Hi Ken,

On Sun, 2022-09-18 at 16:47 -0700, Ken Williams wrote:
> Hi Mimi and others and thanks for responding.
>
> My primary goal right now is to develop an understanding of IMA for
> the purpose of determining if and how it can be useful for my application.
> For that, I have outlined below a few implementation scenarios.
>
> I have played around with IMA a bit so as to get some understanding of
> the process, configuration and capabilities. This included creating a
> policy file for measurements as well as signing files and enabling appraisal.
> All of this was done on-target and obviously putting a private key on the
> target is not right but this was a familiarization exercise. In any case,
> my current understanding is that options available to me, without a TPM
> device, are:
>
> - Measure files which have no security.ima=<HASH> xattr
>   In this case I can detect if a previously measured file has changed.
>   This is a nice exercise for getting my feet wet but without a TPM,
>   it is hard to embrace this alone as being a security tool that can
>   work for me.
>
> - Measure files which do have a security.ima=<HASH> xattr
>   This is a good step up but I cannot see how this enables the
>   detection of a 'bad' but properly labeled file without a link to
>   some kind of file validation server. Again, I have no TPM.

In either case, the TPM is needed for remote attestation. The 'ima-sig'
template includes the file signature, if available, in the measurement
list. With just the public key, the remote attestation server can verify
the file signature.

> - Attest to files which have been signed with a private key prior to
>   installation
>   With this, I understand that as long as I have control over the file
>   installation process, I have a level of protection equal to that of
>   the signing algorithm. If I am correct, I also understand that this
>   applies only to immutable files, typically executable binaries.
>   The process of signing the files would be off-target and outside the
>   scope of my questions and comments here.
>
> Again, I do not have a TPM so I understand that an off-line attack
> is still possible but it looks like this might be the best I can get
> out of IMA for the environment I have.

IMA file hashes are used for mutable files, which cannot be signed. When
file hashes are stored as security.ima, EVM HMAC must be used to detect
offline file metadata changes.

-- 
thanks,

Mimi
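The two points Mimi makes above (the 'ima-sig' template carries the security.ima signature into the measurement list, so a verifier needs only the public key; hash-only entries belong to mutable files and give the remote side nothing to verify) can be seen end to end in the following added example. It is not code from the thread, from IMA or from ima-evm-utils. It models the off-target signing step that produces a security.ima blob in the signature_v2_hdr layout (type, version, hash_algo, keyid, sig_size, then an RSA PKCS#1 v1.5 signature over the file digest), then parses constructed ascii_runtime_measurements lines in ima-sig format and verifies them with the public key alone. Assumptions: the RSA key is a deterministic 512-bit toy key (a real deployment uses an X.509 key in the IMA keyring), the keyid is taken as the low four bytes of sha1(modulus) rather than being derived from the certificate's SubjectKeyIdentifier, the template hash field is a placeholder since it is the PCR extend chain (i.e. the TPM) that binds it, and file paths are assumed to contain no spaces. Standard library only, so it runs offline.

```python
# Added example (not from the thread): sign a file digest into a security.ima
# blob off-target, then verify ima-sig measurement-list lines with only the
# public key, as a remote attestation server would.  Stdlib only.
import hashlib
import hmac
import random
import struct

EVM_IMA_XATTR_DIGSIG = 0x03    # security.ima type byte meaning "signature"
SIG_VERSION_V2 = 0x02          # signature_v2_hdr.version
HASH_ALGO_SHA256 = 4           # enum hash_algo value for sha256
HDR = struct.Struct(">BBBIH")  # packed signature_v2_hdr: type, version, hash_algo, keyid, sig_size
# DER DigestInfo prefix for SHA-256; PKCS#1 v1.5 signs DigestInfo || digest
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _probable_prime(n):
    """Miller-Rabin with fixed bases; fine for a toy key."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_rsa_key(bits=512, seed=1):
    """ASSUMPTION: deterministic toy key standing in for the real X.509 signing key. Returns (n, e, d)."""
    rng, e = random.Random(seed), 65537

    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c):
                return c

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:           # e is prime, so e not dividing phi means gcd == 1
            return p * q, e, pow(e, -1, phi)


def _emsa_pkcs1_v15(digest, k):
    """EMSA-PKCS1-v1_5 encoding of a SHA-256 digest for a k-byte modulus."""
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def keyid_of(n):
    """ASSUMPTION: low 4 bytes of sha1(modulus); real IMA keyids come from the cert's SKID."""
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha1(nb).digest()[-4:], "big")


def sign_security_ima(file_digest, n, e, d):
    """Off-target signing: build the security.ima blob (signature_v2_hdr + RSA PKCS#1 v1.5 sig)."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(file_digest, k), "big")
    sig = pow(em, d, n).to_bytes(k, "big")
    return HDR.pack(EVM_IMA_XATTR_DIGSIG, SIG_VERSION_V2, HASH_ALGO_SHA256, keyid_of(n), len(sig)) + sig


def measurement_line(path, file_digest, xattr=b""):
    """Constructed ascii_runtime_measurements line in ima-sig format; template hash is a placeholder."""
    return f"10 {'00' * 20} ima-sig sha256:{file_digest.hex()} {path} {xattr.hex()}".rstrip()


def verify_measurement(line, pubkeys):
    """Attestation-server side. pubkeys maps keyid -> (n, e). Returns (path, status)."""
    f = line.split(" ")                       # ASSUMPTION: no spaces in paths
    if len(f) < 5 or f[2] != "ima-sig":
        return (None, "unsupported-template")
    algo, _, digest_hex = f[3].partition(":")
    path, xattr = f[4], bytes.fromhex(f[5]) if len(f) > 5 else b""
    if not xattr:
        # Mutable file measured by hash only: nothing for the remote side to verify;
        # offline changes to its security.ima on target are only caught by EVM HMAC.
        return (path, "hash-only")
    if len(xattr) < HDR.size or xattr[0] != EVM_IMA_XATTR_DIGSIG:
        return (path, "not-a-signature")
    _, ver, halgo, keyid, sig_size = HDR.unpack_from(xattr)
    sig = xattr[HDR.size:HDR.size + sig_size]
    if ver != SIG_VERSION_V2 or halgo != HASH_ALGO_SHA256 or algo != "sha256" or len(sig) != sig_size:
        return (path, "bad-header")
    if keyid not in pubkeys:
        return (path, "unknown-key")
    n, e = pubkeys[keyid]
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return (path, "bad-header")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    ok = hmac.compare_digest(em, _emsa_pkcs1_v15(bytes.fromhex(digest_hex), k))
    return (path, "signed-ok" if ok else "signed-bad")


def demo():
    n, e, d = toy_rsa_key()
    pubkeys = {keyid_of(n): (n, e)}                # only the public half leaves the signing host
    good = hashlib.sha256(b"#!/bin/sh\necho hello\n").digest()   # constructed file contents
    evil = hashlib.sha256(b"#!/bin/sh\necho pwned\n").digest()
    xattr = sign_security_ima(good, n, e, d)
    lines = [
        measurement_line("/usr/bin/hello", good, xattr),   # signed, intact
        measurement_line("/usr/bin/hello", evil, xattr),   # same signature, file replaced
        measurement_line("/etc/hello.conf", evil),         # mutable file, hash only
    ]
    return [verify_measurement(ln, pubkeys) for ln in lines]


if __name__ == "__main__":
    for path, status in demo():
        print(f"{status:12} {path}")
```

The third line is the case Ken asks about: a file with a hash-only security.ima shows up in the list as just a digest, so the remote side can report that it was measured but cannot say whether it is "good"; only a TPM-bound log (for the measurement itself) and EVM HMAC on the target (for the stored xattr) change that.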