[PATCH 00/14] Implement Trusted Security Event Modeling.
Dr. Greg
greg at enjellic.com
Sat Feb 4 05:09:40 UTC 2023
This patch series implements Trusted Security Event Modeling (TSEM) as
a new Linux Security Module (LSM) architecture.
At a conceptual level, TSEM can be thought of as an integration of
integrity measurement and mandatory access controls. TSEM brings to
Linux security, a new model for implementing security controls that is
unique among current operating system platforms.
TSEM is designed to support the concept of a Trust Orchestration
System (TOS). Trust orchestration involves the process of modeling
the security behavior of a workload, or a platform at large, and
defining whether or not a process is to be trusted, based on whether
or not the security events that it produces are consistent with a
security model that has been designed for a workload or platform.
TSEM operates under the premise, that security, like all other
physical phenomena in science and engineering, can be mathematically
modeled. TSEM notionally treats the LSM security event hooks as a
basis set that is capable of generating a functional value for a
security model.
To support this notion, TSEM implements, entirely within the context
of the LSM architecture, the notion of security modeling domains which
are akin to resource namespaces. A modeling domain is designed to be
paired with a Trusted Modeling Agent (TMA) that implements the root of
trust for a security domain/namespace.
A TMA implementation uses the descriptive parameters of a security
event hook to compute task specific coefficients for each security
event that occurs in a modeling domain. The sum of these
coefficients, represents the security 'state' of the model. These
coefficients, nee state points, for a security model are designed to
be developed by unit testing of an application stack.
TSEM thus represents a security architecture designed to support
modern software development strategies that are embracing
resource containerization and continuous integration and
development practices. The objective of TSEM, along with
Quixote, it's userspace TOS implementation, is to bring to Linux
integrity and mandatory what Docker brought to Linux resource
namespaces.
The Quixote TOS has implementations of trust orchestrator's for the
following TMA trust roots:
Kernel.
Userspace process.
SGX enclave.
Xen Hypervisor domain.
Hardware based security coprocessors.
One of the objectives for Quixote/TSEM is to provide a framework for
developing next generation security co-processor technology that
extends beyond what is currently represented in the form of Trusted
Platform Modules.
Included with the Quixote TOS is an implementation of a security
co-processor based on the Nordic NRF52840-DONGLE micro-controller.
This is a USB form factor device that is currently being used for
projects such as GOOGLE's OpenSK security key initiative and 3mdeb's
Fobnail attestation server project.
Included in the patch series is an extensive documentation file that
can be found in the following location after the series is applied:
Documentation/admin-guide/LSM/tsem.rst
Reviewers, and other who are interested, are referred to this
document for a more extensive discussion into the rationale,
design and implementation of the TSEM architecture.
Control of TSEM is surfaced entirely through the tsemfs filesystem
that has the following mountpoint:
/sys/fs/tsem
TSEM is designed to be largely self-contained and independent of the
kernel at large and other LSM's. It operates without the need for
filesystem labeling or cryptographic integrity protection of
filesystem metadata.
Source code for the userspace trust orchestration system and
pre-compiled binariesare available at the following location:
ftp://ftp.enjellic.com/pub/Quixote
The Quixote/TSEM TMA currently implements a very simple deterministic
security model. The architecture is designed to provide a flexible
framework to support the potential implementation of more advanced
models that use stochastics, inference or other machine learning
methodologies.
Dr. Greg (14):
Update MAINTAINERS file.
Add TSEM specific documentation.
Add magic number for tsemfs.
Implement CAP_TRUST capability.
Add TSEM master header file.
Add primary TSEM implementation file.
Add root domain trust implementation.
Implement TSEM control plane.
Add namespace implementation.
Add security event description export facility.
Add event description implementation.
Implement security event mapping.
Implement an internal Trusted Modeling Agent.
Activate the configuration and build of the TSEM LSM.
Documentation/ABI/testing/tsemfs | 576 ++++++
Documentation/admin-guide/LSM/index.rst | 1 +
Documentation/admin-guide/LSM/tsem.rst | 1240 ++++++++++++
.../admin-guide/kernel-parameters.txt | 5 +
MAINTAINERS | 8 +
include/uapi/linux/capability.h | 6 +-
include/uapi/linux/magic.h | 1 +
security/Kconfig | 11 +-
security/Makefile | 1 +
security/selinux/include/classmap.h | 2 +-
security/tsem/Kconfig | 22 +
security/tsem/Makefile | 2 +
security/tsem/event.c | 474 +++++
security/tsem/export.c | 388 ++++
security/tsem/fs.c | 894 ++++++++
security/tsem/map.c | 497 +++++
security/tsem/model.c | 598 ++++++
security/tsem/namespace.c | 226 +++
security/tsem/trust.c | 134 ++
security/tsem/tsem.c | 1801 +++++++++++++++++
security/tsem/tsem.h | 388 ++++
21 files changed, 7268 insertions(+), 7 deletions(-)
create mode 100644 Documentation/ABI/testing/tsemfs
create mode 100644 Documentation/admin-guide/LSM/tsem.rst
create mode 100644 security/tsem/Kconfig
create mode 100644 security/tsem/Makefile
create mode 100644 security/tsem/event.c
create mode 100644 security/tsem/export.c
create mode 100644 security/tsem/fs.c
create mode 100644 security/tsem/map.c
create mode 100644 security/tsem/model.c
create mode 100644 security/tsem/namespace.c
create mode 100644 security/tsem/trust.c
create mode 100644 security/tsem/tsem.c
create mode 100644 security/tsem/tsem.h
--
2.39.1
More information about the Linux-security-module-archive
mailing list