From: Mimi Z. <zo...@li...> - 2014-01-14 14:43:31
On Tue, 2014-01-14 at 13:40 +0100, hassan Ahamad wrote:
> I somehow made IMA work on Ubuntu by compiling the kernel. However I can
> see the measurements from IMA by using this command "sudo cat
> /sys/kernel/security/ima/ascii_runtime_measurements", but I haven't
> installed trusted-grub, this again confuses me that how the chain of trust
> will establish now and are the measurements trusted in this case.

You're absolutely correct, something needs to measure the kernel and initramfs for there to be a measurement chain of trust. The problem is that trusted grub has been around for years, but has not been upstreamed for, let's leave it as, "political" reasons. The community has moved on to secure-boot, using grub2. For secure boot, a hash of the kernel image has to be calculated. The question is whether grub2 adds the measurement to a PCR.

> My PCR values are as follows,

A hash of the PCR 0 - 7 measurements is included in the IMA measurement list as the first entry.

thanks,

Mimi
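The check implied by the last reply, as an added example that is not part of the original message: recompute the SHA-1 over PCR 0-7 and compare it with the `boot_aggregate` entry at the head of the measurement list. It assumes a TPM 1.2 SHA-1 bank and PCR text in the `PCR-NN: AA BB ...` form; the function names are hypothetical and the sample values are constructed.

```python
import hashlib
import hmac

def parse_pcrs(text):
    """Parse 'PCR-NN: AA BB ...' lines (assumed layout) into {index: bytes}."""
    pcrs = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip().startswith("PCR-"):
            pcrs[int(label.strip()[4:])] = bytes.fromhex(value.replace(" ", ""))
    return pcrs

def boot_aggregate(pcrs):
    """SHA-1 over the concatenated values of PCR 0 through 7."""
    digest = hashlib.sha1()
    for index in range(8):
        if len(pcrs[index]) != 20:
            raise ValueError(f"PCR {index} is not a 20-byte SHA-1 value")
        digest.update(pcrs[index])
    return digest.hexdigest()

def first_entry_digest(measurements):
    """Return the file-data digest of the first entry, which must be boot_aggregate."""
    first = next(l for l in measurements.splitlines() if l.strip())
    fields = first.split()
    # Layout: <pcr> <template-hash> <template-name> <file-data-hash> <path>
    if len(fields) < 5 or fields[-1] != "boot_aggregate":
        raise ValueError("first entry is not boot_aggregate")
    return fields[3].rpartition(":")[2].lower()  # drops an 'sha1:' prefix (ima-ng)

def boot_aggregate_matches(measurements, pcr_text):
    """True when the list's first entry equals the hash recomputed from the PCRs."""
    expected = boot_aggregate(parse_pcrs(pcr_text))
    return hmac.compare_digest(expected, first_entry_digest(measurements))

# Constructed sample data: 24 PCRs with made-up contents, and a two-entry list
# whose first entry is derived from those PCRs (hashes of other fields are fake).
SAMPLE_PCRS = "\n".join(
    f"PCR-{i:02d}: " + " ".join(f"{(i * 16 + j) & 0xFF:02X}" for j in range(20))
    for i in range(24)
)
SAMPLE_LIST = (
    f"10 {'0' * 40} ima {boot_aggregate(parse_pcrs(SAMPLE_PCRS))} boot_aggregate\n"
    f"10 {'1' * 40} ima {'2' * 40} /init\n"
)

if __name__ == "__main__":
    print("boot_aggregate matches PCR 0-7:", boot_aggregate_matches(SAMPLE_LIST, SAMPLE_PCRS))
```

A match only shows that the list and the PCRs agree with each other; whether PCR 0-7 cover the kernel and initramfs still depends on the boot loader extending them, which is the open question in the thread.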