Message ID | 20210108040708.8389-1-tusharsu@linux.microsoft.com (mailing list archive) |
---|---|
Series | IMA: support for measuring kernel integrity critical data |

On Thu, 2021-01-07 at 20:07 -0800, Tushar Sugandhi wrote:
> IMA measures files and buffer data such as keys, command-line arguments
> passed to the kernel on kexec system call, etc. While these measurements
> are necessary for monitoring and validating the integrity of the system,
> they are not sufficient. Various data structures, policies, and states
> stored in kernel memory also impact the integrity of the system.
> Several kernel subsystems contain such integrity critical data -
> e.g. LSMs like SELinux, AppArmor etc. or device-mapper targets like
> dm-crypt, dm-verity, dm-integrity etc. These kernel subsystems help
> protect the integrity of a system. Their integrity critical data is not
> expected to change frequently during run-time. Some of these structures
> cannot be defined as __ro_after_init, because they are initialized later.
>
> For a given system, various external services/infrastructure tools
> (including the attestation service) interact with it - both during the
> setup and during rest of the system run-time. They share sensitive data
> and/or execute critical workload on that system. The external services
> may want to verify the current run-time state of the relevant kernel
> subsystems before fully trusting the system with business critical
> data/workload. For instance, verifying that SELinux is in "enforce" mode
> along with the expected policy, disks are encrypted with a certain
> configuration, secure boot is enabled etc.
>
> This series provides the necessary IMA functionality for kernel
> subsystems to ensure their configuration can be measured:
> - by kernel subsystems themselves,
> - in a tamper resistant way,
> - and re-measured - triggered on state/configuration change.
>
> This patch set:
> - defines a new IMA hook ima_measure_critical_data() to measure
>   integrity critical data,
> - limits the critical data being measured based on a label,
> - defines a builtin critical data measurement policy,
> - and includes an SELinux consumer of the new IMA critical data hook.

Thanks Tushar, Lakshmi. This patch set is queued in the
next-integrity-testing branch.

Mimi

On 2021-01-15 4:54 a.m., Mimi Zohar wrote:
> On Thu, 2021-01-07 at 20:07 -0800, Tushar Sugandhi wrote:
>> IMA measures files and buffer data such as keys, command-line arguments
>> passed to the kernel on kexec system call, etc. While these measurements
>> are necessary for monitoring and validating the integrity of the system,
>> they are not sufficient. Various data structures, policies, and states
>> stored in kernel memory also impact the integrity of the system.
>> Several kernel subsystems contain such integrity critical data -
>> e.g. LSMs like SELinux, AppArmor etc. or device-mapper targets like
>> dm-crypt, dm-verity, dm-integrity etc. These kernel subsystems help
>> protect the integrity of a system. Their integrity critical data is not
>> expected to change frequently during run-time. Some of these structures
>> cannot be defined as __ro_after_init, because they are initialized later.
>>
>> For a given system, various external services/infrastructure tools
>> (including the attestation service) interact with it - both during the
>> setup and during rest of the system run-time. They share sensitive data
>> and/or execute critical workload on that system. The external services
>> may want to verify the current run-time state of the relevant kernel
>> subsystems before fully trusting the system with business critical
>> data/workload. For instance, verifying that SELinux is in "enforce" mode
>> along with the expected policy, disks are encrypted with a certain
>> configuration, secure boot is enabled etc.
>>
>> This series provides the necessary IMA functionality for kernel
>> subsystems to ensure their configuration can be measured:
>> - by kernel subsystems themselves,
>> - in a tamper resistant way,
>> - and re-measured - triggered on state/configuration change.
>>
>> This patch set:
>> - defines a new IMA hook ima_measure_critical_data() to measure
>>   integrity critical data,
>> - limits the critical data being measured based on a label,
>> - defines a builtin critical data measurement policy,
>> - and includes an SELinux consumer of the new IMA critical data hook.
>
> Thanks Tushar, Lakshmi. This patch set is queued in the
> next-integrity-testing branch.
>
> Mimi
>

Hello Mimi, Paul, Stephen, Tyler,

Thanks a lot for reviewing this series and providing all the valuable
feedback over the last few months.

We really really appreciate it.

Thanks,
Tushar