From: Mimi Z. <zo...@li...> - 2014-01-14 20:21:33

On Tue, 2014-01-14 at 19:30 +0100, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> On 14.01.2014 16:59, Peter Jones wrote:
> > PCR, as well as having grub2 do so for its config, the kernel, and any
> > initramfses to be loaded. Doing so on a UEFI machine isn't a particularly
> > difficult change to grub2 - but you may face the same political
> > problems. It's probably worth asking Vladimir Serbinenko, who I've
> > Cced, as he's the upstream maintainer of grub2.
>
> GRUB2 has RSA/DSA gnupg signature checking. Currently in mainstream it
> supports only detached GPG signatures but I have a branch where I work
> on PE signatures (phcoder/file_types). For me we could use either. In
> the same branch I also work on implementing partial checks (check only
> files needed to satisfy EFI stuff). This approach gives similar (if not
> better) security guarantees (unless rollback is a problem, usually it's
> not, and preventing it prevents normal activity such as backup restore as
> well) but has no political problems. The only part which may be
> politically problematic is enforcing this check depending on EFI
> variables, but this would be a tiny patch remaining. Another advantage of
> this approach is easy integration with coreboot (just use GRUB2 as
> payload). I didn't finish this approach yet. Missing parts are file types
> (I still wait for an answer from Peter Jones as to which files need to be
> checked) and PE signatures (WIP).

Thanks for responding! In order to verify the signatures, you're already
calculating file hashes. Would it be possible to also extend the TPM with
these hashes and add them to the measurement list?

thanks,

Mimi

From: Vladimir 'φ-coder/p. S. <ph...@gm...> - 2014-01-14 18:31:02

On 14.01.2014 16:59, Peter Jones wrote:
> PCR, as well as having grub2 do so for its config, the kernel, and any
> initramfses to be loaded. Doing so on a UEFI machine isn't a particularly
> difficult change to grub2 - but you may face the same political
> problems. It's probably worth asking Vladimir Serbinenko, who I've
> Cced, as he's the upstream maintainer of grub2.

GRUB2 has RSA/DSA gnupg signature checking. Currently in mainstream it
supports only detached GPG signatures but I have a branch where I work
on PE signatures (phcoder/file_types). For me we could use either. In
the same branch I also work on implementing partial checks (check only
files needed to satisfy EFI stuff). This approach gives similar (if not
better) security guarantees (unless rollback is a problem, usually it's
not, and preventing it prevents normal activity such as backup restore as
well) but has no political problems. The only part which may be
politically problematic is enforcing this check depending on EFI
variables, but this would be a tiny patch remaining. Another advantage of
this approach is easy integration with coreboot (just use GRUB2 as
payload). I didn't finish this approach yet. Missing parts are file types
(I still wait for an answer from Peter Jones as to which files need to be
checked) and PE signatures (WIP).

From: Peter J. <pj...@re...> - 2014-01-14 15:59:49

On Tue, Jan 14, 2014 at 09:43:16AM -0500, Mimi Zohar wrote:
> On Tue, 2014-01-14 at 13:40 +0100, hassan Ahamad wrote:
> > I somehow made IMA work on Ubuntu by compiling the kernel. However I can
> > see the measurements from IMA by using this command "sudo cat
> > /sys/kernel/security/ima/ascii_runtime_measurements", But I haven't
> > installed trusted-grub, this again confuses me that how the chain of trust
> > will establish now and are the measurements trusted in this case.
>
> You're absolutely correct, something needs to measure the kernel and
> initramfs for there to be a measurement chain of trust. The problem is
> that trusted grub has been around for years, but has not been upstreamed
> for, let's leave it as, "political" reasons. The community has moved on
> to secure-boot, using grub2. For secure boot, a hash of the kernel
> image has to be calculated. The question is whether grub2 adds the
> measurement to a PCR.

So it's not currently /quite/ that simple on a Secure Boot system, but
there's some chance we'll get closer to it being just that. Right now
you'd have to make shim also hash grub2 and add its measurement to a
PCR, as well as having grub2 do so for its config, the kernel, and any
initramfses to be loaded. Doing so on a UEFI machine isn't a particularly
difficult change to grub2 - but you may face the same political
problems. It's probably worth asking Vladimir Serbinenko, who I've
Cced, as he's the upstream maintainer of grub2.

That all being said, on a UEFI machine, the firmware normally starts a
binary using a pair of calls named LoadImage() and StartImage().
During normal operation, if a system is configured to use a TPM, these
calls will be doing the hashing and adding to the PCR. Currently, though,
if you're on a Secure Boot enabled system, shim is being loaded through
those, and then it's emulating those calls when verifying and loading
grub2. Currently shim isn't adding things to the PCR either, so that's
one more place that needs to do better. It's not particularly
difficult, though, we just haven't done it.

--
Peter

From: Mimi Z. <zo...@li...> - 2014-01-14 14:43:31

On Tue, 2014-01-14 at 13:40 +0100, hassan Ahamad wrote:
> I somehow made IMA work on Ubuntu by compiling the kernel. However I can
> see the measurements from IMA by using this command "sudo cat
> /sys/kernel/security/ima/ascii_runtime_measurements", But I haven't
> installed trusted-grub, this again confuses me that how the chain of trust
> will establish now and are the measurements trusted in this case.

You're absolutely correct, something needs to measure the kernel and
initramfs for there to be a measurement chain of trust. The problem is
that trusted grub has been around for years, but has not been upstreamed
for, let's leave it as, "political" reasons. The community has moved on
to secure-boot, using grub2. For secure boot, a hash of the kernel
image has to be calculated. The question is whether grub2 adds the
measurement to a PCR.

> My PCR values are as follows,

A hash of the PCR 0 - 7 measurements is included in the IMA measurement
list as the first entry.

thanks,

Mimi

From: hassan A. <has...@gm...> - 2014-01-14 12:41:00

I somehow made IMA work on Ubuntu by compiling the kernel. However I can
see the measurements from IMA by using this command "sudo cat
/sys/kernel/security/ima/ascii_runtime_measurements". But I haven't
installed trusted-grub; this again confuses me as to how the chain of trust
will be established now and whether the measurements are trusted in this case.

My PCR values are as follows,

thanks,
HK

On Mon, Jan 13, 2014 at 3:48 PM, Mimi Zohar <zo...@li...> wrote:
> On Mon, 2014-01-13 at 14:50 +0100, hassan Ahamad wrote:
> > Is Debian a Linux distribution on which IMA is enabled?
> >
> > thanks!
>
> Unless something has recently changed, Debian has not enabled
> IMA/IMA-appraisal. A direct-io lockdep prevents Debian from even
> booting with 'CONCURENNCY=Makefile' specified in /etc/init.d/rc. Dmitry
> Kasatkin posted a method for resolving the direct-io lockdep. I
> recently posted a different method for resolving it -
> http://marc.info/?l=linux-security-module&m=138919062430367&w=2
>
> Still waiting for comments...
>
> thanks,
>
> Mimi

From: Mimi Z. <zo...@li...> - 2014-01-13 14:49:10

On Mon, 2014-01-13 at 14:50 +0100, hassan Ahamad wrote:
> Is Debian a Linux distribution on which IMA is enabled?
>
> thanks!

Unless something has recently changed, Debian has not enabled
IMA/IMA-appraisal. A direct-io lockdep prevents Debian from even
booting with 'CONCURENNCY=Makefile' specified in /etc/init.d/rc. Dmitry
Kasatkin posted a method for resolving the direct-io lockdep. I
recently posted a different method for resolving it -
http://marc.info/?l=linux-security-module&m=138919062430367&w=2

Still waiting for comments...

thanks,

Mimi

From: hassan A. <has...@gm...> - 2014-01-13 13:50:39

Is Debian a Linux distribution on which IMA is enabled?

thanks!

On Sun, Jan 12, 2014 at 7:19 PM, Peter Moody <pm...@go...> wrote:
> On Sun, Jan 12 2014 at 07:11, Mimi Zohar wrote:
> > On Thu, 2014-01-09 at 20:41 +0100, hassan Ahamad wrote:
> > > A second question: is there IMA package available for ubuntu and SE Linux?
> >
> > For measurement, the kernel needs to be configured with CONFIG_IMA
> > enabled. The builtin policy 'ima_tcb' needs to be specified on the boot
> > command line. There are dracut patches for loading a different policy,
> > but unlike for appraisal, no other packages are required.
>
> IMA will be enabled in the ubuntu kernel starting with 14.04 (due to be
> released in April). You'll still need to include ima_tcb on the boot
> command line.
>
> Cheers,
> peter

From: Peter M. <pm...@go...> - 2014-01-12 19:13:39

On Sun, Jan 12 2014 at 07:11, Mimi Zohar wrote:
> On Thu, 2014-01-09 at 20:41 +0100, hassan Ahamad wrote:
> > A second question: is there IMA package available for ubuntu and SE Linux?
>
> For measurement, the kernel needs to be configured with CONFIG_IMA
> enabled. The builtin policy 'ima_tcb' needs to be specified on the boot
> command line. There are dracut patches for loading a different policy,
> but unlike for appraisal, no other packages are required.

IMA will be enabled in the ubuntu kernel starting with 14.04 (due to be
released in April). You'll still need to include ima_tcb on the boot
command line.

Cheers,
peter

From: Mimi Z. <zo...@li...> - 2014-01-12 15:11:17

On Thu, 2014-01-09 at 20:41 +0100, hassan Ahamad wrote:
> Hi!
>
> Does IMA require prior installation of Trusted-Grub? What I have understood
> is that IMA starts the measurements from Kernel level, kernel is modified
> such that it measures itself and also measures the application loaded (and
> eventually gets executed). But in this case where is that immutable code or
> in other words the core root of trust which starts the measurement when
> system is booted, which measure BIOS and so on..
>
> So long story short, how do I maintain this chain of trust (immutable code
> (TPM) --> bootloader Stage 1 --> Stage 2 --> kernel ---> Applications) with
> out trusted grub?
>
> *--> means 'measures'

Right, each layer is supposed to measure the next layer before
transferring control. So the boot loader needs to measure the kernel.
As part of UEFI secure boot, grub2 calculates the kernel hash in order
to verify the kernel signature. Whether or not the hash is also added
to the PCR, I'm not sure.

The boot-aggregate, the first IMA measurement list entry, is a hash of
the bios measurements (PCRs 0 - 7). Refer to the IMA LTP test cases for
how to verify the boot-aggregate.

> A second question: is there IMA package available for ubuntu and SE Linux?

For measurement, the kernel needs to be configured with CONFIG_IMA
enabled. The builtin policy 'ima_tcb' needs to be specified on the boot
command line. There are dracut patches for loading a different policy,
but unlike for appraisal, no other packages are required.

thanks,

Mimi

From: hassan A. <has...@gm...> - 2014-01-09 19:41:58

Hi!

Does IMA require prior installation of Trusted-Grub? What I have understood
is that IMA starts the measurements from the kernel level: the kernel is
modified such that it measures itself and also measures the applications
loaded (and eventually executed). But in this case where is that immutable
code, or in other words the core root of trust, which starts the measurement
when the system is booted, which measures the BIOS and so on..

So long story short, how do I maintain this chain of trust (immutable code
(TPM) --> bootloader Stage 1 --> Stage 2 --> kernel ---> Applications)
without trusted grub?

*--> means 'measures'

A second question: is there an IMA package available for Ubuntu and SE Linux?

best,
HK

From: Mimi Z. <zo...@li...> - 2013-12-29 02:16:01

On Sat, 2013-12-28 at 16:52 +0100, hassan khan wrote:
> Hi again List!
>
> I am working on a project which requires measuring the integrity of OS. One
> option is IMA but I am not sure if it fits in the scenario below.
>
> A part of the scenario of the project is somewhat like this:
>
> The system boots up and measurement is done using trusted-grub. So the PCR
> 0-7 are filled up. Then the OS is loaded (linux). Then I have a software
> named "Checker". The purpose of this software is to check if something is
> modified in the system or not.

"to check if something is modified in the system or not" is a bit vague.

> What I am thinking is that I will store the
> PCRs values for the "checker". Once the system is restarted and new values
> are extended into the PCRS, the existing (stored) PCRs values are then
> compared to the new PCRs values.
>
> One thing I did is, I used a check-file feature in trusted-grub to ensure
> the integrity of my "checker" software as it will be only one executable
> file.
>
> The problem is that now I want to measure the OS (preferably Linux) and
> extend the measurement into a PCR. But I am not getting any clue how to do
> that. It would be great if I can get any comment on how to solve this
> problem.
>
> Thanks for your help!

trusted-grub was never upstreamed and is very unlikely to be upstreamed.
The industry seems to be converging on secure boot. Someone has added
support for measuring files to the TPM PCRs to the shim -
http://mjg59.dreamwidth.org/28746.html.

thanks,

Mimi

From: hassan k. <has...@gm...> - 2013-12-28 15:53:00

Hi again List!

I am working on a project which requires measuring the integrity of OS. One
option is IMA but I am not sure if it fits in the scenario below.

A part of the scenario of the project is somewhat like this:

The system boots up and measurement is done using trusted-grub. So the PCR
0-7 are filled up. Then the OS is loaded (linux). Then I have a software
named "Checker". The purpose of this software is to check if something is
modified in the system or not. What I am thinking is that I will store the
PCRs values for the "checker". Once the system is restarted and new values
are extended into the PCRS, the existing (stored) PCRs values are then
compared to the new PCRs values.

One thing I did is, I used a check-file feature in trusted-grub to ensure
the integrity of my "checker" software as it will be only one executable
file.

The problem is that now I want to measure the OS (preferably Linux) and
extend the measurement into a PCR. But I am not getting any clue how to do
that. It would be great if I can get any comment on how to solve this
problem.

Thanks for your help!

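An added example (not code from this thread or from the IMA project) of the two checks the thread circles around: Mimi's point that the first list entry, the boot_aggregate, is a hash of PCRs 0-7, and the "Checker" idea above of storing PCR values and comparing them after a reboot. It assumes the legacy 'ima' template with TPM 1.2 SHA-1 PCRs, and uses constructed PCR values and list lines in place of real TPM and ascii_runtime_measurements data.

```python
import hashlib

SHA1_LEN = 20
IMA_PCR = 10                           # CONFIG_IMA_MEASURE_PCR_IDX=10, as quoted in the thread
NAME_FIELD_LEN = 256                   # legacy 'ima' template: name NUL-padded to 256 bytes
ZERO_DIGEST = b"\x00" * SHA1_LEN
VIOLATION_DIGEST = b"\xff" * SHA1_LEN  # what the kernel extends on a measurement violation


def tpm_extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend operation: PCR_new = SHA1(PCR_old || digest)."""
    return hashlib.sha1(pcr_value + digest).digest()


def boot_aggregate(firmware_pcrs: dict) -> bytes:
    """First IMA entry: SHA1 over PCR-00..PCR-07 (20 bytes each, in order)."""
    return hashlib.sha1(b"".join(firmware_pcrs[i] for i in range(8))).digest()


def ima_template_hash(file_hash: bytes, name: str) -> bytes:
    """Legacy 'ima' template hash: SHA1(file_hash[20] || name padded with NULs to 256)."""
    padded = name.encode()[:NAME_FIELD_LEN - 1].ljust(NAME_FIELD_LEN, b"\x00")
    return hashlib.sha1(file_hash + padded).digest()


def format_entry(file_hash: bytes, name: str, violation: bool = False) -> str:
    """Render one ascii_runtime_measurements line the way the kernel prints it.
    A violation (e.g. ToMToU) is listed with an all-zero template hash even
    though the PCR was extended with 0xff bytes."""
    thash = ZERO_DIGEST if violation else ima_template_hash(file_hash, name)
    return f"{IMA_PCR} {thash.hex()} ima {file_hash.hex()} {name}"


def parse_entry(line: str) -> tuple:
    """'<pcr> <template-hash> ima <file-hash> <name>' -> (pcr, thash, fhash, name)."""
    pcr, thash, template, fhash, name = line.rstrip("\n").split(" ", 4)
    if template != "ima":
        raise ValueError(f"template {template!r}: this replay handles the legacy 'ima' template only")
    return int(pcr), bytes.fromhex(thash), bytes.fromhex(fhash), name


def replay(lines, firmware_pcrs: dict) -> tuple:
    """Replay the list; return (recomputed PCR-10, problems found).
    Checks that entry 0 is the boot_aggregate and equals SHA1(PCR-00..07), that
    every template hash matches its own fields, and extends violations with
    0xff bytes as the kernel did."""
    problems, pcr = [], ZERO_DIGEST
    for idx, line in enumerate(lines):
        entry_pcr, thash, fhash, name = parse_entry(line)
        if entry_pcr != IMA_PCR:
            problems.append(f"entry {idx}: recorded in PCR {entry_pcr}, not PCR-{IMA_PCR}")
        if idx == 0:
            if name != "boot_aggregate":
                problems.append("entry 0 is not boot_aggregate")
            elif fhash != boot_aggregate(firmware_pcrs):
                problems.append("boot_aggregate does not match SHA1(PCR-00..PCR-07)")
        if thash == ZERO_DIGEST:
            digest = VIOLATION_DIGEST
        else:
            if ima_template_hash(fhash, name) != thash:
                problems.append(f"entry {idx} ({name}): template hash does not match its fields")
            digest = thash
        pcr = tpm_extend(pcr, digest)
    return pcr, problems


def checker(lines, firmware_pcrs: dict, tpm_pcr10: bytes) -> bool:
    """The 'Checker' from the thread: trust the list only if its replay reproduces
    the PCR-10 value the TPM itself reports and no entry is inconsistent."""
    computed, problems = replay(lines, firmware_pcrs)
    return computed == tpm_pcr10 and not problems


# ---- constructed sample data (not from a real machine) ----
def sample_firmware_pcrs() -> dict:
    """Stand-in for PCR-00..PCR-07 as read from the TPM."""
    return {i: hashlib.sha1(f"constructed PCR-{i:02d}".encode()).digest() for i in range(8)}


def sample_measurement_list(firmware_pcrs: dict) -> list:
    """Stand-in for /sys/kernel/security/ima/ascii_runtime_measurements."""
    def fh(label: str) -> bytes:          # stand-in for a real file's SHA-1
        return hashlib.sha1(label.encode()).digest()
    return [
        format_entry(boot_aggregate(firmware_pcrs), "boot_aggregate"),
        format_entry(fh("init"), "/sbin/init"),
        format_entry(fh("bash"), "/bin/bash"),
        format_entry(fh("syslog"), "/var/log/syslog", violation=True),
    ]


if __name__ == "__main__":
    pcrs = sample_firmware_pcrs()
    lines = sample_measurement_list(pcrs)
    tpm_pcr10, _ = replay(lines, pcrs)          # stands in for reading PCR-10 from the TPM
    print("untampered list accepted:", checker(lines, pcrs, tpm_pcr10))
    # A consistently rewritten entry keeps the list self-consistent, but the
    # replay no longer reproduces the value held in the TPM.
    tampered = lines[:]
    tampered[2] = format_entry(hashlib.sha1(b"modified bash").digest(), "/bin/bash")
    print("tampered list accepted:", checker(tampered, pcrs, tpm_pcr10))
```

On a real system the firmware PCRs and PCR-10 would come from the TPM (for example /sys/kernel/security/tpm0/ascii_bios_measurements and the TPM's PCR read), and a mismatch means the list cannot be trusted, not which entry is wrong.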
From: Mimi Z. <zo...@li...> - 2013-12-18 22:11:27

On Wed, 2013-12-18 at 21:18 +0100, hassan khan wrote:
> I am interested in knowing how the integrity of OS and the applications
> running on OS are measured. I am aware of trusted-Grub which measure things
> before OS is loaded.
> Specifically, I wanted to know, is it the case that user decides for which
> application's the user wants its integrity to be measured? In other words,
> can he leave out some applications which he does not want to get measured.
> From Measurement I mean that the hashes of some application is calculated.
> Just digging deeper, what exactly gets measured in applications i.e just
> binaries or executables? and same question goes for the OS, that which
> files are hashed, loosely saying, OS will have several files in it i.e
> libraries, configurations files etc..

Both IMA measurement and appraisal are policy based. If specified on the
boot command line, the builtin 'ima_tcb' policy measures all files
executed, mmapped, and all files read by root. The builtin
'ima_appraise_tcb' policy verifies the integrity of all files owned by
root. For more information, refer to Documentation/ABI/testing/ima_policy.

thanks,

Mimi

From: hassan k. <has...@gm...> - 2013-12-18 20:18:51

I am interested in knowing how the integrity of the OS and the applications
running on the OS are measured. I am aware of trusted-Grub which measures
things before the OS is loaded.

Specifically, I wanted to know, is it the case that the user decides which
applications the user wants its integrity to be measured for? In other words,
can he leave out some applications which he does not want to get measured?
From Measurement I mean that the hashes of some application are calculated.
Just digging deeper, what exactly gets measured in applications, i.e. just
binaries or executables? And the same question goes for the OS, that is, which
files are hashed; loosely speaking, the OS will have several files in it, i.e.
libraries, configuration files etc..

thanks,
HK

On Wed, Dec 18, 2013 at 1:21 AM, Mimi Zohar <zo...@li...> wrote:
> On Tue, 2013-12-17 at 21:50 +0100, hassan khan wrote:
> > Thanks for the earlier reply regarding installation of IMA.
> >
> > Is there any tutorial which states how IMA works and how to use it?
>
> Other than the links that Sven mentioned and Dave Safford's "Integrity
> Overview whitepaper", I'm not aware of other documentation/tutorial.
>
> Basically, IMA extends the trusted boot measurement list with
> measurements from the running OS; while IMA-appraisal extends secure
> boot's enforcing file data integrity to the OS.
>
> Andreas Steffen, from the University of Applied Sciences Rapperswil,
> gave a talk at LSS2012 called "The Linux Integrity Subsystem and
> TPM-based Network Endpoint Assessment".
>
> What, in particular, are you interested in doing?
>
> thanks,
>
> Mimi

From: Mimi Z. <zo...@li...> - 2013-12-18 00:21:28

On Tue, 2013-12-17 at 21:50 +0100, hassan khan wrote:
> Thanks for the earlier reply regarding installation of IMA.
>
> Is there any tutorial which states how IMA works and how to use it?

Other than the links that Sven mentioned and Dave Safford's "Integrity
Overview whitepaper", I'm not aware of other documentation/tutorial.

Basically, IMA extends the trusted boot measurement list with
measurements from the running OS; while IMA-appraisal extends secure
boot's enforcing file data integrity to the OS.

Andreas Steffen, from the University of Applied Sciences Rapperswil,
gave a talk at LSS2012 called "The Linux Integrity Subsystem and
TPM-based Network Endpoint Assessment".

What, in particular, are you interested in doing?

thanks,

Mimi

From: hassan k. <has...@gm...> - 2013-12-17 20:50:18

Thanks for the earlier reply regarding installation of IMA.

Is there any tutorial which states how IMA works and how to use it?

best,
HK

From: Sven V. <sve...@si...> - 2013-12-16 07:39:08

Hi Hassan

The main documentation is available at
http://sourceforge.net/p/linux-ima/wiki/Home/. Some distributions also
provide instructions for IMA on their platform. Gentoo has it at
https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture.

Considering that IMA (and EVM) are more core kernel subsystems than
userspace utilities, I think all distribution documentation will be quite
similar (only some packages, if any, will differ).

Wkr,
Sven Vermeulen

On Sun, Dec 15, 2013 at 8:48 PM, hassan khan <has...@gm...> wrote:
> Hi All,
>
> is there any document which lists the instructions for installing IMA and
> the requirements for installing it.
>
> best,
> HK

From: hassan k. <has...@gm...> - 2013-12-15 19:48:39

Hi All,

is there any document which lists the instructions for installing IMA and
the requirements for installing it.

best,
HK

From: Andreas S. <and...@st...> - 2013-11-18 17:57:50

Unfortunately Fedora 19 hasn't enabled CONFIG_IMA in their signed kernel,
so neither ima=on nor ima_tcb has any effect. So if you depend on Secure
Boot to work there is currently no way to test the IMA features.

Kind regards

Andreas

On 18.11.2013 16:24, Mimi Zohar wrote:
> On Mon, 2013-11-18 at 15:47 +0100, Nicolae Paladi wrote:
> > The IMA wiki actually mentions this:
> >
> > IMA was first included in the 2.6.30 kernel. For distros that enable IMA by
> > default in their kernels, collecting IMA measurements simply requires
> > rebooting the kernel with the boot command line parameter 'ima_tcb'.
> > (Fedora/RHEL may also require the boot command line parameter 'ima=on'.)
> >
> > http://sourceforge.net/p/linux-ima/wiki/Home/
> >
> > So this is something (potentially) applicable to Fedora/RHEL/CentOS
>
> Yes, thanks for the reminder.
>
> Mimi

======================================================================
Andreas Steffen                                      and...@st...
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

From: Mimi Z. <zo...@li...> - 2013-11-18 15:24:53

On Mon, 2013-11-18 at 15:47 +0100, Nicolae Paladi wrote:
> The IMA wiki actually mentions this:
>
> IMA was first included in the 2.6.30 kernel. For distros that enable IMA by
> default in their kernels, collecting IMA measurements simply requires
> rebooting the kernel with the boot command line parameter 'ima_tcb'.
> (Fedora/RHEL may also require the boot command line parameter 'ima=on'.)
>
> http://sourceforge.net/p/linux-ima/wiki/Home/
>
> So this is something (potentially) applicable to Fedora/RHEL/CentOS

Yes, thanks for the reminder.

Mimi

From: Nicolae P. <n.p...@gm...> - 2013-11-18 14:47:51

The IMA wiki actually mentions this:

IMA was first included in the 2.6.30 kernel. For distros that enable IMA by
default in their kernels, collecting IMA measurements simply requires
rebooting the kernel with the boot command line parameter 'ima_tcb'.
(Fedora/RHEL may also require the boot command line parameter 'ima=on'.)

http://sourceforge.net/p/linux-ima/wiki/Home/

So this is something (potentially) applicable to Fedora/RHEL/CentOS

On 18 November 2013 13:47, Mimi Zohar <zo...@li...> wrote:
> On Mon, 2013-11-18 at 12:07 +0100, Nicolae Paladi wrote:
> > For the record:
> >
> > On CentOS 6.4, the correct set of boot options is:
> >
> > ima=on ima_tcb
> >
> > Using only ima=on results in an ima runtime measurement that only contains
> > the boot aggregate
> > Using only ima_tcb results in no ima runtime measurement log.
>
> Interesting, there is no upstreamed boot command line parameter named
> 'ima='. Refer to Documentation/kernel-parameters.txt for a list of
> options.
>
> Mimi

From: Mimi Z. <zo...@li...> - 2013-11-18 12:47:46

On Mon, 2013-11-18 at 12:07 +0100, Nicolae Paladi wrote:
> For the record:
>
> On CentOS 6.4, the correct set of boot options is:
>
> ima=on ima_tcb
>
> Using only ima=on results in an ima runtime measurement that only contains
> the boot aggregate
> Using only ima_tcb results in no ima runtime measurement log.

Interesting, there is no upstreamed boot command line parameter named
'ima='. Refer to Documentation/kernel-parameters.txt for a list of
options.

Mimi

From: Nicolae P. <n.p...@gm...> - 2013-11-18 11:08:02

For the record:

On CentOS 6.4, the correct set of boot options is:

ima=on ima_tcb

Using only ima=on results in an ima runtime measurement that only contains
the boot aggregate.
Using only ima_tcb results in no ima runtime measurement log.

/Nicolae.

On 25 September 2013 18:51, Mimi Zohar <zo...@li...> wrote:
> On Wed, 2013-09-25 at 18:36 +0200, Nicolae Paladi wrote:
> > TCG_TPM is enabled:
> > cat /usr/src/kernels/2.6.32-358.118.1.openstack.el6.x86_64/.config | grep CONFIG_TCG_TPM
> > CONFIG_TCG_TPM=y
> >
> > A possibly related issue I've noticed (after the system is restarted) is this:
> > service tcsd start
> > insmod: error inserting '/lib/modules/2.6.32-358.118.1.openstack.el6.x86_64/kernel/drivers/char/tpm/tpm_atmel.ko': -1 No such device
> > Starting tcsd: [ OK ]
> >
> > , however this issue should not be related to my problem as it's
> > explained here:
> > http://support.lenovo.com/en_US/detail.page?DocID=HT076606
> >
> > tpm_selftest returns:
> > TPM Test Results: 00
>
> At this point, I suggest you make sure that your Kconfig and kernel match.
>
> Mimi

From: Mimi Z. <zo...@li...> - 2013-09-25 16:52:13

On Wed, 2013-09-25 at 18:36 +0200, Nicolae Paladi wrote:
> TCG_TPM is enabled:
> cat /usr/src/kernels/2.6.32-358.118.1.openstack.el6.x86_64/.config | grep CONFIG_TCG_TPM
> CONFIG_TCG_TPM=y
>
> A possibly related issue I've noticed (after the system is restarted) is this:
> service tcsd start
> insmod: error inserting '/lib/modules/2.6.32-358.118.1.openstack.el6.x86_64/kernel/drivers/char/tpm/tpm_atmel.ko': -1 No such device
> Starting tcsd: [ OK ]
>
> , however this issue should not be related to my problem as it's
> explained here:
> http://support.lenovo.com/en_US/detail.page?DocID=HT076606
>
> tpm_selftest returns:
> TPM Test Results: 00

At this point, I suggest you make sure that your Kconfig and kernel match.

Mimi

From: Nicolae P. <n.p...@gm...> - 2013-09-25 16:37:00

TCG_TPM is enabled:
cat /usr/src/kernels/2.6.32-358.118.1.openstack.el6.x86_64/.config | grep CONFIG_TCG_TPM
CONFIG_TCG_TPM=y

A possibly related issue I've noticed (after the system is restarted) is this:
service tcsd start
insmod: error inserting '/lib/modules/2.6.32-358.118.1.openstack.el6.x86_64/kernel/drivers/char/tpm/tpm_atmel.ko': -1 No such device
Starting tcsd: [ OK ]

, however this issue should not be related to my problem as it's explained here:
http://support.lenovo.com/en_US/detail.page?DocID=HT076606

tpm_selftest returns:
TPM Test Results: 00

thank you
/Nico

P.S. OK, apparently the tpm0 measurements were an RTFM issue -- after executing
mount -t securityfs security /sys/kernel/security
the directory /sys/kernel/security/tpm0 contains the measurements; however,
the ima directory with measurements is still missing

On 25 September 2013 17:41, Mimi Zohar <zo...@li...> wrote:
> On Wed, 2013-09-25 at 17:10 +0200, Nicolae Paladi wrote:
> > On 25 September 2013 16:52, Mimi Zohar <zo...@li...> wrote:
> >
> > > On Wed, 2013-09-25 at 14:33 +0200, Nicolae Paladi wrote:
> > > > Hi,
> > > >
> > > > I'm using a CentOS 6.4 platform with the 2.6.32 kernel;
> > > >
> > > > I boot with the following arguments:
> > > >
> > > > ro root=/dev/mapper/myhost-root rd_NO_LUKS rd_LVM_LV=myhost/root
> > > > LANG=en_US.UTF-8 KEYBOARDTYPE=pc KEYTABLE=sv-latin1 rd_NO_MD
> > > > SYSFONT=latarcyrheb-sun16 ima_tcb ima=on crashkernel=129M@0M rd_NO_DM rhgb quiet
> > > >
> > > > tpm_version shows the following:
> > > > TPM 1.2 Version Info:
> > > > Chip Version: 1.2.8.28
> > > > Spec Level: 2
> > > > Errata Revision: 3
> > > > TPM Vendor ID: STM
> > > > TPM Version: 01010000
> > > >
> > > > However, there is no output in the /sys/kernel/security/ directory;
> > > > The BIOS settings are correct since there WAS an expected output when
> > > > I was running on a Ubuntu platform.
> > > >
> > > > Am I badly missing something here? Or is this a bug?
> > > >
> > > > Thank you,
> > > > /Nico
> > >
> > > Make sure the TPM is builtin, not as a module, and IMA,EVM are enabled.
> >
> > IMA is enabled, as far as I see:
> >
> > cat /usr/src/kernels/2.6.32-358.118.1.openstack.el6.x86_64/.config | grep CONFIG_IMA
> > CONFIG_IMA=y
> > CONFIG_IMA_MEASURE_PCR_IDX=10
> > CONFIG_IMA_AUDIT=y
> > CONFIG_IMA_LSM_RULES=y
> >
> > How can I see that the TPM is 'builtin'? The machine was shipped with the
> > TPM, it's a dell rack server;
>
> Check that 'CONFIG_TCG_TPM=y' is enabled.
>
> Even without the TPM enabled, there should be a measurement list.
> 'ima_tcb' is the only boot command line parameter needed. (Try removing
> ima=on.)
>
> thanks,
>
> Mimi