
corrected IMA description in Readme

master
Michael Preisach 5 years ago
parent
commit
b6d5660421
Files changed:
- README.md (16 changed lines)
- tags (2 changed lines)

README.md (16 changed lines)

@ -17,8 +17,9 @@ This version is tested for Ubuntu 20.04 LTS. It requires TPM-Tools 4.x as the pa
- Initramfs is updated with the script to ask the TPM for the passphrase
- A unified kernel is generated (kernel + command line parms + initramfs) as one large EFI blob
- Therefore during Boot only PCRs 0-7 are written (GRUB uses 8-9)
- IMA is activated and stores hashes for every accessed file. To enforce IMA, the kernel parameter should be set to `ima_appraise=enforce`. Attention! When IMA file hashes are not available, this option breaks the boot process and ends up in a Kernel panic!
## Details / manual installation
## Details / manual installation of Trusted Boot
Ideas taken from
- https://threat.tevora.com/secure-boot-tpm-2/
- https://medium.com/@pawitp/full-disk-encryption-on-arch-linux-backed-by-tpm-2-0-c0892cab9704
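Review bot: the new bullet tells the reader to set `ima_appraise=enforce` and warns that missing file hashes end in a kernel panic, but it never says how the hashes get there in the first place; add the intermediate step that the boot must first run with `ima_appraise=fix` (which writes the `security.ima` xattrs for files the policy covers) and only then switch to `enforce`, otherwise the warning is just a trap. The same bullet says IMA "stores hashes for every accessed file", which overstates it: what is measured is selected by the IMA policy (with `ima_policy=tcb`, executables, mmapped files, files read by root, modules and firmware), not every file access. Finally, the unchanged context line "during Boot only PCRs 0-7 are written" is no longer accurate once IMA is enabled, since IMA extends its measurements into PCR 10; rephrase it as "GRUB's PCRs 8-9 are not used" if that is the point.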
@ -76,6 +77,7 @@ References for IMA:
- https://wiki.strongswan.org/projects/strongswan/wiki/IMA
Attention! The above Docs are written for different versions of IMA and the Linux Kernel.
Some tools are not available/working on Ubuntu 20.04.
### Manual installation
To enable IMA, the Kernel needs the corresponding parameters as follows:
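Review bot: "Some tools are not available/working on Ubuntu 20.04" is too vague to act on; name which tools from the linked documents fail (and at which package or kernel version they were written for versus what 20.04 ships), so a reader can tell whether the step they are on is one of the broken ones. The added "### Manual installation" sub-heading is fine, but note that the same words already appear in the renamed "## Details / manual installation of Trusted Boot" section above, so consider "### Manual installation of IMA" to keep the two distinguishable.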
@ -95,15 +97,15 @@ To enable IMA, the Kernel needs the corresponding parameters as follows:
- ...
- `ima_template=`
- `ima-ng` (used)
- template_hash=hash(filedata-hash length, filedata-hash, pathname length, pathname)
- filedata_hash=hash(filedata)
- template_hash=sha1(filedata-hash length, filedata-hash, pathname length, pathname)
- filedata_hash=sha256(filedata)
- `ima-sig`
- template_hash=hash(filedata-hash length, filedata-hash, pathname length, pathname)
- filedata_hash=hash(filedata)
- template_hash=sha1(filedata-hash length, filedata-hash, pathname length, pathname)
- filedata_hash=sha256(filedata)
- append signature if present
- `ima`
- template_hash=hash(filedata-hash, filename-hint)
- filedata_hash=hash(filedata)
- template_hash=sha1(filedata-hash, filename-hint)
- filedata_hash=sha1(filedata)
- `rootflags=i_version` - files are only measured when they are updated on the file system.
The IMA log is a virtual file in `/sys/kernel/security/ima/ascii_runtime_measurements`.
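Review bot: the unchanged `rootflags=i_version` line is misleading: i_version does not restrict measurement to "files that are updated", it is what lets IMA notice that a previously measured file has changed and re-measure it; without it IMA caches the first measurement and a later modification can go unmeasured. Suggest "needed so that IMA re-measures a file after it has been modified". On the edited lines, the `sha256` given for the `ima-ng` and `ima-sig` filedata hash is only true when `ima_hash=sha256` is set (or the kernel was built with that default); the list entry records the algorithm as a prefix, so state the dependency on `ima_hash=` rather than a fixed algorithm. The `sha1` template hash and the `sha1` filedata hash for the legacy `ima` template are correct for the single SHA-1 measurement list written by the Ubuntu 20.04 kernel, but newer kernels keep per-bank lists, so say which kernel version this description applies to.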

tags (2 changed lines)

@ -7,6 +7,8 @@
!_TAG_PROGRAM_URL https://ctags.io/ /official site/
!_TAG_PROGRAM_VERSION 0.0.0 /a3c87ab5/
Details / manual installation README.md /^## Details \/ manual installation$/;" s
Integrity Measurement Architecture (IMA) README.md /^## Integrity Measurement Architecture (IMA)$/;" s
Manual installation README.md /^### Manual installation$/;" S
Result README.md /^## Result$/;" s
Usage README.md /^## Usage$/;" s
trustedboot README.md /^# trustedboot$/;" c
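Review bot: the committed tags file is already stale against this same commit: the entry "Details / manual installation" still matches the pattern `/^## Details \/ manual installation$/`, but the README heading was renamed to "## Details / manual installation of Trusted Boot" in this change, so that tag no longer resolves. Either regenerate the file with ctags as part of the commit or, better, stop tracking a generated tags file and add it to .gitignore.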
