Hi Mimi and others and thanks for responding.

My primary goal right now is to develop an understanding of IMA for the purpose of determining if and how it can be useful for my application. For that, I have outlined below a few implementation scenarios. I have played around with IMA a bit so as to get some understanding of the process, configuration and capabilities. This included creating a policy file for measurements as well as signing files and enabling appraisal. All of this was done on-target, and obviously putting a private key on the target is not right, but this was a familiarization exercise.

In any case, my current understanding is that the options available to me, without a TPM device, are:

- Measure files which have no security.ima=<HASH> xattr

  In this case I can detect if a previously measured file has changed. This is a nice exercise for getting my feet wet, but without a TPM it is hard to embrace this alone as being a security tool that can work for me.

- Measure files which do have a security.ima=<HASH> xattr

  This is a good step up, but I cannot see how this enables the detection of a 'bad' but properly labeled file without a link to some kind of file validation server. Again, I have no TPM.

- Attest to files which have been signed with a private key prior to installation

  With this, I understand that as long as I have control over the file installation process, I have a level of protection equal to that of the signing algorithm. If I am correct, I also understand that this applies only to immutable files, typically executable binaries. The process of signing the files would be off-target and outside the scope of my questions and comments here. Again, I do not have a TPM, so I understand that an off-line attack is still possible, but it looks like this might be the best I can get out of IMA for the environment I have.
Russell, regarding your comment regarding inclusion of the i-node in the signing, I understood that to be included in signing for EVM, not for the attestation part of IMA.

Thanks for any comments.

Ken

> Let's add some context to the above quote. One of the differences
> between IMA-appraisal and IMA-measurement is that IMA-appraisal
> requires quite a bit of configuration (e.g. keys, signing files, and
> policy). This is in comparison to IMA-measurement, which requires just
> a policy.
>
> As long as the IMA-appraisal policy encompasses just those things that
> can and should be signed, enforcing the IMA-appraisal policy is
> straightforward:
> - Create a local CA key and build it into the kernel.
> - Create a public/private key pair signed by the local CA key.
> - Sign files.
> - Load the public key on the IMA keyring.
> - Load the IMA appraise policy.
>
> Examples of the first 2 steps can be seen in the ima-evm-utils README.
> Examples of the last two steps can be seen in dracut 98integrity
> modules. systemd can be configured to load an IMA custom policy.
>
> --
> thanks,
>
> Mimi
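An added example (not code from the thread or from the IMA project) for the first scenario Ken describes, measurement without a TPM: it diffs the kernel's measurement list against a baseline from a known-good image so that a re-measured (changed) file, an unexpected path, or a missing measurement is reported. It assumes the ima-ng template format of /sys/kernel/security/ima/ascii_runtime_measurements; the sample log, paths and hashes are constructed.

```python
import re

# Added example (not from the thread). Parses the ima-ng template lines of
# /sys/kernel/security/ima/ascii_runtime_measurements:
#   <pcr> <template-hash> <template-name> <algo>:<file-hash> <path>
LINE_RE = re.compile(
    r"^(?P<pcr>\d+)\s+(?P<thash>[0-9a-f]+)\s+(?P<tmpl>\S+)\s+"
    r"(?P<algo>[a-z0-9_]+):(?P<fhash>[0-9a-f]+)\s+(?P<path>.+)$"
)

def parse_measurements(text):
    """Return {path: [algo:hash, ...]} in log order. IMA appends a fresh
    entry when a measured file is modified, so a path can repeat."""
    entries = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised measurement line: %r" % line)
        entries.setdefault(m["path"], []).append(m["algo"] + ":" + m["fhash"])
    return entries

def check_against_baseline(entries, baseline):
    """Classify measured paths against baseline {path: 'algo:hash'}.
    Returns (changed_since_boot, mismatched, unknown, unmeasured)."""
    changed = sorted(p for p, h in entries.items() if len(set(h)) > 1)
    mismatched = sorted(p for p, h in entries.items()
                        if p in baseline and h[-1] != baseline[p])
    unknown = sorted(p for p in entries
                     if p not in baseline and p != "boot_aggregate")
    unmeasured = sorted(p for p in baseline if p not in entries)
    return changed, mismatched, unknown, unmeasured

# Constructed sample log; hashes are placeholders, not real measurements.
# Without a TPM the boot_aggregate digest is all zeros: the list detects changes
# but nothing binds it to the platform, so it cannot attest to them.
THASH, ZERO = "ab" * 20, "00" * 32
APP_V1, APP_V2, LIB, DROPPED = "11" * 32, "22" * 32, "33" * 32, "44" * 32
SAMPLE_LOG = "\n".join([
    "10 %s ima-ng sha256:%s boot_aggregate" % (THASH, ZERO),
    "10 %s ima-ng sha256:%s /usr/bin/app" % (THASH, APP_V1),
    "10 %s ima-ng sha256:%s /usr/lib/libfoo.so" % (THASH, LIB),
    "10 %s ima-ng sha256:%s /opt/dropped tool" % (THASH, DROPPED),  # space in path
    "10 %s ima-ng sha256:%s /usr/bin/app" % (THASH, APP_V2),  # re-measured
])
BASELINE = {"/usr/bin/app": "sha256:" + APP_V1,
            "/usr/lib/libfoo.so": "sha256:" + LIB,
            "/usr/sbin/daemon": "sha256:" + "55" * 32}

def audit_sample():
    """Run the check over the constructed log; see the returned tuple."""
    return check_against_baseline(parse_measurements(SAMPLE_LOG), BASELINE)
```

On a real target, read the measurement list from securityfs and build the baseline from the same image you install; a re-measured path is exactly the "previously measured file has changed" case, nothing more.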