On Aug 12, 2020, at 11:42 AM, James Bottomley [off-list ref] wrote:

On Wed, 2020-08-12 at 09:56 -0400, Chuck Lever wrote:

quoted

quoted

On Aug 11, 2020, at 2:28 PM, James Bottomley <James.Bottomley@Hanse
nPartnership.com> wrote:

On Tue, 2020-08-11 at 10:48 -0400, Chuck Lever wrote:

quoted

Mimi's earlier point is that any IMA metadata format that
involves unsigned digests is exposed to an alteration attack at
rest or in transit, thus will not provide a robust end-to-end
integrity guarantee.

I don't believe that is Mimi's point, because it's mostly not
correct: the xattr mechanism does provide this today.  The point is
the mechanism we use for storing IMA hashes and signatures today is
xattrs because they have robust security properties for local
filesystems that the kernel enforces.  This use goes beyond IMA,
selinux labels for instance use this property as well.

I don't buy this for a second. If storing a security label in a
local xattr is so secure, we wouldn't have any need for EVM.

What don't you buy?  Security xattrs can only be updated by local root.
If you trust local root, the xattr mechanism is fine ... it's the only
one a lot of LSMs use, for instance.  If you don't trust local root or
worry about offline backups, you use EVM.  A thing isn't secure or
insecure, it depends on the threat model.  However, if you don't trust
the NFS server it doesn't matter whether you do or don't trust local
root, you can't believe the contents of the xattr.

quoted

quoted

What I think you're saying is that NFS can't provide the robust
security for xattrs we've been relying on, so you need some other
mechanism for storing them.

For NFS, there's a network traversal which is an attack surface.

A local xattr can be attacked as well: a device or bus malfunction
can corrupt the content of an xattr, or a privileged user can modify
it.

How does that metadata get from the software provider to the end
user? It's got to go over a network, stored in various ways, some
of which will not be trusted. To attain an unbroken chain of
provenance, that metadata has to be signed.

I don't think the question is the storage mechanism, but rather the
protection mechanism. Signing the metadata protects it in all of
these cases.

I think we're saying about the same thing.

Roughly.

For most people the
security mechanism of local xattrs is sufficient.  If you're paranoid,
you don't believe it is and you use EVM.

When IMA metadata happens to be stored in local filesystems in
a trusted xattr, it's going to enjoy the protection you describe
without needing the addition of a cryptographic signature.

However, that metadata doesn't live its whole life there. It
can reside in a tar file, it can cross a network, it can live
on a back-up tape. I think we agree that any time that metadata
is in transit or at rest outside of a Linux local filesystem, it
is exposed.

Thus I'm interested in a metadata protection mechanism that does
not rely on the security characteristics of a particular storage
container. For me, a cryptographic signature fits that bill
nicely.

quoted

quoted

I think Mimi's other point is actually that IMA uses a flat hash
which we derive by reading the entire file and then watching for
mutations. Since you cannot guarantee we get notice of mutation
with NFS, the entire IMA mechanism can't really be applied in its
current form and we have to resort to chunk at a time verifications
that a Merkel tree would provide.

I'm not sure what you mean by this. An NFS client relies on
notification of mutation to maintain the integrity of its cache of
NFS file content, and it's done that since the 1980s.

Mutation detection is part of the current IMA security model.  If IMA
sees a file mutate it has to be rehashed the next time it passes the
gate.  If we can't trust the NFS server, we can't trust the NFS
mutation notification and we have to have a different mechanism to
check the file.

When an NFS server lies about mtime and ctime, then NFS is completely
broken. Untrusted NFS server doesn't mean "broken behavior" -- I
would think that local filesystems will have the same problem if
they can't trust a local block device to store filesystem metadata
like indirect blocks and timestamps.

It's not clear to me that IMA as currently implemented can protect
against broken storage devices or incorrect filesystem behavior.

quoted

In addition to examining a file's mtime and ctime as maintained by
the NFS server, a client can rely on the file's NFSv4 change
attribute or an NFSv4 delegation.

And that's secure in the face of a malicious or compromised server?

The bottom line is still, I think we can't use linear hashes with an
open/exec/mmap gate with NFS and we have to move to chunk at a time
verification like that provided by a merkel tree.

That's fine until we claim that remote filesystems require one form of
metadata and local filesystems use some other form.

To guarantee an unbroken chain of provenance, everyone has to use the
same portable metadata format that is signed once by the content creator.
That's essentially why I believe the Merkle-based metadata format must
require that the tree root is signed.


--
Chuck Lever
chucklever@gmail.com