Extend Linux integrity Metrics IMA/EVM to Android

Source: Internet
Author: User
Tags hmac

1. Overview of completeness metrics

    • The runtime's system integrity is guaranteed by the system's access control mechanisms, such as DAC (Discrete access control, indirect access controls)/mac (Mandatory access control, mandatory access controls, such as SELinux, Smack).
    • DAC/MAC cannot detect offline modification of files, Encrypting File System can protect illegal access, but it is expensive and relatively inefficient.
    • Integrity measures, the file contents and the Properties/extended properties of the file, generated by the cryptographic hash of the corresponding IMA/EVM string, the extended attribute is stored in the file system node, the system runtime before the file is accessed, the kernel IMA/EVM module by verifying the file IMA/EVM string, Determine if the file has been illegally tampered with offline and, if so, returns an illegal result to selinux, thereby preventing access to or running the file.
Linux Integrity Subsystem (quoted from Dmitry PPT):


Ima

    • A cryptographic hash (HMAC) of the contents of the file, Security.ima the extended attribute of the file to verify that the contents of the file have been illegally tampered with.
    • Create and automatically update the Integrity Metrics table (/sys/kernel/security/ima/ascii_runtime_measurements) of all accessed files, read the table remotely or locally to determine which files have been changed.
    • If there is a TPM hardware module in the system, the IMA extends the Metrics table into the TPM to ensure that the metrics table itself cannot be tampered with.
    • Support for local evaluation (IMA appraisal), that is, before the file is accessed by the system runtime, the kernel IMA module determines whether the file has been tampered with offline by verifying the file's IMA string.

Evm

    • EVM is used to detect whether the file's properties (Ino/uid/gid/mode)/Extended attributes (SECURITY.IMA/SELINUX/SMACK64) have been tampered with offline.
    • The protected property, which is encrypted by the EVM module in the form of an encrypted hash (HMAC), is eventually saved to SECURITY.EVM.
    • The EVM string is generated in two ways: HMAC or digital signature.


2. Extend the IMA/EVM to Android

To support integrity Metric IMA/EVM on Android for file-level tamper detection and access control, the main components include the following:

    • Enable IMA/IMA-APPRAISE/EVM in the kernel
    • At compile time, before generating system.img, a pair of RSA key pairs are randomly generated, the private key exists in the compiled directory for subsequent signature use, and the public key is placed in the system root filesystem-specific directory (the IMA/EVM signature used to verify the system files at each boot).
    • Integrated open source Evmctl, a tool for generating IMA/EVM signatures.
    • Integrate open source attr, and at least cross-compile the getfattr and setfattr in them.
    • Modify the SYSTEM/EXTRAS/EXT4_UTILS/MAKE_EXT4FS.C so that when Build_directory_structure, the RSA private key +evmctl is used to generate the files under all system partitions ima/ The EVM signature and writes the signature to the file's extended properties Security.ima/.evm.
    • Before loading the system partition, the kernel obtains the EVM key (either generated from tee or read from the file system) and RSA's public key to verify the HMAC or signature of the IMA/EVM.
    • The EVM key is derived from the device ID in tee, and the advantage is that key will be unique for each device. You can use the device ID + fixed string to encrypt a hash-generated string as a key.
    • In the kernel EVM module, the code that reads the EVM key from the tee is added, and the key is read out to be stored as a global variable, that is, the runtime exists only in memory.
    • Joint commissioning

3. Commissioning Summary

Here are just a few points to note during the debugging process:

    • After IMA/EVM enable, through the Getfattr tool, you can read the extended properties of the file (getfattr-m. -d filename):

The short is the string that the HMAC generates, and the long is the string generated by the signature.
    • Integrity metrics can be read out (cat /sys/kernel/security/ima/ascii_runtime_measurements), and the Metrics table is updated automatically after the file changes. The format is similar to:

    • At the beginning, the IMA/EVM required key can be placed in the file system, plaintext read out as cryptographic hash HMAC key, first tune the IMA/EVM basic function, the subsequent can achieve from tee get EVM key, and IMA/EVM signature can use RSA asymmetric key, The private key is signed at compile time, and the kernel uses the public key to verify the signature file at startup.

    • The kernel's IMA/EVM module automatically identifies whether the IMA/EVM string is an HMAC or a signature, because the first half of the string contains a type string.
    • EVM module to ino/uid/gid/mode/security.ima/security.evm/security.selinux/ Security.capability These fields are in the order of HMAC validation and must be consistent with the order in which Evmctl generated the signature, otherwise the signature check will go wrong; it is important to note the difference between the 32-bit/64-bit, Because this affects the HMAC results of the above fields, it is also easy to cause signature validation to fail.
    • When signing the EVMCTL, you need to know the parameters of this command very well, such as how to specify the key, how to specify 32/64 bits, etc., and also need to make some changes to the tool, such as supporting the use of incoming Ino, UID, GID, mode, security.selinux/ . IMA/.EVM and so on.
    • There are three modes of ima_appraise: Off, enforce, fix. The development is first set to fix mode, if the measurement error, you can see the error in the kernel log. After the development is completed, set to enforce mode, if the system can get up, and kernel log without error, indicating the success.
4. Ultimately, you can achieve
    • All files under the system read-only partition are protected by signature, and files that are tampered with offline in enforce mode cannot be executed and accessed. Note: Offline tampering can be simulated with setfattr.
    • All files under the data read/write partition are protected by HMAC, files that have been tampered with offline in enforce mode cannot be accessed and executed, and files that change at run time are automatically updated by the IMA/EVM string before the next visit.
    • Integrity metrics can be read out and the kernel updates the metrics at any time when the file changes.
5. ReferencesWhat is the Linux integrity metric:http://events.linuxfoundation.org/sites/events/files/slides/Integrity_Protection_LinuxCon_Europe_2013_0.pdf

How to enable IMA/EVM on desktop Linux:

https://sourceforge.net/p/linux-ima/wiki/Home/#extending-trusted-and-secure-boot-to-the-os

Https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture

The ima/evm:https://wiki.tizen.org/wiki/security:integritymeasurement on the TizenThe ima/evm:http://www.webcitation.org/6aqsxtux0 on the Meegoevmctl:https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/Attr:http://git.savannah.gnu.org/cgit/attr.git

Extend Linux integrity Metrics IMA/EVM to Android

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.