IETF Logo Mail Archive

Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-integrity-measurement-03.txt

David Noveck <davenoveck@gmail.com> Fri, 09 November 2018 10:52 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D449130EA2 for <nfsv4@ietfa.amsl.com>; Fri, 9 Nov 2018 02:52:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nata8XZP3gcn for <nfsv4@ietfa.amsl.com>; Fri, 9 Nov 2018 02:52:12 -0800 (PST)
Received: from mail-oi1-x22e.google.com (mail-oi1-x22e.google.com [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29D0B130F2A for <nfsv4@ietf.org>; Fri, 9 Nov 2018 02:52:12 -0800 (PST)
Received: by mail-oi1-x22e.google.com with SMTP id x63-v6so1088480oix.9 for <nfsv4@ietf.org>; Fri, 09 Nov 2018 02:52:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3Fj3Zy8yVpt8xNf6hc0kZr5C1xWheQMznOMW2JXK3Es=; b=GLKxZQEng06XnwPRMrV+MQduC4aXn3FtYorp3XvXu6Y0LltgxcnoLt7QT8tESHSbT6 0rtwhHbcw1OO3D64f64Jt+mjMdCJiWvqNLOTpBEFnKYX4shSjj6jrJsLOetRpiQhlwHX ZvyEWhPvYZQSA3J6YQioqyqntTi+A93OYdEkVzmNx+BND5IIDsx0AXjHR8oUravQJEMb eAQ42j/WwKqird5n7j+G59Cy+vsTvJQZOY431+cXq7C4H6dh2SL0O/eUCx76OgLRQVda QKcJ9BE1TAAhV7l28uR/QshERsxB8C8H1rMcv+f1btpMoX3310CBJ9J36GlQaNp2aptt z5Gg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3Fj3Zy8yVpt8xNf6hc0kZr5C1xWheQMznOMW2JXK3Es=; b=VHKR68srT9o2K8wrgopIrnjNaHHrDdAldJF8ccZ6dJ/KhIuiilGElVAnSUBH+upuTF ZrJYN7Nmr2p2hJqmF3N4JrRX31YRddiTTs4YdczTTMlFSzVsZ8jAoJk8JO1oGy65t3ZC FeTrRmuK1QuVzMVnz5CvOx1VO2GK3XeFDNylV4bDJoAKGISasMaaUsdLZoMnn0VBnFfJ b0DmTm8twJz+VzS8OYNt6PFK7fyflPTwdyzJc2M3JNBSHSBpjiWp2FJlkxefruPMmq2P zWF7zZF95HRlP3IA9dho7VHCmyYOsQjQrZ1W/C4WUyRdBkkxicsX3WT4qW5Lyfj+dXoW w8XA==
X-Gm-Message-State: AGRZ1gKEoUfkNBvLoAbK4A98N66umfK2Gp07GdETKtegk8R6mUrbSoY1 3QDnzqi5a2LbAEIS7pCJuhQlOz7fQ4bOyL/T5gM=
X-Google-Smtp-Source: AJdET5fVgjD8iXWEyZcW35QiVf3IaV+syd1Bxc4n7UXPU86Ykhn97dRW/H1B28DndyJB7CAnGusa1dcC47IpO1qag+I=
X-Received: by 2002:aca:d541:: with SMTP id m62-v6mr4519035oig.82.1541760731242; Fri, 09 Nov 2018 02:52:11 -0800 (PST)
MIME-Version: 1.0
References: <154160412218.26446.11676556173331817093@ietfa.amsl.com> <74E10D08-6181-49C8-B994-6554C72C4B7D@oracle.com> <BBC9F2E1-4E81-4FE4-99D0-A0B23F33AAD4@netapp.com> <D1E8642B-9A07-4812-82E0-982EDC6EF73E@oracle.com> <578769FE-6C12-4003-A579-7FB461D99A8A@netapp.com> <32BFC3DE-BF20-4A3B-88AC-FAF2C19F714D@oracle.com> <CCC8A8EA-7D8D-440F-B29C-1D3577FC104D@netapp.com> <CDC6A311-4076-405B-AE4C-26A0BC8CE685@oracle.com>
In-Reply-To: <CDC6A311-4076-405B-AE4C-26A0BC8CE685@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Fri, 09 Nov 2018 05:52:01 -0500
Message-ID: <CADaq8jf-G30UrgdaG9QcAVPXbtpNpW5mteJMkq5c7ZxPvMaCiQ@mail.gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Craig.Everhart@netapp.com, NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b6e5d8057a39247d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/6aAmCrSOuauDLsRktKwNtOIVtJ4>
Subject: Re: [nfsv4] Fwd: I-D Action: draft-ietf-nfsv4-integrity-measurement-03.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Nov 2018 10:52:20 -0000

