Menu
▾
▴
Re: [Linux-ima-user] [Help]How to start learning IMA source code?
|
From: Dmitry K. <d.k...@sa...> - 2014-03-31 11:55:37
|
On 30/03/14 18:44, Youren Shen wrote: > Hi, Dmitry: > > Thank you for you reply. > Sorry for so later to reply. > Even in the early Linux 3.0, there is no apprised module. If the > apprised module is absent, how did the IMA keep the system secure? > How did the arrest module work? By integrity reporting? > "This list can be examined by a (possibly remote) program to ensure > that no unknown or known-vulnerable applications have been run.", said > in this page[1]. *What's this program? Is it implement by user space > application developer or kernel hacker?* > The IMA will keep the system secure before a program execute, or when > a program is execute, the IMA will keep the program secure? > > Thank you very much. > > [1]. https://lwn.net/Articles/137306/ > > > -- > Best Regards. > Youren Shen. Hi, I recommend you to look to Integrity subsystem wiki: http://sourceforge.net/p/linux-ima/wiki/Home I provides lots of information. IMA itself does not prevent program from execution. IMA just measures files, specified by the policy. Along the runtime IMA is building up measurement list which can be read via sysfs entry. The key component is TPM. TPM PCR register is extended by IMA measurements. TPM allows remotely verify measurement list. TPM allows to sign IMA PCR register with special attestation private key and that signature can be verified by remote attestation service. Remote attestation service will have attestation public key. Please have a look to the wiki. - Dmitry |
