public inbox for linux-kernel@vger.kernel.org
From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Pavel Machek <pavel@suse.cz>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	linux-kernel@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>,
	James Morris <jmorris@namei.org>,
	David Safford <safford@watson.ibm.com>,
	Mimi Zohar <zohar@us.ibm.com>
Subject: Re: [PATCH 2/7] integrity: IMA as an integrity service provider
Date: Tue, 10 Feb 2009 14:49:28 -0600
Message-ID: <20090210204928.GA9454@us.ibm.com>
In-Reply-To: <20090210202347.GA1382@ucw.cz>

Quoting Pavel Machek (pavel@suse.cz):
> Hi!
> 
> > --- /dev/null
> > +++ b/security/integrity/ima/Kconfig
> > @@ -0,0 +1,49 @@
> > +# IBM Integrity Measurement Architecture
> > +#
> > +config IMA
> > +	bool "Integrity Measurement Architecture(IMA)"
> > +	depends on ACPI
> 
> Ugh?
> 
> > +	select SECURITYFS
> > +	select CRYPTO
> > +	select CRYPTO_HMAC
> > +	select CRYPTO_MD5
> > +	select CRYPTO_SHA1
> > +	select TCG_TPM
> > +	select TCG_TIS
> > +	help
> > +	  The Trusted Computing Group(TCG) runtime Integrity
> > +	  Measurement Architecture(IMA) maintains a list of hash
> > +	  values of executables and other sensitive system files,
> > +	  as they are read or executed. If an attacker manages
> > +	  to change the contents of an important system file
> > +	  being measured, we can tell.
> > +
> > +	  If your system has a TPM chip, then IMA also maintains
> > +	  an aggregate integrity value over this list inside the
> > +	  TPM hardware, so that the TPM can prove to a third party
> > +	  whether or not critical system files have been modified.
> 
> Sounds like 'we'll use this so people with homegrown distros can't
> access our e-shop'...

That would be tough to pull off, as they would have to have your
TPM's public key stored.

So a small shop could pull this off for their employees, I suppose, but
it's not practical for, say, a bank to do.  (And if they did, well, I'll
bank elsewhere.)

> > +	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
> > +	  to learn more about IMA.
> 
> Maybe some basic docs should go into Documentation?
> 
> > +config IMA_MEASURE_PCR_IDX
> > +	int
> > +	depends on IMA
> > +	range 8 14
> > +	default 10
> > +	help
> > +	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
> > +	  that IMA uses to maintain the integrity aggregate of the
> > +	  measurement list.  If unsure, use the default 10.
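Review bot: `depends on ACPI` at the top of the hunk is not justified anywhere in the help text, and nothing else in the visible hunk refers to ACPI; either state in the help text why IMA needs it or move the dependency onto the option that actually requires it. The `select TCG_TPM` / `select TCG_TIS` lines have the same problem in the other direction: the help text says a TPM is optional ("If your system has a TPM chip, then IMA also maintains ..."), yet the selects unconditionally build both TPM drivers in, so the wording and the dependencies disagree. For `IMA_MEASURE_PCR_IDX`, the option is an `int` with no prompt string, so it is not user-visible and `range 8 14` / `default 10` are effectively fixed in the tree; the help text should say why 8..14 is the permitted range and that the index must not collide with a PCR used by other TPM-aware software, since the current text explains neither.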
> 
> This is quite ugly. How do you expect the end user to get this right?
> How do you expect a distro to get it right for all users?

I'd asked about this before, and here's how I understood it:

End-users aren't expected to get this right - note that it's
hidden.  If it changes, then that will be because some other
software using TPM (like trousers) uses 10, so it will be
changed in the upstream kernel for everyone.

-serge
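The help text in the quoted Kconfig describes the mechanism in one sentence: the measurement list is kept in the kernel, and an aggregate over it is extended into a TPM PCR (index 10 by default) so that a remote party can tell whether the list was altered. The following is an added example, not code from the IMA patch set or from anyone in this thread. It models a SHA-1 PCR bank with the usual extend rule (new = SHA1(old || digest)), uses a simplified template hash (file digest bound to the path hint; this is an assumption, not IMA's exact template layout), and only covers the list-versus-PCR consistency step. Checking the TPM's signature on the quoted PCR, which needs the TPM's public key as Serge notes, is assumed to have been done beforehand and is outside this example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed example: a 20-byte SHA-1 PCR bank, as on the TPM 1.2 parts the
# original patch targets. PCR 10 is the IMA_MEASURE_PCR_IDX default from the
# Kconfig under discussion.
PCR_INIT = b"\x00" * 20
PCR_IDX = 10

# One runtime measurement entry: (pcr index, template hash, pathname hint).
Entry = Tuple[int, bytes, str]


def pcr_extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM extend semantics: new = SHA1(old || digest).

    The operation is one-way and order-sensitive, so a PCR cannot be rewound
    to hide an earlier measurement."""
    return hashlib.sha1(pcr_value + digest).digest()


def template_hash(file_digest: bytes, pathname: str) -> bytes:
    """Simplified model of one entry's hash (assumption: not IMA's real template).

    Binding the content digest to the path hint means swapping which file a
    digest is attributed to also changes the entry hash."""
    return hashlib.sha1(file_digest + pathname.encode("utf-8")).digest()


def measure(files: Dict[str, bytes]) -> Tuple[List[Entry], bytes]:
    """Measure files in order: append to the list and extend the PCR.

    Returns the measurement list and the PCR value the TPM would hold."""
    pcr = PCR_INIT
    entries: List[Entry] = []
    for pathname, contents in files.items():
        file_digest = hashlib.sha1(contents).digest()
        th = template_hash(file_digest, pathname)
        entries.append((PCR_IDX, th, pathname))
        pcr = pcr_extend(pcr, th)
    return entries, pcr


def replay(entries: List[Entry]) -> bytes:
    """Verifier side: re-extend a software PCR from the list it received."""
    pcr = PCR_INIT
    for _, th, _ in entries:
        pcr = pcr_extend(pcr, th)
    return pcr


def list_matches_pcr(entries: List[Entry], quoted_pcr: bytes) -> bool:
    """True when the received list is consistent with the PCR the TPM quoted.

    The quote signature is assumed to have been verified against the TPM's
    public key already; this function checks only list/PCR consistency."""
    return hmac.compare_digest(replay(entries), quoted_pcr)


# Constructed sample "files"; the contents are placeholders, not real binaries.
SAMPLE_FILES: Dict[str, bytes] = {
    "/sbin/init": b"ELF init v1",
    "/bin/bash": b"ELF bash v4.0",
    "/etc/ld.so.preload": b"",
}


def demo() -> Dict[str, bool]:
    """Show what a verifier sees for an honest list and for two altered lists."""
    entries, pcr10 = measure(SAMPLE_FILES)
    honest = list_matches_pcr(entries, pcr10)

    # An attacker who controls the host after boot can rewrite the exported
    # list, but not the PCR: editing one entry's digest breaks the replay.
    edited = list(entries)
    idx, _, path = edited[1]
    edited[1] = (idx, template_hash(hashlib.sha1(b"ELF bash v4.0 modified").digest(), path), path)
    edited_ok = list_matches_pcr(edited, pcr10)

    # Dropping an entry from the list breaks the chain in the same way.
    deleted_ok = list_matches_pcr(entries[:-1], pcr10)

    return {"honest": honest, "edited_entry": edited_ok, "deleted_entry": deleted_ok}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'list matches PCR' if ok else 'MISMATCH'}")
```

The check a verifier actually performs is `replay` followed by a constant-time comparison; everything else here exists to produce a consistent list and PCR to feed it. Because extend is one-way and order-sensitive, the only way for an altered list to pass is a collision in the hash, which is why the choice of PCR index matters less than making sure no other software extends into the same register.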


Thread overview: 19+ messages
2009-02-04 14:06 [PATCH 0/7] integrity Mimi Zohar
2009-02-04 14:06 ` [PATCH 1/7] integrity: IMA hooks Mimi Zohar
2009-02-04 14:06 ` [PATCH 2/7] integrity: IMA as an integrity service provider Mimi Zohar
2009-02-06 20:31   ` Serge E. Hallyn
2009-02-10 20:23   ` Pavel Machek
2009-02-10 20:49     ` Serge E. Hallyn [this message]
2009-02-04 14:06 ` [PATCH 3/7] integrity: IMA display Mimi Zohar
2009-02-04 14:07 ` [PATCH 4/7] integrity: IMA policy Mimi Zohar
2009-02-04 14:07 ` [PATCH 5/7] integrity: IMA policy open Mimi Zohar
2009-02-04 14:07 ` [PATCH 6/7] Integrity: IMA file free imbalance Mimi Zohar
2009-02-04 14:07 ` [PATCH 7/7] Integrity: IMA update maintainers Mimi Zohar
2009-02-04 23:16 ` [PATCH 0/7] integrity James Morris
2009-02-05  0:38   ` Mimi Zohar
2009-02-05  1:00     ` James Morris
2009-02-05  1:11       ` Mimi Zohar
2009-02-05  3:06       ` Mimi Zohar
2009-02-05  9:12         ` James Morris
2009-02-05 16:05           ` Rajiv Andrade
2009-02-05 22:37 ` James Morris
