Linux Integrity Subsystem
The goals of the kernel integrity subsystem are to detect if files have been accidentally or maliciously altered, both remotely and locally, appraise a file's measurement against a "good" value stored as an extended attribute, and enforce local file integrity. These goals are complementary to Mandatory Access Control(MAC) protections provided by LSM modules, such as SElinux and Smack, which, depending on policy, can attempt to protect file integrity. The following modules provide serveral integrity functions:
The first three functions were introduced with Integrity Measurement Architecture (IMA) in 2.6.30. The EVM/IMA-appraisal patches add support for the last two features.
For additional information about the Linux integrity subsystem, refer to the Wiki.
IMA measurement, one component of the kernel's integrity subsystem, is part of an overall Integrity Architecture based on the Trusted Computing Group's open standards, including Trusted Platform Module (TPM), Trusted Boot, Trusted Software Stack (TSS), Trusted Network Connect (TNC), and Platform Trust Services (PTS). The diagram shows how these standards relate, and provides links to the respective specifications and open source implementations. IMA and EVM can still run on platforms without a hardware TPM, although without the hardware guarantee of compromise detection.