[v3,00/13] security: digest_cache LSM

Message ID 20240209140917.846878-1-roberto.sassu@huaweicloud.com
Headers
Series security: digest_cache LSM |

Message

Roberto Sassu Feb. 9, 2024, 2:09 p.m. UTC
  From: Roberto Sassu <roberto.sassu@huawei.com>

Introduce the digest_cache LSM, whose purpose is to deliver reference
digest values to integrity providers, such as IMA and IPE, abstracting to
them how those digests where extracted from the respective data source.

The major benefit is the ability to use the vaste amount of digests already
provided (and likely signed) by software vendors, without needing them to
adapt their format to the one understood by the integrity provider.

IMA and IPE can immediately interface with the digest_cache LSM and query
the digest of an accessed file. If the digest is found, it means that the
file is coming from the software vendor and not modified. If not, the file
might have been corrupted. Each integrity provider decides how to handle
this situation.

The second major benefit is performance improvement. Since the digest_cache
LSM has the ability to extract many digests from a single data source, it
means that it has less signatures to verify compared to the approach of
verifying individual file signatures (IMA appraisal). Preliminary tests
have shown a speedup of IMA appraisal of about 65% for sequential read, and
45% for parallel read.

This patch set has as prerequisites the file_release LSM hook (to be
introduced with the move of IMA/EVM to the LSM infrastructure), and
support for PGP keys, which is still unclear how it should be done.

The IMA integration patch set will be introduced separately. Also a PoC
based on the current version of IPE can be provided.

v2:
- Include the TLV parser in this patch set (from user asymmetric keys and
  signatures)
- Move from IMA and make an independent LSM
- Remove IMA-specific stuff from this patch set
- Add per algorithm hash table
- Expect all digest lists to be in the same directory and allow changing
  the default directory
- Support digest lookup on directories, when there is no
  security.digest_list xattr
- Add seq num to digest list file name, to impose ordering on directory
  iteration
- Add a new data type DIGEST_LIST_ENTRY_DATA for the nested data in the
  tlv digest list format
- Add the concept of verification data attached to digest caches
- Add the reset mechanism to track changes on digest lists and directory
  containing the digest lists
- Add kernel selftests

v1:
- Add documentation in Documentation/security/integrity-digest-cache.rst
- Pass the mask of IMA actions to digest_cache_alloc()
- Add a reference count to the digest cache
- Remove the path parameter from digest_cache_get(), and rely on the
  reference count to avoid the digest cache disappearing while being used
- Rename the dentry_to_check parameter of digest_cache_get() to dentry
- Rename digest_cache_get() to digest_cache_new() and add
  digest_cache_get() to set the digest cache in the iint of the inode for
  which the digest cache was requested
- Add dig_owner and dig_user to the iint, to distinguish from which inode
  the digest cache was created from, and which is using it; consequently it
  makes the digest cache usable to measure/appraise other digest caches
  (support not yet enabled)
- Add dig_owner_mutex and dig_user_mutex to serialize accesses to dig_owner
  and dig_user until they are initialized
- Enforce strong synchronization and make the contenders wait until
  dig_owner and dig_user are assigned to the iint the first time
- Move checking IMA actions on the digest list earlier, and fail if no
  action were performed (digest cache not usable)
- Remove digest_cache_put(), not needed anymore with the introduction of
  the reference count
- Fail immediately in digest_cache_lookup() if the digest algorithm is
  not set in the digest cache
- Use 64 bit mask for IMA actions on the digest list instead of 8 bit
- Return NULL in the inline version of digest_cache_get()
- Use list_add_tail() instead of list_add() in the iterator
- Copy the digest list path to a separate buffer in digest_cache_iter_dir()
- Use digest list parsers verified with Frama-C
- Explicitly disable (for now) the possibility in the IMA policy to use the
  digest cache to measure/appraise other digest lists
- Replace exit(<value>) with return <value> in manage_digest_lists.c

