Friday, May 17, 2024

Integrity Measurement Architecture (IMA) on Raspbian

What is IMA?

Linux Integrity Measurement Architecture (IMA) is an integrity subsystem of the Linux kernel. It hashes ("measures") files such as executables, shared libraries and configuration files when they are opened or executed, keeps the measurements in a kernel-held list that can be extended into a TPM PCR when a TPM is present, and can optionally appraise a file by checking the hash or digital signature stored in its security.ima extended attribute before access is allowed. Together these detect, and in appraisal mode block, unauthorized changes to the system.

What is EVM?

Linux Extended Verification Module (EVM) is a security feature in the Linux kernel that protects the security-relevant extended attributes (xattrs) of files, and selected inode metadata, against offline tampering. The protected xattrs include those used by the Integrity Measurement Architecture (security.ima) and by Linux Security Modules (LSMs) such as SELinux or Smack. EVM stores an HMAC or a digital signature over them in security.evm, so a modified or missing security.evm reveals that the metadata IMA appraisal itself relies on has been changed.

Exploring some use cases

Enable IMA and EVM, then build the kernel

The edited defconfig is the first argument to diff, so the lines marked < are the options added to it and the line marked > is one present in the stock bcm2709_defconfig but not in the edited copy.
$ diff defconfig ./arch/arm/configs/bcm2709_defconfig
672a673
> CONFIG_TCG_TPM=m
1499,1500d1499
< CONFIG_IMA=y
< CONFIG_EVM=y

Boot with the kernel and check that IMA and EVM are present under securityfs

root@raspberrypi:~# find /sys/kernel/security/
/sys/kernel/security/
/sys/kernel/security/evm
/sys/kernel/security/ima
/sys/kernel/security/integrity
/sys/kernel/security/integrity/evm
/sys/kernel/security/integrity/evm/evm
/sys/kernel/security/integrity/ima
/sys/kernel/security/integrity/ima/policy
/sys/kernel/security/integrity/ima/violations
/sys/kernel/security/integrity/ima/runtime_measurements_count
/sys/kernel/security/integrity/ima/ascii_runtime_measurements
/sys/kernel/security/integrity/ima/binary_runtime_measurements
/sys/kernel/security/lsm

Test digital signature validation of immutable files

The package ima-evm-utils was not available for my version of Raspbian

$ apt-cache search ima-evm-utils
$

Download, configure, build, install

$ git clone https://github.com/stefanberger/ima-evm-utils.git
$ cd ima-evm-utils/
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install
$ sudo ldconfig

Generate a key pair

pi@raspberrypi:~ $ openssl genrsa -out rsa_private.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................+++++
.....................+++++
e is 65537 (0x010001)
pi@raspberrypi:~ $ openssl rsa -pubout -in rsa_private.pem -out rsa_public.pem
writing RSA key

Import the public key into the _ima keyring

Without a trusted integrity keyring the kernel looks the appraisal keyring up by the name _ima; kernels built with CONFIG_INTEGRITY_TRUSTED_KEYRING use the .ima keyring instead and only accept keys that are signed by a key already on the system trusted keyring.

pi@raspberrypi:~ $ sudo evmctl import --rsa rsa_public.pem $(keyctl newring _ima @u)
Importing public key F0D70A9FC543B7FD from file rsa_public.pem into keyring 348838330
keyid: 975180608
975180608

Test on a hello-world executable

pi@raspberrypi:~ $ cat hello.c
#include <stdio.h>

int main()
{
        printf("Hello world\n");
        return 0;
}
pi@raspberrypi:~ $ gcc hello.c -o hello
pi@raspberrypi:~ $ sudo evmctl ima_sign --key rsa_private.pem hello
hash(sha1): c7a17949155c2e35f0065551f4cc04adaf466eb3
evm/ima signature: 264 bytes

pi@raspberrypi:~ $ getfattr -m . -d ./hello
# file: hello
security.ima=0sAwICm9fPhwEAJfjxXOMJuyXcJ0CdzjdfAVRdftfHCW44L/57wckvqoYFb20UWJWkNyvb6f0hZ0dbC+RVYtf/2z59QZcmOzhAh/u0vmIHS/9gS4QEFE3mkgEeoY0OgQlSZQC9B9nkepoxkvHG/96G0xf9i+uw1nNgeFUgSQtvqAs1h2Kvzh0ROY3dMqCuc4WSE0IXQRBEfM7OoK0e6mY/SsyY+8+zHbHn1W+kdu8RgCE0FDdRF1PhUwrNM8CwSHVZiYOuoEz0x09afPlEGdw/ugymCFCz34/HMcK/OZt++/XM6ku01abNoIKKaIg3pwlnjUHu7KjUejs4CCearja0id0FghmbU5O1zg==
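The security.ima value that getfattr printed above is a binary blob, base64-encoded by getfattr (the 0s prefix). The following is an added example, not code from the original post or from ima-evm-utils, that decodes such values according to the kernel's xattr layouts: a type byte, followed either by a digest or by the signature_v2_hdr fields (version, hash algorithm, 4-byte key id that the kernel uses to pick the verifying key from the keyring, signature size). Run on the value above it reports signature version 2, hash algorithm 2 (SHA-1, evmctl's default on this build; pass -a sha256 to evmctl ima_sign to sign with SHA-256), key id 9bd7cf87 and a 256-byte signature, and it flags the weak hash. The make_digest_ng_value helper and the content it hashes are constructed for illustration and are not taken from the post; the constant names and values are those of the kernel headers named in the comments.

```python
"""Decode the security.ima / security.evm xattr blobs that IMA and EVM store on a file.

Added example for this post. Constants follow the kernel's
security/integrity/integrity.h (enum evm_ima_xattr_type, struct signature_v2_hdr)
and include/uapi/linux/hash_info.h (hash_algo).
"""
import base64
import hashlib
import struct

# First byte of the xattr value selects the layout of the rest.
IMA_XATTR_DIGEST = 0x01           # legacy: 20-byte SHA-1 digest, no algorithm byte
EVM_XATTR_HMAC = 0x02             # security.evm: HMAC over protected xattrs + inode metadata
EVM_IMA_XATTR_DIGSIG = 0x03       # asymmetric signature, signature_v2_hdr follows
IMA_XATTR_DIGEST_NG = 0x04        # digest with an explicit hash-algorithm byte
EVM_XATTR_PORTABLE_DIGSIG = 0x05  # security.evm signature that excludes inode-specific data

# hash_algo identifiers from hash_info.h and their digest sizes in bytes (common entries only)
HASH_ALGO = {0: ("md4", 16), 1: ("md5", 16), 2: ("sha1", 20), 3: ("rmd160", 20),
             4: ("sha256", 32), 5: ("sha384", 48), 6: ("sha512", 64), 7: ("sha224", 28)}
WEAK_HASHES = {"md4", "md5", "sha1"}

# signature_v2_hdr after the type byte: version, hash_algo, keyid (be32), sig_size (be16)
SIG_V2_HDR = struct.Struct(">BBIH")

# The security.ima value getfattr printed for ./hello in the post.
HELLO_SECURITY_IMA = ("0s"
    "AwICm9fPhwEAJfjxXOMJuyXcJ0CdzjdfAVRdftfH"
    "CW44L/57wckvqoYFb20UWJWkNyvb6f0hZ0dbC+RV"
    "Ytf/2z59QZcmOzhAh/u0vmIHS/9gS4QEFE3mkgEe"
    "oY0OgQlSZQC9B9nkepoxkvHG/96G0xf9i+uw1nNg"
    "eFUgSQtvqAs1h2Kvzh0ROY3dMqCuc4WSE0IXQRBE"
    "fM7OoK0e6mY/SsyY+8+zHbHn1W+kdu8RgCE0FDdR"
    "F1PhUwrNM8CwSHVZiYOuoEz0x09afPlEGdw/ugym"
    "CFCz34/HMcK/OZt++/XM6ku01abNoIKKaIg3pwln"
    "jUHu7KjUejs4CCearja0id0FghmbU5O1zg==")


def decode_getfattr_value(value: str) -> bytes:
    """getfattr -d prints binary values as 0s<base64> or 0x<hex>; return the raw bytes."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:], validate=True)
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    raise ValueError("value is not a getfattr-encoded binary attribute")


def parse_integrity_xattr(raw: bytes) -> dict:
    """Parse one security.ima / security.evm value into its fields, rejecting malformed blobs."""
    if not raw:
        raise ValueError("empty xattr value")
    xtype, body = raw[0], raw[1:]

    if xtype in (IMA_XATTR_DIGEST, EVM_XATTR_HMAC):
        # Both legacy forms are a fixed 20-byte SHA-1 output with no algorithm byte.
        if len(body) != 20:
            raise ValueError(f"legacy SHA-1 value must be 20 bytes, got {len(body)}")
        kind = "digest" if xtype == IMA_XATTR_DIGEST else "hmac"
        return {"kind": kind, "hash_algo": "sha1", "weak_hash": True, "digest": body.hex()}

    if xtype == IMA_XATTR_DIGEST_NG:
        if len(body) < 1 or body[0] not in HASH_ALGO:
            raise ValueError("digest_ng with missing or unknown hash algorithm")
        name, size = HASH_ALGO[body[0]]
        digest = body[1:]
        if len(digest) != size:
            raise ValueError(f"{name} digest must be {size} bytes, got {len(digest)}")
        return {"kind": "digest_ng", "hash_algo": name,
                "weak_hash": name in WEAK_HASHES, "digest": digest.hex()}

    if xtype in (EVM_IMA_XATTR_DIGSIG, EVM_XATTR_PORTABLE_DIGSIG):
        if len(body) < SIG_V2_HDR.size:
            raise ValueError("signature header truncated")
        version, algo_id, keyid, sig_size = SIG_V2_HDR.unpack_from(body)
        sig = body[SIG_V2_HDR.size:]
        if version != 2:
            raise ValueError(f"unsupported signature version {version}")
        if algo_id not in HASH_ALGO:
            raise ValueError(f"unknown hash algorithm id {algo_id}")
        if len(sig) != sig_size:
            raise ValueError(f"sig_size says {sig_size} bytes but {len(sig)} follow")
        name = HASH_ALGO[algo_id][0]
        return {"kind": "digsig" if xtype == EVM_IMA_XATTR_DIGSIG else "portable_digsig",
                "version": version, "hash_algo": name, "weak_hash": name in WEAK_HASHES,
                "keyid": f"{keyid:08x}",  # the kernel requests the key as "id:<keyid>"
                "sig_size": sig_size, "signature": sig.hex()}

    raise ValueError(f"unknown evm_ima_xattr_type {xtype:#04x}")


def is_well_formed(value: str) -> bool:
    """True when the getfattr value decodes and parses cleanly, False otherwise."""
    try:
        parse_integrity_xattr(decode_getfattr_value(value))
        return True
    except ValueError:
        return False


def make_digest_ng_value(content: bytes) -> str:
    """Build the getfattr form of an IMA_XATTR_DIGEST_NG value carrying the SHA-256 of content
    (the unsigned hash layout IMA appraises in hash-only mode). Constructed for illustration."""
    raw = bytes([IMA_XATTR_DIGEST_NG, 4]) + hashlib.sha256(content).digest()
    return "0s" + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    for label, value in (("hello security.ima", HELLO_SECURITY_IMA),
                         ("constructed sha256 digest_ng", make_digest_ng_value(b"Hello world\n"))):
        fields = parse_integrity_xattr(decode_getfattr_value(value))
        fields.pop("signature", None)
        print(label, fields)
```

The sig_size check matters in practice: a signature blob whose trailing bytes do not match the header's sig_size is exactly what the kernel rejects, so a tool that reads these xattrs should refuse it rather than guess.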