On 1/13/21 6:49 PM, Mimi Zohar wrote:

Hi Mimi,

I remain concerned about the possibility of bypassing a measurement by
tampering with the time, but I appear to be the only one who is
worried about this so I'm not going to block this patch on those
grounds.

Acked-by: Paul Moore <p...@paul-moore.com>

Thanks, Paul.

Including any unique string would cause the buffer hash to change,
forcing a new measurement.  Perhaps they were concerned with
overflowing a counter.

My understanding is that Lakshmi wanted to force a new measurement
each time and felt using a timestamp would be the best way to do that.
A counter, even if it wraps, would have a different value each time
whereas a timestamp is vulnerable to time adjustments.  While a
properly controlled and audited system could be configured and
monitored to detect such an event (I *think*), why rely on that if it
isn't necessary?

Why are you saying that even if the counter wraps a new measurement is
guaranteed.   I agree with the rest of what you said.

I was assuming that the IMA code simply compares the passed
"policy_event_name" value to the previous value, if they are different
a new measurement is taken, if they are the same the measurement
request is ignored.  If this is the case the counter value is only
important in as much as that it is different from the previous value,
even simply toggling a single bit back and forth would suffice in this
case.  IMA doesn't keep a record of every previous "policy_event_name"
value does it?  Am I misunderstanding how
ima_measure_critical_data(...) works?

Originally, there was quite a bit of discussion as to how much or how
little should be measured for a number of reasons.  One reason is that
the TPM is relatively slow.  Another reason is to limit the size of the
measurement list.  For this reason, duplicate hashes aren't added to
the measurement list or extended into the TPM.

When a dentry is removed from cache, its also removed from IMA's iint
cache.  A subsequent file read would result in adding the measurement
and extending the TPM again.  ima_lookup_digest_entry() is called to
prevent adding the duplicate entry.

Lakshmi is trying to address the situation where an event changes a
value, but then is restored to the original value.  The original and
subsequent events are measured, but restoring to the original value
isn't re-measured.  This isn't any different than when a file is
modified and then reverted.

Instead of changing the name like this, which doesn't work for files,
allowing duplicate measurements should be generic, based on policy.

Perhaps it is just the end of the day and I'm a bit tired, but I just
read all of the above and I have no idea what your current thoughts
are regarding this patch.

Other than appending the timestamp, which is a hack, the patch is fine.
Support for re-measuring an event can be upstreamed independently.


Thanks for clarifying the details related to duplicate measurement detection and re-measuring.

I will keep the timestamp for the time being, even though its a hack, as it helps with re-measuring state changes in SELinux. We will add support for "policy driven" re-measurement as a subsequent patch series.

thanks,
 -lakshmi

Reply via email to