From: Mimi Z. <zo...@li...> - 2014-03-23 19:53:47
On Sat, 2014-03-22 at 21:55 +0800, Youren Shen wrote:
> Hi, everyone:
>
> I'm a student in college and I'm trying to learn IMA in Linux. I have
> read the part about integrity measurement in [1].

Have you looked at the linux-ima or Gentoo wiki? There are also a number
of LWN articles and Linux Security Summit (LSS) slides as well.

> Now I suffer some problems when I start reading the IMA source code in
> Linux 2.6.30 (I consider a previous version may be simpler and more
> suitable to start learning). I can easily understand the relations
> between ima_template_entry and ima_queue_entry, but I don't understand
> the use of iint. I am also confused about the digests and their
> relations. Why do we need so many digests? (If I'm right, there are four
> digests: ima->digest, ima->template.digest, iint->digest, and one in
> the PCR.) I thought I should figure this out so I can understand how
> IMA asserts one file is not safe by comparing digests.

The iint contains integrity information associated with an inode, but is
freed along with the inode.

ima_collect_measurement(): calculates the file data hash, storing it in
the iint.

ima_store_measurement(): the file hash stored in the iint is preserved by
copying it to the measurement list and extending the PCR value.

ima_appraise_measurement(): compares the file hash stored in the iint
with the existing 'good' value stored in the extended attribute.

Mimi
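The three steps Mimi lists, and the four digests the question asks about, are easiest to see side by side in a small user-space model. The following is an added example written for this page; it is not code from the thread, from the kernel, or from ima-evm-utils. It assumes the old "ima" template layout of that era (a 20-byte SHA-1 of the file data followed by the file name NUL-padded to 256 bytes), SHA-1 as the hash, PCR 10 as the measurement PCR, and a Python dict standing in for the security.ima extended attribute; the sample files and their "good" values are constructed. Check the template layout against the kernel version you are actually reading.

```python
import hashlib
import hmac

# ---- Constructed sample data (not from any real system) ----
# File contents as IMA would read them at open time, keyed by path.
FILES = {
    "/bin/ls":    b"\x7fELF-pretend-binary-ls",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}
# Stand-in for the security.ima xattr: the known-good file hash per path.
GOOD_XATTR = {path: hashlib.sha1(data).digest() for path, data in FILES.items()}

PCR_IDX = 10       # assumption: IMA's default measurement PCR
DIGEST_LEN = 20    # SHA-1, as used by the 2.6.30-era code
NAME_LEN = 256     # assumption: IMA_EVENT_NAME_LEN_MAX + 1 in the old 'ima' template


def collect_measurement(data):
    """Model of ima_collect_measurement(): hash of the file contents.
    This is the value kept in iint->digest."""
    return hashlib.sha1(data).digest()


def template_digest(file_hash, filename):
    """Hash over the template data (file hash + NUL-padded name).
    This is template.digest, the value that is extended into the PCR."""
    name = filename.encode()[:NAME_LEN - 1].ljust(NAME_LEN, b"\x00")
    return hashlib.sha1(file_hash + name).digest()


def extend_pcr(pcr, digest):
    """TPM extend: new_pcr = H(old_pcr || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def store_measurement(entries, pcr, file_hash, filename):
    """Model of ima_store_measurement(): copy the iint hash into a
    measurement-list entry and extend the PCR with the template digest."""
    tdig = template_digest(file_hash, filename)
    entries.append({"pcr": PCR_IDX, "template_digest": tdig,
                    "file_hash": file_hash, "name": filename})
    return extend_pcr(pcr, tdig)


def measure_all(files):
    """Measure every file once, returning (measurement list, PCR value)."""
    entries, pcr = [], bytes(DIGEST_LEN)
    for path, data in files.items():
        pcr = store_measurement(entries, pcr, collect_measurement(data), path)
    return entries, pcr


def replay_measurement_list(entries):
    """What a remote verifier does with a quoted PCR: recompute the template
    digest of each entry from its fields (never trust the recorded one) and
    replay the extends. Returns None if an entry is internally inconsistent."""
    pcr = bytes(DIGEST_LEN)
    for e in entries:
        if template_digest(e["file_hash"], e["name"]) != e["template_digest"]:
            return None
        pcr = extend_pcr(pcr, e["template_digest"])
    return pcr


def appraise_measurement(file_hash, xattr_hash):
    """Model of ima_appraise_measurement(): compare iint->digest with the
    'good' value from the xattr. A missing xattr fails appraisal."""
    if xattr_hash is None:
        return False
    return hmac.compare_digest(file_hash, xattr_hash)


if __name__ == "__main__":
    entries, pcr = measure_all(FILES)
    print("PCR-%d after %d measurements: %s" % (PCR_IDX, len(entries), pcr.hex()))
    print("replay matches quoted PCR:", replay_measurement_list(entries) == pcr)
    tampered = collect_measurement(b"127.0.0.1 attacker\n")
    print("appraise tampered /etc/hosts:",
          appraise_measurement(tampered, GOOD_XATTR["/etc/hosts"]))
```

The point the model makes: iint->digest and the list entry's file hash are the same value at different lifetimes (the iint dies with the inode, the list entry does not); template.digest is a hash over that value plus the file name; and the PCR is a running hash over the template digests, so a verifier can only accept the list if replaying it reproduces the quoted PCR. Appraisal never touches the PCR at all; it is a local comparison against the xattr.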