From: Mimi Zohar <zohar@linux.ibm.com>
To: Ken Williams <ken@williamsclan.us>, linux-integrity@vger.kernel.org
Subject: Re: User questions
Date: Fri, 16 Sep 2022 10:10:31 -0400 [thread overview]
Message-ID: <d70a3bf1bf8245ed54bd55eafd4fbb98fd08e316.camel@linux.ibm.com> (raw)
In-Reply-To: <CADrftwOUDT5CuwHsrgEM1GTu_N3TAhZTpxFBERKa7zwUHkQscw@mail.gmail.com>
On Thu, 2022-09-15 at 22:36 -0700, Ken Williams wrote:
> I am looking at Linux IMA to try and understand how it might be useful
> for my application. I am playing around with it a bit now and as I do
> so, I am finding myself with questions about the usage model and user
> configuration. With that opening, my first question is:
>
> Is this an acceptable forum for asking user and usage questions?
>
> If yes, then let me describe my environment;
> I am running an older kernel, 4.14.238, on a fsl device in a system
> that does not have a TPM although I am running an implementation of
> OP-TEE. In my case, I want to do the best I can to prevent file
> modification, without considering off-line attacks. My deployment
> mechanism is os-tree.
>
> When I look at the measurement capability, I cannot see how that can
> help since I do not have a TPM in which to anchor the measurements so
> it looks like I need to implement appraisal. I did find this link,
> https://sourceforge.net/p/linux-ima/mailman/linux-ima-user/?viewmonth=201409&viewday=10,
> where Mimi says "Enabling IMA-appraisal is anything but simple", and I
> actually found that kind of re-assuring as it confirmed that my
> learning curve in this area may not be out of line. My plan is to
> pre-sign the files prior to installation and I see that effort as
> being outside of the scope of my inquiries here. So now, does it look
> like I am starting in the right direction?
>
> Thanks for reading through this and I welcome any comments.
Let's add some context to the above quote. One of the differences
between IMA-appraisal and IMA-measurement is that IMA-appraisal
requires quite a bit of configuration (e.g. keys, signing files, and
policy). This is in comparison to IMA-measurement, which requires just
a policy.
As long as the IMA-appraisal policy encompasses just those things that
can and should be signed, enforcing the IMA-appraisal policy is
straightforward:
- Create a local CA key and build it into the kernel.
- Create a public/private key pair signed by the local CA key.
- Sign files.
- Load the public key on the IMA keyring.
- Load the IMA appraise policy.
Examples of the first 2 steps can be seen in the ima-evm-utils README.
Examples of the last two steps can be seen in dracut 98integrity
modules. systemd can be configured to load an IMA custom policy.
--
thanks,
Mimi
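The five steps above, written out as one script. This is an added example, not the ima-evm-utils README or the dracut 98integrity scripts, and the file names under $WORK, the certificate subjects, the 3072-bit RSA choice and the policy rules are assumptions to be adjusted for the target system:

```shell
#!/bin/sh
# Added example: one function per step of the IMA-appraisal setup.
# Paths under $WORK, key subjects and policy rules are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Step 1: local CA key. The certificate is what CONFIG_SYSTEM_TRUSTED_KEYS
# points at so the CA is built into the kernel's builtin trusted keyring.
make_ca() {
    openssl req -new -x509 -newkey rsa:3072 -nodes -days 3650 \
        -subj '/CN=Example local IMA CA' \
        -keyout "$WORK/ima-local-ca.priv" -out "$WORK/ima-local-ca.pem" 2>/dev/null
}

# Step 2: IMA signing key pair; its certificate is signed by the local CA,
# which is what lets the kernel accept it onto the .ima keyring later.
make_ima_key() {
    openssl req -new -newkey rsa:3072 -nodes \
        -subj '/CN=Example IMA signing key' \
        -keyout "$WORK/ima-key.priv" -out "$WORK/ima-key.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/ima-key.csr" \
        -CA "$WORK/ima-local-ca.pem" -CAkey "$WORK/ima-local-ca.priv" \
        -CAcreateserial -out "$WORK/ima-key.pem" 2>/dev/null
    # keyctl takes the certificate in DER form.
    openssl x509 -in "$WORK/ima-key.pem" -outform DER -out "$WORK/ima-key.der"
}

# Step 3: sign files. evmctl stores the signature in the security.ima xattr;
# run this on the unpacked tree at image build time, before installation.
sign_files() {
    tree="$1"
    find "$tree" -type f -exec \
        evmctl ima_sign --key "$WORK/ima-key.priv" -a sha256 {} \;
}

# Step 4: load the public key on the kernel's .ima keyring. Needs root and a
# kernel that carries the CA from step 1; otherwise the kernel rejects it.
load_ima_key() {
    keyctl padd asymmetric "" %keyring:.ima < "$WORK/ima-key.der"
}

# Step 5: write and load the appraisal policy. Only executables, mmapped
# files and files root reads are appraised, and pseudo filesystems that
# cannot carry signatures are excluded. Any file a rule matches that has no
# valid signature is denied, so the dont_appraise list matters.
write_policy() {
    cat > "$WORK/ima-policy" <<'EOF'
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0x27e0eb
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=MMAP_CHECK appraise_type=imasig
appraise func=FILE_CHECK mask=MAY_READ fowner=0 appraise_type=imasig
EOF
}
load_policy() {
    cat "$WORK/ima-policy" > /sys/kernel/security/ima/policy
}

# The full chain needs root and the matching kernel, so it only runs on
# request:  ./ima-appraise.sh all /path/to/rootfs
if [ "${1:-}" = "all" ]; then
    make_ca; make_ima_key; sign_files "$2"; write_policy; load_ima_key; load_policy
fi
```

Steps 1 to 3 run anywhere with openssl and evmctl; steps 4 and 5 are what dracut does at boot, and they only succeed if the public key chains to the CA the kernel was built with and the policy rules do not reach files that were never signed.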
Thread overview: 6+ messages
2022-09-16 5:36 User questions Ken Williams
2022-09-16 14:10 ` Mimi Zohar [this message]
2022-09-18 23:47 ` Ken Williams
2022-09-19 3:10 ` Mimi Zohar
2022-09-18 10:48 ` Russell Coker
2022-09-19 3:07 ` Mimi Zohar