From: Mimi Z. <zo...@li...> - 2014-01-12 15:11:17
On Thu, 2014-01-09 at 20:41 +0100, hassan Ahamad wrote:
> Hi!
>
> Does IMA require prior installation of Trusted-Grub? What I have understood
> is that IMA starts the measurements from Kernel level, kernel is modified
> such that it measures itself and also measures the application loaded (and
> eventually gets executed). But in this case where is that immutable code or
> in other words the core root of trust which starts the measurement when
> system is booted, which measures BIOS and so on..
>
> So long story short, how do I maintain this chain of trust (immutable code
> (TPM) --> bootloader Stage 1 --> Stage 2 --> kernel ---> Applications)
> without trusted grub?
>
> *--> means 'measures'

Right, each layer is supposed to measure the next layer before transferring
control. So the boot loader needs to measure the kernel. As part of UEFI
secure boot, grub2 calculates the kernel hash in order to verify the kernel
signature. Whether or not the hash is also added to the PCR, I'm not sure.

The boot-aggregate, the first IMA measurement list entry, is a hash of the
bios measurements (PCRs 0 - 7). Refer to the IMA LTP test cases for how to
verify the boot-aggregate.

> A second question: is there an IMA package available for ubuntu and SE Linux?

For measurement, the kernel needs to be configured with CONFIG_IMA enabled.
The builtin policy 'ima_tcb' needs to be specified on the boot command line.
There are dracut patches for loading a different policy, but unlike for
appraisal, no other packages are required.

thanks,

Mimi
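The boot-aggregate check Mimi points at (the LTP test) recomputes SHA1 over PCRs 0-7 and compares it with the first 'ima' template entry. The script below is an added illustration, not code from the list post, the kernel, or LTP; it works on constructed strings in the TPM 1.2 sysfs "pcrs" layout and the ascii_runtime_measurements line layout, and the file paths named in the comments are the ones it would read on a live system.

```python
"""Recompute the IMA boot_aggregate from TPM 1.2 PCRs 0-7 and compare it with the
first entry of the IMA measurement list. Inputs here are constructed strings; on a
real system they come from /sys/class/tpm/tpm0/device/pcrs and
/sys/kernel/security/ima/ascii_runtime_measurements."""
import hashlib
import re

# Constructed sample in the sysfs "pcrs" format: "PCR-NN: XX XX ... XX" (20 bytes).
SAMPLE_PCRS = "\n".join(
    f"PCR-{i:02d}: " + " ".join(f"{(i * 7 + j) % 256:02X}" for j in range(20))
    for i in range(24)
)


def parse_pcrs(text):
    """Return {index: 20-byte value} from the TPM 1.2 sysfs pcrs listing."""
    pcrs = {}
    for line in text.splitlines():
        m = re.match(r"PCR-(\d+):\s+((?:[0-9A-Fa-f]{2}\s*)+)$", line.strip())
        if m:
            pcrs[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pcrs


def compute_boot_aggregate(pcr_text):
    """boot_aggregate = SHA1(PCR0 || PCR1 || ... || PCR7); PCRs 8+ are not included."""
    pcrs = parse_pcrs(pcr_text)
    h = hashlib.sha1()
    for i in range(8):
        if len(pcrs.get(i, b"")) != 20:
            raise ValueError(f"PCR-{i:02d} missing or not 20 bytes")
        h.update(pcrs[i])
    return h.hexdigest()


def measured_boot_aggregate(measurements_text):
    """Pull the file hash out of the first 'ima' template entry, whose fields are:
    '<pcr> <template-hash> ima <filedata-hash> boot_aggregate'."""
    first = measurements_text.splitlines()[0].split()
    if len(first) != 5 or first[2] != "ima" or first[4] != "boot_aggregate":
        raise ValueError("first entry is not an 'ima' boot_aggregate record")
    return first[3].lower()


def verify_boot_aggregate(pcr_text, measurements_text):
    """True when the logged boot_aggregate matches what PCRs 0-7 say it should be."""
    return compute_boot_aggregate(pcr_text) == measured_boot_aggregate(measurements_text)


if __name__ == "__main__":
    agg = compute_boot_aggregate(SAMPLE_PCRS)
    # Constructed list entry; the template hash is a zero placeholder, not checked here.
    good = f"10 {'0' * 40} ima {agg} boot_aggregate\n"
    print("boot_aggregate matches PCRs 0-7:", verify_boot_aggregate(SAMPLE_PCRS, good))
```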