linux-ima-user — Q&A for users of IMA

Re: [Linux-ima-user] Question regarding ascii_runtime_measurements

[Till B. <ti...@on...>]

Hello Reiner,

On 2/19/07, Reiner Sailer <sa...@us...> wrote:
>
>
> Hi Till,
>
> there are probably configuration problems in your kernel. Use the SMP
> kernel as we all do; it's not worth debugging configs since the order in the
> measurement list does not really matter. The order of measurements just
> reflects the order modules are loaded or executables are mapped. If this
> order changes, this also affects the measurement list.


But if the order of the measurements change, the resulting  "final" hash
will also change with every boot order, which in turn makes it nearly
impossible to determine if the system is in a good stage... or am I wrong?
The only option I see is to check if every single loaded "thing" is what I
expect by checking all hash values individually.

And if that is the case, it might cause me more problems than it will solve
:(

At the moment I use the boot parameters ima=1 maxcpus=1 noht. The
measurements of the first 77 loaded objects seems to be the same now.

The late init is also not a problem. It simply indicates that on your
> system, other modules / programs are loaded before init (on most systems
> starting with ramdisk, init will be not among the first measurements).
>
> Greetings
> Reiner
> __________________________________________________________
> Reiner Sailer, Research Staff Member, Secure Systems Department
> IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
> Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, sa...@us...
> http://www.research.ibm.com/people/s/sailer/
>
>
>  *"Till Bentz" <ti...@on...>*
> Sent by: til...@go...
>
> 02/19/2007 11:32 AM  Please respond to
> ti...@on...
>
>   To
> Reiner Sailer/Watson/IBM@IBMUS  cc
> lin...@li...  Subject
> Re: [Linux-ima-user] Question regarding ascii_runtime_measurements
>
>
>
>
> --
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu
  tolerierende Quelle der Unsicherheit
**********************************************

Re: [Linux-ima-user] Question regarding ascii_runtime_measurements

[Reiner S. <sa...@us...>]

Hi Till,

there are probably configuration problems in your kernel. Use the SMP 
kernel as we all do; it's not worth debugging configs since the order in 
the measurement list does not really matter. The order of measurements 
just reflects the order modules are loaded or executables are mapped. If 
this order changes, this also affects the measurement list.

The late init is also not a problem. It simply indicates that on your 
system, other modules / programs are loaded before init (on most systems 
starting with ramdisk, init will be not among the first measurements).

Greetings
Reiner
__________________________________________________________
Reiner Sailer, Research Staff Member, Secure Systems Department
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, sa...@us... 
http://www.research.ibm.com/people/s/sailer/



"Till Bentz" <ti...@on...> 
Sent by: til...@go...
02/19/2007 11:32 AM
Please respond to
ti...@on...


To
Reiner Sailer/Watson/IBM@IBMUS
cc
lin...@li...
Subject
Re: [Linux-ima-user] Question regarding ascii_runtime_measurements






Hi Reiner,

I recompiled my kernel. The only option I changed was CONFIG_SMP to "not 
set". Now my system hangs as soon as I add the boot parameter "ima=1 
selinux=0" near some usb-hub settings. If I don't add the boot parameter, 
the system boots, nut obviously I have no IMA. 

Did you encounter a similar problem so far?

Sorry for so many questions and thank you for your help!

On 2/19/07, Till Bentz < ti...@on...> wrote:
Hi Reiner,

I compiled the Kernel with SMP support, I have Pentium D CPU. What would 
be the result if I disable it. Would that be much of a performance loss? 

On 2/17/07, Reiner Sailer <sa...@us...> wrote:

Till, 

the order could be influenced by your SMP setting. Do you have order 
changes when you compile without SMP support? 

That init is missing cannot explained by this.  Init runs later if you use 
a ramdisk.

Sorry, I might have been unclear :) Init is not missing, its just not the 
second measurement. /bin/run-init is number 35 and /sbin/init is number 
36. At least in the 5 tests I recorded. 

Did you run a grep over the measurement list (cat 
/sys/kernel/security/ima/asci* | grep init) ? 

Reiner
__________________________________________________________
Reiner Sailer, Research Staff Member, Secure Systems Department
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, sa...@us...  
http://www.research.ibm.com/people/s/sailer/ 


-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu 
  tolerierende Quelle der Unsicherheit 
********************************************** 



-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu 
  tolerierende Quelle der Unsicherheit 
********************************************** 

Re: [Linux-ima-user] Question regarding ascii_runtime_measurements

[Till B. <ti...@on...>]

Hi Reiner,

I recompiled my kernel. The only option I changed was CONFIG_SMP to "not
set". Now my system hangs as soon as I add the boot parameter "ima=1
selinux=0" near some usb-hub settings. If I don't add the boot parameter,
the system boots, nut obviously I have no IMA.

Did you encounter a similar problem so far?

Sorry for so many questions and thank you for your help!

On 2/19/07, Till Bentz <ti...@on...> wrote:
>
> Hi Reiner,
>
> I compiled the Kernel with SMP support, I have Pentium D CPU. What would
> be the result if I disable it. Would that be much of a performance loss?
>
> On 2/17/07, Reiner Sailer <sa...@us...> wrote:
> >
> >
> > Till,
> >
> > the order could be influenced by your SMP setting. Do you have order
> > changes when you compile without SMP support?
> >
> > That init is missing cannot explained by this.  Init runs later if you
> > use a ramdisk.
>
>
> Sorry, I might have been unclear :) Init is not missing, its just not the
> second measurement. /bin/run-init is number 35 and /sbin/init is number 36.
> At least in the 5 tests I recorded.
>
> Did you run a grep over the measurement list (cat
> > /sys/kernel/security/ima/asci* | grep init) ?
> >
> > Reiner
> > __________________________________________________________
> > Reiner Sailer, Research Staff Member, Secure Systems Department
> > IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
> > Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, sa...@us...
> > http://www.research.ibm.com/people/s/sailer/
> >
> >
> --
> MfG
>   Till
>
> **********************************************
>       Der Benutzer ist eine nicht zu
>   tolerierende Quelle der Unsicherheit
> **********************************************
>



-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu
  tolerierende Quelle der Unsicherheit
**********************************************

Re: [Linux-ima-user] Question regarding ascii_runtime_measurements

[Reiner S. <sa...@us...>]

Till,

the order could be influenced by your SMP setting. Do you have order 
changes when you compile without SMP support?