Roberto Sassu (13):
  lib: Add TLV parser
  security: Introduce the digest_cache LSM
  digest_cache: Add securityfs interface
  digest_cache: Add hash tables and operations
  digest_cache: Populate the digest cache from a digest list
  digest_cache: Parse tlv digest lists
  digest_cache: Parse rpm digest lists
  digest_cache: Add management of verification data
  digest_cache: Add support for directories
  digest cache: Prefetch digest lists if requested
  digest_cache: Reset digest cache on file/directory change
  selftests/digest_cache: Add selftests for digest_cache LSM
  docs: Add documentation of the digest_cache LSM

 Documentation/security/digest_cache.rst       | 900 ++++++++++++++++++
 Documentation/security/index.rst              |   1 +
 MAINTAINERS                                   |  16 +
 include/linux/digest_cache.h                  |  89 ++
 include/linux/kernel_read_file.h              |   1 +
 include/linux/tlv_parser.h                    |  28 +
 include/uapi/linux/lsm.h                      |   1 +
 include/uapi/linux/tlv_digest_list.h          |  72 ++
 include/uapi/linux/tlv_parser.h               |  59 ++
 include/uapi/linux/xattr.h                    |   6 +
 lib/Kconfig                                   |   3 +
 lib/Makefile                                  |   3 +
 lib/tlv_parser.c                              | 214 +++++
 lib/tlv_parser.h                              |  17 +
 security/Kconfig                              |  11 +-
 security/Makefile                             |   1 +
 security/digest_cache/Kconfig                 |  34 +
 security/digest_cache/Makefile                |  11 +
 security/digest_cache/dir.c                   | 245 +++++
 security/digest_cache/htable.c                | 268 ++++++
 security/digest_cache/internal.h              | 259 +++++
 security/digest_cache/main.c                  | 545 +++++++++++
 security/digest_cache/modsig.c                |  66 ++
 security/digest_cache/parsers/parsers.h       |  15 +
 security/digest_cache/parsers/rpm.c           | 223 +++++
 security/digest_cache/parsers/tlv.c           | 299 ++++++
 security/digest_cache/populate.c              | 163 ++++
 security/digest_cache/reset.c                 | 168 ++++
 security/digest_cache/secfs.c                 |  87 ++
 security/digest_cache/verif.c                 | 119 +++
 security/security.c                           |   3 +-
 tools/testing/selftests/Makefile              |   1 +
 .../testing/selftests/digest_cache/.gitignore |   3 +
 tools/testing/selftests/digest_cache/Makefile |  23 +
 .../testing/selftests/digest_cache/all_test.c | 706 ++++++++++++++
 tools/testing/selftests/digest_cache/common.c |  79 ++
 tools/testing/selftests/digest_cache/common.h | 131 +++
 .../selftests/digest_cache/common_user.c      |  47 +
 .../selftests/digest_cache/common_user.h      |  17 +
 tools/testing/selftests/digest_cache/config   |   1 +
 .../selftests/digest_cache/generators.c       | 248 +++++
 .../selftests/digest_cache/generators.h       |  19 +
 .../selftests/digest_cache/testmod/Makefile   |  16 +
 .../selftests/digest_cache/testmod/kern.c     | 499 ++++++++++
 .../selftests/lsm/lsm_list_modules_test.c     |   3 +
 45 files changed, 5714 insertions(+), 6 deletions(-)
 create mode 100644 Documentation/security/digest_cache.rst
 create mode 100644 include/linux/digest_cache.h
 create mode 100644 include/linux/tlv_parser.h
 create mode 100644 include/uapi/linux/tlv_digest_list.h
 create mode 100644 include/uapi/linux/tlv_parser.h
 create mode 100644 lib/tlv_parser.c
 create mode 100644 lib/tlv_parser.h
 create mode 100644 security/digest_cache/Kconfig
 create mode 100644 security/digest_cache/Makefile
 create mode 100644 security/digest_cache/dir.c
 create mode 100644 security/digest_cache/htable.c
 create mode 100644 security/digest_cache/internal.h
 create mode 100644 security/digest_cache/main.c
 create mode 100644 security/digest_cache/modsig.c
 create mode 100644 security/digest_cache/parsers/parsers.h
 create mode 100644 security/digest_cache/parsers/rpm.c
 create mode 100644 security/digest_cache/parsers/tlv.c
 create mode 100644 security/digest_cache/populate.c
 create mode 100644 security/digest_cache/reset.c
 create mode 100644 security/digest_cache/secfs.c
 create mode 100644 security/digest_cache/verif.c
 create mode 100644 tools/testing/selftests/digest_cache/.gitignore
 create mode 100644 tools/testing/selftests/digest_cache/Makefile
 create mode 100644 tools/testing/selftests/digest_cache/all_test.c
 create mode 100644 tools/testing/selftests/digest_cache/common.c
 create mode 100644 tools/testing/selftests/digest_cache/common.h
 create mode 100644 tools/testing/selftests/digest_cache/common_user.c
 create mode 100644 tools/testing/selftests/digest_cache/common_user.h
 create mode 100644 tools/testing/selftests/digest_cache/config
 create mode 100644 tools/testing/selftests/digest_cache/generators.c
 create mode 100644 tools/testing/selftests/digest_cache/generators.h
 create mode 100644 tools/testing/selftests/digest_cache/testmod/Makefile
 create mode 100644 tools/testing/selftests/digest_cache/testmod/kern.c
  

