From: Mimi Zohar <zohar@linux.ibm.com>
To: Ken Williams <ken@williamsclan.us>
Cc: linux-integrity@vger.kernel.org
Subject: Re: User questions
Date: Sun, 18 Sep 2022 23:10:08 -0400
Message-ID: <f9f13bcd35ea54bd24007e4fa244ed346ac89c00.camel@linux.ibm.com>
In-Reply-To: <CADrftwOM6mWaQ+xNbExbgcHisAirBe1vQSRdCEtET7xqQ=_bjg@mail.gmail.com>
Hi Ken,
On Sun, 2022-09-18 at 16:47 -0700, Ken Williams wrote:
> Hi Mimi and others and thanks for responding.
>
> My primary goal right now is to develop an understanding of IMA for
> the purpose of determining if and how it can be useful for my application.
> For that, I have outlined below a few implementation scenarios.
>
> I have played around with IMA a bit so as to get some understanding of
> the process, configuration and capabilities. This included creating a
> policy file for measurements as well as signing files and enabling
> appraisal. All of this was done on-target and obviously putting a
> private key on the target is not right, but this was a familiarization
> exercise. In any case, my current understanding is that the options
> available to me, without a TPM device, are:
>
> - Measure files which have no security.ima=<HASH> xattr
> In this case I can detect if a previously measured file has changed.
> This is a nice exercise for getting my feet wet but without a TPM,
> it is hard to embrace this alone as being a security tool that can
> work for me.
>
> - Measure files which do have a security.ima=<HASH> xattr
> This is a good step up but I cannot see how this enables the
> detection of a 'bad' but properly labeled file without a link to
> some kind of file validation server. Again, I have no TPM.
In either case, the TPM is needed for remote attestation. The 'ima-sig'
template includes the file signature, if available, in the measurement
list. With just the public key, the remote attestation server can verify
the file signature.
>
> - Attest to files which have been signed with a private key prior to
> installation
> With this, I understand that as long as I have control over the file
> installation process, I have a level of protection equal to that of the
> signing algorithm. If I am correct, I also understand that this applies
> only to immutable files, typically executable binaries. The process of
> signing the files would be off-target and outside the scope of my
> questions and comments here.
>
> Again, I do not have a TPM, so I understand that an off-line attack is
> still possible, but it looks like this might be the best I can get out
> of IMA for the environment I have.
IMA file hashes are used for mutable files, which cannot be signed.
When file hashes are stored as security.ima, EVM HMAC must be used to
detect offline file metadata changes.
--
thanks,
Mimi
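The check described above, a verifier holding only the public key validating the file signature carried in an 'ima-sig' measurement-list entry, as an added Go example that is not part of this thread or of the kernel or ima-evm-utils code. It assumes the version-2 security.ima signature layout, uses a placeholder key id and template hash, and signs a constructed sample file; as the last comment notes, a passing check says nothing about whether the list itself is genuine when no TPM quote covers it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// signedEntry builds the ascii_runtime_measurements line the ima-sig template records:
// "<pcr> <template-hash> ima-sig sha256:<filehash> <path> <security.ima hex>". The blob is the
// version-2 layout: 0x03 (EVM_IMA_XATTR_DIGSIG), version 0x02, hash algo (sha256 = 4), 4-byte
// key id, 2-byte big-endian signature length, PKCS#1 v1.5 signature over the file hash.
func signedEntry(key *rsa.PrivateKey, path string, content []byte) (string, error) {
	sum := sha256.Sum256(content)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	hdr := []byte{0x03, 0x02, 0x04, 0xde, 0xad, 0xbe, 0xef, byte(len(sig) >> 8), byte(len(sig))} // key id: placeholder
	return fmt.Sprintf("10 %s ima-sig sha256:%x %s %x", strings.Repeat("0", 40), sum, path, append(hdr, sig...)), nil
}

// verifyEntry checks an ima-sig line's signature against the recorded hash using only the public
// key: success means the hash was signed by the key holder, not that the list itself is genuine.
func verifyEntry(pub *rsa.PublicKey, line string) (bool, error) {
	f := strings.Fields(line)
	if len(f) != 6 || f[2] != "ima-sig" || !strings.HasPrefix(f[3], "sha256:") {
		return false, errors.New("not a sha256 ima-sig entry")
	}
	hash, err1 := hex.DecodeString(strings.TrimPrefix(f[3], "sha256:"))
	blob, err2 := hex.DecodeString(f[5])
	if err1 != nil || err2 != nil || len(blob) < 9 || blob[0] != 0x03 || blob[1] != 0x02 || blob[2] != 0x04 ||
		len(blob) != 9+(int(blob[7])<<8|int(blob[8])) {
		return false, errors.New("malformed security.ima blob")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash, blob[9:]) == nil, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	line, _ := signedEntry(key, "/usr/bin/sample", []byte("#!/bin/sh\necho constructed sample\n"))
	genuine, _ := verifyEntry(&key.PublicKey, line)
	f := strings.Fields(line)
	f[3] = "sha256:" + strings.Repeat("ff", 32) // a modified file measures to a different hash
	modified, _ := verifyEntry(&key.PublicKey, strings.Join(f, " "))
	fmt.Println("genuine:", genuine, "modified:", modified) // genuine: true modified: false
}
```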