From: hassan A. <has...@gm...> - 2014-01-16 14:48:55

TrustedGRUB is measuring the Linux kernel (see: http://projects.sirrix.com/trac/trustedgrub/wiki/Documentation). Thus the chain-of-trust I was talking about (BIOS->TrustedGRUB->Linux-Kernel (with IMA)->applications) is complete. I am curious, as IMA is only extending PCR 10. Which piece of code is extending PCR 0 - 7?

On Tue, Jan 14, 2014 at 3:43 PM, Mimi Zohar <zo...@li...> wrote:

> On Tue, 2014-01-14 at 13:40 +0100, hassan Ahamad wrote:
> > I somehow made IMA work on Ubuntu by compiling the kernel. However I can
> > see the measurements from IMA by using this command "sudo cat
> > /sys/kernel/security/ima/ascii_runtime_measurements", But I haven't
> > installed trusted-grub, this again confuses me that how the chain of trust
> > will establish now and are the measurements trusted in this case.
>
> You're absolutely correct, something needs to measure the kernel and
> initramfs for there to be a measurement chain of trust. The problem is
> that trusted grub has been around for years, but has not been upstreamed
> for, let's leave it as, "political" reasons. The community has moved on
> to secure-boot, using grub2. For secure boot, a hash of the kernel
> image has to be calculated. The question is whether grub2 adds the
> measurement to a PCR.
>
> > My PCR values are as follows,
>
> A hash of the PCR 0 - 7 measurements is included in the IMA measurement
> list as the first entry.
>
> thanks,
>
> Mimi
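
An added example, not part of the original thread or of the IMA code base: the two points above (IMA extends PCR 10, and the first list entry, `boot_aggregate`, is a hash of PCR 0 - 7) can be checked by replaying `ascii_runtime_measurements`. It assumes a TPM 1.2 with SHA-1 PCRs and the original `ima` template (20-byte file hash plus a 256-byte NUL-padded name); the PCR values and list entries below are constructed.

```python
import hashlib

ZERO = bytes(20)   # initial PCR value; also the digest logged for a violation
NAME_LEN = 256     # assumed: fixed-size name field of the original "ima" template

def extend(pcr, digest):
    """TPM 1.2 extend: new PCR = SHA1(old PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def boot_aggregate(pcrs):
    """SHA-1 over the concatenated values of PCR 0-7."""
    return hashlib.sha1(b"".join(pcrs[:8])).digest()

def template_hash(file_hash, name):
    """Template hash for the "ima" template: SHA1(file hash || NUL-padded name)."""
    return hashlib.sha1(file_hash + name.encode().ljust(NAME_LEN, b"\0")).digest()

def replay(lines, pcrs):
    """Return (replayed PCR 10, boot_aggregate matches PCR 0-7, bad line numbers)."""
    pcr10, agg_ok, bad = ZERO, False, []
    for n, line in enumerate(lines):
        _pcr, thash, _tmpl, fhash, name = line.rstrip("\n").split(maxsplit=4)
        thash, fhash = bytes.fromhex(thash), bytes.fromhex(fhash)
        if n == 0:
            agg_ok = name == "boot_aggregate" and fhash == boot_aggregate(pcrs)
        if thash == ZERO:                        # violation entry in the list
            pcr10 = extend(pcr10, b"\xff" * 20)  # the TPM was extended with 0xff..
            continue
        if thash != template_hash(fhash, name):  # entry does not hash to its own data
            bad.append(n)
        pcr10 = extend(pcr10, thash)
    return pcr10, agg_ok, bad

def sample(pcrs):
    """Constructed measurement list: boot_aggregate, one file, one violation."""
    rows = [(boot_aggregate(pcrs), "boot_aggregate"),
            (hashlib.sha1(b"constructed file").digest(), "/sbin/init")]
    lines = [f"10 {template_hash(h, n).hex()} ima {h.hex()} {n}" for h, n in rows]
    return lines + [f"10 {ZERO.hex()} ima {ZERO.hex()} /var/log/constructed.log"]

if __name__ == "__main__":
    pcrs = [hashlib.sha1(b"constructed PCR %d" % i).digest() for i in range(8)]
    pcr10, agg_ok, bad = replay(sample(pcrs), pcrs)
    print("replayed PCR 10:", pcr10.hex(), "boot_aggregate ok:", agg_ok, "bad:", bad)
```

The replayed value is what a verifier compares against PCR 10 as reported by the TPM; a match only says the list is consistent with the TPM, while trust in the kernel that produced the list still depends on something earlier in boot having measured it.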