Re: [Linux-ima-devel] IMA SHA-1 log format "specification"

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Fri, 2017-07-28 at 17:11 -0400, Ken Goldman wrote:
> On 7/17/2017 7:26 PM, Mehmet Kayaalp wrote:
> > 
> >>
> >> Question:  What is the maximum number of event records?
> > 
> > There is no limit and the number is stored in a long field.
> 
> 1 - Long is platform dependent, right?
> 
> 2 - If an attacker sends a long with 0xffffffff records, or 0xfffffff 
> ffffffff records, the server should not blindly try to malloc that much 
> memory.

Based on policy, files are measured and appended to the tail of the
measurement list.  From a design perspective of measure before use,
the number of elements in the measurement list can not be limited.  At
some point we might want to add support for saving the measurements
offline.

> >> This is a 4-byte integer representing the length of the Template Name field.
> >>
> >> Question:  What is the maximum length?
> > 
> > in security/integrity/ima/ima_template.c
> > #define MAX_TEMPLATE_NAME_LEN 15
> 
> I'm looking for a guaranteed maximum.  I don't want a server to break
> if the client side code changes.

As new template fields are defined, the maximum custom template name
length will change.  The template data is prefixed with a length.
 Unknown template records can be skipped.  Template field data is
prefixed with a length. Unknown fields can be ignored/skipped.

> 
> >> 3.4.1. Signature Type
> >>
> >> This is a 1-byte field.  The value is 0x03.
> >>
> >> Question:  What are the valid values and meanings.  How does the type affect the other fields.
> > 
> > The whole signature data is part of the xattr data. This is actually
> > not the signature type, but the xattr type defined in:
> > security/integrity/integrity.h as:
> > 
> > enum evm_ima_xattr_type {
> > 	IMA_XATTR_DIGEST = 0x01,
> > 	EVM_XATTR_HMAC,
> > 	EVM_IMA_XATTR_DIGSIG,
> > 	IMA_XATTR_DIGEST_NG,
> > 	IMA_XATTR_LAST
> > };
> > 
> > So the only value is 3 for an event with signature.
> 
> I'm looking for a definition of 0x03, as well as any other values a 
> server might receive.

The last field of the ima-sig ("d-ng|n-ng|sig") template includes the
file signature (0x03) in the measurement list.  When Thiago
Bauermann's "Appended signatures support for IMA appraisal" patch set
is upstreamed, it will introduce a new signature format named
IMA_MOD_SIG (0x05).

Mimi

> > 
> >> 3.4.2. Signature Version
> >>
> >> This is a 1-byte field.  The value is 0x02.
> >>
> >> Question:  What are the valid values and meanings.  How does the version affect the other fields.
> > 
> > Only 1 and 2 are valid right now. In function integrity_digsig_verify:
> 
> What are the meanings of 1 and 2 - something I could add to the 
> specification.
> 
> >> 3.4.5. Signature Size
> >>
> >> This is a 2-byte integer representing the size of the Signature field.
> >>
> >> Question:  What are the legal values?  1024 and 2048?  Others?
> > 
> > This one is defined by the signature. For RSA, the key determines the
> > resulting signature size. When writing the xattr, it is set to the return value
> > of RSA_private_encrypt:
> 
> Understood, but what are the legal sizes that a server must handle.