IETF Logo Mail Archive

Re: [nfsv4] Comments on draft-ietf-nfsv4-integrity-measurement-07

Chuck Lever <chuck.lever@oracle.com> Tue, 12 November 2019 15:12 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F08F712082E for <nfsv4@ietfa.amsl.com>; Tue, 12 Nov 2019 07:12:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bVURNQVvQJsl for <nfsv4@ietfa.amsl.com>; Tue, 12 Nov 2019 07:12:32 -0800 (PST)
Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D9BE12006E for <nfsv4@ietf.org>; Tue, 12 Nov 2019 07:12:31 -0800 (PST)
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id xACF4VcA072141; Tue, 12 Nov 2019 15:12:30 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2019-08-05; bh=aLd8RvUHgUcf9Z+nCXD9c3Waff4bmoPQXzJDkH3Dfe0=; b=HjW0lfcQ8yL1laylQjp7NWu+68RL4JS0MSojq1BEZPoQwgPsRgv+kE6q/PgIOfxfqUfZ IWmZwicq6tIUSzoI0E41GxqTGMl35dDAmm6+ITNIXLxrL48cdQw6/H0TyUjJMUDZdDSW ZcpCUQxG0eKZnPUKkc2F2uHMNhCVbtSE38Aun3yiW7rWOQPUTZURQpfwGeROgqk4ozPq cdF8wJRY1jh0qyz7zqmxnPppyAhiaRjl1//fgl6pYjvkQWdqeK3sACjiyCVMnAq8ukwr 4GM+XwGt8Ekju51VIqJ7yNjoVN7r6ldYAjNSncVIcuqe4EHsR+sBXhX74BpO0NLoJUup 3w==
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by aserp2120.oracle.com with ESMTP id 2w5ndq5f2y-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 12 Nov 2019 15:12:29 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id xACF4PwM180515; Tue, 12 Nov 2019 15:12:29 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userp3030.oracle.com with ESMTP id 2w7khkf6mk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 12 Nov 2019 15:12:28 +0000
Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id xACFCSD6025753; Tue, 12 Nov 2019 15:12:28 GMT
Received: from anon-dhcp-152.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 12 Nov 2019 07:12:27 -0800
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <CADaq8jfz-H=0n_UaMNFQ1KGWOYA2M-sg+spddHsMPDdFbXRA6Q@mail.gmail.com>
Date: Tue, 12 Nov 2019 10:12:26 -0500
Cc: spencer shepler <spencer.shepler@gmail.com>, Spencer Shepler <sshepler@microsoft.com>, NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <7F58A61E-CD6A-49CA-80E7-DEB369EEE034@oracle.com>
References: <CAFt6BakApq=FJWs+r-jwxvTdXYs9yOg9KS47no93kdnp2gZ_+Q@mail.gmail.com> <9BEBDE7A-522A-4A6B-8132-D9C3A8A4922C@oracle.com> <CAFt6Ba=q=vSt+wtcHsi59gWnwFpuUaDqQue7f=GFSUvd25uV+g@mail.gmail.com> <BFDF314F-B913-4C4A-BAB4-C09FA840F4F6@oracle.com> <CADaq8jc_gM0SWe9weRJYp7s7xjtN9kihbVnUiBN61hF2LUJjzQ@mail.gmail.com> <FD12C92F-BBF4-4174-B896-48738C02B78E@oracle.com> <CAFt6BanwC4uu=9SpZQdiGjFswzkC3cSWPzGia34qBT5W+uuMNw@mail.gmail.com> <5B51BB44-F39D-4EF6-9E1E-3EF958F90260@oracle.com> <20191031192409.GJ88302@kduck.mit.edu> <67D69A00-D231-4845-A840-F3D67D629554@oracle.com> <CAFt6BanShDjwD3SftuDUvChFq9zOU5h1UC2y=W+3bVm++jAEKA@mail.gmail.com> <479C7409-9DCF-4C11-84AB-2E3729D96B22@oracle.com> <CADaq8jfMXjewirgvyCgh3D+yXQSNEX3HbWMCnz=XYCKk5T=6iA@mail.gmail.com> <00F112E6-F869-4624-A68E-9C909AB3B653@oracle.com> <CADaq8jckJQ2GZw-wEY-TLhqWhXcom1QNn8oTLL6TSNZy+4OHzg@mail.gmail.com> <9EAD488D-D246-4961-A6F7-4926734AF292@oracle.com> <CADaq8jfz-H=0n_UaMNFQ1KGWOYA2M-sg+spddHsMPDdFbXRA6Q@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9438 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1910280000 definitions=main-1911120133
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9438 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1910280000 definitions=main-1911120133
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/BCdvDXIhdlxcCyqNWIF9ogagMTU>
Subject: Re: [nfsv4] Comments on draft-ietf-nfsv4-integrity-measurement-07
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2019 15:12:34 -0000


> On Nov 12, 2019, at 9:09 AM, David Noveck <davenoveck@gmail.com> wrote:
> 
> > There is also the question of whether the format discriminator field
> > not only marks the internal format, 
> 
> I don't understand.   I would think that the format discriminator
> identified the external format.  Of course, as a practical, matter,
> a server implementation might well choode to make the internal
> and external formats the same, since it doesn't really care.

Sorry. Not sure why I used the term "internal" here. I merely
meant the public integrity metadata format.


> > but also allows the storage and
> > retrieval of metadata stored in other xattrs (unlike the discriminator
> > for NFSv4 security labels, which applies only to one xattr).
> 
> From the NFSv4 poiint of view, the particular (system) xattr used 
> for this purpose don't really matter.   Since they are not not
> NFSv4 (user) xattrs, any such assigment is purely an
> implemenation matter.

The issue is similar for NFSv4 security labels, though that ship
has sailed. On Linux each label type is stored in a unique xattr,
but the NFSv4 security label specification requires there be only
one accessible label at a time per file.

Yes, multiple security labels per file does make sense.


> > IMA, for example, already uses two xattrs, security.ima and
> > security.evm, that can co-exist on the same file. 
> 
> That the first of hear of this and your spec does not mention it.

It's not the first time it's been discussed here, and in fact
some earlier revisions of the personal draft version of this
document did discuss EVM, iirc.

IMA is a hash of file content. EVM is a hash of file
attributes. EVM is not supported by my spec simply because
the NFS protocol does not expose all of a file's attributes
(the file's capability settings being one of the most
important attributes that EVM protects). Thus NFS clients
are unable to verify EVM metadata.


> I presume this is because this division into multiple sub-blobs
> is not necessary to implement the protocol you describe,
> although it might be necessary to implement appraisal. 
> 
> > It would be slick
> > to add support for security.evm simply by adding another entry into
> > the IANA registry.
> 
> I don't see why this wouldn't work or why it is even in question.

It's in question because NFSv4 security labels explicitly do not
allow multiple labels per file, but integrity will likely need
that kind of functionality.

During a previous discussion, future EVM support was mentioned as
a reason why having a discriminator field would be a good thing.


> If there is a furure IMA metadata format consisting of these two 
> sub-blobs, it would not affect the protocol yout have described.
> Servers would not care about this sub-dvision while those concerned
> with appraisal would have to be aware of them.  However, they would 
> not need to know anything about how these sub-blobs were stored.

That's correct: EVM is similarly opaque to filesystem implementations.


> I assume on-Disk Linux file systems would use these xattrs, while 
> NFSv4.2 servers with no appraisal capabilities would probably store 
> the whole blob  as-is.

I agree that the protocol specification should remain agnostic about
how NFS servers store integrity metadata. I'd simply like to be able
to store multiple distinct types of integrity metadata on the same
file.


=====

Recall that at least one revision of this document called the metadata
"file provenance information." Craig didn't like that because he felt
it was dishonest about what the purpose of this extension actually
was -- to store Linux IMA metadata.

If the pendulum is swinging back to enabling storage and transport of
generic integrity metadata, perhaps calling this attribute IMA is no
longer appropriate, and some other name would be better.

FATTR4_INTEGRITY_METADATA or maybe just FATTR4_INTEGRITY ?


--
Chuck Lever

v2.23.0 | Report a Bug | By Email