From b6d5660421ea62ce72a266d257c82f565e1a80b2 Mon Sep 17 00:00:00 2001 From: Michael Preisach Date: Sat, 8 Aug 2020 14:21:23 +0200 Subject: [PATCH] corrected IMA description in Readme --- README.md | 16 +++++++++------- tags | 2 ++ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index ff6476c..f1171d0 100644 --- a/README.md +++ b/README.md @@ -17,8 +17,9 @@ This version is tested for Ubuntu 20.04 LTS. It requires TPM-Tools 4.x as the pa - Initramfs is updated with the script to ask the TPM for the passphrase - A unified kernel is generated (kernel + command line parms + initramfs) as one large EFI blob - Therefore during Boot only PCRs 0-7 are written (GRUB uses 8-9) +- IMA is activated and stores hashes for every accessed file. To enforce IMA, the kernel parameter should be set to `ima_appraise=enforce`. Attention! When IMA file hashes are not available, this option breaks the boot process and ends up in a Kernel panic! -## Details / manual installation +## Details / manual installation of Trusted Boot Ideas taken from - https://threat.tevora.com/secure-boot-tpm-2/ - https://medium.com/@pawitp/full-disk-encryption-on-arch-linux-backed-by-tpm-2-0-c0892cab9704 @@ -76,6 +77,7 @@ References for IMA: - https://wiki.strongswan.org/projects/strongswan/wiki/IMA Attention! The above Docs are written for different versions of IMA and the Linux Kernel. +Some tools are not available/working on Ubuntu 20.04. ### Manual installation To enable IMA, the Kernel needs the corresponding parameters as follows: 
@@ -95,15 +97,15 @@ To enable IMA, the Kernel needs the corresponding parameters as follows: - ... - `ima_template=` - `ima-ng` (used) - - template_hash=hash(filedata-hash length, filedata-hash, pathname length, pathname) - - filedata_hash=hash(filedata) + - template_hash=sha1(filedata-hash length, filedata-hash, pathname length, pathname) + - filedata_hash=sha256(filedata) - `ima-sig` - - template_hash=hash(filedata-hash length, filedata-hash, pathname length, pathname) - - filedata_hash=hash(filedata) + - template_hash=sha1(filedata-hash length, filedata-hash, pathname length, pathname) + - filedata_hash=sha256(filedata) - append signature if present - `ima` - - template_hash=hash(filedata-hash, filename-hint) - - filedata_hash=hash(filedata) + - template_hash=sha1(filedata-hash, filename-hint) + - filedata_hash=sha1(filedata) - `rootflags=i_version` - files are only measured when they are updated on the file system. The IMA log is a virtual file in `/sys/kernel/security/ima/ascii_runtime_measurements`. diff --git a/tags b/tags index cfc9c2d..bca2292 100644 --- a/tags +++ b/tags @@ -7,6 +7,8 @@ !_TAG_PROGRAM_URL https://ctags.io/ /official site/ !_TAG_PROGRAM_VERSION 0.0.0 /a3c87ab5/ Details / manual installation README.md /^## Details \/ manual installation$/;" s +Integrity Measurement Architecture (IMA) README.md /^## Integrity Measurement Architecture (IMA)$/;" s +Manual installation README.md /^### Manual installation$/;" S Result README.md /^## Result$/;" s Usage README.md /^## Usage$/;" s trustedboot README.md /^# trustedboot$/;" c
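Review bot: the new bullet in the first README.md hunk conflates measurement with appraisal: `ima_appraise=enforce` does not make IMA "store hashes for every accessed file", it makes the kernel refuse to open files whose stored `security.ima` hash does not match, and which files get measured at all is decided by the IMA policy rather than by this parameter. Suggest splitting the bullet so it first states what is measured (per the configured policy) and then explains appraisal as a separate, optional step, and mentioning `ima_appraise=fix` for populating the `security.ima` attributes on a first boot before switching to `enforce`, since the "Attention!" warning describes exactly the case of enforcing before those attributes exist. A reader following the bullet as written has no way to get past the failure it warns about.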
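Review bot: "Some tools are not available/working on Ubuntu 20.04." in the second README.md hunk is too vague to act on; name the tools (and the package or version that fails) so the reader knows which steps of the linked documents to skip, or drop the sentence. While touching the line, "the above Docs" does not need the capital D.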
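Review bot: in the third README.md hunk, hard-coding `filedata_hash=sha256(filedata)` for `ima-ng` and `ima-sig` is only true for one kernel configuration: for the `-ng` templates the file data hash algorithm is whatever `ima_hash=` (or the kernel's default IMA hash configuration) selects, and only the legacy `ima` template is fixed to SHA1, so the `sha1(filedata)` change for that template is the one that is unconditionally correct. The `template_hash=sha1(...)` part matches what `ascii_runtime_measurements` shows for the SHA1 PCR bank. Suggest either writing `filedata_hash=<ima_hash>(filedata)` with a note that this repository boots with `ima_hash=sha256`, or adding `ima_hash=` to the parameter list above this hunk, so the template description and the `rootflags=i_version` note describe one consistent configuration.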
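Review bot: the tags hunk adds entries for the new headings but leaves the existing `Details / manual installation` tag pointing at `/^## Details \/ manual installation$/`, which no longer matches after the first hunk renamed that heading to `## Details / manual installation of Trusted Boot`, so that tag is now dead. Regenerate the file with ctags after the README change, or better, stop committing the generated `tags` file and add it to `.gitignore`, since it drifts from the sources every time a heading changes.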