On Thu, 2022-09-15 at 22:36 -0700, Ken Williams wrote:
> I am looking at Linux IMA to try and understand how it might be useful
> for my application. I am playing around with it a bit now and as I do
> so, I am finding myself with questions about the usage model and user
> configuration. With that opening, my first question is:
>
> Is this an acceptable forum for asking user and usage questions?
>
> If yes, then let me describe my environment:
> I am running an older kernel, 4.14.238, on a fsl device in a system
> that does not have a TPM, although I am running an implementation of
> OP-TEE. In my case, I want to do the best I can to prevent file
> modification, without considering off-line attacks. My deployment
> mechanism is os-tree.
>
> When I look at the measurement capability, I cannot see how that can
> help since I do not have a TPM in which to anchor the measurements, so
> it looks like I need to implement appraisal. I did find this link,
> https://sourceforge.net/p/linux-ima/mailman/linux-ima-user/?viewmonth=201409&viewday=10,
> where Mimi says "Enabling IMA-appraisal is anything but simple", and I
> actually found that kind of reassuring as it confirmed that my
> learning curve in this area may not be out of line. My plan is to
> pre-sign the files prior to installation and I see that effort as
> being outside of the scope of my inquiries here. So now, does it look
> like I am starting in the right direction?
>
> Thanks for reading through this and I welcome any comments.

Let's add some context to the above quote. One of the differences between
IMA-appraisal and IMA-measurement is that IMA-appraisal requires quite a bit
of configuration (e.g. keys, signing files, and policy). This is in
comparison to IMA-measurement, which requires just a policy.

As long as the IMA-appraisal policy encompasses just those things that can
and should be signed, enforcing the IMA-appraisal policy is straightforward:

- Create a local CA key and build it into the kernel.
- Create a public/private key pair signed by the local CA key.
- Sign files.
- Load the public key on the IMA keyring.
- Load the IMA appraise policy.

Examples of the first 2 steps can be seen in the ima-evm-utils README.
Examples of the last two steps can be seen in the dracut 98integrity
module. systemd can be configured to load an IMA custom policy.

-- 
thanks,

Mimi
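The five steps in Mimi's reply, walked through as an added shell example (not code from the thread, ima-evm-utils or dracut). It assumes openssl, evmctl and keyctl are installed; the file names under `./ima-keys`, the certificate subjects and the two-rule policy are this example's own choices.

```sh
#!/bin/sh
# Added example: one function per step of the IMA-appraisal setup.
# Paths, subjects and policy rules below are assumptions, not ima-evm-utils defaults.

WORK=${WORK:-./ima-keys}   # where keys and certificates are written (assumption)

# Step 1: local CA key and self-signed certificate. Build the CA into the kernel by
# pointing CONFIG_SYSTEM_TRUSTED_KEYS at ima-local-ca.pem before rebuilding.
make_local_ca() {
    mkdir -p "$WORK"
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -batch \
        -subj "/CN=Local IMA CA" \
        -keyout "$WORK/ima-local-ca.priv" -out "$WORK/ima-local-ca.pem"
}

# Step 2: file-signing key pair whose certificate is issued by the local CA.
# evmctl signs with the PEM private key; the kernel keyring wants the DER certificate.
make_signing_key() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -batch \
        -subj "/CN=IMA file signing key" \
        -keyout "$WORK/privkey_ima.pem" -out "$WORK/csr_ima.pem"
    openssl x509 -req -sha256 -days 365 -in "$WORK/csr_ima.pem" \
        -CA "$WORK/ima-local-ca.pem" -CAkey "$WORK/ima-local-ca.priv" -CAcreateserial \
        -outform DER -out "$WORK/x509_ima.der"
}

# Step 3: write an IMA signature into security.ima on every regular file under a tree
# (done on the build host, before the tree is deployed).
sign_tree() {
    evmctl ima_sign --key "$WORK/privkey_ima.pem" -a sha256 -r "$1"
}

# Step 4: load the signing certificate onto the .ima keyring on the target (as root).
# The kernel only accepts it because the issuing CA is already built in.
load_ima_key() {
    keyctl padd asymmetric "" %keyring:.ima < "$WORK/x509_ima.der"
}

# Step 5: appraise only what was signed: executables and mmap'd libraries must carry
# a valid signature (appraise_type=imasig rejects plain hashes).
ima_policy() {
    printf '%s\n' 'appraise func=BPRM_CHECK appraise_type=imasig' \
                  'appraise func=MMAP_CHECK appraise_type=imasig'
}

load_policy() {
    ima_policy > /sys/kernel/security/ima/policy
}

# Usage: sh ima-appraise.sh ca | key | sign <dir> | keyring | policy
case "${1:-}" in
ca)      make_local_ca ;;
key)     make_signing_key ;;
sign)    sign_tree "${2:?directory to sign}" ;;
keyring) load_ima_key ;;
policy)  load_policy ;;
esac
```

On a 4.14 kernel the first write to the policy file replaces the built-in default; appending further rules later needs CONFIG_IMA_WRITE_POLICY.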