Re: [Linux-ima-user] [RFC][PATCH] ima: add default rule for initramfsfiles

[Roberto Sassu]

On 07/14/2010 08:29 AM, Seiji Munetoh wrote:
> On Wed, Jul 14, 2010 at 2:42 PM, Shaz<shazalive@xxxxxxxxx>  wrote:
>    
> > On Wed, Jul 14, 2010 at 3:08 AM, Seiji Munetoh<seiji.munetoh@xxxxxxxxx>
> > wrote:
> >      
> > > On Thu, Jul 8, 2010 at 10:14 PM, Mimi Zohar<zohar@xxxxxxxxxxxxxxxxxx>
> > > wrote:
> > >        
> > > > On Tue, 2010-07-06 at 17:08 +0200, Roberto Sassu wrote:
> > > >          
> > > > > This patch modifies the default policy shipped with IMA, in order to
> > > > > avoid measurements
> > > > > of files in the initial ramdisk. Those files can be measured early in
> > > > > the boot process
> > > > > by the bootloader.
> > > > > The patch applies to latest version of the mainline kernel 2.6.35-rc4.
> > > > >            
> > > > Yes, the initramfs measurements are therefore redundant, as they're
> > > > already included in the initramfs measurement, but perhaps, as the
> > > > number of initramfs is very limited and the individual file measurements
> > > > supplies additional information, it wouldn't hurt to keep the individual
> > > > file measurements as well.  These measurements could potentially help in
> > > > identifying initramfs changes.
> > > >
> > > > Would appreciate other opinions before accepting this change.
> > > >          
> > > The hash value of the initramfs is unstable since it was generated
> > > at the time of kernel installation.
> > > So still I want to check  the individual used file in initramfs.
> > >        
> > If initrd is measured by boot loader then changes to individual files should
> > not be measured as this IS redundant. Use the new hash of the initrd as an
> > integrity metric. Why would this not be enough?
> >      
> This depends on remote verifier.
> Creating the initramfs is client side task and  the hash value of initramfs
> will vary each clients.
>
> For me, validation of  current measurements is easier than validation of
> initramfs. And it seems the overhead of this redundancy is less painful.
>
> But some system can validate (or trust) the initramfs measured by IPL.
> So, I would suggest that add Kconfig option to change the default policy.
>
> IMHO, if the eventlog contains fsmagic information for each measurements.
> Verifier can skip the validation of RAMFS measurement easily.
>
>    
This is true, the initramfs's digest cannot be validated by a remote 
verifier. But in my opinion there are three main reasons for don't 
include those files in the measurement list.
First, this is a readonly system and measures don't change in time; so 
if you create the image under a controlled environment and its digest 
doesn't change you can assert it will behave correctly.
Second, including those measurements may be very confusing for a 
verifier since there may be multiple versions of the same object (the 
initramfs changes very rarely in respect to other files).
Lastly, a pratical use of IMA is to load a custom policy. The better 
place to do that is the initramfs but measurements cannot be taken until 
the policy is loaded. The only way, as Shaz mentioned in a previous 
email, to keep track of all actions made during the boot process is that 
you have the initramfs image measured early by the boot loader.


Roberto

> --
> Seiji
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Linux-ima-user mailing list
> Linux-ima-user@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature