Linux IMA notes

Glossary

  • IMA Integrity Measurement Architecture, responsible for calculating the hashes of files and programs before they are loaded; it can also report those hashes and validate them against a predefined list of known-good values.
  • TCB Trusted Computing Base, a set of all hardware, firmware, and/or software components that are critical to the security of a computer system.
  • LSM Linux Security Modules, a framework allowing the Linux kernel to support without bias a variety of computer security models.
  • TCG Trusted Computing Group, implements Trusted Computing concepts across personal computers.
  • Trusted Computing gives hardware manufacturers control over what software does and does not run on a system by refusing to run unsigned software.
  • securityfs is a filesystem used by LSM located at /sys/kernel/security

  • EVM Extended Verification Module, used to validate security-sensitive extended attributes before allowing operations on the files.

Enabling IMA measurement

  • “ima_policy=” on the boot command line

IMA Kernel command line options

  • ima_audit subsequent access to flushed inodes will also be logged.

  • ima_policy=

    • tcb measures all executables run, all mmap’d files for execution (such as shared libraries), all kernel modules loaded, and all firmware loaded. Additionally, all files opened for read by root are measured as well.
    • appraise_tcb appraises all files owned by root.
    • secure_boot appraises all loaded modules, firmware, kexec’d kernels, and IMA policies, and requires each of them to carry an IMA signature. This is normally used with the CONFIG_INTEGRITY_TRUSTED_KEYRING kernel option in a secure boot scenario, with the public key obtained from the OEM in firmware or via the MOK (Machine Owner Key) in shim.
  • ima_template The template to be used for the format of stored measurements.

Working with IMA

  1. mount -t securityfs security /sys/kernel/security
  2. If <securityfs>/integrity/ima does not exist, recompile the kernel with the config option CONFIG_IMA enabled

Viewing measurements

  • sudo cat /sys/kernel/security/ima/ascii_runtime_measurements
10 0adefe762c149c7cec19da62f0da1297fcfbffff ima-ng sha256:0000000000000000000000000000000000000000000000000000000000000000 boot_aggregate

Verifying measurements

The IMA test programs are part of the Linux Test Project.

Standalone version: ltp-ima-standalone-v2.tar

make
make install
sudo /usr/local/bin/ima_boot_aggregate /sys/kernel/security/ima/binary_bios_measurements
010 2c149c7cec19da62f0da1297fcfbffff06000000
Error event too longPCR-00: 0000000000000000000000000000000000000000
PCR-01: 0000000000000000000000000000000000000000
PCR-02: 0000000000000000000000000000000000000000
PCR-03: 0000000000000000000000000000000000000000
PCR-04: 0000000000000000000000000000000000000000
PCR-05: 0000000000000000000000000000000000000000
PCR-06: 0000000000000000000000000000000000000000
PCR-07: 0000000000000000000000000000000000000000
boot_aggregate:9797edf8d0eed36b1cf92547816051c8af4e45ee

Compare the boot_aggregate value printed by the tool with the boot_aggregate entry in ascii_runtime_measurements.
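Reading ascii_runtime_measurements and comparing a recomputed boot_aggregate against it, as done above, is what a verifier repeats for every entry in the log. The following Python script is an added example, not part of these notes or of the LTP tools: it parses ima-ng log lines, recomputes each entry's template hash the way the kernel does (length-prefixed d-ng and n-ng fields hashed with SHA-1) and replays the PCR-10 extend chain that a TPM quote would be compared against. It assumes the SHA-1 template hash and PCR bank shown in the log above and an x86 (little-endian) host; the sample log, file contents and paths are constructed.

```python
"""Parse and cross-check an IMA 'ima-ng' measurement log.

Added example (not from the notes or the kernel/LTP sources).
Assumptions: SHA-1 template hashes and SHA-1 PCR bank (as in the log
above), native little-endian field lengths (x86).
"""
import hashlib
import struct

PCR_SIZE = 20                   # SHA-1 bank
ZERO_PCR = b"\x00" * PCR_SIZE   # PCR value at power-on


def template_data_ima_ng(algo, digest, path):
    """Rebuild the ima-ng template data the kernel hashed.

    d-ng field : "<algo>:" + NUL + raw file digest
    n-ng field : pathname + NUL
    Each field is preceded by its u32 length (little-endian on x86).
    """
    d_ng = algo.encode() + b":\x00" + digest
    n_ng = path.encode() + b"\x00"
    return b"".join(struct.pack("<I", len(f)) + f for f in (d_ng, n_ng))


def template_hash_ima_ng(algo, digest, path):
    """SHA-1 of the template data; this is the second column of the log."""
    return hashlib.sha1(template_data_ima_ng(algo, digest, path)).hexdigest()


def parse_line(line):
    """Split one ascii_runtime_measurements line into its fields."""
    pcr, th, template, d_ng, path = line.rstrip("\n").split(" ", 4)
    if template != "ima-ng":
        raise ValueError(f"unsupported template {template!r}")
    algo, digest_hex = d_ng.split(":", 1)
    return {"pcr": int(pcr), "template_hash": th, "algo": algo,
            "digest": digest_hex, "path": path}


def verify_log(text):
    """Recompute every entry's template hash and compare it with the logged
    one. A mismatch means the line was altered after the kernel wrote it
    (or the log was not produced with this template/algorithm)."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        expected = template_hash_ima_ng(e["algo"], bytes.fromhex(e["digest"]),
                                        e["path"])
        results.append((e["path"], expected == e["template_hash"]))
    return results


def extend(pcr_value, template_hash_hex):
    """TPM extend for the SHA-1 bank: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr_value + bytes.fromhex(template_hash_hex)).digest()


def replay_pcr(text, pcr=10):
    """Replay the log into a PCR value. A verifier compares the result with
    a TPM quote of PCR-10; reordering or editing entries changes it."""
    value = ZERO_PCR
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["pcr"] == pcr:
            value = extend(value, e["template_hash"])
    return value.hex()


def kernel_line(pcr, algo, digest_hex, path):
    """Write a log line the way the kernel would; used here only to build
    the constructed sample data."""
    th = template_hash_ima_ng(algo, bytes.fromhex(digest_hex), path)
    return f"{pcr} {th} ima-ng {algo}:{digest_hex} {path}"


# Constructed sample log (file contents are made up; paths are illustrative).
SAMPLE_LOG = "\n".join([
    # boot_aggregate with an all-zero digest, as the kernel logs it on a
    # machine without a TPM
    kernel_line(10, "sha256", "00" * 32, "boot_aggregate"),
    kernel_line(10, "sha256", hashlib.sha256(b"#!/bin/sh\necho hello\n").hexdigest(),
                "/usr/local/bin/hello.sh"),
    kernel_line(10, "sha256", hashlib.sha256(b"\x7fELF constructed").hexdigest(),
                "/usr/lib/x86_64-linux-gnu/libexample.so"),
]) + "\n"


if __name__ == "__main__":
    for path, ok in verify_log(SAMPLE_LOG):
        print(f"{'ok ' if ok else 'BAD'} {path}")
    print("expected PCR-10:", replay_pcr(SAMPLE_LOG))
```

To run it against a real system, read /sys/kernel/security/ima/ascii_runtime_measurements as root and pass its contents to verify_log and replay_pcr. Note that verify_log only proves each line is self-consistent; the replayed PCR-10 is what ties the log to the TPM, so a log edited together with its template-hash column is only caught by comparing the replay against a quote.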

Custom IMA policy

https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy

IMA Appraisal

The IMA-appraisal extension adds local integrity validation and enforcement of the measurement against a stored “good” value.

ima: appraisal extension
IMA appraisal extension
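As an added example covering both the custom policy section and the appraisal section above (constructed here, not taken from the notes or from the kernel documentation), this is a policy file in the rule syntax described by the ima_policy ABI document linked above. The fsmagic values are the kernel's filesystem magic numbers for procfs, sysfs, debugfs, tmpfs, devpts and securityfs; the paths and the choice of rules are assumptions for a typical server. Comments are whole lines only, since the kernel's rule parser does not accept trailing comments.

```text
# Rules are evaluated in order, so exclusions for pseudo-filesystems must
# come before the measure/appraise rules they are meant to exempt.
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x01021994
dont_measure fsmagic=0x1cd1
dont_measure fsmagic=0x73636673
# Measure everything executed, mapped executable, or loaded by the kernel
# (the same coverage as ima_policy=tcb).
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=MODULE_CHECK
measure func=FIRMWARE_CHECK
measure func=KEXEC_KERNEL_CHECK
measure func=POLICY_CHECK
# Files root opens for reading; this rule is what makes tcb logs large.
measure func=FILE_CHECK mask=MAY_READ uid=0
# Appraisal: require a valid IMA signature (security.ima xattr) on
# executables and kernel modules, skipping pseudo-filesystems.
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=MODULE_CHECK appraise_type=imasig
```

The file is loaded as root with cat /etc/ima/ima-policy > /sys/kernel/security/ima/policy (the policy can be written only once per boot unless the kernel was built with CONFIG_IMA_WRITE_POLICY). The appraise rules need a kernel built with CONFIG_IMA_APPRAISE and the ima_appraise= boot parameter; starting with ima_appraise=log shows which files would be denied before switching to enforcement.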

Further reading

https://www.linux-magazine.com/Issues/2021/250/Integrity-Measurement-Architecture
