public inbox for linux-kernel@vger.kernel.org
From: david safford <safford@watson.ibm.com>
To: Pavel Machek <pavel@ucw.cz>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	linux-kernel@vger.kernel.org, serue@linux.vnet.ibm.com,
	sailer@watson.ibm.com, zohar@us.ibm.com,
	Stephen Smalley <sds@tycho.nsa.gov>,
	CaseySchaufler <casey@schaufler-ca.com>
Subject: Re: [RFC][Patch 5/5]integrity: IMA as an integrity service provider
Date: Tue, 24 Jun 2008 12:28:55 -0400
Message-ID: <1214324935.3262.95.camel@localhost.localdomain>
In-Reply-To: <20080531075425.GF5405@ucw.cz>

On Sat, 2008-05-31 at 09:54 +0200, Pavel Machek wrote:
> On Wed 2008-05-28 01:22:42, Andrew Morton wrote:
> > On Fri, 23 May 2008 11:05:45 -0400 Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > 
> > > This is a re-release of Integrity Measurement Architecture (IMA) as an
> > > independent Linux Integrity Module (LIM) service provider, which implements
> > > the new LIM must_measure(), collect_measurement(), store_measurement(), and
> > > display_template() API calls. The store_measurement() call supports two 
> > > types of data, IMA (i.e. file data) and generic template data.
> ...
> ...also, it would be nice to see explanation 'what is this good for'.
> 
> Closest explanation I remember was 'it will protect you by making
> system unbootable if someone stole disk with your /usr filesystem --
> but not / filesystem -- added some rootkit, and then stealthily
> returned it'. That seems a) very unlikely scenario and b) probably
> better solved by encrypting /usr.
> 							Pavel

Sorry about this delayed response - we are about to repost for RFC, and
noticed we missed responding to this.

You are thinking about a related project, EVM, which HMACs a file's
metadata to protect against off-line attacks (which admittedly
many users are not concerned about).

This submission, IMA, provides hardware (TPM) based measurement and
attestation, which measures all files before they are accessed in
any way (on the inode_permission, bprm and mmap hooks), and
commits the measurements to the TPM. The TPM can sign these 
measurement lists, and thus the system can prove to itself and
to a third party these measurements in a way that cannot be
circumvented by malicious or compromised software. IMA is just one
part of integrity detection, as it does not detect purely in-memory
attacks, such as worms. 

dave safford

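As an added illustration (not part of the original message, and not IMA's own code), this is the verifier-side check that makes the "cannot be circumvented by malicious or compromised software" claim concrete: a measurement list is only trusted if replaying it reproduces the PCR value the TPM signed. It assumes the TPM 1.2 extend rule PCR_new = SHA1(PCR_old || digest); the sample list and its per-file digests are constructed, and the real IMA template digest is computed differently.

```python
import hashlib

ZERO_PCR = "00" * 20  # a TPM 1.2 PCR starts out as 20 zero bytes


def file_digest(data: bytes) -> str:
    """Constructed stand-in for an IMA template digest: plain SHA-1 of the file
    contents. The real IMA template hash is computed differently (assumption)."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample measurement list, in measurement order: (digest, path).
SAMPLE_LOG = [
    (file_digest(b"boot_aggregate"), "boot_aggregate"),
    (file_digest(b"#!/bin/sh\nexec /sbin/real-init\n"), "/sbin/init"),
    (file_digest(b"\x7fELF constructed libc image"), "/lib/libc.so.6"),
]


def pcr_extend(pcr_hex: str, digest_hex: str) -> str:
    """TPM 1.2 extend rule: PCR_new = SHA1(PCR_old || digest).
    A PCR can only be extended, never set, so software running after boot
    cannot rewrite what was already measured, only append to it."""
    return hashlib.sha1(bytes.fromhex(pcr_hex) + bytes.fromhex(digest_hex)).hexdigest()


def replay_pcr(log) -> str:
    """Recompute the PCR value a TPM would hold after extending every entry in order."""
    pcr = ZERO_PCR
    for digest, _path in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def verify_attestation(log, attested_pcr_hex: str) -> bool:
    """Verifier's check: the list is trustworthy only if replaying it reproduces
    the PCR the TPM signed. Any edited, dropped or reordered entry breaks this."""
    return replay_pcr(log) == attested_pcr_hex.lower()


def unexpected_measurements(log, allowlist: dict) -> list:
    """Once the list is trusted, compare each entry with known-good digests."""
    return [(d, p) for d, p in log if allowlist.get(p) != d]


if __name__ == "__main__":
    signed_pcr = replay_pcr(SAMPLE_LOG)  # stands in for the value in a TPM quote
    print("attested PCR matches log:", verify_attestation(SAMPLE_LOG, signed_pcr))
    tampered = SAMPLE_LOG[:1] + [(file_digest(b"rootkit"), "/sbin/init")] + SAMPLE_LOG[2:]
    print("tampered log verifies:", verify_attestation(tampered, signed_pcr))
```

The replay only proves the list is what the TPM saw; judging whether the measured files are acceptable is the separate allowlist comparison at the end.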