Re: [RFC][PATCH v2 06/12] diglim: Interfaces - digest_list_add, digest_list_del

From: Mimi Zohar
Date: Mon Aug 02 2021 - 11:01:38 EST


On Mon, 2021-08-02 at 08:14 +0000, Roberto Sassu wrote:
> > From: Roberto Sassu [mailto:roberto.sassu@xxxxxxxxxx]
> > Sent: Friday, July 30, 2021 4:25 PM
> > > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx]
> > > Sent: Friday, July 30, 2021 4:03 PM
> > > Hi Roberto,
> > >
> > > On Fri, 2021-07-30 at 13:16 +0000, Roberto Sassu wrote:
> > > > > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx]
> > > > > Sent: Friday, July 30, 2021 2:40 PM
> > >
> > > > > "critical data", in this context, should probably be used for verifying
> > > > > the in memory file digests and other state information haven't been
> > > > > compromised.
> > > >
> > > > Actually, this is what we are doing currently. To keep the
> > > > implementation simple, once the file or the buffer is uploaded
> > > > to the kernel, it will not be modified, just accessed through
> > > > the indexes.
> > >
> > > My main concern about digest lists is their integrity, from loading the
> > > digest lists to their being stored in memory. A while back, there was
> > > some work on defining a write once memory allocator. I don't recall
> > > whatever happened to it. This would be a perfect usecase for that
> > > memory allocator.
> >
> > Adding Igor in CC.
> >
> > Regarding loading, everything uploaded to the kernel is carefully
> > evaluated. This should not be a concern. Regarding making them
> > read-only, probably if you can subvert digest lists you can also
> > remove the read-only protection (unless you use a hypervisor).
>
> I briefly talked with Igor. He also agreed with that, and added that
> it could make it more difficult for an attacker to also disable the
> protection. However, he is not planning to submit an update soon,
> so I wouldn't consider this an option for now.

Hi Roberto, Greg,

As long as others understand and agree to the risk, the IMA details can
be worked out.

thanks,

Mimi