This is a request for comments on the attached patches which implement two LSM modules, EVM and SLIM. These patches are also available, along with sources for associated user space programs, and technical papers, at http://www.research.ibm.com/gsal/tcpa in the tpm-3.0.2 package. EVM (Extended Verification Module) is similar to digsig, in that it provides access control based on file integrity, but it provides this protection for all files (not just executables) through a general mechanism of authenticated extended attributes, based on keys protected by "TPM trusted boot". EVM is configurable to protect any extended attributes, including those for SLIM and selinux. In addition, when EVM is LSM stacked, the data and metadata integrity information can be passed to subsequent modules for further access control enforcement, such as demoting the integrity level of any process allowed to access the questionable file (i.e. sandboxing), and SLIM demonstrates this stacking. SLIM provides a simple integrity mandatory access control, similar to LOMAC, but using EVM information to aid decisions, and to ensure the integrity of guard processes. The former IMA (Integrity Measurement Architecture) is included as a configurable part of SLIM. While IMA is not an access control component, if integrity attestation is desired, it is most efficiently implemented here, as EVM has already measured all files, and SLIM knows which ones are integrity sensitive, and which should therefore be added to the TPM registers. We believe that EVM and SLIM help demonstrate the usefulness of LSM stacking, and of data and metadata integrity verification as an integral part of access control decisions. 
The attached patches (against 2.6.14-rc4-git1) are (in order):

  stacker.patch   (a roll-up of Serge's stacker, as of 23 Sept)
  tcfl-lsm.patch  (to reintroduce inode_post_create and _mkdir)
  tpm.patch       (adds trusted boot support to TPM driver) (it's not LSM, but is included for convenience)
  evm.patch       (evm module)
  slim-ima.patch  (slim-ima module)

The tcfl-lsm.patch reintroduces the inode_post_create and inode_post_mkdir hooks. EVM needs a way to HMAC newly created extended attributes after they have been written, which is not possible through the inode_init_security hook. We would certainly like to see these hooks reintroduced to LSM, if EVM is eventually accepted.

This is the first public RFC release, and as such, all questions and comments will be most appreciated.

dave safford
Mimi Zohar
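The mechanism the RFC describes (a keyed HMAC binding a file's measured content to its protected extended attributes, written after the other xattrs exist, and checked at access time) as an added illustrative model; this is not code from the EVM/SLIM patches, and the field layout, the `security.evm` / `security.slim` attribute names, the TPM-sealed key and the SHA-1 measurement are assumptions for the demo, not the patch's actual format.

```python
import hashlib
import hmac

# Assumption: in the real design this key is sealed to TPM PCRs by trusted
# boot and only released on a good boot; here it is a constructed constant.
EVM_KEY = b"constructed-demo-key-sealed-to-tpm"
# Assumption: which xattrs EVM protects is configurable; these are demo names.
PROTECTED_XATTRS = ("security.selinux", "security.slim")
EVM_XATTR = "security.evm"  # assumed name for the authenticating attribute


def measure(data: bytes) -> str:
    """Content measurement: SHA-1 of the file data (the 'measured' value)."""
    return hashlib.sha1(data).hexdigest()


def evm_hmac(data: bytes, xattrs: dict) -> bytes:
    """HMAC over the content hash and the protected xattrs, in fixed order.
    Each field is length-prefixed so name/value boundaries cannot collide."""
    fields = [measure(data).encode()] + [
        f"{name}={xattrs.get(name, '')}".encode() for name in PROTECTED_XATTRS
    ]
    mac = hmac.new(EVM_KEY, digestmod=hashlib.sha256)
    for field in fields:
        mac.update(len(field).to_bytes(4, "big") + field)
    return mac.digest()


def label(data: bytes, xattrs: dict) -> dict:
    """Post-create / post-setxattr step: write security.evm only after the
    other xattrs have been written (why the RFC wants inode_post_* hooks)."""
    out = dict(xattrs)
    out[EVM_XATTR] = evm_hmac(data, xattrs).hex()
    return out


def verify(data: bytes, xattrs: dict) -> bool:
    """Access-time check: recompute the HMAC and compare in constant time.
    An unlabeled file is reported as failing, so a caller can sandbox it."""
    stored = xattrs.get(EVM_XATTR)
    if stored is None:
        return False
    return hmac.compare_digest(bytes.fromhex(stored), evm_hmac(data, xattrs))
```

Edits to the data or to a protected label (e.g. `security.slim`) fail `verify`, while edits to an unprotected xattr do not, which is the distinction a stacked module such as SLIM would act on.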
This archive was generated by hypermail 2.1.3 : Mon Oct 17 2005 - 12:15:53 PDT