Re: [Linux-ima-user] Chain of trust in IMA and IMA for Ubuntu!

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

I somehow made IMA work on Ubuntu by compiling the kernel. However I can
see the measurements from IMA by using this command "sudo cat
/sys/kernel/security/ima/ascii_runtime_measurements", But I haven't
installed trusted-grub, this again confuses me that how the chain of trust
will establish now and are the measurements trusted in this case. My PCR
values are as follows,

PCR-00: 85 E6 B9 77 94 E3 82 BE 32 4E 41 2D 95 B2 4E 1E AD F9 56 43
PCR-01: B8 BA F4 EE 74 F6 80 D0 D4 CB 63 A0 2F EF EF 8E 47 84 75 40
PCR-02: A8 05 55 7E 91 15 7A 6A 4B BA EA 1A ED 27 24 49 85 B7 C1 53
PCR-03: B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
PCR-04: AE BB AA DE 80 69 6A FA A5 C8 FD 3B 7C 7D 20 65 DE D4 76 7A
PCR-05: 45 A3 23 38 2B D9 33 F0 8E 7F 0E 25 6B C8 24 9E 40 95 B1 EC
PCR-06: B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
PCR-07: 34 48 2A E9 49 56 72 4C 0D FD C3 EB 58 59 6A D5 43 73 DC A2
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-10: 91 66 AE 16 0D E4 00 44 51 C0 19 71 6B 90 19 BA 08 65 7C D2
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

thanks,

HK

On Mon, Jan 13, 2014 at 3:48 PM, Mimi Zohar <zo...@li...>wrote:

> On Mon, 2014-01-13 at 14:50 +0100, hassan Ahamad wrote:
> > Are the linux - Debian distribution on which IMA is enabled?
> >
> > thanks!
>
> Unless something has recently changed, Debian has not enabled
> IMA/IMA-appraisal.  A direct-io lockdep prevents Debian from even
> booting with 'CONCURENNCY=Makefile' specified in /etc/init.d/rc.  Dmitry
> Kasatkin posted a method for resolving the direct-io lockdep.  I
> recently posted a different method for resolving it -
> http://marc.info/?l=linux-security-module&m=138919062430367&w=2
>
> Still waiting for comments...
>
> thanks,
>
> Mimi
>
> > On Sun, Jan 12, 2014 at 7:19 PM, Peter Moody <pm...@go...> wrote:
> >
> > >
> > > On Sun, Jan 12 2014 at 07:11, Mimi Zohar wrote:
> > > > On Thu, 2014-01-09 at 20:41 +0100, hassan Ahamad wrote:
> > >
> > > >> A second question: is there IMA package available for ubuntu and SE
> > > Linux?
> > > >
> > > > For measurement, the kernel needs to be configured with CONFIG_IMA
> > > > enabled.  The builtin policy 'ima_tcb' needs to be specified on the
> boot
> > > > command line.  There are dracut patches for loading a different
> policy,
> > > > but unlike for appraisal, no other packages are required.
> > >
> > > IMA will be enabled in the ubuntu kernel starting with 14.04 (due to be
> > > released in April). You'll still need to include ima_tcb on the boot
> > > command line.
> > >
> > > Cheers,
> > > peter
>
>