Open copumpkin opened 8 years ago
cc @ts468, who surprised me by having already packaged ima-evm-utils when I started adding it myself.
@copumpkin, just to let you know, I've also got a half-way finished nixos module for it...
@ts468 that's awesome! Is the WIP up somewhere I can see it? Are you aiming for a particular feature or are you just modeling the whole feature set of IMA/EVM?
@copumpkin My aim was to model the whole feature set of IMA/EVM. Unfortunately, I couldn't finish it back then, but here is what I currently have: https://github.com/ts468/nixpkgs/blob/upstream.ima/nixos/modules/system/boot/ima.nix
If I remember correctly, then we would also need some extensions for the nix store to save extended file attributes.
And, there is also TrustedGRUB in NixOS, in case you've got a TPM.
@ts468 that looks great, thanks! Do you happen to recall what's missing, if I wanted to pick it up and try to continue working on it? The biggest thing that stands out at first glance is that I don't think it turns on the kernel IMA config flag, right? Would you expect people to enable that manually when setting their machine configuration?
Also, the TrustedGRUB thing is appealing too, but this is more directly useful to me right now.
@copumpkin Unfortunately, I can't tell you right away what was missing. I probably would have to work through the documentation again as well. But I think if you look at the documentation of the ima-evm-utils, then you'll quickly see where I derived the module from. Also, there seems to be good documentation for IMA/EVM in a Gentoo wiki, if I recall correctly---at least it was helpful to me ;).
About the kernel IMA flags, they would have to be enabled through the appropriate module options. I don't know how many of them could be absorbed in the default kernel configuration to maybe avoid the custom kernel compilation. The list of flags that I was playing with back then is below.
Hope that helps ;). What's your current plan? What are you trying to achieve?
INTEGRITY y
INTEGRITY_SIGNATURE y
INTEGRITY_ASYMMETRIC_KEYS y
IMA y
IMA_MEASURE_PCR_IDX 10
IMA_LSM_RULES y
IMA_NG_TEMPLATE y
IMA_DEFAULT_TEMPLATE "ima-ng"
IMA_DEFAULT_HASH_SHA256 y
IMA_DEFAULT_HASH "sha256"
IMA_APPRAISE y
EVM y
EVM_ATTR_FSUUID y

KEYS y
PERSISTENT_KEYRINGS y
BIG_KEYS y
TRUSTED_KEYS y
ENCRYPTED_KEYS y

TCG_TIS y
TCG_TPM y
INTEL_TXT y

X509_CERTIFICATE_PARSER y
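An added example, not part of the thread or of anyone's module: a small check that compares a subset of the flags listed above against a kernel `.config` and reports every symbol that is unset or set differently. The function names and the sample config are constructed for illustration; the only assumption is the kernel's usual `CONFIG_<NAME>=<value>` / `# CONFIG_<NAME> is not set` file format.

```python
import re

# Subset of the flag list above, in the same "NAME value" form.
WANTED = """
INTEGRITY y
INTEGRITY_SIGNATURE y
IMA y
IMA_MEASURE_PCR_IDX 10
IMA_DEFAULT_HASH "sha256"
IMA_APPRAISE y
EVM y
TRUSTED_KEYS y
"""

# Constructed sample of a kernel .config (not from a real machine).
SAMPLE_CONFIG = """
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_DEFAULT_HASH="sha1"
# CONFIG_IMA_APPRAISE is not set
CONFIG_EVM=y
CONFIG_TRUSTED_KEYS=m
"""

def parse_wanted(text):
    """Parse 'NAME value' lines into {name: value}, dropping quotes."""
    pairs = (line.split(None, 1) for line in text.splitlines() if line.strip())
    return {name: value.strip().strip('"') for name, value in pairs}

def parse_kconfig(text):
    """Parse a kernel .config; explicitly unset symbols map to 'n'."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'CONFIG_(\w+)=(.*)$', line.strip())
        if m:
            out[m.group(1)] = m.group(2).strip('"')
        m = re.match(r'# CONFIG_(\w+) is not set$', line.strip())
        if m:
            out[m.group(1)] = "n"
    return out

def check(wanted_text, config_text):
    """Return {name: (wanted, found)} for every mismatch; absent counts as 'n'.
    A symbol built as a module ('m') is reported when the list asks for 'y'."""
    wanted, have = parse_wanted(wanted_text), parse_kconfig(config_text)
    return {n: (v, have.get(n, "n")) for n, v in wanted.items()
            if have.get(n, "n") != v}
```

On a running system the config text can be read from `/proc/config.gz` when the kernel was built with `IKCONFIG_PROC`.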
That's all helpful, thank you! I've also been soaking up the Gentoo Hardened wiki for all this stuff :smile:
My goal is basically to improve the picture for "hardened NixOS". The giant ticket #7220 proposes some measures (which I'll probably help with too), and has lots of attention, but I'm also very interested in auditability beyond straight hardening, and that's where this comes in.
@copumpkin It would be great to see the auditability support improve in NixOS! I'm excited to see how it goes! :)
I just added a simple module for controlling the linux audit system last night, if you're into that sort of thing! https://github.com/NixOS/nixpkgs/commit/63bfe20b7253fa579ca1c35d07d1d790475f74c5
But yeah, will keep you posted on progress on this front, and will likely tinker with your existing module!
Any progress?
(triage) yes, any progress?
(1 year later) any progress on the PR? It sure looks interesting!
@ts468 Lennart @poettering suggests the following approach in order to make Linux boot secure:
https://0pointer.net/blog/fitting-everything-together.html
What do you think today? Is IMA/EVM still required nowadays?
This could potentially give us better (and more trustworthy) introspection into changes in our systems.
Documentation is here: http://sourceforge.net/p/linux-ima/wiki/Home/