openEuler Innovation Project – Integrity Measurement Architecture

The Integrity Measurement Architecture (IMA) is an integrity subsystem of the Linux kernel, built on the kernel's security hook framework and available since kernel 2.6.30, that provides file integrity protection. With IMA digest lists, the reference digests of protected files are generated and signed in the build phase, the imported reference digests are verified in the boot phase, and the integrity of key system files is protected while the system is running.


Challenges

Systems run in complex, networked environments and are exposed to many kinds of attack while running. An attacker can replace executable files shipped with the system or implant unknown malicious programs, causing unpredictable damage. IMA extends the trusted boot mechanism: building on the trustworthiness established for the kernel, it adds integrity protection for user-mode files.


IMA can measure files accessed through system calls such as execve() and mmap(), according to user-defined policy rules. The computed digest serves two purposes:

  • Measurement: the digest is appended to the kernel's measurement list and extended into a TPM Platform Configuration Register (PCR), so that accidental or malicious modifications to files can be detected through local or remote attestation.
  • Appraisal: the digest is compared with a reference value pre-stored in the file's security.ima extended attribute, and access is denied on mismatch, which protects the integrity of the local file.


The native IMA feature of the Linux kernel has the following shortcomings:

  • Complicated deployment: native IMA stores the reference value of each file in its extended attributes. To enable appraisal, you first boot the system in fix mode (ima_appraise=fix), access every file covered by the policy so that its extended attribute is generated and written, and only then reboot into enforce mode (ima_appraise=enforce).
  • Performance degradation: in native IMA, every file measurement extends a PCR of the trusted platform module (TPM). The TPM is a low-speed chip, so each PCR extension is expensive. Likewise, every file appraisal verifies the signature (or, with EVM, the hash-based message authentication code, HMAC) stored in the file's extended attributes. This per-file verification is also slow and degrades performance.


Project Introduction

Features

IMA is the trusted computing implementation in openEuler that extends the trust chain from the trusted OS up to trusted applications. openEuler provides IMA digest lists to enhance the kernel's native integrity protection mechanism; they replace the per-file extended-attribute workflow of native IMA and give stronger file integrity protection at lower cost.


Digest lists are binary data files in a dedicated format. Each digest list corresponds to one RPM package and records the hash values of the protected files (executable files and shared library files) contained in that package.


Once the boot parameters are configured, the kernel maintains an in-kernel hash table (not visible to user space) and exposes two securityfs interfaces, digest_list_data and digest_list_data_del, for adding digest lists to the table and removing them from it. Digest lists are signed with a private key when they are built; when a list is uploaded through these interfaces, the kernel verifies its signature with the corresponding public key before accepting it.

When IMA appraisal is enabled, each access to an executable or shared library invokes the kernel hook, which computes the hash of the file content (and of its extended attributes) and looks the result up in the kernel hash table. If a matching entry is found, the access proceeds; otherwise, access to the file is denied.
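As an added example (not code from openEuler, the kernel, or digest-list-tools), the following Go program models the three steps described above in user space: a build-side step that hashes the protected files of a package into a digest list and signs it, an upload step that verifies the signature before any digest enters the hash table, and the per-access appraisal that only hashes the file and performs a table lookup. The list layout (a 4-byte big-endian entry count followed by raw SHA-256 digests), the Ed25519 build key and the file contents are assumptions made for this example; openEuler's real on-disk digest list format and signing scheme are not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// digestLen is the size of one SHA-256 digest in the example list format.
const digestLen = sha256.Size

// NewBuildKey creates the key pair used to sign digest lists at build time.
// The public half is what the kernel side is assumed to trust.
func NewBuildKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildDigestList hashes the content of each protected file and packs the
// digests into the example binary layout: uint32 count, then raw digests.
// This stands in for generating one digest list per RPM package at build time.
func BuildDigestList(files map[string][]byte) []byte {
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.BigEndian, uint32(len(files)))
	for _, content := range files {
		d := sha256.Sum256(content)
		buf.Write(d[:])
	}
	return buf.Bytes()
}

// SignDigestList signs the whole serialized list with the build private key.
func SignDigestList(priv ed25519.PrivateKey, list []byte) []byte {
	return ed25519.Sign(priv, list)
}

// DigestStore models the kernel-side hash table filled through the upload
// interface. It is keyed by the raw digest so lookups are O(1).
type DigestStore map[[digestLen]byte]struct{}

// Upload models the securityfs upload path: the signature is checked with the
// trusted public key first, and a list that fails verification or is
// malformed contributes no digests at all.
func (s DigestStore) Upload(pub ed25519.PublicKey, list, sig []byte) error {
	if !ed25519.Verify(pub, list, sig) {
		return errors.New("digest list signature verification failed")
	}
	if len(list) < 4 {
		return errors.New("digest list too short")
	}
	n := binary.BigEndian.Uint32(list[:4])
	if uint64(len(list)-4) != uint64(n)*digestLen {
		return errors.New("digest list length does not match entry count")
	}
	for i := uint32(0); i < n; i++ {
		var d [digestLen]byte
		copy(d[:], list[4+i*digestLen:4+(i+1)*digestLen])
		s[d] = struct{}{}
	}
	return nil
}

// Appraise models the per-access check: hash the file content and look the
// digest up. No signature is verified per file, which is the point of the
// digest-list approach compared with native per-file appraisal.
func (s DigestStore) Appraise(content []byte) bool {
	d := sha256.Sum256(content)
	_, ok := s[d]
	return ok
}

func main() {
	pub, priv := NewBuildKey()
	// Constructed stand-ins for the protected files of one package.
	files := map[string][]byte{
		"/usr/bin/example":         []byte("example executable contents"),
		"/usr/lib64/libexample.so": []byte("shared library contents"),
	}
	list := BuildDigestList(files)
	sig := SignDigestList(priv, list)

	store := DigestStore{}
	if err := store.Upload(pub, list, sig); err != nil {
		panic(err)
	}
	fmt.Println("genuine binary allowed:", store.Appraise(files["/usr/bin/example"]))
	fmt.Println("tampered binary allowed:", store.Appraise([]byte("trojaned contents")))

	// A list altered after signing is rejected at upload time, so a forged
	// digest can never reach the table.
	forged := append([]byte(nil), list...)
	forged[len(forged)-1] ^= 0x01
	fmt.Println("forged list upload:", store.Upload(pub, forged, sig))
}
```

The important property to take from the model is where the expensive operation sits: the signature check runs once per list at upload, while the per-access path is a hash plus a lookup, and a list that does not verify contributes nothing to the table.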

Application Scenarios

IMA digest lists are used in data center, cloud computing, edge, and embedded scenarios to protect system file integrity, and are a key technology in trusted computing. They help establish a trusted local environment so that the trust chain of trusted computing can be extended to the application layer. In addition, the measurement logs can be used for remote attestation to verify whether the files loaded on the attested platform, and the running state of the system, are trusted.


Repositories

https://gitee.com/src-openEuler/digest-list-tools

https://gitee.com/openeuler/digest-list-tools

https://gitee.com/openeuler/kernel
