From: Curtis V. <cr...@so...> - 2015-01-22 05:43:07
I have been experimenting a little with IMA and there seem to be several chicken and egg problems... (I am working on a system without TPM. I am not certain if having a TPM would change the result.)

First chicken and egg problem encountered: I attempted to start a kernel with "ima_tcb and ima_appraise_tcb" on the command line (no files have been hashed or signed). The kernel complains that init cannot be executed. (This was expected.)

So I rebooted with kernel args = "ima_tcb and ima_appraise_tcb ima_appraise=fix". And of course the system operated correctly (and made hashes for items used during boot; looked at the ascii list of hashes and did other development tasks on the system.)

I changed the command line back to "ima_tcb and ima_appraise_tcb". Interestingly enough the kernel seemed to freeze at

[ 9.705228] hrtimer:interrupt took 26204054 ns

I waited a bit and then hit the "return" key. This gave a prompt.

So I tried
#whoami
I got an audit error with cause="missing hash"

So I tried
#ls -l
And got a directory listing.

I successfully tried quite a number of things. The system is in a relatively functional state.

So I tried loading my test policy (which only prevents executables owned by user 1000 from running)
#cat my_policy > /sys/kernel/security/ima/policy
Too bad that directory does not exist. Nothing is mounted on /sys yet.

I am not certain why we have enough hashes to allow an incomplete boot into an almost working system, while other hashes that I know I must have generated in the previous boot seem to be gone. I apparently have missed something important.

If I cannot have all my hashes available across reboots on a system without a TPM then the default policy will pose a problem for booting a production system. (Note that the TPM may have nothing to do with this...)

The only other thing I can think of is that I may have forgotten i_version support in mounting. Need to check that tomorrow.

Any comments and suggestions would be welcomed.

Another thought. When does IMA actually become active when booting with and without an initrd/initramfs? (If using an initramfs delays IMA becoming active then perhaps that gives a window for cleaning up? If so my booting without might be contributing to the problem.)

Next issue to be continued in another post.
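Added example (not part of the mail above, and not code from the IMA project): a small POSIX shell script that checks the two prerequisites the post runs into, namely that securityfs is mounted so /sys/kernel/security/ima/policy exists, and that the filesystems holding appraised files carry the iversion mount option the author suspects he forgot. The function names, the SAMPLE_MOUNTS table and the --run switch are assumptions made for this example; the sample mounts lines are constructed, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for IMA
# appraisal: (1) the securityfs policy file must be reachable, and
# (2) filesystems with appraised files should be mounted with iversion
# so IMA can tell when a file changed and re-measure it.

# Return 0 if one /proc/mounts-style line carries the iversion option.
# $1 is a single line: dev mountpoint fstype options dump pass
mount_line_has_iversion() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    case ",$opts," in
        *,iversion,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the mount options for mount point $1 from a mounts table on stdin
# (feed it /proc/mounts on a live system, or constructed text offline).
mount_opts_for() {
    awk -v mp="$1" '$2 == mp {print $4; exit}'
}

# Return 0 if the IMA policy file exists under the securityfs root $1.
# On a live system $1 is /sys/kernel/security; the post's failure case
# ("Too bad that directory does not exist") is exactly this returning 1.
ima_policy_available() {
    [ -e "$1/ima/policy" ]
}

# Constructed sample mounts table (hypothetical, not from the post).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,iversion 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,noatime,iversion 0 0'

# Print one "ok:" or "warn:" line per entry of SAMPLE_MOUNTS.
check_iversion() {
    printf '%s\n' "$SAMPLE_MOUNTS" | while read -r line; do
        mp=$(printf '%s\n' "$line" | awk '{print $2}')
        if mount_line_has_iversion "$line"; then
            echo "ok: $mp mounted with iversion"
        else
            echo "warn: $mp is missing the iversion mount option"
        fi
    done
}

# Report whether file $1 carries a security.ima xattr (hash or signature).
# Needs getfattr from the attr package; says so when it is absent.
ima_xattr_status() {
    if ! command -v getfattr >/dev/null 2>&1; then
        echo "unknown (getfattr not installed)"
    elif getfattr -n security.ima --only-values "$1" >/dev/null 2>&1; then
        echo present
    else
        echo missing
    fi
}

# Run the live checks only when invoked as: sh ima_preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    check_iversion
    if ima_policy_available /sys/kernel/security; then
        echo "ok: /sys/kernel/security/ima/policy is available"
    else
        echo "warn: securityfs not mounted or IMA not enabled"
    fi
    echo "security.ima on /bin/sh: $(ima_xattr_status /bin/sh)"
fi
```

On a real machine, replace SAMPLE_MOUNTS with `cat /proc/mounts` and run the script with --run; a "warn:" line for the root filesystem points at the same missing-iversion issue the author planned to check, and a failing policy check means the policy cannot be loaded until securityfs is mounted.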