* [RFC] IMA: Use Trusted Execution Environment to protect IMA keys and operations
@ 2020-03-18 17:22 Lakshmi Ramasubramanian
0 siblings, 0 replies; only message in thread
From: Lakshmi Ramasubramanian @ 2020-03-18 17:22 UTC (permalink / raw)
To: zohar, James.Bottomley, dhowells, linux-integrity
Cc: sashal, keyrings, James Morris, balajib, Tushar Sugandhi, Roberto Sassu
Linux kernel stores keys, secrets, and other such sensitive and high
value entities in memory. An attacker can exploit a kernel vulnerability
to modify existing entities or inject new ones to gain access to
IMA uses asymmetric keys stored in keyrings such as .ima, .evm to
validate digital signature of system files, kernel modules, etc. An
attacker can utilize a kernel exploit to modify or inject keys into
these system keyrings and hijack integrity operations performed by the
We can tackle this issue by storing such sensitive kernel data in
a secure environment where they cannot be easily tampered with and
performing the integrity operations in this environment.
For instance, ARM platform supports TrustZone (TZ) and Trusted Execution
Environment (TEE), Intel provides Software Guard Extensions (SGX), which
can be leveraged for this purpose.
Loading IMA Keyrings
=> IMA keyrings and the keys in those keyrings will be maintained
=> These keyrings will be created and keys populated in the TZ when
the machine initializes TZ.
=> Write access to these keyrings\keys will be blocked once they
Digital Signature Appraisal
Digital signature stored in security.ima, security.evm, or appended to
the module are verified by functions integrity_digsig_verify() or
The move to TZ\TEE can be done in phases:
Maintain the keyrings\keys in TZ. Integrity functions execute in
the "Normal World" (Untrusted environment). They query the key
from TZ and validate signature.
The integrity functions and their dependencies that validate
signature are executed in TEE.
Integrity measurement, appraisal, and logging are executed in TEE.
KEYS subsystem need to be updated to route the calls to TZ
for queries for IMA keyrings such that callers (such as, user mode
utilities such as KEYCTL, EVMCTL, etc.) work seamlessly.
Please provide comments\feedback on the proposal.
^ permalink raw reply [flat|nested] only message in thread
only message in thread, back to index
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-18 17:22 [RFC] IMA: Use Trusted Execution Environment to protect IMA keys and operations Lakshmi Ramasubramanian
Linux-Integrity Archive on lore.kernel.org
Archives are clonable:
git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
Example config snippet for mirrors
Newsgroup available over NNTP:
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git