Comments

Roberto Sassu Feb. 28, 2024, 5:46 p.m. UTC | #1
On Fri, 2024-02-09 at 15:09 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Introduce the digest_cache LSM, whose purpose is to deliver reference
> digest values to integrity providers, such as IMA and IPE, abstracting to
> them how those digests where extracted from the respective data source.
> 
> The major benefit is the ability to use the vaste amount of digests already
> provided (and likely signed) by software vendors, without needing them to
> adapt their format to the one understood by the integrity provider.
> 
> IMA and IPE can immediately interface with the digest_cache LSM and query
> the digest of an accessed file. If the digest is found, it means that the
> file is coming from the software vendor and not modified. If not, the file
> might have been corrupted. Each integrity provider decides how to handle
> this situation.
> 
> The second major benefit is performance improvement. Since the digest_cache
> LSM has the ability to extract many digests from a single data source, it
> means that it has less signatures to verify compared to the approach of
> verifying individual file signatures (IMA appraisal). Preliminary tests
> have shown a speedup of IMA appraisal of about 65% for sequential read, and
> 45% for parallel read.
> 
> This patch set has as prerequisites the file_release LSM hook (to be
> introduced with the move of IMA/EVM to the LSM infrastructure), and
> support for PGP keys, which is still unclear how it should be done.
> 
> The IMA integration patch set will be introduced separately. Also a PoC
> based on the current version of IPE can be provided.

Hi everyone

I still hope to receive some comments on this and on the IMA
integration patch set.

Meanwhile, I built openSUSE Tumbleweed packages with both those patch
sets (with few changes) and the PGP one (with the parser in kernel
space).

I also published the first preliminary version of digest-cache-tools
which contains the tools to manage the digest_cache LSM.

https://github.com/linux-integrity/digest-cache-tools


The README should give a pretty good idea on how to configure the
digest_cache LSM correctly, to do IMA measurement (with predictable
PCR) and IMA appraisal.

That basically requires to install only the kernel and the digest-
cache-tools packages (plus dracut, to enable IMA measurement/appraisal
from the initial ram disk).

Other than that, openSUSE Tumbleweed with these three packages (and no
other modifications, even in the build infrastructure) is basically
offering the integrity features that IMA supports.

