From: Roberto Sassu <roberto.sassu@huawei.com>
To: "linux-integrity@vger.kernel.org" <linux-integrity@vger.kernel.org>
Subject: DIGLIM demo
Date: Thu, 30 Sep 2021 14:54:55 +0000	[thread overview]
Message-ID: <48cd737c504d45208377daa27d625531@huawei.com> (raw)

Hi everyone

recently I published some patch sets about a new kernel
component called Digest Lists Integrity Module (DIGLIM),
which has the ability to store reference values of files
from Linux distributions (currently only RPM-based ones
are supported), and to use them for measurement and
appraisal with IMA.

I prepared a demo, to show how easy it is to change an
existing distribution (I tested Fedora 34 and openSUSE
Leap 15.3) to check the integrity of executables and
shared libraries.

The basic changes are (I suggest testing them in a VM):
- install a new kernel which includes the patches I sent to
   the kernel mailing lists plus some not yet published (mainly
   for supporting PGP appended signatures)
- write RPM headers and PGP appended signatures to files
- regenerate initial ram disk to include the RPM headers
- reconfigure the boot loader to add IMA-specific options

I would discourage testing it on a real system, as IMA would
prevent execution of anything that has not been shipped
with the Linux distribution.

Instructions:

1) Add my repository with the modified kernel and
     DIGLIM-specific package:

(Fedora) # dnf copr enable robertosassu/DIGLIM
(openSUSE) # zypper addrepo https://download.opensuse.org/repositories/home:/roberto.sassu:/branches:/Kernel:/stable/15.3/home:roberto.sassu:branches:Kernel:stable.repo

2) Install required packages:

(Fedora) # dnf install kernel-5.14.8-300.local.fc34.x86_64 kernel-diglim-5.14.8-300.local.fc34.x86_64
(openSUSE) # zypper in kernel-default kernel-default-diglim

3) Write RPM headers and PGP appended signatures to
     the /etc/digest_lists directory:

# /usr/libexec/diglim/rpm_gen -d /etc/digest_lists

4) Tell DIGLIM to upload to the kernel only the digests
     of immutable files:

# touch /etc/digest_lists/.immutable

5) Modify dracut configuration to include DIGLIM-related files:

# echo "install_optional_items+=\" /etc/digest_lists/* /etc/digest_lists/.immutable \"" >> /etc/dracut.conf
# echo "install_optional_items+=\" /usr/libexec/diglim/upload_digest_lists \"" >> /etc/dracut.conf
# echo "install_optional_items+=\" /usr/libexec/diglim/rpm_parser \"" >> /etc/dracut.conf
# echo "do_strip=\"no\"" >> /etc/dracut.conf

6) Regenerate the initial ram disk:

(Fedora) # dracut -f --kver 5.14.8-300.local.fc34.x86_64
(openSUSE) # dracut -f --kver 5.14.8-lp153.11.g4ae263c-default

7) Add IMA-specific options to the kernel command line
     (WARNING: it turns on IMA appraisal in enforcing mode,
      other kernels may become unbootable)

(Fedora) # echo "GRUB_CMDLINE_LINUX_DEFAULT=\"\$GRUB_CMDLINE_LINUX_DEFAULT slab_nomerge ima_template=ima-modsig ima_policy=\\\\\\\"exec_tcb|tmpfs|diglim|appraise_exec_tcb|appraise_tmpfs|appraise_diglim|secure_boot\\\\\\\" module.sig_enforce\"" >> /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
(openSUSE) # echo "GRUB_CMDLINE_LINUX_DEFAULT=\"\$GRUB_CMDLINE_LINUX_DEFAULT slab_nomerge ima_template=ima-modsig ima_policy=\\\"exec_tcb|tmpfs|diglim|appraise_exec_tcb|appraise_tmpfs|appraise_diglim|secure_boot\\\" module.sig_enforce\"" >> /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg

8) Update the boot loader configuration:

# grub2-mkconfig -o /boot/grub2/grub.cfg

9) Reboot

After reboot, IMA will deny execution of files not from
the distribution. For example, a copy of a distribution
binary still executes, but it is denied as soon as it is modified:

# cp /usr/bin/cat .
# ./cat
# echo test >> cat
# ./cat
bash: ./cat: Permission denied


With the following command, it is possible to see which
RPM headers have been measured by IMA:

# cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements


The execution policy enforced by IMA can be seen with:

# cat /sys/kernel/security/integrity/ima/policy


DIGLIM statistics can be obtained with:

# cat /sys/kernel/security/integrity/diglim/digests_count
Parser digests: 1
File digests: 11365
Metadata digests: 0
Digest list digests: 508

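As an added example (not part of the original mail, nor code from the DIGLIM patches or packages), a small POSIX shell script that checks, after the reboot in step 9, that the kernel command line really carries the options from step 7 and reads the counters from the digests_count output shown above; the command line and statistics it uses are constructed samples, on a real system pass the contents of /proc/cmdline and of the digests_count file instead.

```shell
#!/bin/sh
# Added example, not code from the DIGLIM patches or the demo packages.
# Checks a kernel command line for the step-7 IMA/DIGLIM options and reads
# counters from digests_count text; inputs are strings so it runs offline.

# Print the value of a key=value kernel option; surrounding quotes removed.
cmdline_value() {
    # $1 = option name, $2 = command line text
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tr -d '"' | head -n 1
}

# Return 0 when ima_template, module.sig_enforce and every rule set used by
# the demo policy are present; otherwise print what is missing and return 1.
check_diglim_cmdline() {
    cmdline="$1"
    status=0
    policy=$(cmdline_value ima_policy "$cmdline")
    for rule in exec_tcb tmpfs diglim appraise_exec_tcb appraise_tmpfs \
                appraise_diglim secure_boot; do
        case "|$policy|" in
            *"|$rule|"*) ;;
            *) echo "missing ima_policy rule set: $rule"; status=1 ;;
        esac
    done
    [ "$(cmdline_value ima_template "$cmdline")" = "ima-modsig" ] ||
        { echo "ima_template is not ima-modsig"; status=1; }
    case " $cmdline " in
        *" module.sig_enforce "*) ;;
        *) echo "module.sig_enforce is not set"; status=1 ;;
    esac
    return "$status"
}

# Print one counter from the text of digests_count, e.g. "File digests".
digest_count() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p"
}

# Constructed sample inputs (what /proc/cmdline and digests_count might show).
SAMPLE_CMDLINE='root=/dev/vda2 ro slab_nomerge ima_template=ima-modsig ima_policy="exec_tcb|tmpfs|diglim|appraise_exec_tcb|appraise_tmpfs|appraise_diglim|secure_boot" module.sig_enforce'
# Same line with the DIGLIM appraisal rule set left out, to show a failure.
BAD_CMDLINE='root=/dev/vda2 ro slab_nomerge ima_template=ima-modsig ima_policy="exec_tcb|tmpfs|diglim|appraise_exec_tcb|appraise_tmpfs|secure_boot" module.sig_enforce'
SAMPLE_STATS='Parser digests: 1
File digests: 11365
Metadata digests: 0
Digest list digests: 508'

if check_diglim_cmdline "$SAMPLE_CMDLINE"; then
    echo "command line OK, $(digest_count 'File digests' "$SAMPLE_STATS") file digests loaded"
fi
```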

Memory usage by DIGLIM (indexes) can be seen with:

# slabtop --once |grep digest
 13056  13056 100%    0.03K    102      128       408K digest_list_item_ref_cache
 12032  12032 100%    0.03K     94      128       376K digest_item_cache
   546    546 100%    0.09K     13       42        52K digest_list_item_cache


Uploaded digest lists (binary and ASCII format) can be seen
under /sys/kernel/security/integrity/diglim/digest_lists_loaded.

Finally, all the applied patches are available at:

https://github.com/robertosassu/linux/tree/digest-lists-full-ima-pgp-v1-devel-v3


The sources used to create the RPMs are available at:

https://src.fedoraproject.org/fork/robertosassu/rpms/kernel/tree/diglim
https://build.opensuse.org/package/show/home:roberto.sassu:branches:Kernel:stable/kernel-source

Any suggestions or feedback are very much appreciated. If you have
trouble trying the demo, let me know.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua

