Re: [nfsv4] Review of draft-ief-nfsv4-integrity-measurement-04

Chuck Lever <chuck.lever@oracle.com> Tue, 21 May 2019 19:00 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F70012019F for <nfsv4@ietfa.amsl.com>; Tue, 21 May 2019 12:00:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sFPPc50xWuUn for <nfsv4@ietfa.amsl.com>; Tue, 21 May 2019 12:00:45 -0700 (PDT)
Received: from aserp2130.oracle.com (aserp2130.oracle.com [141.146.126.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEEE2120298 for <nfsv4@ietf.org>; Tue, 21 May 2019 12:00:44 -0700 (PDT)
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x4LIwmH3118954; Tue, 21 May 2019 19:00:41 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2018-07-02; bh=fVmBczVzPhwy7wixmWUrEHUT99z1v+dE2EUMMaMO4ws=; b=AGg3TWJ93BBPhoSlgvxU6KRwcLeJXamVgDwosol3Yy7eGV4h7A2YgMWrFWz+N9YzrQfl bi5aBVB/BKW9bTwEZwv1FGHXKJq+cfDVeVgB9AmOrBce3ER1rAdbGK1D0CLl3zYgh13n D9ZTI/BoVPrSXyQE4HrdMShcHGpaaKpoMqKR0MTBxALFQ+gDxbUBFm/cdgoxQhgu4Mby xApKQArel/keYlqFb8ymg8CGfC9BhjxmzOQipc5l/+qiRHrkYHcbUHHor7WthrkKqpAD R0OfTIDcPKlyqSY0nemF53M+lU5cx4qiwlwQhg5f2Fk+By4hv21mrSfoawKfmp2UPSNt jw==
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by aserp2130.oracle.com with ESMTP id 2sj7jdqptb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 21 May 2019 19:00:41 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x4LIwpEg048266; Tue, 21 May 2019 19:00:40 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userp3030.oracle.com with ESMTP id 2skudbjbkn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 21 May 2019 19:00:40 +0000
Received: from abhmp0006.oracle.com (abhmp0006.oracle.com [141.146.116.12]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x4LJ0dYR012791; Tue, 21 May 2019 19:00:39 GMT
Received: from anon-dhcp-171.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 21 May 2019 19:00:39 +0000
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <CADaq8jeKEN9MY9hs859hJxfyCjeObOR1vBdWMyjFGF9g+KhnfQ@mail.gmail.com>
Date: Tue, 21 May 2019 15:00:38 -0400
Cc: NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6562B008-FDA5-4DE2-B0CE-EC310F372E03@oracle.com>
References: <CADaq8jc2FoNEYHp282hxjY3EnWH7qQhF=WHomp+W9O5qf85USw@mail.gmail.com> <AACE7624-98E3-47AE-AA4F-BBD752A818AD@oracle.com> <CADaq8jeKEN9MY9hs859hJxfyCjeObOR1vBdWMyjFGF9g+KhnfQ@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9264 signatures=668687
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905210116
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9264 signatures=668687
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905210117
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Z96OTnrw_XB2aLJBRvIKYALNHuk>
Subject: Re: [nfsv4] Review of draft-ief-nfsv4-integrity-measurement-04
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 May 2019 19:00:54 -0000

Hi Dave-

> On May 21, 2019, at 5:52 AM, David Noveck <davenoveck@gmail.com> wrote:
> 
> Thanks for the quick response.    I look forward to seeing -05.
> 
> Rather than subjecting each other (and the working group) to a 
> series of messages with long strings of >'s, let me try to summarize
> our remaining disagreement by noting that you are uncomfortable with
> my description of this as a linux-only feature and deny that this
> is atypical by citing a number of other features that have only a
> single implementation, in Linux.
> 
> I agree that these features are de facto Linux-only features.   I think it
> is relevant to note two reasons that I consider the im stuff different, making
> it, in -04 and probably in -05, a de jure Linux-client-only feature.   In -00, 
> there was an attempt to make this client-neutral but those efforts seem 
> to have lapsed.   Note that:
> 	• Unlike the other features you mentioned, the word "LINUX" appears as part of the attribute name, as opposed to the use of "PROVENANCE" in -00.   My interpretation of this shift is that it indicates a decision to treat this as a Linux-client-only feature, rather than one which just happens to have only a single current client implementation.

I changed the name because of comments from you and Craig.

I used LINUX because IMA is "specified" by the Linux implementation,
not because IMA is implemented only on Linux.

So let's pick a name that does not have LINUX in it. I see that RFC
8276 uses

      /// typedef component4     xattrkey4;
      /// typedef opaque         xattrvalue4<>;

No sign of "linux" there. I'm open to suggestions. If no-one has one,
I'll use FATTR4_IMA in the next revision.


> 	• With what is in the spec, it is impossible to write a non-Linux client implementation, because the format of the IMA metadata is not described.

The attributes added by the proposed protocol extension are
completely specified in this document. Any NFS client can enable
access to and updates of IMA metadata using this document.

Why would a client without an IMA implementation want to do this?
For example, the metadata can be copied with the file's content.
There is no need for any interpretation of that metadata on the
copying host, it is simply an opaque blob. But not copying that
blob means there is unwanted loss of information in the copy.

If, for instance, the Linux IMA tool "evmctl" is ported to other
operating systems (if they have xattr support), IMA metadata is
exposed to user space on that OS and can be read or set via evmctl.

I should mention that the changes to the Linux NFS client and
server implementation do not know anything about the form of the
metadata, nor do they need to.


> There have been requests to provide this and it has not been provided and I'm not sure if I will ever understand why it has not.

I have explained repeatedly on list why it is not possible. There
is no specification for IMA, there is only an implementation. What
could be cited in my document? I stated that up front when I
presented during last summer's IETF meeting. This is the major
issue with this document. There is no specification of IMA to cite.

I have also explained why there is no need for the document to
describe the metadata format: NFS acts only as a conduit, just like
it does for user xattrs or file content. The metadata is not
interpreted by either the NFS client or server implementation.

This is the same as the local filesystem case. Local filesystems
store the metadata, and a separate security module (or user space
programs like evmctl) interprets it. To the local filesystem, IMA
metadata is completely opaque. It is no different for NFS.

[ As soon as this document provides format details, it will become
the specification for IMA. I'm not sure the IETF or the WG wants
to sign up for that responsibility, and IMO the Linux community
would not settle for being tied down by an RFC either. ]


> In any case, while the server can treat this as uninterpreted data, a client implementation cannot,

I believe that is a false assertion.

When I wrote "interpreted /on/ the NFS client" I meant on the host
where the file content is accessed via NFS and then subsequently
used. The NFS client implementation itself does not interpret the
metadata any more than it cares what's in the file's byte stream.

So my quibble yesterday is now a full blown objection to your
characterization: Neither the NFS client implementation nor the
NFS server implementation interprets IMA metadata. Both are pass-
through agents.

The metadata is interpreted by a separate (trusted) agent whenever
the file content is read (or executed). But it is totally opaque
to the NFS protocol and implementations.

In this sense, IMA metadata is precisely the same as a user xattr.


> so that, until this is is specified, the ima stuff is, from the client point of view, a Linux-only feature.

Perhaps it is, practically speaking, but I disagree with your
reasoning.

I will re-write the Introduction again to clarify the above points.


--
Chuck Lever