From: Roberto Sassu <roberto.sassu@huawei.com>
To: "linux-integrity@vger.kernel.org" <linux-integrity@vger.kernel.org>
Subject: DIGLIM demo
Date: Thu, 30 Sep 2021 14:54:55 +0000 [thread overview]
Message-ID: <48cd737c504d45208377daa27d625531@huawei.com> (raw)
Hi everyone,
Recently I published some patch sets about a new kernel
component called Digest Lists Integrity Module (DIGLIM),
which has the ability to store reference values of files
from Linux distributions (currently only RPM-based ones
are supported), and to use them for measurement and
appraisal with IMA.
I prepared a demo, to show how easy it is to change an
existing distribution (I tested Fedora 34 and openSUSE
Leap 15.3) to check the integrity of executables and
shared libraries.
The basic changes are (I suggest testing them in a VM):
- install a new kernel which includes the patches I sent to
the kernel mailing lists plus some not yet published (mainly
for supporting PGP appended signatures)
- write RPM headers and PGP appended signatures to files
- regenerate initial ram disk to include the RPM headers
- reconfigure the boot loader to add IMA-specific options
I would discourage testing it on a real system, as IMA would
prevent execution of anything that has not been shipped
with the Linux distribution.
Instructions:
1) Add my repository with the modified kernel and
DIGLIM-specific package:
(Fedora) # dnf copr enable robertosassu/DIGLIM
(openSUSE) # zypper addrepo https://download.opensuse.org/repositories/home:/roberto.sassu:/branches:/Kernel:/stable/15.3/home:roberto.sassu:branches:Kernel:stable.repo
2) Install required packages:
(Fedora) # dnf install kernel-5.14.8-300.local.fc34.x86_64 kernel-diglim-5.14.8-300.local.fc34.x86_64
(openSUSE) # zypper in kernel-default kernel-default-diglim
3) Write RPM headers and PGP appended signatures to
the /etc/digest_lists directory:
# /usr/libexec/diglim/rpm_gen -d /etc/digest_lists
4) Tell DIGLIM to upload to the kernel only the digests
of immutable files:
# touch /etc/digest_lists/.immutable
5) Modify dracut configuration to include DIGLIM-related files:
# echo "install_optional_items+=\" /etc/digest_lists/* /etc/digest_lists/.immutable \"" >> /etc/dracut.conf
# echo "install_optional_items+=\" /usr/libexec/diglim/upload_digest_lists \"" >> /etc/dracut.conf
# echo "install_optional_items+=\" /usr/libexec/diglim/rpm_parser \"" >> /etc/dracut.conf
# echo "do_strip=\"no\"" >> /etc/dracut.conf
6) Regenerate the initial ram disk:
(Fedora) # dracut -f --kver 5.14.8-300.local.fc34.x86_64
(openSUSE) # dracut -f --kver 5.14.8-lp153.11.g4ae263c-default
7) Add IMA-specific options to the kernel command line
(WARNING: this turns on IMA appraisal in enforcing mode;
other kernels may become unbootable)
(Fedora) # echo "GRUB_CMDLINE_LINUX_DEFAULT=\"\$GRUB_CMDLINE_LINUX_DEFAULT slab_nomerge ima_template=ima-modsig ima_policy=\\\\\\\"exec_tcb|tmpfs|diglim|appraise_exec_tcb|appraise_tmpfs|appraise_diglim|secure_boot\\\\\\\" module.sig_enforce\"" >> /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
(openSUSE) # echo "GRUB_CMDLINE_LINUX_DEFAULT=\"\$GRUB_CMDLINE_LINUX_DEFAULT slab_nomerge ima_template=ima-modsig ima_policy=\\\"exec_tcb|tmpfs|diglim|appraise_exec_tcb|appraise_tmpfs|appraise_diglim|secure_boot\\\" module.sig_enforce\"" >> /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
8) Update the boot loader configuration:
# grub2-mkconfig -o /boot/grub2/grub.cfg
9) Reboot
After reboot, IMA will deny execution of files not from
the distribution. For example, a copy of a distribution binary
still runs, but the same copy is denied once it is modified:
# cp /usr/bin/cat .
# ./cat
# echo test >> cat
# ./cat
bash: ./cat: Permission denied
With the following command, it is possible to see which
RPM headers have been measured by IMA:
# cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements
The execution policy enforced by IMA can be seen with:
# cat /sys/kernel/security/integrity/ima/policy
DIGLIM statistics can be obtained with:
# cat /sys/kernel/security/integrity/diglim/digests_count
Parser digests: 1
File digests: 11365
Metadata digests: 0
Digest list digests: 508
Memory usage by DIGLIM (indexes) can be seen with:
# slabtop --once |grep digest
13056 13056 100% 0.03K 102 128 408K digest_list_item_ref_cache
12032 12032 100% 0.03K 94 128 376K digest_item_cache
546 546 100% 0.09K 13 42 52K digest_list_item_cache
Uploaded digest lists (binary and ASCII format) can be seen
under /sys/kernel/security/integrity/diglim/digest_lists_loaded.
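The following helper script is an addition to this post, not code from the demo, from DIGLIM or from its author. It covers two points above: the dracut.conf edits of step 5, which the "echo ... >>" commands duplicate every time the procedure is repeated, are made idempotent; and the post-reboot checks (kernel command line from step 7, the digests_count statistics and the slabtop memory figures) are turned into functions that take their input file as a parameter, so they can be run against the live /sys and /proc files or against saved copies. The token names it looks for on the command line are exactly the ones step 7 passes; the eight-column slabtop layout is assumed to be the one shown above.

```shell
#!/bin/sh
# Added helper for the DIGLIM demo (not part of the original post or of
# DIGLIM itself). It makes the dracut.conf edits of step 5 idempotent and
# provides post-reboot sanity checks for the kernel command line of step 7
# and for the DIGLIM statistics shown in the demo. All paths are
# parameters so the functions can also be exercised against fixture files.

# Append a line to a file only if that exact line is not already there.
# The demo appends with "echo ... >> /etc/dracut.conf", which adds a
# duplicate each time the step is repeated.
append_once() {
    line=$1
    file=$2
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# The four settings from step 5, written without duplicates.
configure_dracut() {
    conf=${1:-/etc/dracut.conf}
    append_once 'install_optional_items+=" /etc/digest_lists/* /etc/digest_lists/.immutable "' "$conf"
    append_once 'install_optional_items+=" /usr/libexec/diglim/upload_digest_lists "' "$conf"
    append_once 'install_optional_items+=" /usr/libexec/diglim/rpm_parser "' "$conf"
    append_once 'do_strip="no"' "$conf"
}

# Return 0 if a kernel command line carries the options step 7 adds:
# the ima-modsig template, module.sig_enforce, and an ima_policy value
# that names both the measurement (diglim) and the appraisal
# (appraise_diglim) policy. The quotes grub leaves around the value in
# /proc/cmdline are tolerated.
# Usage: cmdline_has_diglim_policy "$(cat /proc/cmdline)"
cmdline_has_diglim_policy() {
    cmdline=" $1 "
    case "$cmdline" in
        *" ima_template=ima-modsig "*) ;;
        *) return 1 ;;
    esac
    case "$cmdline" in
        *" module.sig_enforce "*) ;;
        *) return 1 ;;
    esac
    # Extract the ima_policy value, dropping any quotes around it.
    policy=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^ima_policy=//p' | tr -d '"')
    case "|$policy|" in
        *"|diglim|"*) ;;
        *) return 1 ;;
    esac
    case "|$policy|" in
        *"|appraise_diglim|"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the "File digests" value from DIGLIM's digests_count output
# (normally /sys/kernel/security/integrity/diglim/digests_count).
file_digest_count() {
    sed -n 's/^File digests: \([0-9][0-9]*\)$/\1/p' "$1"
}

# Sum the CACHE SIZE column (in K) of the digest_* slab caches from a
# "slabtop --once" listing (file argument, or stdin when omitted), i.e.
# the memory used by DIGLIM's indexes. Assumes the eight-column layout
# shown in the demo output.
diglim_slab_kb() {
    awk '$8 ~ /^digest/ { sub(/K$/, "", $7); total += $7 }
         END { print total + 0 }' "${1:--}"
}

# Stand-alone use on a DIGLIM-enabled system: "sh diglim_check.sh --check"
if [ "${1:-}" = "--check" ]; then
    if cmdline_has_diglim_policy "$(cat /proc/cmdline)"; then
        echo "kernel command line: DIGLIM policies present"
    else
        echo "kernel command line: DIGLIM policies missing" >&2
    fi
    echo "file digests loaded: $(file_digest_count /sys/kernel/security/integrity/diglim/digests_count)"
    echo "DIGLIM index memory: $(slabtop --once | diglim_slab_kb) K"
fi
```

The command-line check is deliberately strict about appraise_diglim: with only the measurement policy (diglim) present, modified binaries would be logged in the measurement list but still allowed to run, so a check that stops at ima_template or at the diglim token alone would pass on a system that is not actually enforcing anything.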
Finally, all the applied patches are available at:
https://github.com/robertosassu/linux/tree/digest-lists-full-ima-pgp-v1-devel-v3
The sources used to create the RPMs are available at:
https://src.fedoraproject.org/fork/robertosassu/rpms/kernel/tree/diglim
https://build.opensuse.org/package/show/home:roberto.sassu:branches:Kernel:stable/kernel-source
Any suggestions or feedback are very much appreciated. If you have
trouble trying the demo, let me know.
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua