaz<shazalive(a)gmail.com> wrote: > >> >> On Wed, Jul 14, 2010 at 3:08 AM, Seiji Munetoh<seiji.munetoh(a)gmail.com> >> wrote: >> >>> On Thu, Jul 8, 2010 at 10:14 PM, Mimi Zohar<zohar(a)linux.vnet.ibm.com> >>> wrote: >>> >>>> On Tue, 2010-07-06 at 17:08 +0200, Roberto Sassu wrote: >>>> >>>>> This patch modifies the default policy shipped with IMA, in order to >>>>> avoid measurements >>>>> of files in the initial ramdisk. Those files can be measured early in >>>>> the boot process >>>>> by the bootloader. >>>>> The patch applies to latest version of the mainline kernel 2.6.35-rc4. >>>>> >>>> Yes, the initramfs measurements are therefore redundant, as they're >>>> already included in the initramfs measurement, but perhaps, as the >>>> number of initramfs is very limited and the individual file measurements >>>> supplies additional information, it wouldn't hurt to keep the individual >>>> file measurements as well. These measurements could potentially help in >>>> identifying initramfs changes. >>>> >>>> Would appreciate other opinions before accepting this change. >>>> >>> The hash value of the initramfs is unstable since it was generated >>> at the time of kernel installation. >>> So still I want to check the individual used file in initramfs. >>> >> If initrd is measured by boot loader then changes to individual files should >> not be measured as this IS redundant. Use the new hash of the initrd as an >> integrity metric. Why would this not be enough? >> > This depends on remote verifier. > Creating the initramfs is client side task and the hash value of initramfs > will vary each clients. > > For me, validation of current measurements is easier than validation of > initramfs. And it seems the overhead of this redundancy is less painful. > > But some system can validate (or trust) the initramfs measured by IPL. > So, I would suggest that add Kconfig option to change the default policy. > > IMHO, if the eventlog contains fsmagic information for each measurements. > Verifier can skip the validation of RAMFS measurement easily. > > This is true, the initramfs's digest cannot be validated by a remote verifier. But in my opinion there are three main reasons for don't include those files in the measurement list. First, this is a readonly system and measures don't change in time; so if you create the image under a controlled environment and its digest doesn't change you can assert it will behave correctly. Second, including those measurements may be very confusing for a verifier since there may be multiple versions of the same object (the initramfs changes very rarely in respect to other files). Lastly, a pratical use of IMA is to load a custom policy. The better place to do that is the initramfs but measurements cannot be taken until the policy is loaded. The only way, as Shaz mentioned in a previous email, to keep track of all actions made during the boot process is that you have the initramfs image measured early by the boot loader. Roberto > -- > Seiji > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by Sprint > What will you do first with EVO, the first 4G phone? > Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first > _______________________________________________ > Linux-ima-user mailing list > Linux-ima-user(a)lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/linux-ima-user > |