That init is missing cannot explained by this.  Init runs later if you use 
a ramdisk.

Did you run a grep over the measurement list (cat 
/sys/kernel/security/ima/asci* | grep init) ?

Reiner
__________________________________________________________
Reiner Sailer, Research Staff Member, Secure Systems Department
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, sa...@us... 
http://www.research.ibm.com/people/s/sailer/



"Till Bentz" <ti...@on...> 
Sent by: lin...@li...
02/16/2007 10:36 AM
Please respond to
ti...@on...


To
lin...@li...
cc

Subject
Re: [Linux-ima-user] Question regarding ascii_runtime_measurements






Hello,

I just checked, I dont use prelink, so it cant be the reason.

On 2/16/07, Till Bentz <ti...@on... > wrote:
Hello,

I am using IMA on a Dell Optiplex GX 620 with a STM 1.2 TPM chip. I am 
running Ubuntu 6.10
--
$ uname -a
Linux ri13 2.6.19.2-kernel-tpm #1 SMP Thu Feb 8 15:00:23 CET 2007 i686 
GNU/Linux
--
The measurement of loaded executables seems to work quite well. But I have 
a problem with the order of loaded content. I checked the list for 3 
consecutive bootprocesses and each time I got a different order. 
Furthemore the init process is not my second measurement. 

Is this a result of prelink?

Any help is appreciated.

-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu 
  tolerierende Quelle der Unsicherheit 
********************************************** 



-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu 
  tolerierende Quelle der Unsicherheit 
********************************************** 
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share 
your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Linux-ima-user mailing list
Lin...@li...
https://lists.sourceforge.net/lists/listinfo/linux-ima-user

Re: [Linux-ima-user] Question regarding ascii_runtime_measurements

[Till B. <ti...@on...>]

Hello,

I just checked, I dont use prelink, so it cant be the reason.

On 2/16/07, Till Bentz <ti...@on...> wrote:
>
> Hello,
>
> I am using IMA on a Dell Optiplex GX 620 with a STM 1.2 TPM chip. I am
> running Ubuntu 6.10
> --
> $ uname -a
> Linux ri13 2.6.19.2-kernel-tpm #1 SMP Thu Feb 8 15:00:23 CET 2007 i686
> GNU/Linux
> --
> The measurement of loaded executables seems to work quite well. But I have
> a problem with the order of loaded content. I checked the list for 3
> consecutive bootprocesses and each time I got a different order. Furthemore
> the init process is not my second measurement.
>
> Is this a result of prelink?
>
> Any help is appreciated.
>
> --
> MfG
>   Till
>
> **********************************************
>       Der Benutzer ist eine nicht zu
>   tolerierende Quelle der Unsicherheit
> **********************************************




-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu
  tolerierende Quelle der Unsicherheit
**********************************************

[Linux-ima-user] Question regarding ascii_runtime_measurements

[Till B. <ti...@on...>]

Hello,

I am using IMA on a Dell Optiplex GX 620 with a STM 1.2 TPM chip. I am
running Ubuntu 6.10
--
$ uname -a
Linux ri13 2.6.19.2-kernel-tpm #1 SMP Thu Feb 8 15:00:23 CET 2007 i686
GNU/Linux
--
The measurement of loaded executables seems to work quite well. But I have a
problem with the order of loaded content. I checked the list for 3
consecutive bootprocesses and each time I got a different order. Furthemore
the init process is not my second measurement.

Is this a result of prelink?

Any help is appreciated.

-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu
  tolerierende Quelle der Unsicherheit
**********************************************

[Linux-ima-user] Introduction to IMA

[Reiner S. <sa...@us...>]

IMA is a software architecture and implementation for Linux that provides 
verifiable evidence regarding the current run-time of a measured system, 
which can be used by another system to derive run-time properties of this 
measured system. Using IMA evidence, the verifying system does not rely on 
the trustworthiness of the software environment of the measured system to 
establish such guarantees but builds instead on a Trusted Platform Module 
(TPM) hardware extension (which is protected against the system software) 
of the measured system. TPMs exist today on most client systems and 
equivalent functions are planned for many server systems as well. IMA 
leverages the TPM as a hardware root of trust on which trust into system 
properties can be build; the TPM is protected against the system software 
of the measured system by providing a slim and well-designed interface 
through which it can be addressed by the system software.

IMA maintains a list of hash values covering all executable content loaded 
into a Linux system run-time since the start (boot) of the system. It 
integrates measurements by the BIOS and bootloader and operating system 
and offers an integrated interface to retrieve these hash values 
(measurements) from a remote system. This list is integrity-protected by 
the TPM chip at all times. IMA offers interfaces to retrieve these 
measurements from the kernel as well as an integrity value over these 
measurements from the TPM chip. Providing the measurements and the TPM 
integrity value over the measurements to a verifier, this verifier can 
establish trust into the measurements and through the measurements trust 
into the run-time properties of the measured system. 

You can find more information here: 
http://domino.research.ibm.com/comm/research_people.nsf/pages/sailer.ima.html