Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation.

From: Jaskaran Singh Khurana
Date: Fri Jun 28 2019 - 15:45:14 EST

Next message: Kees Cook: "Re: [PATCH v2] Convert struct pid count to refcount_t"
Previous message: Atish Patra: "Re: [PATCH v4] RISC-V: Add an Image header that boot loader can parse."
In reply to: Eric Biggers: "Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation."
Next in thread: Eric Biggers: "Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello Eric,
On Thu, 27 Jun 2019, Eric Biggers wrote:

On Wed, Jun 19, 2019 at 12:10:47PM -0700, Jaskaran Khurana wrote:

This patch set adds in-kernel pkcs7 signature checking for the roothash of
the dm-verity hash tree.
The verification is to support cases where the roothash is not secured by
Trusted Boot, UEFI Secureboot or similar technologies.
One of the use cases for this is for dm-verity volumes mounted after boot,
the root hash provided during the creation of the dm-verity volume has to
be secure and thus in-kernel validation implemented here will be used
before we trust the root hash and allow the block device to be created.

Why we are doing validation in the Kernel?

The reason is to still be secure in cases where the attacker is able to
compromise the user mode application in which case the user mode validation
could not have been trusted.
The root hash signature validation in the kernel along with existing
dm-verity implementation gives a higher level of confidence in the
executable code or the protected data. Before allowing the creation of
the device mapper block device the kernel code will check that the detached
pkcs7 signature passed to it validates the roothash and the signature is
trusted by builtin keys set at kernel creation. The kernel should be
secured using Verified boot, UEFI Secure Boot or similar technologies so we
can trust it.

What about attacker mounting non dm-verity volumes to run executable
code?

This verification can be used to have a security architecture where a LSM
can enforce this verification for all the volumes and by doing this it can
ensure that all executable code runs from signed and trusted dm-verity
volumes.

Further patches will be posted that build on this and enforce this
verification based on policy for all the volumes on the system.

I don't understand your justification for this feature.

If userspace has already been pwned severely enough for the attacker to be
executing arbitrary code with CAP_SYS_ADMIN (which is what the device mapper
ioctls need), what good are restrictions on loading more binaries from disk?

Please explain your security model.

- Eric

In a datacenter like environment, this will protect the system from below attacks:

1.Prevents attacker from deploying scripts that run arbitrary executables on the system.
2.Prevents physically present malicious admin to run arbitrary code on the
machine.

Regards,
Jaskaran

Next message: Kees Cook: "Re: [PATCH v2] Convert struct pid count to refcount_t"
Previous message: Atish Patra: "Re: [PATCH v4] RISC-V: Add an Image header that boot loader can parse."
In reply to: Eric Biggers: "Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation."
Next in thread: Eric Biggers: "Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]