Re: [nfsv4] Linux IMA on NFS follow-up
Tom Talpey <tom@talpey.com> Wed, 29 August 2018 11:48 UTC
Return-Path: <tom@talpey.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AADE2130E87 for <nfsv4@ietfa.amsl.com>; Wed, 29 Aug 2018 04:48:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXj8FIr_W3AU for <nfsv4@ietfa.amsl.com>; Wed, 29 Aug 2018 04:48:44 -0700 (PDT)
Received: from p3plsmtpa11-07.prod.phx3.secureserver.net (p3plsmtpa11-07.prod.phx3.secureserver.net [68.178.252.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E420129AB8 for <nfsv4@ietf.org>; Wed, 29 Aug 2018 04:48:44 -0700 (PDT)
Received: from [192.168.0.55] ([24.218.182.144]) by :SMTPAUTH: with ESMTPSA id uyxnf2SoofWu4uyxnfDZa7; Wed, 29 Aug 2018 04:48:43 -0700
To: nfsv4@ietf.org
References: <C3D8FCD5-D792-43DA-BF4C-A56053AD85D3@oracle.com> <CAKKJt-dn1WbxYOx-CeWyGpWrpHxtVqLpFxroVj5LC4w9E8HZkw@mail.gmail.com> <ED4BDE8F-6AD4-4F96-A300-136C0BF2C43E@oracle.com> <BL0PR2101MB099349DA26CAEFACA5CD3C66A00A0@BL0PR2101MB0993.namprd21.prod.outlook.com> <501EFD14-0E07-42A3-87E5-C223FB110718@oracle.com>
From: Tom Talpey <tom@talpey.com>
Message-ID: <3f340381-9361-dcec-07b8-8a9e137b49c5@talpey.com>
Date: Wed, 29 Aug 2018 07:48:43 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <501EFD14-0E07-42A3-87E5-C223FB110718@oracle.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfExsRfUqs7KC7jb3xk5DJGGCnjSfI2NcOtaa7auszBiUN3j9jRP6mzAEc5IsjkUq6YnyP3U9o0dZT9KLfycu/6CI3X9yT7AUBUfnHM8CjdLqc8+LaP2V yauZStJruItyimqsMJtMUnGLABrjn6vjZK6FJC+MOHjQ6EYyyBxHom/e
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/q4nMCjBXSKRaJk4aPuFxXZvhtPc>
Subject: Re: [nfsv4] Linux IMA on NFS follow-up
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2018 11:48:47 -0000
On 8/28/2018 7:22 PM, Chuck Lever wrote: > Hi Tom- > >> On Aug 28, 2018, at 4:42 PM, Tom Talpey <ttalpey@microsoft.com> wrote: >> >>> The issue of interoperation is IMA's problem: they need to >>> be able to add/remove features while remaining compatible >>> with what's already in on-disk filesystems, as their vision >>> of IMA evolves. IOW they already have to solve this problem >>> with local filesystems. >> >> Is your intention to limit the discussion to IMA? What about filesystems >> which support native integrity, such as ReFS, ZFS, etc? > > I think it is limited to integrity measurement. It is > different than "native integrity", where the data is > protected only while it's at rest on the NFS server. > Native integrity metadata is generated on the fly by > the filesystem itself. > > Native integrity also would not seem to be suitable for > protecting the data while in transit. NFS has a separate > mechanism for that too. Ok, thanks for the clarification. Obviously, I haven't read the draft. NFS has protection for its messages, at least if krb5i is used, but that's a hop-by-hop protection and quite different. Not at issue, here, got it. > IMA provides provenance: the content hash is signed by a > software provider. The signature plus the content hash > guarantee that the content hasn't been altered since the > file was written by the software provider. It ensures > integrity from the "factory" all the way to the > execution environment of the end user. > > So this is a piece of long-lived security metadata that > is generated independently of users or local storage > devices. Ok, that's clear, but it requires the upper layer to provide the information. So NFS becomes basically a transport for the hash. What upper layers are actually using such an interface? Are they actually looking to use NFS? Unless such an application is part of the discussion, I don't think the working group should take this on. Tom. > Our approach to this class of metadata has been to create > additional fattr4 attributes: ACLs, security labels, and > so on. Here we have something that has a definite