> I do want to have multiple FPI
> blobs per file.

If so, then this desire could be accommodated more simply than by
allowing each such blob type (fpv_type) to be invidually settable
and retrievable as is suggested in -03.  The existing NFSv4 attribute
model would need substantial change to accommodate that.

I think the best way to provide for the possibility of multiple blobs would
be to make the provenace  attribute an array of blobs.   I think the
following would work but I might have messed up the typdef syntax.

typedef file_prov4 fattr4_file_provenance[];

Those who sign content will need to generate all the blobs they want
to support. I don't see why setting each blob needs to a separate operation.

Assesors, could get the entire blob set and fairly easily find the blob(s)
they want to access.

> IMA has one for file content, and another one
> for file attributes (the EVM blob). Both can exist at the same
> time.

OK.

> I'm specifying only the IMA blob for NFS at this time, as
> explained in a prior email,

As I understood it, wou were not actually specifying it but were
simply directing people to a description.   I can't recall the details, but
I recall some complexity about whether that description was actually
a specfication.

> but you should assume that more blobs
> will be coming in the future.

They might and implemeters will make their own decisions about how much
space to allocate to store potenial blobs.

On Thu, Nov 8, 2018 at 1:23 PM Chuck Lever <chuck.lever@oracle.com> wrote:

>
>
> > On Nov 8, 2018, at 12:03 PM, Everhart, Craig <Craig.Everhart@netapp.com>
> wrote:
> >
> > Hi Chuck, just one point.
> >
> > On 11/8/18, 11:54 AM, "Chuck Lever" <chuck.lever@oracle.com> wrote:
> >
> >>   This means _any_ change
> >>   to the content between the time it is generated and the time it
> >>   is used can be detected.
> >>
> >> And detected by only these special tools.
> >
> >    No, the FPI is evaluated by the provenance assessor before each
> >    access of the file.
> >
> > Perhaps you could clarify this architecture.  The menagerie of tools
> that would be modified, this provenance assessor--what is the architecture
> of the system in which these tools exist?  Is the "provenance assessor"
> part of the presumed OS on the NFS client?
>
> We're going in circles now. I've explained this before in e-mail
> and in the document.
>
>
> > Is it active when I read a file with the menagerie (e.g., "cp")?
>
> Depending on policy, it can be.
>
>
> > At backup time?
>
> Depending on policy, it can be.
>
> The primary point of FPI is to prevent the use of corrupted file
> contents. Copying or backing up file content is not necessarily
> considered "use", but an administrator might be paranoid or want
> some notification if tampering has occurred long before a file
> is used. It's also possible that a tool can be constructed to
> scrub a file system to pre-emptively identify corrupted content.
>
> Again, this document is not meant to be a full specification of
> IMA and how it's used. A discussion of tooling is out of scope,
> IMO.
>
>
> > I assume that it will be active when I want to edit the content of a
> source file, or execute a binary executable file.
>
> Most certainly just before a file is executed. If a source file
> is protected, it will be assessed as it is opened but before its
> contents are presented via read(2) or mmap(2). Any edits will
> require that the FPI be refreshed once the file content is stable
> again.
>
> So, now that I'm paged in again, I do want to have multiple FPI
> blobs per file. IMA has one for file content, and another one
> for file attributes (the EVM blob). Both can exist at the same
> time. I'm specifying only the IMA blob for NFS at this time, as
> explained in a prior email, but you should assume that more blobs
> will be coming in the future.
>
>
> --
> Chuck Lever
>
>
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>

v2.23.0 | Report a Bug | By Email