Support for dm-verity volumes that have their root hash measured via the TPM2

[RaitoBezarius]

Certain setups relies heavily on remote attestation and ensure that everything relevant gets measured, in these scenarios, a goal is to minimize the number of signing keys (and get them to zero successfully, we build the kernel with a key that we throw after the build to lock the kernel).

In these setups, a welcome addition would be to enable IPE but IPE requires to write a (signed) policy that knows the dm-verity hash in advance. It would be great if instead we could rely on the implicit trust that stems from having a dm-verity volume that had its root hash measured (via the kernel command line measurement for example), something like:

DEFAULT action=ALLOW
DEFAULT op=EXECUTE action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=KMODULE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_cmdline_measured=TRUE action=ALLOW
op=KMODULE dmverity_cmdline_measured=TRUE action=ALLOW

This way, we wouldn't need to specify any hash and such a policy can be inherently trusted if measurements of initramfs and dm-verity volumes takes place, we could bake it into the kernel directly without having to ship it separately (and therefore sign it).

I think I can send a patch to do this but the problem is how to detect that a root hash has been measured. I feel like pulling out the kernel command line to see if there's roothash=$root_hash is a bit weird.

[jxwufan]

Hi,

Thanks for the proposal. I have some concerns here.

Measurement alone doesn't establish trust, it only records what was loaded, not whether it should be trusted. An attacker could boot with a malicious dm-verity volume and it would still be "measured". IPE's role is to enforce policy based on explicit trust properties like signatures and specific dm-verity hashes, not to blindly trust whatever happens to be measured.

I'm also not entirely clear on how the cmdline approach would work, but regardless, having IPE parse cmdline to extract roothash feels out of scope and would open up various other issues. I could be wrong here, but relying on measurement status to make trust decisions is really what IMA appraisal is designed for, so IMA is probably the right place for this.

[RaitoBezarius]

Thank you so much for the reply.

Here's another idea: what if the trust was provided by something that boots the kernel and IPE can be configured to trust whatever loaded the kernel is trusted.

For example, AdrianVovk/linux#1 propose to add a .vendor section to UKIs (which are usually Secure Boot signed and measured), therefore, IPE policies could be signed perhaps via one of the key in the .vendor section, that's easier for my usecase but I wonder if a better outcome can be achieved by having maybe a custom section in UKI like .ipe which can provide a trusted IPE policy to the kernel.

AFAIK, IMA would require an entire new mechanism to support this idea and IPE is still the closest thing for that.