From: Mimi Z. <zo...@li...> - 2014-03-31 12:59:56
On Mon, 2014-03-31 at 14:53 +0300, Dmitry Kasatkin wrote:
> On 30/03/14 18:44, Youren Shen wrote:
> > Hi, Dmitry:
> >
> > Thank you for your reply.
> > Sorry for the late reply.
> > Even in the early Linux 3.0, there is no apprised module. If the
> > apprised module is absent, how did the IMA keep the system secure?
> > How did the arrest module work? By integrity reporting?
> > "This list can be examined by a (possibly remote) program to ensure
> > that no unknown or known-vulnerable applications have been run.", said
> > in this page[1]. *What's this program? Is it implemented by a user space
> > application developer or a kernel hacker?*
> > Will the IMA keep the system secure before a program executes, or,
> > when a program is executing, will the IMA keep the program secure?
> >
> > Thank you very much.
> >
> > [1]. https://lwn.net/Articles/137306/
> >
> >
> > --
> > Best Regards.
> > Youren Shen.
>
> Hi,
>
> I recommend you look at the Integrity subsystem wiki:
> http://sourceforge.net/p/linux-ima/wiki/Home
>
> It provides lots of information.
>
> IMA itself does not prevent a program from executing.
> IMA just measures files specified by the policy.
> During runtime, IMA builds up a measurement list which can be read
> via a sysfs entry.
>
> The key component is the TPM.
> The TPM PCR register is extended by IMA measurements.
> The TPM allows the measurement list to be verified remotely.
> The TPM allows signing the IMA PCR register with a special attestation
> private key, and that signature can be verified by a remote attestation service.
> The remote attestation service will have the attestation public key.
>
>
> Please have a look at the wiki.

In particular, take a look at the overview section, which contains a timeline of when the different features were upstreamed and a reference to the whitepaper describing the goals, design, and benefits of these features.

Mimi
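
Added example, not part of the thread or of the IMA project's code: a sketch of the verifier side discussed above, which replays the measurement list to recompute the PCR value and flags files missing from a reference set. It assumes the ASCII measurement list format (PCR index, template hash, template name, file hash, path), a SHA-1 PCR 10, and that the TPM signature over the quoted PCR value has already been checked with the attestation public key; the function names, the sample list and all hashes in it are constructed.

```python
import hashlib

ZERO = bytes(20)           # SHA-1 PCR value at boot; also the template hash of a violation entry
VIOLATION = b"\xff" * 20   # the kernel extends this instead of an all-zero template hash


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend operation: PCR_new = SHA1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def replay(lines, pcr_index=10):
    """Recompute the PCR implied by the list; return it with the (path, file hash) pairs."""
    pcr, measured = ZERO, []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        # Fields: PCR index, template hash, template name, file hash, path (may contain spaces)
        idx, template_hash, _name, file_hash, path = line.split(None, 4)
        digest = bytes.fromhex(template_hash)
        if len(digest) != 20:
            raise ValueError(f"unexpected template hash length in: {line!r}")
        if int(idx) != pcr_index:
            continue
        pcr = extend(pcr, VIOLATION if digest == ZERO else digest)
        measured.append((path, file_hash))
    return pcr, measured


def verify(lines, quoted_pcr: bytes, known_good: dict):
    """Return (list_matches_quoted_pcr, paths whose hash is not in the known-good set)."""
    pcr, measured = replay(lines)
    unknown = [path for path, file_hash in measured if known_good.get(path) != file_hash]
    return pcr == quoted_pcr, unknown


def fake(tag: str) -> str:
    """Constructed 40-hex-digit value for the sample below; not a real measurement."""
    return hashlib.sha1(tag.encode()).hexdigest()


# Constructed sample list and reference database (assumptions, not taken from a real system).
SAMPLE = [
    f"10 {fake('t0')} ima {fake('agg')} boot_aggregate",
    f"10 {fake('t1')} ima {fake('init')} /sbin/init",
    f"10 {fake('t2')} ima {fake('tool')} /usr/bin/unlisted",
]
KNOWN_GOOD = {"boot_aggregate": fake("agg"), "/sbin/init": fake("init")}

if __name__ == "__main__":
    quoted, _ = replay(SAMPLE)  # stands in for the PCR value from a verified TPM quote
    print(verify(SAMPLE, quoted, KNOWN_GOOD))      # intact list
    print(verify(SAMPLE[:2], quoted, KNOWN_GOOD))  # list with an entry removed
```

A list with an entry removed or altered no longer reproduces the quoted PCR value, which is why the verifier can trust the list only after this replay succeeds.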