[RFC PATCH v1 0/4] Virtualize PCR for Container-IMA

The main goal of this series is to provide the opportunity
for retrieving integrity information from containers (namespaces)
in case of remote attestation requests and requests from other servers
querying the state of integrity for any given container.

The detailed description and architecture can be found here:
https://www.usenix.org/system/files/raid2019-luo.pdf,
this paper shows the basics for how it works in general
but did not solve some practical issues related to memory allocation,
TPM interaction etc.

Summary:

Let Ih be the host integrity, and Ic1, Ic2, ..., Icn the integrity
of the first, second, ..., n-th container.
Then the whole integrity of the system would be:

	Ih = Ic1 + Ic2 + ... + Icn;

	where Ic1, Ic2 ... are integrity of corresponding
	containers (namespaces)

Each container integrity consists of measurement lists
and the value of virtual PCR (container PCR). vPCR = cPCR.

	Architecture scheme

	.---------.     .---------.          .---------.
	| C1 with |     | C2 with |          | Cn with |
	| IMA-ns  |     | IMA-ns  |          | IMA-ns  |
	|---------|     |---------|          |---------|
	|  vPCR1  |<--->|  vPCR2  |... <---> |  vPCRn  |
	|---------|     |---------|          |---------|
	|         |     |         |          |         |
	'---------'     '---------'          '---------'

	C1, C2, Cn - containers (with IMA namespaces)
	vPCRi - virtual PCR (in other words cPCR - container PCRs)

Each IMA namespace which belongs to a container should
store its own PCR value (virtual PCR, vPCR, or in other words
container PCR: cPCR = vPCR)
and should perform a number of operations.

Measurement:
1. records the history value of a specific PCR (historyPCR)
   which is not used in the current system. In our prototype
   based on TPM 2.0, we choose PCR12.

2. records the digest of all cPCRs
   (cPCR - container PCR or virtual PCR that is stored for namespace).
   During measurement perform:

   tempValue := cPCRi.value xor cPCRi.secret;
   tempPCR := HASH(tempPCR || tempValue);

   Where cPCRi.value is the value of a given namespace, cPCRi.secret is
   a randomly generated sequence of bytes for the namespace, and
   || is concatenation.

3. extends the physical PCR12 with the final tempPCR.
   PCR12 := PCR_Extend(PCR12,tempPCR)

Attestation:
When receiving this request, the IMA (and TPM) should provide
the following data:
1. the related PCR values, in our case this is PCR12

2. sendcPCRs list where sendcPCR for each namespace is calculated as:
   sendcPCRs = cPCRi.value xor cPCRi.secret
3. Measurement lists for each namespace.
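As an added example (not part of this patch series), both sides of the scheme above in Python: the host folds the per-namespace cPCRs into tempPCR and extends PCR12, and a remote verifier recomputes tempPCR from the sendcPCRs list to check the quoted PCR12. It assumes SHA-256 as HASH, an all-zero initial tempPCR and a fixed namespace order, none of which the cover letter specifies.

```python
import hashlib

# Assumption: the SHA-256 PCR bank of a TPM 2.0; the cover letter only writes HASH().
DIGEST_LEN = 32

def hash_(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == DIGEST_LEN
    return bytes(x ^ y for x, y in zip(a, b))

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM PCR_Extend semantics: PCR := HASH(PCR || digest)
    return hash_(pcr + digest)

def fold_cpcrs(temp_values: list) -> bytes:
    # Step 2 of "Measurement": tempPCR := HASH(tempPCR || tempValue) over every namespace.
    # Assumption: tempPCR starts as all zeros; the namespace order must be fixed and shared.
    temp_pcr = bytes(DIGEST_LEN)
    for temp_value in temp_values:
        temp_pcr = hash_(temp_pcr + temp_value)
    return temp_pcr

def measure_containers(cpcrs: list) -> tuple:
    # Host side: each cPCRi is (value, secret); sendcPCRi = value xor secret is what the
    # attestation response carries, tempPCR is what gets extended into the real PCR12.
    sendcpcrs = [xor_bytes(value, secret) for value, secret in cpcrs]
    return fold_cpcrs(sendcpcrs), sendcpcrs

def verify_attestation(pcr12_before: bytes, pcr12_quoted: bytes, sendcpcrs: list) -> bool:
    # Verifier side: recompute tempPCR from the sendcPCRs list and check that extending
    # the previous PCR12 state with it reproduces the quoted PCR12.
    return pcr_extend(pcr12_before, fold_cpcrs(sendcpcrs)) == pcr12_quoted

def demo() -> tuple:
    # Constructed sample: two namespaces with fixed cPCR values and secrets (the kernel
    # would draw the secrets at random; fixed here so the run is reproducible).
    cpcrs = [(hash_(b"ns1 measurement list"), hash_(b"ns1 secret")),
             (hash_(b"ns2 measurement list"), hash_(b"ns2 secret"))]
    pcr12_before = bytes(DIGEST_LEN)  # PCR12 is unused elsewhere, so it starts at zero
    temp_pcr, sendcpcrs = measure_containers(cpcrs)
    pcr12_quoted = pcr_extend(pcr12_before, temp_pcr)
    ok = verify_attestation(pcr12_before, pcr12_quoted, sendcpcrs)
    # Reordering the list changes tempPCR: verification depends on the namespace order.
    bad = verify_attestation(pcr12_before, pcr12_quoted, sendcpcrs[::-1])
    return ok, bad
```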

This work is also based on Stefan Berger's patches from:
https://github.com/stefanberger/linux-ima-namespaces


Denis Semakin (4):
  ima: Introduce PCR virtualization for IMA namespace.
  ima: Use tpm_chip from init IMA namespace.
  ima: Create vpcr file on securityfs.
  ima: Extend the real PCR12 with tempPCR value.

 security/integrity/ima/ima.h             |  12 +-
 security/integrity/ima/ima_fs.c          | 166 +++++++++++++++++++++++
 security/integrity/ima/ima_init_ima_ns.c |  22 +++
 security/integrity/ima/ima_ns.c          |   3 +
 security/integrity/ima/ima_queue.c       |  55 ++++++++
 5 files changed, 257 insertions(+), 1 deletion(-)

-- 
2.25.1