Roberto

> v2:
> - Include the TLV parser in this patch set (from user asymmetric keys and
>   signatures)
> - Move from IMA and make an independent LSM
> - Remove IMA-specific stuff from this patch set
> - Add per algorithm hash table
> - Expect all digest lists to be in the same directory and allow changing
>   the default directory
> - Support digest lookup on directories, when there is no
>   security.digest_list xattr
> - Add seq num to digest list file name, to impose ordering on directory
>   iteration
> - Add a new data type DIGEST_LIST_ENTRY_DATA for the nested data in the
>   tlv digest list format
> - Add the concept of verification data attached to digest caches
> - Add the reset mechanism to track changes on digest lists and directory
>   containing the digest lists
> - Add kernel selftests
> 
> v1:
> - Add documentation in Documentation/security/integrity-digest-cache.rst
> - Pass the mask of IMA actions to digest_cache_alloc()
> - Add a reference count to the digest cache
> - Remove the path parameter from digest_cache_get(), and rely on the
>   reference count to avoid the digest cache disappearing while being used
> - Rename the dentry_to_check parameter of digest_cache_get() to dentry
> - Rename digest_cache_get() to digest_cache_new() and add
>   digest_cache_get() to set the digest cache in the iint of the inode for
>   which the digest cache was requested
> - Add dig_owner and dig_user to the iint, to distinguish from which inode
>   the digest cache was created from, and which is using it; consequently it
>   makes the digest cache usable to measure/appraise other digest caches
>   (support not yet enabled)
> - Add dig_owner_mutex and dig_user_mutex to serialize accesses to dig_owner
>   and dig_user until they are initialized
> - Enforce strong synchronization and make the contenders wait until
>   dig_owner and dig_user are assigned to the iint the first time
> - Move checking IMA actions on the digest list earlier, and fail if no
>   action were performed (digest cache not usable)
> - Remove digest_cache_put(), not needed anymore with the introduction of
>   the reference count
> - Fail immediately in digest_cache_lookup() if the digest algorithm is
>   not set in the digest cache
> - Use 64 bit mask for IMA actions on the digest list instead of 8 bit
> - Return NULL in the inline version of digest_cache_get()
> - Use list_add_tail() instead of list_add() in the iterator
> - Copy the digest list path to a separate buffer in digest_cache_iter_dir()
> - Use digest list parsers verified with Frama-C
> - Explicitly disable (for now) the possibility in the IMA policy to use the
>   digest cache to measure/appraise other digest lists
> - Replace exit(<value>) with return <value> in manage_digest_lists.c
> 
> Roberto Sassu (13):
>   lib: Add TLV parser
>   security: Introduce the digest_cache LSM
>   digest_cache: Add securityfs interface
>   digest_cache: Add hash tables and operations
>   digest_cache: Populate the digest cache from a digest list
>   digest_cache: Parse tlv digest lists
>   digest_cache: Parse rpm digest lists
>   digest_cache: Add management of verification data
>   digest_cache: Add support for directories
>   digest cache: Prefetch digest lists if requested
>   digest_cache: Reset digest cache on file/directory change
>   selftests/digest_cache: Add selftests for digest_cache LSM
>   docs: Add documentation of the digest_cache LSM
> 
>  Documentation/security/digest_cache.rst       | 900 ++++++++++++++++++
>  Documentation/security/index.rst              |   1 +
>  MAINTAINERS                                   |  16 +
>  include/linux/digest_cache.h                  |  89 ++
>  include/linux/kernel_read_file.h              |   1 +
>  include/linux/tlv_parser.h                    |  28 +
>  include/uapi/linux/lsm.h                      |   1 +
>  include/uapi/linux/tlv_digest_list.h          |  72 ++
>  include/uapi/linux/tlv_parser.h               |  59 ++
>  include/uapi/linux/xattr.h                    |   6 +
>  lib/Kconfig                                   |   3 +