purpose, > but no defined format. > > >> It seems that if >> those are present, there should be a story for NFS to use them. Or if not, >> then a portable, interoperable NFS-level definition. > > The NFS protocol and NFS implementations do not have any > role in interpreting this metadata. All that is needed > is to store some additional bits that will be interpreted > elsewhere. > > Seems like we've done this before: NFS security labels > are defined elsewhere, and are not interpreted by NFS > itself. User extended attributes, named streams are not > interpreted by NFS, and are separate from file content. > > IMO it's valid to claim that interoperability in this > case is out of scope. > > >> Hitching onto a >> sidetracked train doesn't seem, to me, a recipe for success. >> Just my view from another cheap seat. >> >> Tom. >> >>> -----Original Message----- >>> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of Chuck Lever >>> Sent: Tuesday, August 28, 2018 4:06 PM >>> To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> >>> Cc: NFSv4 <nfsv4@ietf.org> >>> Subject: Re: [nfsv4] Linux IMA on NFS follow-up >>> >>> >>> >>>> On Aug 28, 2018, at 3:13 PM, Spencer Dawkins at IETF >>> <spencerdawkins.ietf@gmail.com> wrote: >>>> >>>> Hi, Chuck, >>>> >>>> You invited comments from the "cheap seats" in your note, but I think that's >>> actually me, and people who understand what's going on better than I do >>> would be in the orchestra pit seats. So I'd also invite comments from people >>> who understand what's going on better than I do. >>> >>> According to the RFC Editor, as AD you are the final >>> authority on what is an adequate set of citations >>> for the NFS specs we publish, so you get to be the >>> conductor today. >>> >>> Or anyway, you get first crack at an opinion. >>> >>> >>>> Having said that ... >>>> >>>>> On Tue, Aug 28, 2018 at 1:38 PM Chuck Lever <chuck.lever@oracle.com> >>> wrote: >>>>> Hi Spencer D. ! >>>>> >>>>> During our meeting in Montreal last month, I presented a backgrounder >>>>> on supporting Linux IMA (file integrity measurement) on NFS. >>>>> >>>>> A stumbling block to forward progress of the IMA-on-NFS specification >>>>> is the lack of any standard describing IMA. You recommended reaching >>>>> out to the Linux IMA community to inquire if they had plans for >>>>> standardizing IMA. I have done this: >>>>> >>>>> >>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.spi >>> nics.net%2Flists%2Flinux- >>> integrity%2Fmsg03399.html&data=02%7C01%7Cttalpey%40microsoft.co >>> m%7C18f04391586c4fcee43308d60d21a54e%7C72f988bf86f141af91ab2d7cd >>> 011db47%7C1%7C0%7C636710835491618174&sdata=Up9RBEFvcwXzx9 >>> hcDCBnYO3U1usX4MEwHlOZGbFZ83s%3D&reserved=0 >>>>> >>>>> And received no response. I conclude that there is no active effort >>>>> and perhaps no desire to standardize Linux IMA. >>>> >>>> I THINK what we're talking about here, is a stable reference for draft-ietf- >>> nfsv4-integrity-measurement to point to. Does that sound right? >>> >>> Yes, that was the problem described in Montreal. >>> >>> >>>> I'd like to better understand what reference is available - whether it is >>>> • a versioned description with a stable URL >>>> • an unversioned description >>>> • "the code is in github, good luck" >>>> • or some variation along that spectrum >>> >>> There is a wiki with a white paper, and there is what >>> is implemented in Linux. >>> >>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsourcefor >>> ge.net%2Fp%2Flinux- >>> ima%2Fwiki%2FHome%2F&data=02%7C01%7Cttalpey%40microsoft.com >>> %7C18f04391586c4fcee43308d60d21a54e%7C72f988bf86f141af91ab2d7cd01 >>> 1db47%7C1%7C0%7C636710835491618174&sdata=iIaZX2iTXbmTvIqGuz >>> OTJ97Zm7Sz6Y6MaWezWZA9vj0%3D&reserved=0 >>> >>> So, some from row B and some from row C. And some man >>> pages. It's a practical implementation, not