On Fri, 2021-01-22 at 15:28 -0800, Raphael Gianotti wrote: > The integrity of a kernel can be verified by the boot loader on cold > boot, and during kexec, by the current running kernel, before it is > loaded. However, it is still possible that the new kernel being > loaded is older than the current kernel, and/or has known > vulnerabilities. Therefore, it is imperative that an attestation > service be able to verify the version of the kernel being loaded on > the client, from cold boot and subsequent kexec system calls, > ensuring that only kernels with versions known to be good are loaded. > > Measure the kernel version using ima_measure_critical_data() early on > in the boot sequence, reducing the chances of known kernel > vulnerabilities being exploited. With IMA being part of the kernel, > this overall approach makes the measurement itself more trustworthy. > > To enable measuring the kernel version "ima_policy=critical_data" > needs to be added to the kernel command line arguments. > For example, > BOOT_IMAGE=/boot/vmlinuz-5.11.0-rc3+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset ima_policy=critical_data > > If runtime measurement of the kernel version is ever needed, the > following should be added to /etc/ima/ima-policy: > > measure func=CRITICAL_DATA label=kernel_version > > To extract the measured data after boot, the following command can be used: > > grep -m 1 "kernel_version" \ > /sys/kernel/security/integrity/ima/ascii_runtime_measurements > > Sample output from the command above: > > 10 a8297d408e9d5155728b619761d0dd4cedf5ef5f ima-buf > sha256:5660e19945be0119bc19cbbf8d9c33a09935ab5d30dad48aa11f879c67d70988 > kernel_version 352e31312e302d7263332d31363138372d676564623634666537383234342d6469727479 > > The above corresponds to the following (decoded) version string: > > 5.11.0-rc3-16187-gedb64fe78244-dirty > > This patch is based on > commit e58bb688f2e4 "Merge branch 'measure-critical-data' into next-integrity" > in "next-integrity-testing" branch > > Change Log v2: > - Changed the measurement to align with the latest version of > ima_measure_critical_data(), without the need for queueing > - Scoped the measurement to only measure the kernel version, > found in UTS_RELEASE, instead of the entire linux_banner > string > > Signed-off-by: Raphael Gianotti <raphgi@xxxxxxxxxxxxxxxxxxx> > --- > security/integrity/ima/ima_main.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 6a429846f90a..0a33f570725c 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -26,6 +26,7 @@ > #include <linux/ima.h> > #include <linux/iversion.h> > #include <linux/fs.h> > +#include <generated/utsrelease.h> > > #include "ima.h" > > @@ -994,8 +995,11 @@ static int __init init_ima(void) > if (error) > pr_warn("Couldn't register LSM notifier, error %d\n", error); > > - if (!error) > + if (!error) { > ima_update_policy_flag(); > + ima_measure_critical_data("kernel_version", "kernel_version", > + UTS_RELEASE, strlen(UTS_RELEASE), false); > + } > > return error; > } Consider defining a new critical data label grouping (e.g. "kernel_info", ...). Please move ima_measure_critical_data() to ima_init() and update the critical data "label:=" in Documentation/ABI/testing/ima_policy. thanks, Mimi