>  lib/Makefile                                  |   3 +
>  lib/tlv_parser.c                              | 214 +++++
>  lib/tlv_parser.h                              |  17 +
>  security/Kconfig                              |  11 +-
>  security/Makefile                             |   1 +
>  security/digest_cache/Kconfig                 |  34 +
>  security/digest_cache/Makefile                |  11 +
>  security/digest_cache/dir.c                   | 245 +++++
>  security/digest_cache/htable.c                | 268 ++++++
>  security/digest_cache/internal.h              | 259 +++++
>  security/digest_cache/main.c                  | 545 +++++++++++
>  security/digest_cache/modsig.c                |  66 ++
>  security/digest_cache/parsers/parsers.h       |  15 +
>  security/digest_cache/parsers/rpm.c           | 223 +++++
>  security/digest_cache/parsers/tlv.c           | 299 ++++++
>  security/digest_cache/populate.c              | 163 ++++
>  security/digest_cache/reset.c                 | 168 ++++
>  security/digest_cache/secfs.c                 |  87 ++
>  security/digest_cache/verif.c                 | 119 +++
>  security/security.c                           |   3 +-
>  tools/testing/selftests/Makefile              |   1 +
>  .../testing/selftests/digest_cache/.gitignore |   3 +
>  tools/testing/selftests/digest_cache/Makefile |  23 +
>  .../testing/selftests/digest_cache/all_test.c | 706 ++++++++++++++
>  tools/testing/selftests/digest_cache/common.c |  79 ++
>  tools/testing/selftests/digest_cache/common.h | 131 +++
>  .../selftests/digest_cache/common_user.c      |  47 +
>  .../selftests/digest_cache/common_user.h      |  17 +
>  tools/testing/selftests/digest_cache/config   |   1 +
>  .../selftests/digest_cache/generators.c       | 248 +++++
>  .../selftests/digest_cache/generators.h       |  19 +
>  .../selftests/digest_cache/testmod/Makefile   |  16 +
>  .../selftests/digest_cache/testmod/kern.c     | 499 ++++++++++
>  .../selftests/lsm/lsm_list_modules_test.c     |   3 +
>  45 files changed, 5714 insertions(+), 6 deletions(-)
>  create mode 100644 Documentation/security/digest_cache.rst
>  create mode 100644 include/linux/digest_cache.h
>  create mode 100644 include/linux/tlv_parser.h
>  create mode 100644 include/uapi/linux/tlv_digest_list.h
>  create mode 100644 include/uapi/linux/tlv_parser.h
>  create mode 100644 lib/tlv_parser.c
>  create mode 100644 lib/tlv_parser.h
>  create mode 100644 security/digest_cache/Kconfig
>  create mode 100644 security/digest_cache/Makefile
>  create mode 100644 security/digest_cache/dir.c
>  create mode 100644 security/digest_cache/htable.c
>  create mode 100644 security/digest_cache/internal.h
>  create mode 100644 security/digest_cache/main.c
>  create mode 100644 security/digest_cache/modsig.c
>  create mode 100644 security/digest_cache/parsers/parsers.h
>  create mode 100644 security/digest_cache/parsers/rpm.c
>  create mode 100644 security/digest_cache/parsers/tlv.c
>  create mode 100644 security/digest_cache/populate.c
>  create mode 100644 security/digest_cache/reset.c
>  create mode 100644 security/digest_cache/secfs.c
>  create mode 100644 security/digest_cache/verif.c
>  create mode 100644 tools/testing/selftests/digest_cache/.gitignore
>  create mode 100644 tools/testing/selftests/digest_cache/Makefile
>  create mode 100644 tools/testing/selftests/digest_cache/all_test.c
>  create mode 100644 tools/testing/selftests/digest_cache/common.c
>  create mode 100644 tools/testing/selftests/digest_cache/common.h
>  create mode 100644 tools/testing/selftests/digest_cache/common_user.c
>  create mode 100644 tools/testing/selftests/digest_cache/common_user.h
>  create mode 100644 tools/testing/selftests/digest_cache/config
>  create mode 100644 tools/testing/selftests/digest_cache/generators.c
>  create mode 100644 tools/testing/selftests/digest_cache/generators.h
>  create mode 100644 tools/testing/selftests/digest_cache/testmod/Makefile
>  create mode 100644 tools/testing/selftests/digest_cache/testmod/kern.c
>