For the delay... now, are we ready? Okay. Oh no, what happened? I didn't touch anything. What happened, huh? Oh wait, out of here. Okay. Whatever. Before we go... Presentation. What is this? No, this isn't where we want this. As I said, this was tested first thing this morning. Really? Okay, anyway, all right, we're doing this without the notes, and so hopefully I'll remember everything that I wanted to say.

IMA policy support for fs-verity is really a win-win for IMA and fs-verity. This has been a long time in coming, but we're finally there, for whatever reasons. I'm going to be talking, starting out with the goals for IMA, and going through the problems and what this work does for both IMA and fs-verity: the background information, what's missing in each of them, and the solution, how we resolved it. We'll go through the different policies and how this is a win-win for IMA and fs-verity. We'll show the policy rules so that you can actually use it.
It was upstreamed in the most recent open window. And let's get going. So the original goals of IMA have not changed; new features have been added. This is taken from the white paper that my colleague Dave Safford wrote. It's still on the wiki, and the base ideas haven't changed; new features have been added. So it's basically: detect if files have been accidentally or maliciously altered, both remotely and locally; appraise the file's measurement against a good value stored as an extended attribute, and sometimes as an appended signature now; and enforce local file integrity. So when we talk about this, this is basically what you get from secure and trusted boot.

The problem, why this hasn't been so pervasive, is that there's a lot of system setup required. For secure boot you need the signatures, you need the key management, and you need policy rules. On the trusted boot side, the setup is rather simple, although the policy isn't that simple, but we'll get to policy later. It's a minimal setup for trusted boot, and there's a lot more post-processing involved in it. From the very beginning we were asked to expose the iint structure, which contains the hashes, for some forensics work. Whether or not that's still being used: when you work in the Linux kernel, you never know who is using what or when.

So the initial policy design was to minimize the system performance impact, to make sure that it's flexible for all the different use cases, and to limit the frequency of measuring and appraising files, again due to performance. So if we go back to the balancing: there was a lot of discussion before this was upstreamed as to how much to measure. The initial papers were really cognizant that the TPM was very slow and that you needed to really consider how much you were measuring. So there's a balance between measuring too much and having this performance
impact, and measuring too little and not having full integrity of your system. So somebody asked... you know, Yana Kahuna said to me: which is more important, the TCB, which is their original policies, or is it the user data? The TCB can always be replaced: you just reinstall the files, you reinstall your system, and your TCB is already back. But the user data is more important. So when you define a policy and you're trying to get the flexibility for all the different cases, it's hard. You don't know who's going to be wanting to do what, for what reasons. And then we have the situation of not measuring, not appraising, not doing things too often, because caching adds complexity and it makes it really, really difficult for namespacing. Because unlike on the system, where the cache doesn't disappear on you, now with namespacing the cache is going to disappear, and you have the locking problems of the dentry coming at the same time that the cache can be removed. So yes, caching is good and it provides the performance, but when we talk about IMA namespacing, this is an issue.

These were the initial policy designs. We've gone through a lot of things on adding new types of signatures, like appended signatures; we now have support for appended signatures for verifying the kexec image. We're not limited to verifying just the security xattr. So in terms of policy, the policy language has been extended, but not the enforcement: how you load a policy, how you do anything else. And there are more things that could be done with that. Obviously everything has to be backward compatible, because this is the Linux kernel and things don't just disappear because you ask them to.

Okay, so what is missing, and why am I giving this talk? Why was support for fs-verity
upstreamed? Basically, IMA reads the file. Just like for the TCG standards, it has to read the whole file and it has to verify that file before access is given, access or execution, whatever it is, or the measurement is extended into the TPM and added to the measurement list. That has to happen before control can be handed over. This relies on i_version to detect whether or not there have been any changes. We do want to minimize the number of measurements in the measurement list, and there are a number of different ways of doing that, but we're dependent on i_version, and if i_version isn't there, then we re-measure. There's no way around it; we have no other way of knowing whether or not the file has changed. And this affects FUSE file systems. Do you trust FUSE? We certainly don't have any insight into what a FUSE file system actually is doing, so it always has to re-measure it.

So the problem with reading the entire file is the performance, depending on the size of your file. And not only is it the size of the file, it's also that if the file is evicted from the page cache, when it comes back it isn't revalidated. At the end of the slides there is a list of references: one is to Mike Halcrow and Eric Biggers' talk from LSS 2018, and then there's another paper that was written on this problem of not re-verifying the file when it's been evicted and comes back into the page cache: the malicious block devices, the firmware attacks.

So before we go on, before we go into fs-verity, are there any questions up to this point? Okay. All of this information is taken from the kernel docs, from the slides from the talk, and from fs-verity's sample applications.
So fs-verity is a support layer that file systems can hook into to support transparent integrity and authenticity protection of read-only files. Currently it's supported on the ext4, f2fs and btrfs file systems. So fs-verity, instead of reading and verifying the entire file, breaks up the file into chunks and puts those chunks into a Merkle tree, and the root of the Merkle tree together with the other file metadata is what's signed, and that's the fs-verity digest. So you need to create the Merkle tree to get the root hash and to be able to include other file metadata in the fs-verity digest. It's not required, the design doesn't require it, but on the file systems that currently support fs-verity, the Merkle tree is stored after the file data, as well as the fs-verity descriptor.

So the benefit of not having to calculate the full file hash is being able to do partial reads, and the benefit is that as the file is read from disk, it's verified: each block is verified as you read it. But unlike with full file data hashes, there are possible read failures. So depending on your use case, you might want to know ahead of time whether or not it's going to fail; think critical infrastructure.

Okay, so as the fs-verity feature is a hashing mechanism only, it optionally supports a simple signature verification mechanism, and authenticating files is left up to user space, meaning that whatever policy you have has to be in user space.

So when we talk about what fs-verity needs: if we wanted to include the measurements of a file in the IMA measurement list, you can't just read the file, because then you defeat the purpose. Read the file, calculate the file hash, and then land up with that in the measurement list: that kind of defeats fs-verity. So what we really want is to include the fs-verity file digest in the IMA
measurement list, and we also want to support having a policy for what to measure, what to appraise, and going forward, in the kernel. Having it in the kernel was the main reason for IMA being upstreamed in the first place. So this is basically a win-win for IMA and fs-verity: fs-verity gets the digest and signatures in the IMA measurement list, IMA enforces fs-verity-based file signatures stored in the security.ima xattr, and fs-verity closes the IMA integrity gap for files evicted from the page cache, because as it reads the file back in, it's going to verify the data that's being read in. Again, we said originally that fs-verity currently only does read-only files, so we're not talking about configuration files; we're talking only about read-only files.

So we're up to now: how this is being implemented. When the fs-verity measurements are included in the IMA measurement list, we really need to be able to differentiate which is an fs-verity file and which is the original IMA file hash. So we defined a new template called ima-ngv2. It's exactly the same as before; the only difference, as you'll see over here, is that it's prefixed with the type of digest. And you'll notice that the sha256sum, a straight file hash, is included in the measurement list, and it matches the sig and the hash down here. Okay, and when we do this for fs-verity, now you have 'verity' as the type that you're including: instead of a sha256sum, you're now doing an fs-verity digest, and that digest is included down here. Can't hit enter. So now you can differentiate what type of measurements are included in the measurement list.

Similarly, we want to be able to have the same type of information on the ima-sig template, so we defined the ima-sigv2 template, and here it's prefixed with 'ima', you have the normal signature
that's the EVM/IMA xattr signature, and it's a version 2, and all of these are enumerations that are included in the various include files. But we have one more step to go. We now have a signature, and we can differentiate the fs-verity one in the measurement list, but differentiating and making sure that the fs-verity signature is not being used to verify the IMA one, that they're not interchangeable: we want to make sure that you know exactly which signature is which. So we defined a signature version 3, which instead of including just the file digest, includes the file digest plus some other file metadata, such as the hash algorithm. Yeah, I think it's just the hash algorithm. So here we now have the fs-verity measurement entry in the measurement list. Again, with signature v2, it's prefixed with 'verity' down here, and you have a new signature type and a new signature version. It's not just the direct file hash; it indirectly signs through the signature v3.

And since we want to be able to say that we want only fs-verity files or only IMA file signatures: if you have a policy, and you have a file that's signed with the incorrect signature, you'll land up with zeros as the measurement, because in the fs-verity case it wasn't able to collect the file hash; it wasn't able to read the digest. So this prevents, and it's pretty clear, that you can't verify an fs-verity file if it's not signed with fs-verity.

Okay, so how do we sign this? There's the ima-evm-utils program.
I've posted patches for being able to sign files, and we're not using the same mechanism that we currently use for signing files for IMA, because basically that reads the file and calculates the file hash. Here we're dependent on fs-verity providing us the digest. So we can use `fsverity digest` to collect the file digest and then pipe it into evmctl; you can pipe in an entire file. And the output is similar to sha256sum: it gives you the digest and the file name, and the output will be appended with the signature at the end. Afterwards you can process that entire file and read it out, or use a script to read the last field and use setfattr to write out the signature as security.ima.

A lot of thanks to Eric Biggers for his help with the design and code review, similarly to Stefan Berger for reviewing the design and code, and to my colleagues Nayna Jain, George and Elaine for many discussions on why we need a new signature version for fs-verity. Why isn't it enough? Why couldn't we just sign the hashes as it was? And we came to the conclusion that this is fine: it differentiates the IMA file signatures from the fs-verity signatures so that they can't be intermixed. And the appreciation for the title of this talk goes to Elaine. Any questions?

I'm laughing because I asked someone to... Oh, and the main point! Oh, wow. Okay, I'll answer your question and then I'll go back to a slide where I left out the most important piece of information. Yes, I asked someone to do the performance analysis to see if there's any difference. The assumption is that on file open it will be, for large files and small files,
the exact same thing for fs-verity, whereas with IMA the amount of time is different for small files and large files, whether you're appraising the file or measuring the file. The TPM adds a performance impact which gets hidden when you have large files. It impacts performance, but I'm assuming that small and large files will be exactly the same and all the burden is on fs-verity.

But the main thing that I left out, because I didn't have my speaker notes here: you have to go all the way back. Yeah, this slide, that little line on the very bottom. Basically, up to now, I started to say that it's hard to get people to use IMA, especially in the secure boot mode, because getting the file signatures distributed with the metadata, with the file data, was very long in coming. But I'm happy to say that RHEL 9 was released with file signatures, CentOS Stream 9 has the signatures, and Fedora 37 will have the signatures. So now that we have this all there, I'm looking forward to people using it and really getting the benefit of it. It's been a long time coming.

Any other questions? So caching and extending the TPM are two different questions. All right, I guess I'm supposed to be repeating the question. Stefan is asking what the alternative is if we don't cache for IMA namespacing, and what the performance impact is.
So I don't know what the performance impact would be, but we do need to differentiate between repeatedly measuring the file, like we do for FUSE file systems or another file system that doesn't have i_version support, and extending the TPM. So I'm not sure how much... I mean, it won't go into the measurement list; for the subsequent measure, in other words when you re-evaluate the file, the hash is already there in the measurement list and it won't be re-added to the measurement list. So the cache is preventing you from recalculating the file hash. I'm saying that if you have the cache, it prevents you from recalculating the hash. Okay, but now that we have fs-verity, opening a large file and a small file will not have the same performance impact, because we're not calculating the file hash; we're relying on fs-verity to provide it to us. So therefore that impetus for having the cache might not be as important. And correct me if I'm wrong, I mean, with fs-verity we've said it is only for read-only files. And so if you now limit what you're verifying to configurations that have to be hashed, and then use EVM to sign the file metadata, then maybe caching isn't that important, because small files like configuration files won't take that long. I don't know.

The original... it was for the original IMA namespacing, where you needed the cache; you really needed the cache. It was not related to fs-verity. If the log doesn't grow... it is prevented because the hash is the same hash, and it will not be added to the measurement list; it will not be added to the IMA measurement list again.

Any other questions? Thank you.
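As an added example, not code from the talk or from the IMA project, here is a small parser for the ima-ng/ima-ngv2 and ima-sig/ima-sigv2 measurement-list entries the talk describes: it separates full-file ("ima") digests from fs-verity digests and flags the all-zero digest that the talk says shows up when a file is signed with the wrong signature type. It assumes the field layout the kernel's IMA template documentation gives for these templates; the sample lines, template hashes, file digests and signature blob are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Digest field layout (kernel IMA template docs): "sha256:<hex>" for ima-ng and
# ima-sig; "ima:sha256:<hex>" or "verity:sha256:<hex>" for ima-ngv2/ima-sigv2.
DIGEST_RE = re.compile(r"^(?:(?P<type>ima|verity):)?(?P<algo>\w+):(?P<hex>[0-9a-f]*)$")
V2_TEMPLATES = {"ima-ngv2", "ima-sigv2"}

@dataclass
class Entry:
    template: str
    digest_type: str  # "ima" (full-file hash) or "verity" (fs-verity digest)
    algo: str
    digest: str
    path: str
    sig: str = ""     # hex signature for ima-sig/ima-sigv2, empty otherwise

    @property
    def collect_failed(self) -> bool:
        # All-zero digest: IMA could not collect one, e.g. a verity rule matched
        # a file that carries no fs-verity digest (the mismatch case in the talk).
        return self.digest != "" and set(self.digest) == {"0"}

def parse_line(line: str) -> Entry:
    """Parse one ascii_runtime_measurements line: pcr tmpl-hash tmpl digest path [sig]."""
    _pcr, _tmpl_hash, template, dfield, path, *rest = line.split()
    m = DIGEST_RE.match(dfield)
    if m is None:
        raise ValueError("bad digest field: %r" % dfield)
    # v2 templates always carry the type prefix; v1 templates never do.
    if (m.group("type") is None) == (template in V2_TEMPLATES):
        raise ValueError("digest prefix does not fit template %s" % template)
    sig = rest[0] if rest and template.startswith("ima-sig") else ""
    return Entry(template, m.group("type") or "ima", m.group("algo"),
                 m.group("hex"), path, sig)

def summarize(text: str) -> dict:
    """Count entries per digest type and list paths whose digest is all zeros."""
    entries = [parse_line(l) for l in text.splitlines() if l.strip()]
    counts: dict = {}
    for e in entries:
        counts[e.digest_type] = counts.get(e.digest_type, 0) + 1
    return {"counts": counts,
            "collect_failed": [e.path for e in entries if e.collect_failed]}

# Constructed sample lines: template hashes, file digests and the signature
# blob are placeholders, not real values.
_TH, _H1, _H2 = "ab" * 20, "11" * 32, "22" * 32
SAMPLE = f"""
10 {_TH} ima-ng sha256:{_H1} /usr/bin/ls
10 {_TH} ima-ngv2 ima:sha256:{_H1} /usr/bin/cat
10 {_TH} ima-ngv2 verity:sha256:{_H2} /usr/bin/fsverity
10 {_TH} ima-sigv2 verity:sha256:{_H2} /usr/lib64/libfoo.so 030204aabbcc
10 {_TH} ima-ngv2 verity:sha256:{'0' * 64} /usr/bin/not-verity
"""
```

Running `summarize(SAMPLE)` over a real `/sys/kernel/security/ima/ascii_runtime_measurements` dump would show how many entries came from fs-verity and which files ended up with a zero digest.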