Collect – measure a file before it is accessed.
Store – add the measurement to a kernel resident list and, if a hardware Trusted Platform Module (TPM) is present, extend the IMA PCR.
Attest – if present, use the TPM to sign the IMA PCR value, to allow a remote validation of the measurement list.
Appraise – enforce local validation of a measurement against a “good” value stored in an extended attribute of the file.
Protect – HMAC protect a file's security extended attributes (including appraisal hash) against off-line attack.
The first three functions were introduced with the Integrity Measurement Architecture (IMA) in 2.6.30. The last two were submitted with the EVM/IMA-appraisal patch set for security-testing-2.6/#next, in the 2.6.36 timeframe, and were made available as a tar for linux-2.6.36 stable, using a simpler and more secure method for loading the 'evm-key', based on the new Kernel Key Retention Trusted and Encrypted keys. Since then a number of improvements have been made, including provisions to support other methods of integrity verification.
The goals, design, and benefits of these features are further described in the whitepaper "An Overview of the Linux Integrity Subsystem".
The kernel's integrity subsystem is part of an overall Integrity Architecture based on the Trusted Computing Group's open standards, including Trusted Platform Module (TPM), Trusted Boot, Trusted Software Stack (TSS), Trusted Network Connect (TNC), and Platform Trust Services (PTS). The diagram shows how these standards relate, and provides links to the respective specifications and open source implementations. IMA and EVM can still run on platforms without a hardware TPM, although without the hardware guarantee of compromise detection.
IMA is an open source trusted computing component. IMA maintains a runtime measurement list and, if anchored in a hardware Trusted Platform Module (TPM), an aggregate integrity value over this list. The benefit of anchoring the aggregate integrity value in the TPM is that the measurement list cannot be compromised by any software attack without being detectable. Hence, on a trusted boot system, IMA can be used to attest to the system's runtime integrity.
IMA was first included in the 2.6.30 kernel. For distros that enable IMA by default in their kernels, collecting IMA measurements simply requires rebooting the kernel with the boot command line parameter 'ima_tcb'. (Fedora/RHEL may also require the boot command line parameter 'ima=on'.)
To determine if your distro enables IMA by default, mount securityfs (mount -t securityfs security /sys/kernel/security), if it isn't already mounted, and then check if '<securityfs>/integrity/ima' exists. If it exists, IMA is indeed enabled. On systems without IMA enabled, recompile the kernel with the config option 'CONFIG_IMA' enabled.
IMA is controlled with several kernel command line parameters:

  ima_audit=   audit control
               Format: { "0" | "1" }
               0 -- disable informational integrity auditing messages. (Default)
               1 -- enable informational integrity auditing messages.
               (e.g. Although file measurements are only added to the measurement
               list once and cached, if the inode is flushed, subsequent access to
               the inode will result in re-measuring the file and attempting to add
               the measurement again to the measurement list. Enabling ima_audit
               will log such attempts.)

  ima_hash=    hash used
               Format: { "sha1" | "md5" }
               default: "sha1"

  ima_tcb      If specified, enables the TCB policy, which meets the needs of the
               Trusted Computing Base. This means IMA will measure all programs
               exec'd, files mmap'd for exec, and all files opened for read by uid=0.
IMA maintains a runtime measurement list, which can be displayed as shown below. (Only root is allowed access to securityfs files.)

  $ su -c 'mkdir /sys/kernel/security'
  $ su -c 'mount -t securityfs securityfs /sys/kernel/security'

Modify /etc/fstab to mount securityfs on boot.

  $ su -c 'head -5 /sys/kernel/security/ima/ascii_runtime_measurements'
  PCR template-hash                            template filedata-hash                            filename-hint
  10  7971593a7ad22a7cce5b234e4bc5d71b04696af4 ima      b5a166c10d153b7cc3e5b4f1eab1f71672b7c524 boot_aggregate
  10  2c7020ad8cab6b7419e4973171cb704bdbf52f77 ima      e09e048c48301268ff38645f4c006137e42951d0 /init
  10  ef7a0aff83dd46603ebd13d1d789445365adb3b3 ima      0f8b3432535d5eab912ad3ba744507e35e3617c1 /init
  10  247dba6fc82b346803660382d1973c019243e59f ima      747acb096b906392a62734916e0bb39cef540931 ld-2.9.so
  10  341de30a46fa55976b26e55e0e19ad22b5712dcb ima      326045fc3d74d8c8b23ac8ec0a4d03fdacd9618a ld.so.cache
PCR: default CONFIG_IMA_MEASURE_PCR_IDX is 10
template-hash: sha1 hash(filedata-hash, filename-hint)
filedata-hash: sha1 hash(filedata)
The first element in the runtime measurement list, shown above, is the boot_aggregate. The boot_aggregate is a SHA1 hash over TPM PCRs 0-7, assuming a TPM chip exists, and over zeroes if the TPM chip does not exist.
  $ su -c 'head /sys/kernel/security/tpm0/ascii_bios_measurements'
  0 f797cb88c4b07745a129f35ea01b47c6c309cda9 08 [S-CRTM Version]
  0 dca68da0707a9a52b24db82def84f26fa463b44d 01 [POST CODE]
  0 dd9efa31c88f467c3d21d3b28de4c53b8d55f3bc 01 [POST CODE]
  0 dd261ca7511a7daf9e16cb572318e8e5fbd22963 01 [POST CODE]
  0 df22cabc0e09aabf938bcb8ff76853dbcaae670d 01 [POST CODE]
  0 a0d023a7f94efcdbc8bb95ab415d839bdfd73e9e 01 [POST CODE]
  0 38dd128dc93ff91df1291a1c9008dcf251a0ef39 01 [POST CODE]
  0 dd261ca7511a7daf9e16cb572318e8e5fbd22963 01 [POST CODE]
  0 df22cabc0e09aabf938bcb8ff76853dbcaae670d 01 [POST CODE]
  0 a0d023a7f94efcdbc8bb95ab415d839bdfd73e9e 01 [POST CODE]
The IMA test programs are part of the Linux Test Project. (The archive is a gzipped tar, so save it with the .tar.gz name that the extraction step uses.)

  $ wget -O ltp-ima-standalone.tar.gz http://downloads.sf.net/project/linux-ima/linux-ima/ltp-ima-standalone.tar.gz
  $ tar -xvzf ltp-ima-standalone.tar.gz
  ima-tests/
  ima-tests/test.h
  ima-tests/README
  ima-tests/Makefile
  ima-tests/ltp-tst-replacement.c
  ima-tests/config.h
  ima-tests/ima_boot_aggregate.c
  ima-tests/ima_measure.c
  ima-tests/ima_mmap.c
  $ cd ima-tests
  $ make
  $ su -c 'make install'
Using the TPM's binary bios measurement list, re-calculate the boot aggregate:

  $ su -c '/usr/local/bin/ima_boot_aggregate /sys/kernel/security/tpm0/binary_bios_measurements'
  000 f797cb88c4b07745a129f35ea01b47c6c309cda9
  000 dca68da0707a9a52b24db82def84f26fa463b44d
  < snip >
  005 6895eb784cdaf843eaad522e639f75d24d4c1ff5
  PCR-00: 07274edf7147abda49200100fd668ce2c3a374d7
  PCR-01: 48dff4fbf3a34d56a08dfc1504a3a9d707678ff7
  PCR-02: 53de584dcef03f6a7dac1a240a835893896f218d
  PCR-03: 3a3f780f11a4b49969fcaa80cd6e3957c33b2275
  PCR-04: acb44e9dd4594d3f121df2848f572e4d891f0574
  PCR-05: df72e880e68a2b52e6b6738bb4244b932e0f1c76
  PCR-06: 585e579e48997fee8efd20830c6a841eb353c628
  PCR-07: 3a3f780f11a4b49969fcaa80cd6e3957c33b2275
  boot_aggregate:b5a166c10d153b7cc3e5b4f1eab1f71672b7c524

and compare the value with the ascii_runtime_measurements list value:

  $ su -c 'cat /sys/kernel/security/ima/ascii_runtime_measurements | grep boot_aggregate'
  10 7971593a7ad22a7cce5b234e4bc5d71b04696af4 ima b5a166c10d153b7cc3e5b4f1eab1f71672b7c524 boot_aggregate

Using the IMA binary measurement list, calculate the PCR aggregate value and compare it with the TPM's PCR-10:

  $ su -c '/usr/local/bin/ima_measure /sys/kernel/security/ima/binary_runtime_measurements --validate'
  PCRAggr (re-calculated): B4 D1 93 D8 FB 31 B4 DD 36 5D DA AD C1 51 AC 84 FA 88 78 1B
  $ cat /sys/devices/pnp0/00:0a/pcrs | grep PCR-10
  PCR-10: B4 D1 93 D8 FB 31 B4 DD 36 5D DA AD C1 51 AC 84 FA 88 78 1B
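The two checks above (boot_aggregate from PCRs 0-7, and the PCR-10 aggregate replayed from the measurement list) are simple enough to reproduce without the LTP binaries, which also makes explicit what each one proves. The script below is an added example, not code from this page or from the linux-ima project. It assumes the original 'ima' template layout (the 20-byte filedata-hash followed by the filename-hint NUL-padded to 256 bytes), SHA-1 sized PCRs extended from an all-zero register, and the ascii_runtime_measurements path used on this page; the entries in the usage note and test are constructed, not taken from a real system.

```python
#!/usr/bin/env python3
"""Re-create, in Python, the two checks the page performs with
ima_boot_aggregate and ima_measure --validate.
Added example, not linux-ima project code."""
import hashlib
import sys

PCR_LEN = 20          # SHA-1 sized PCRs (TPM 1.2, ima_hash=sha1)
NAME_LEN = 256        # ASSUMPTION: original 'ima' template name field, NUL padded
ZERO_PCR = bytes(PCR_LEN)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR' = SHA1(PCR || digest).  Order matters, so a reordered
    or truncated list no longer reproduces the hardware PCR value."""
    return hashlib.sha1(pcr + digest).digest()


def ima_template_hash(filedata_hash: bytes, name: str) -> bytes:
    """template-hash of the original 'ima' template: SHA1 over the 20-byte
    filedata-hash followed by the filename-hint padded with NULs to 256 bytes."""
    name_bytes = name.encode()[:NAME_LEN - 1].ljust(NAME_LEN, b"\0")
    return hashlib.sha1(filedata_hash + name_bytes).digest()


def boot_aggregate(pcrs) -> bytes:
    """boot_aggregate = SHA1(PCR0 || ... || PCR7); all-zero PCRs without a TPM."""
    return hashlib.sha1(b"".join(pcrs[:8])).digest()


def parse_ascii_measurements(text: str):
    """Parse ascii_runtime_measurements lines:
    'PCR template-hash template-name filedata-hash filename-hint'."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) != 5:
            continue                      # blank or unexpected line
        pcr, thash, template, fhash, name = fields
        entries.append((int(pcr), bytes.fromhex(thash), template,
                        bytes.fromhex(fhash), name))
    return entries


def validate(entries, pcr_index=10):
    """Recompute the PCR aggregate like 'ima_measure --validate'.
    Returns (aggregate, bad): 'bad' holds the indexes of 'ima' entries whose
    logged template-hash does not match their own filedata-hash and name."""
    aggregate = ZERO_PCR
    bad = []
    for idx, (pcr, thash, template, fhash, name) in enumerate(entries):
        if pcr != pcr_index:
            continue
        if template == "ima" and ima_template_hash(fhash, name) != thash:
            bad.append(idx)
        # The TPM was extended with the template-hash as logged, so the
        # aggregate is replayed from the logged value, consistent or not.
        aggregate = pcr_extend(aggregate, thash)
    return aggregate, bad


def check_boot_aggregate(entries, pcrs) -> bool:
    """The first entry must be 'boot_aggregate' over the given PCR 0-7 values,
    which ima_boot_aggregate recomputes from the BIOS event log."""
    if not entries or entries[0][4] != "boot_aggregate":
        return False
    return entries[0][3] == boot_aggregate(pcrs)


if __name__ == "__main__":
    # usage: ima_validate.py [ascii_runtime_measurements] [expected PCR-10 hex]
    path = sys.argv[1] if len(sys.argv) > 1 else \
        "/sys/kernel/security/ima/ascii_runtime_measurements"
    with open(path) as f:
        entries = parse_ascii_measurements(f.read())
    aggregate, bad = validate(entries)
    print("entries: %d, inconsistent: %s" % (len(entries), bad or "none"))
    print("PCRAggr (re-calculated): %s" % aggregate.hex())
    if len(sys.argv) > 2:
        want = bytes.fromhex(sys.argv[2].replace(" ", ""))
        print("matches TPM PCR-10:", aggregate == want)
```

Two failure modes are worth separating when reading the output: an entry whose filedata-hash was rewritten after the fact is caught by the per-entry template-hash check even though the replayed aggregate still matches the TPM, while an entry whose template-hash was rewritten too is internally consistent and is only caught because the replayed aggregate no longer equals PCR-10. Both checks, together, are what the TPM anchoring buys.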
Part of the TCG requirement is that all Trusted Computing Base (TCB) files be measured, and re-measured if the file has changed, before reading/executing the file. IMA detects file changes based on i_version. To re-measure a file after it has changed, the filesystem must be mounted with i_version support.
  $ su -c 'mount -o remount,rw,iversion /home'
  mount: you must specify the filesystem type

The attempt to remount '/home' with i_version support, shown above, failed; the 'iversion' mount option requires util-linux-ng-2.15-rc1 or later. Install that version or later, then add 'iversion' to the filesystem's /etc/fstab entry:

  UUID=blah /home ext3 defaults,iversion

For the root filesystem, add 'iversion' to the read-write remount in /etc/rc.sysinit (or use the 'rootflags=i_version' boot command line option):

  # Remount the root filesystem read-write.
  update_boot_stage RCmountfs
  if remount_needed ; then
      action $"Remounting root filesystem in read-write mode: " mount -n -o remount,rw,iversion /
  fi
As of Linux-audit 2.0, support for integrity auditing messages is available.
The ima_tcb default measurement policy in linux-2.6.30 measures all system sensitive files - executables, mmapped libraries, and files opened for read by root. These measurements, the measurement list and the aggregate integrity value, can be used to attest to a system's runtime integrity. Based on these measurements, a remote party can detect whether critical system files have been modified or if malicious software has been executed.
Default policy:

  dont_measure fsmagic=PROC_SUPER_MAGIC
  dont_measure fsmagic=SYSFS_MAGIC
  dont_measure fsmagic=DEBUGFS_MAGIC
  dont_measure fsmagic=TMPFS_MAGIC
  dont_measure fsmagic=SECURITYFS_MAGIC
  dont_measure fsmagic=SELINUX_MAGIC
  measure func=BPRM_CHECK
  measure func=FILE_MMAP mask=MAY_EXEC
  < add LSM specific rules here >
  measure func=PATH_CHECK mask=MAY_READ uid=0
But not all files opened by root for read are necessarily part of the Trusted Computing Base (TCB), and therefore do not need to be measured. Linux Security Modules (LSM) maintain file metadata, which can be leveraged to limit the number of files measured. Because rules are evaluated in order, the LSM-specific dont_measure rules must appear before the catch-all 'measure func=PATH_CHECK mask=MAY_READ uid=0' rule, at the point marked in the default policy above.
Examples: adding LSM specific rules

  SELinux:
    dont_measure obj_type=var_log_t
    dont_measure obj_type=auditd_log_t
  Smack:
    measure subj_user=_ func=INODE_PERM mask=MAY_READ
Dracut commit 0c71fb6 adds initramfs support for loading the custom IMA measurement policy. Build and install dracut (git://git.kernel.org/pub/scm/boot/dracut/dracut.git), to load the custom IMA measurement policy(default: /etc/sysconfig/ima-policy).
For more information on defining an LSM specific measurement policy, refer to the kernel Documentation/ABI/testing/ima_policy.
IMA currently maintains an integrity measurement list used for remote attestation. The IMA-appraisal extension adds local integrity validation and enforcement of the measurement against a "good" value stored as the extended attribute 'security.ima'. The initial method for validating 'security.ima' is hash based. Other methods for validating 'security.ima', such as digital signatures, are proposed.
IMA-appraisal is currently a proposed patch set for the security-testing-2.6/#next tree, available from git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6.git/#next-ima-appraisal.
Refer to compiling the kernel for directions on configuring and building a new kernel with IMA-appraisal support enabled.
The IMA-appraisal policy extends the measurement policy ABI with two new keywords: appraise/dont_appraise. The default appraise policy appraises all files owned by root. Like the default measurement policy, the default appraisal policy does not appraise pseudo filesystem files (eg. debugfs, tmpfs, securityfs, or selinuxfs.)
Additional rules can be added to the default IMA measurement/appraisal policy, which take advantage of the SELinux labels, for a more fine grained policy. Refer to Documentation/ABI/testing/ima_policy.
A new boot parameter 'ima_appraise=' has been defined in order to label existing file systems with the 'security.ima' extended attribute.
After building a kernel with IMA-appraisal enabled and verifying that the filesystems are mounted with i_version support, label the filesystem by rebooting with the boot command line options 'ima_appraise=fix' and 'ima_tcb'. In fix mode, opening a file owned by root causes its 'security.ima' extended attribute to be written. For example, to label the entire filesystem, execute:

  find / -fstype ext4 -type f -uid 0 -exec head -n 1 '{}' >/dev/null \;

Once the filesystem has been properly labeled, before rebooting, re-install the new labeled kernel and initramfs. Reboot with the 'ima_tcb' and, possibly, the 'rootflags=i_version' options.
EVM detects offline tampering of the security extended attributes (e.g. security.selinux, security.SMACK64, security.ima), which are the basis for LSM permission decisions and, with the IMA-appraisal extension, integrity appraisal decisions. EVM provides a framework, and an initial method, to detect offline tampering of the security extended attributes. The initial method maintains an HMAC-SHA1 across a set of security extended attributes, storing the HMAC as the extended attribute 'security.evm'. To verify the integrity of an extended attribute, EVM exports evm_verifyxattr(), which re-calculates the HMAC and compares it with the version stored in 'security.evm'. Other methods of validating the integrity of a file's metadata will be posted separately (e.g. EVM-digital-signatures).
EVM is currently in the security-testing-2.6/#next tree. EVM is also available from git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6.git/#next_evm.
Refer to compiling the kernel, for directions on configuring and building a new kernel with EVM support.
EVM is configured automatically to protect standard “security” extended attributes:
EVM protects the configured extended attributes with an HMAC across their data, keyed with an EVM key provided at boot time. EVM looks for this key, named 'evm-key', on root's key ring. Refer to trusted and EVM encrypted keys for directions on creating EVM keys. Once the key is loaded, EVM can be activated by writing a '1' to the evm securityfs file:

  echo "1" > /sys/kernel/security/evm
Before EVM is activated, any requested integrity appraisals are unknown, so the EVM startup should be done early in the boot process, preferably entirely within the kernel and initramfs (which are measured by trusted grub) and before any reference to the real root filesystem. To build an initramfs with EVM enabled, build and install dracut (git://git.kernel.org/pub/scm/boot/dracut/dracut.git), which contains the trusted and EVM dracut modules.
A new boot parameter 'evm=fix' has been defined in order to label existing file systems with the 'security.evm' extended attribute.
After building a kernel with EVM, IMA-appraisal, and trusted and encrypted keys enabled, installing the trusted and EVM dracut modules, creating the EVM key, and verifying that the filesystems, including root, are mounted with i_version support, label the filesystem by rebooting with the command line options 'ima_tcb', 'ima_appraise=fix', 'evm=fix' and, possibly, 'rootflags=i_version'.

Once EVM is started, as existing file metadata changes or as new files are created, EVM assumes that the LSM has approved such changes, and automatically updates the HMACs accordingly, assuming the existing value is valid. In fix mode, opening a file owned by root will fix the 'security.ima' extended attribute, causing the 'security.evm' extended attribute to be written as well, regardless of whether the existing 'security.ima' or 'security.evm' extended attributes are valid. To label the entire filesystem, execute:

  find / -fstype ext4 -type f -uid 0 -exec head -n 1 '{}' >/dev/null \;

Once the filesystem has been properly labeled, before rebooting, re-install the new labeled kernel and initramfs. Reboot with just the 'ima_tcb' and, possibly, 'rootflags=i_version' options.
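Neither labeling pass (the 'ima_appraise=fix' pass described under IMA-appraisal, nor the 'evm=fix' pass above) reports what it labeled, and a root-owned file the find command never opened (for example one on a filesystem that is not ext4) stays unlabeled and fails appraisal on the next boot. The following audit script is an added example, not code from this page or the linux-ima project. It re-derives the hash-based 'security.ima' value and checks each root-owned regular file for a matching 'security.ima' and a present 'security.evm'. It assumes the leading type bytes of the upstream integrity.h enum evm_ima_xattr_type (0x01 for a SHA-1 digest, 0x02 for the EVM HMAC, 0x04 for the later digest-with-algorithm form) and also accepts the bare 20-byte digest written by the first appraisal postings; the hash-algorithm ids are likewise an assumption, and the sample data in the test is constructed. The HMAC itself cannot be recomputed without the evm-key, so only its presence and type are checked.

```python
#!/usr/bin/env python3
"""Audit the labels left by an 'ima_appraise=fix' / 'evm=fix' pass.
Added example, not code from the page or the linux-ima project."""
import errno
import hashlib
import os
import stat
import sys

IMA_XATTR = "security.ima"   # holds the "good" file hash (IMA-appraisal)
EVM_XATTR = "security.evm"   # holds the HMAC over the security xattrs (EVM)

# Leading type bytes.  ASSUMPTION: values from the upstream integrity.h enum
# evm_ima_xattr_type; the first next-ima-appraisal postings wrote a bare digest.
IMA_XATTR_DIGEST = 0x01      # followed by a SHA-1 digest (ima_hash=sha1)
EVM_XATTR_HMAC = 0x02        # followed by the HMAC-SHA1
IMA_XATTR_DIGEST_NG = 0x04   # followed by a hash-algo byte and the digest (later kernels)
HASH_ALGO = {2: "sha1", 4: "sha256"}   # ASSUMPTION: kernel hash_algo ids

# Pseudo filesystems the default policy does not measure; do not read them.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def expected_ima_value(data: bytes, fmt: str = "digest") -> bytes:
    """The security.ima value fix mode writes for 'data':
    'bare' (first postings), 'digest' (0x01 + SHA-1), 'ng-sha256' (later kernels)."""
    if fmt == "bare":
        return hashlib.sha1(data).digest()
    if fmt == "digest":
        return bytes([IMA_XATTR_DIGEST]) + hashlib.sha1(data).digest()
    if fmt == "ng-sha256":
        return bytes([IMA_XATTR_DIGEST_NG, 4]) + hashlib.sha256(data).digest()
    raise ValueError(fmt)


def check_security_ima(data: bytes, xattr: bytes) -> bool:
    """True if the stored security.ima value matches the file content 'data'.
    Signature-type values (0x03) are not a hash and are reported as a mismatch."""
    if len(xattr) == 20:                                   # bare SHA-1
        return xattr == hashlib.sha1(data).digest()
    if len(xattr) == 21 and xattr[0] == IMA_XATTR_DIGEST:
        return xattr[1:] == hashlib.sha1(data).digest()
    if len(xattr) > 2 and xattr[0] == IMA_XATTR_DIGEST_NG:
        algo = HASH_ALGO.get(xattr[1])
        return algo is not None and xattr[2:] == hashlib.new(algo, data).digest()
    return False


def classify(data: bytes, ima_xattr, evm_xattr) -> str:
    """Verdict for one file: which of the two labels is missing or stale."""
    if ima_xattr is None:
        return "unlabeled"             # fix mode never opened this file
    if not check_security_ima(data, ima_xattr):
        return "ima-mismatch"          # content changed after labeling (or tampered)
    if evm_xattr is None:
        return "no-evm"                # labeled before EVM was active
    if not evm_xattr or evm_xattr[0] != EVM_XATTR_HMAC:
        return "evm-not-hmac"
    return "ok"                        # the HMAC itself needs the evm-key to verify


def _getxattr(path: str, name: str):
    try:
        return os.getxattr(path, name, follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


def audit_tree(root: str = "/") -> dict:
    """Classify every regular root-owned file under root (the page's
    'find / -type f -uid 0' selection; -fstype is not reproduced here)."""
    verdicts = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or st.st_uid != 0:
                    continue
                with open(path, "rb") as f:
                    data = f.read()
                verdicts[path] = classify(data, _getxattr(path, IMA_XATTR),
                                          _getxattr(path, EVM_XATTR))
            except OSError:
                continue
    return verdicts


if __name__ == "__main__":
    # usage: ima_label_audit.py [root]   (run as root, after the labeling pass)
    result = audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/")
    for path, verdict in sorted(result.items()):
        if verdict != "ok":
            print(verdict, path)
    print("files checked:", len(result))
```

Run it as root while still booted in fix mode, before re-installing the kernel and initramfs: every 'unlabeled' or 'ima-mismatch' path is a file that appraisal will refuse on the enforcing boot, and 'no-evm' indicates a file labeled before EVM was activated, which is exactly why the page wants EVM started from the initramfs.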
For those unfamiliar with building a linux kernel, here is a short list of existing websites.
IMA, if not already enabled by the distro, requires getting the distro's kernel source and recompiling the kernel with the additional .config options, below. Refer to the distro's documentation for building the kernel from source. Skip this step, if you intend to enable either EVM or IMA-appraisal as well.
  CONFIG_INTEGRITY=y
  CONFIG_IMA=y
  CONFIG_IMA_MEASURE_PCR_IDX=10
  CONFIG_IMA_AUDIT=y
  CONFIG_IMA_LSM_RULES=y
The EVM/IMA-appraisal patches are based on the security-testing-2.6/#next tree. Clone the security-testing-2.6, and then add ima-2.6.git as a remote.
  $ cd ~/src/kernel
  $ git clone git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6.git
  $ cd security-testing-2.6
  $ git remote update
  $ git branch -r
  origin/HEAD
  origin/master
  origin/next
  $ git remote add ima-2.6 git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6.git
  $ git remote update
  $ git checkout --track -b next-ima-appraisal ima-2.6/next-ima-appraisal

For IMA, enable the following .config options:

  CONFIG_INTEGRITY=y
  CONFIG_IMA=y
  CONFIG_IMA_MEASURE_PCR_IDX=10
  CONFIG_IMA_AUDIT=y
  CONFIG_IMA_LSM_RULES=y

For IMA-appraisal, enable the following .config options:

  CONFIG_INTEGRITY=y
  CONFIG_IMA_APPRAISE=y
EVM has a dependency on encrypted keys, which should be encrypted/decrypted using a trusted key, but could be encrypted/decrypted with a user-defined key instead. For EVM, enable the following .config options:
  CONFIG_TCG_TPM=y
  CONFIG_KEYS=y
  CONFIG_TRUSTED_KEYS=y
  CONFIG_ENCRYPTED_KEYS=y
  CONFIG_INTEGRITY=y
  CONFIG_EVM=y
Before installing the new kernel, clone dracut (git://git.kernel.org/pub/scm/boot/dracut/dracut.git). By default, the masterkey and integrity modules are not enabled in the dracut git tree. Edit module-setup in both module directories, changing the check() return value to 0. SELinux is also not enabled; for those interested in enabling SELinux, change the SELinux module-setup check() to return 0 as well. Then 'make' and 'install' dracut. Once the updated version of dracut is installed, continue with installing the kernel as normal.
$ su -c "make modules_install install"
Trusted and encrypted keys are two new key types (upstreamed in 2.6.38) added to the existing kernel key ring service. Both of these new types are variable length symmetric keys and, in both cases, are created in the kernel. User space sees, stores, and loads only encrypted blobs. Trusted keys require the availability of a Trusted Platform Module (TPM) chip for greater security, while encrypted keys can be used on any system. All user level blobs are displayed and loaded in hex ASCII for convenience, and are integrity verified.
Depending on the distro, trusted and encrypted keys might not be enabled. Refer to compiling the kernel, for directions on configuring and building a new kernel with trusted and encrypted key support.
The trusted and EVM dracut modules, by default, look for the trusted and EVM encrypted keys in /etc/keys. To create and save the kernel master and EVM keys:
  $ su -c 'mkdir -p /etc/keys'
  # To create and save the kernel master key (trusted type):
  $ su -c 'modprobe trusted encrypted'
  $ su -c 'keyctl add trusted kmk-trusted "new 32" @u'
  $ su -c 'keyctl pipe `keyctl search @u trusted kmk-trusted` > /etc/keys/kmk-trusted.blob'
  # Create the EVM encrypted key
  $ su -c 'keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u'
  $ su -c 'keyctl pipe `keyctl search @u encrypted evm-key` > /etc/keys/evm-trusted.blob'
For those systems which don't have a TPM, but want to experiment with EVM, create a user key of 32 random bytes, and an EVM user encrypted key. Unlike trusted/encrypted keys, user type key data is visible to userspace.
  $ su -c 'mkdir -p /etc/keys'
  # To create and save the kernel master key (user type):
  $ su -c 'modprobe trusted encrypted'
  $ su -c 'keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u'
  $ su -c 'keyctl pipe `keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob'
  # Create the EVM encrypted key
  $ su -c 'keyctl add encrypted evm-key "new user:kmk-user 32" @u'
  $ su -c 'keyctl pipe `keyctl search @u encrypted evm-key` > /etc/keys/evm-user.blob'
Update /etc/sysconfig/masterkey to reflect using a 'user-defined' master key type.
  MULTIKERNELMODE="NO"
  MASTERKEYTYPE="user"
  MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}.blob"
Similarly update /etc/sysconfig/evm or on the boot command line specify the EVM key filename (eg. 'evmkey=/etc/keys/evm-user.blob'.)
The first entry is the TPM boot aggregate containing PCR values 0 - 7. Enable the TPM in BIOS and take ownership.
To take ownership of the TPM, download the tpm-tools, start tcsd (eg. 'service tcsd start'), and execute "tpm_takeownership -u -z". This will set the SRK key to the well-known secret(20 zeroes) and prompt for the TPM owner password.
The measurement list is invalidated, when a regular file is opened for read and, at the same time, opened for write. In the majority of cases, these files should not have been measured in the first place (eg. log files). In other cases, the application needs to be fixed.
To detect files changing, the filesystem needs to be mounted with i_version support. For the root filesystem, either update /etc/rc.sysinit or add the 'rootflags=i_version' boot command line option (rootflags are passed to the filesystem, which knows the option as 'i_version'; mount(8) and /etc/fstab use the spelling 'iversion'). For all other filesystems, modify /etc/fstab.
On some systems, after a suspend/resume, the TPM measurement list does not verify. On those systems, add the boot command line option "tpm.suspend_pcr=< unused PCR >".
The first '/init' is from the initramfs. The second /init is from the root filesystem (eg. /sbin/init). The IMA ng/nglong template patches will provide additional metadata to help correlate measurement entries and files.
After building a new kernel with EVM/IMA-appraisal enabled, the filesystem must be labeled with 'security.evm' and 'security.ima' extended attributes. After creating an EVM key, boot the new kernel with the 'ima_tcb', 'evm=fix', 'ima_appraise=fix', and, possibly, 'rootflags=i_version' boot command line options. Refer to labeling the filesystem with 'security.evm'.