From: Roberto Sassu <roberto.sa...@huawei.com>

One of the IMA shortcomings over the years has been the availability of
reference digest values for appraisal. Recently, the situation improved and
some Linux distributions are including file signatures.

The digest_cache LSM takes a different approach. Instead of requiring Linux
distributions to include file signatures in their packages, it parses the
digests from signed RPM package headers and exposes an API for integrity
providers to query a digest. That enables Linux distributions to immediately
gain the ability to do integrity checks with the existing packages, lowering
the burden for software vendors.

In addition, integrating IMA with the digest_cache LSM has even more benefits.

First, it allows generating a new-style measurement list including the RPM
package headers and the unknown files, which improves system performance due
to the lower usage of the TPM. The cost is the lower accuracy of the
information reported, which might not be suitable for everyone.

Second, performance improves for appraisal too. It has been found that
verifying the signatures of only the RPM package headers and doing a digest
lookup is much less computationally expensive than verifying individual file
signatures. For reference, a preliminary performance evaluation has been
published here:

https://lore.kernel.org/linux-integrity/20240209140917.846878-14-roberto.sa...@huaweicloud.com/

Third, it makes a PCR predictable and suitable for TPM key sealing policies.

Finally, it allows IMA to maintain a predictable PCR and to perform appraisal
from the very beginning of the boot, in the initial ram disk (of course, it
won't recognize automatically generated files, which don't exist in the RPM
packages).

This patch set has some prerequisites:

- KEYS: Introduce user asymmetric keys and signatures (PGP keys and sigs)
- security: Move IMA and EVM to the LSM infrastructure
- security: digest_cache LSM (+digest_cache_changed(), introduced later)

Integration of IMA with the digest_cache LSM is straightforward.

Patch 1 lets IMA know when the digest_cache LSM is reading a digest list, to
populate a digest cache.

Patch 2 allows nested IMA verification of digest lists read by the
digest_cache LSM.

Patch 3 allows the usage of digest caches with the IMA policy.

Patch 4 introduces new boot-time policies, to use digest caches from the very
beginning (it allows measurement/appraisal from the initial ram disk).

Patch 5 attaches the verification result of the digest list to the digest
cache being populated with that digest list.

Patches 6-7 enable the usage of digest caches respectively for measurement
and appraisal, on the condition that it is authorized with the IMA policy and
that the digest list itself was measured and appraised too.

Patch 8 detects digest cache changes and consequently resets the IMA cached
verification result.

Roberto Sassu (8):
  ima: Introduce hook DIGEST_LIST_CHECK
  ima: Nest iint mutex for DIGEST_LIST_CHECK hook
  ima: Add digest_cache policy keyword
  ima: Add digest_cache_measure and digest_cache_appraise boot-time policies
  ima: Record IMA verification result of digest lists in digest cache
  ima: Use digest cache for measurement
  ima: Use digest cache for appraisal
  ima: Detect if digest cache changed since last measurement/appraisal

 Documentation/ABI/testing/ima_policy          |   6 +-
 .../admin-guide/kernel-parameters.txt         |  15 ++-
 security/integrity/ima/Kconfig                |  10 ++
 security/integrity/ima/ima.h                  |  24 +++-
 security/integrity/ima/ima_api.c              |  21 +++-
 security/integrity/ima/ima_appraise.c         |  33 +++--
 security/integrity/ima/ima_iint.c             |  14 ++-
 security/integrity/ima/ima_main.c             |  81 ++++++++++-
 security/integrity/ima/ima_policy.c           | 118 +++++++++++++++++-
 9 files changed, 285 insertions(+), 37 deletions(-)

-- 
2.34.1
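The appraisal flow outlined for patches 5 to 8 (the digest list's own IMA verdict attached to the cache, file lookups gated on that verdict, and a cache change resetting the cached per-file result), as an added toy model in C that is neither this series' nor the kernel's code; the struct and function names, the generation counter and all digest values are assumptions made for the illustration:

```c
/* Added toy model (not the kernel's digest_cache or IMA code; all names are
 * assumptions) of the flow this series describes: a cache is filled from a
 * signed digest list such as an RPM header plus the IMA verdict on that list
 * (patch 5); a file lookup counts only if the list passed appraisal (patches
 * 6-7); repopulating the cache drops the file's cached verdict (patch 8). */
#include <stdbool.h>
#include <string.h>
#define DIGEST_LEN 32 /* SHA-256 size */
#define MAX_DIGESTS 8

struct digest_cache {
	unsigned char digests[MAX_DIGESTS][DIGEST_LEN];
	int count;
	bool list_appraised;     /* IMA verdict for the digest list itself */
	unsigned int generation; /* bumped on every (re)population */
};

struct file_iint { /* per-file state, like the IMA iint cached result */
	bool appraise_ok;
	unsigned int cache_generation; /* cache generation at last appraisal */
};

/* list points at n digests stored back to back, DIGEST_LEN bytes each */
void digest_cache_populate(struct digest_cache *c, const unsigned char *list,
			   int n, bool list_appraised)
{
	c->count = n < MAX_DIGESTS ? n : MAX_DIGESTS;
	memcpy(c->digests, list, (size_t)c->count * DIGEST_LEN);
	c->list_appraised = list_appraised;
	c->generation++; /* what a digest_cache_changed() check would notice */
}

bool digest_cache_lookup(const struct digest_cache *c, const unsigned char *d)
{
	for (int i = 0; i < c->count; i++)
		if (!memcmp(c->digests[i], d, DIGEST_LEN))
			return true;
	return false;
}

/* Reuse the cached verdict unless the cache changed since it was computed. */
bool ima_appraise_with_cache(struct file_iint *iint,
	const struct digest_cache *c, const unsigned char *file_digest)
{
	if (iint->cache_generation != c->generation) {
		iint->cache_generation = c->generation;
		iint->appraise_ok = c->list_appraised &&
				    digest_cache_lookup(c, file_digest);
	}
	return iint->appraise_ok;
}
```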