something >>> that was conceived by standard and later implemented. >>> >>> However, all the participating filesystem needs to do >>> is store some security metadata. So I would like the >>> NFS pieces to be entirely agnostic to the metadata >>> format, and instead focus on: >>> >>> a) how to find this metadata >>> b) how large it can be >>> c) how to protect it in-transit >>> d) how to authorize access and updates to it >>> >>> >>>> I think having a stable reference matters more than something being a >>> "standard", from our perspective. >>> >>> We could cite the URL where the white paper resides, as >>> an Informative reference, but I'm not certain that is a >>> "stable" URL. Maybe the wiki is stable enough? >>> >>> >>>>> Therefore I propose the following changes to >>>>> draft-ietf-nfsv4-integrity-measurement: >>>>> >>>>> - Replace all specific mention of IMA with general discussion of >>>>> purpose and use cases >>>>> - Rename the new attributes with non-specific names; for example >>>>> fattr4_signature_content, fattr4_signature_attributes, and >>>>> fattr_signature_attrlist >>>>> - REQUIRE that the material stored in the first two attributes is >>>>> self-describing, such that the integrity measurement subsystems >>>>> on NFS endpoints can properly interpret and utilize their content >>>> >>>> So, is the goal here to be resilient to changes in IMA, or to be resilient to >>> replacing IMA with something else? >>> >>> Mostly the former goal. The latter is hypothetical at this >>> point, but possible down the road. >>> >>> >>>>> Do you feel this is adequate for the purposes of standardization? Are >>>>> there other approaches you would like me to consider? >>>> >>>> I'd only be looking for some way to achieve interoperation, so I'd be listening >>> for feedback from people who will implement this and deploy this mechanism. >>> >>> Fair enough. >>> >>> The issue of interoperation is IMA's problem: they need to >>> be able to add/remove features while remaining compatible >>> with what's already in on-disk filesystems, as their vision >>> of IMA evolves. IOW they already have to solve this problem >>> with local filesystems. >>> >>> >>>> I hope that's helpful! >>>> >>>> Spencer (D) >>>> >>>>> Comments/suggestions from the cheap seats (tm David Black) also welcome. >>>>> >>>>> -- >>>>> Chuck Lever >>> >>> -- >>> Chuck Lever >>> >>> >>> >>> _______________________________________________ >>> nfsv4 mailing list >>> nfsv4@ietf.org >>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf >>> .org%2Fmailman%2Flistinfo%2Fnfsv4&data=02%7C01%7Cttalpey%40micr >>> osoft.com%7C18f04391586c4fcee43308d60d21a54e%7C72f988bf86f141af91a >>> b2d7cd011db47%7C1%7C0%7C636710835491628183&sdata=NQQdpaw >>> GC19QWioBOPkj2O7SnLlvweZvYSNhsLEt1MU%3D&reserved=0 > > -- > Chuck Lever > > > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4 >
- [nfsv4] Linux IMA on NFS follow-up Chuck Lever
- Re: [nfsv4] Linux IMA on NFS follow-up Spencer Dawkins at IETF
- Re: [nfsv4] Linux IMA on NFS follow-up Chuck Lever
- Re: [nfsv4] Linux IMA on NFS follow-up Tom Talpey
- Re: [nfsv4] Linux IMA on NFS follow-up Chuck Lever
- Re: [nfsv4] Linux IMA on NFS follow-up Quigley, David
- Re: [nfsv4] Linux IMA on NFS follow-up Tom Talpey
- Re: [nfsv4] Linux IMA on NFS follow-up Chuck Lever
- Re: [nfsv4] Linux IMA on NFS follow-up Theodore Y. Ts'o
- Re: [nfsv4] Linux IMA on NFS follow-up Chuck Lever
- Re: [nfsv4] Linux IMA on NFS follow-up Benjamin Kaduk
- Re: [nfsv4] Linux IMA on NFS follow-up Chuck Lever
- Re: [nfsv4] Linux IMA on NFS follow-up Theodore Y. Ts'o
- Re: [nfsv4] Linux IMA on NFS follow-up Chuck Lever
- Re: [nfsv4] Linux IMA on NFS follow-up Quigley, David
- Re: [nfsv4] Linux IMA on NFS follow-up Theodore Y. Ts'o
- Re: [nfsv4] Linux IMA on NFS follow-up Chuck Lever
- Re: [nfsv4] Linux IMA on NFS follow-up Theodore Y. Ts'o