added IMA verification script

master
Michael Preisach 4 years ago
parent
commit
34be460ef0
  1. thesis/02_background.tex (2 lines changed)
  2. thesis/05_outlook.tex (14 lines changed)
  3. thesis/MAIN.pdf (BIN)

2
thesis/02_background.tex

@ -286,7 +286,7 @@ Before a file is accessed by the kernel, IMA creates an integrity log entry as i
\end{figure}
Depending on the settings for IMA, a SHA1 or SHA256 hash is created for the file content.
The resulting \emph{filedata hash} will be concatenated with the corresponding metadata.
This concatenation will again be hashed into the so called \emph{template hash}.
This concatenation will again be hashed into the so called \emph{template hash} which is independently of the previous algorithm a SHA1 checksum.
Finally, the template hash is the single value of the whole computation that will be extended into the PCR.
The integrity log holds at the end the filedata hash, the metadata and the template hash as well as the PCR index and the logfile format.
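
Review bot: The added clause "which is independently of the previous algorithm a SHA1 checksum" is ungrammatical, and "the previous algorithm" is ambiguous. Since the line above says the filedata hash may be SHA1 or SHA256, consider wording such as "which is always a SHA1 checksum, regardless of the algorithm chosen for the filedata hash", so it is explicit that only the filedata hash follows the IMA setting. "so called" should also be hyphenated.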

14
thesis/05_outlook.tex

@ -5,6 +5,20 @@
\item Trusted boot works perfectly fine---any update needs an additional reboot to generate PCR vales
\item When IMA is active (appraise or enforce), the boot procedure takes significantly more time, but the OS itself does not seem to be slower.
\item IMA in enforce mode breaks the package manager apt. It downloads the deb packages from the repository but cannot open it since the files do not get the \texttt{security.ima} attribute.
\begin{lstlisting}[numbers=none,float, caption={Attempt to recalculate the value of PCR 10}, label={code:verifyimash}]
#!/usr/bin/bash
set -e
tpm2_pcrreset 16
cut -d ' ' -f 2 /sys/kernel/security/ascii_runtime_measurements > ima.checksums
while read i ;
do tpm2_pcrextend 16:sha1=$i ;
done < ima.checksums
tpm2_pcrread sha1:10,16
\end{lstlisting}
\item The IMA log is not comprehensible. Using \texttt{tpm2\_pcrextend} creates the correct value only when the \texttt{boot\_aggregate} entry is in the IMA log, which means that IMA is not active.
When activating IMA, there are immediately after booting several hundred entries in this log and the value of PCR 10 was not reproducible with the script in \autoref{code:verifyimash}.
It is furthermore not clear how the SHA256 value of PCR 10 is calculated.
\item When IMA in enforce mode, any access to a filesystem not supporting extended file attributes will be blocked. This includes the EFI boot partition and the boot partition for GRUB which is usually \texttt{ext2}.
System upgrade is not possible with the policies in use---customized policies are necessary to exclude \texttt{/boot} and to handle \texttt{/var/cache/apt} properly.
\end{itemize}
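
Review bot: The script in the new lstlisting keeps only field 2 of ascii_runtime_measurements and snapshots the log before the extend loop, while PCR 10 is read only in the last line, so the comparison can fail for reasons the text does not discuss: entries appended after the `cut` are in PCR 10 but not in PCR 16, and the PCR index in field 1 is never checked to be 10. Suggest filtering on field 1, reading PCR 10 right next to the snapshot and recording the number of entries replayed, and hardening the loop to `while read -r i; do tpm2_pcrextend "16:sha1=$i"; done`. The item below asks how the SHA256 value of PCR 10 is calculated, but the script extends only the sha1 bank, so the text should state that the script covers the SHA1 bank only. The floating lstlisting also sits between two \item entries and ahead of the \autoref that cites it; placing it after the item that references it, or outside the itemize, would read better. "When IMA in enforce mode" is missing "is".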

BIN
thesis/MAIN.pdf

Binary file not shown.