diff options
| author | Lans Zhang <jia.zhang@windriver.com> | 2017-08-15 09:56:49 +0800 |
|---|---|---|
| committer | Lans Zhang <jia.zhang@windriver.com> | 2017-08-15 10:16:41 +0800 |
| commit | 2c265a6fc3e7df1e8530326c3ec733c2fa34d2f1 (patch) | |
| tree | b485717c55e55399309377eb1e6ad6830e30d915 | |
| parent | 09f1239567b2337d1dbf26d4339ee8b9326b8469 (diff) | |
| download | meta-secure-core-2c265a6fc3e7df1e8530326c3ec733c2fa34d2f1.tar.gz | |
meta-integrity/README.md: update
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
| -rw-r--r-- | meta-integrity/README.md | 68 |
1 files changed, 38 insertions, 30 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 2efb494..9525227 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md | |||
| @@ -22,22 +22,49 @@ files and applications to be loaded if the hashes match (and will save the | |||
| 22 | updated hash if the file is modified) but refuse to load it if it doesn't. This | 22 | updated hash if the file is modified) but refuse to load it if it doesn't. This |
| 23 | provides some protection against offline tampering of the files. | 23 | provides some protection against offline tampering of the files. |
| 24 | 24 | ||
| 25 | NOTE: Extended file system attribute is required for IMA appraisal, but not | 25 | By default, the following constraint conditions are applied by design of this |
| 26 | layer: | ||
| 27 | |||
| 28 | - Appraise the files for exec'd (the executables), files mmap'd for exec | ||
| 29 | (shared libraries), kernel modules and firmwares in effective root identity | ||
| 30 | (euid=0). | ||
| 31 | - Enforce verifying the IMA signature when running the executables, shared | ||
| 32 | libraries, kernel modules and firmwares. | ||
| 33 | - Deny to run the newly created executables, shared libraries, kernel modules | ||
| 34 | and firmwares. | ||
| 35 | - Deny to run the tampered executables, shared libraries, kernel modules and | ||
| 36 | firmwares. | ||
| 37 | - Deny to run any executables, shared libraries, kernel modules and firmwares | ||
| 38 | in the filesystems without file extended attribute supported. | ||
| 39 | - Allow to run the manually signed executables, shared libraries, kernel | ||
| 40 | modules and firmwares. | ||
| 41 | - Allow to run the updated executables, shared libraries, kernel modules and | ||
| 42 | firmwares during RPM installation. | ||
| 43 | - Enforce the subsequent policy file write to be verified by a trusted IMA | ||
| 44 | certificate. | ||
| 45 | |||
| 46 | NOTE: | ||
| 47 | - The different behaviors when executing a script, e.g, launching a python | ||
| 48 | script with "./test.py" is allowed only when test.py is signed, and launching | ||
| 49 | a python script with "python test.py" is always allowed as long as the python | ||
| 50 | interpreter is signed. | ||
| 51 | - Extended file system attribute is required for IMA appraisal, but not | ||
| 26 | all file systems can support it. Typically, the pseudo file systems, such as | 52 | all file systems can support it. Typically, the pseudo file systems, such as |
| 27 | sysfs, proc, tmpfs and ramfs, certain disk-based file systems, such as FAT, | 53 | sysfs, proc, tmpfs and ramfs, certain disk-based file systems, such as FAT, |
| 28 | and network file systems, such as NFS, don't support extended attribute, | 54 | and network file systems, such as NFS, don't support extended attribute, |
| 29 | meaning IMA appraisal is not available with them. | 55 | meaning IMA appraisal is not available with them. |
| 30 | 56 | ||
| 31 | ##### Dependency | 57 | ##### Dependency |
| 32 | - meta-tpm | 58 | - meta-tpm |
| 33 | This layer provides the kernel configurations for TPM 1.x enablement. | 59 | This layer provides the kernel configurations and TSS for TPM 1.x enablement. |
| 34 | 60 | ||
| 35 | - meta-tpm2 | 61 | - meta-tpm2 |
| 36 | This layer provides the kernel configurations for TPM 2.0 enablement. | 62 | This layer provides the kernel configurations and TSS for TPM 2.0 enablement. |
| 37 | 63 | ||
| 38 | ##### Use The External IMA Policy | 64 | ##### Use The External IMA Policy |
| 39 | initramfs is a good place to run some IMA initializations, such as loading | 65 | initramfs is a good place to run some IMA initializations, such as loading |
| 40 | the IMA policy, as well as the public keys used to verify IMA signatures. | 66 | the IMA policy, as well as the trusted IMA certificate used to verify IMA |
| 67 | signatures. | ||
| 41 | 68 | ||
| 42 | ###### The default external IMA policy | 69 | ###### The default external IMA policy |
| 43 | The default external IMA policy enforces appraising all the executable, shared | 70 | The default external IMA policy enforces appraising all the executable, shared |
| @@ -47,34 +74,15 @@ external IMA policy occurs at the end of initramfs initializations, just before | |||
| 47 | switch_root. | 74 | switch_root. |
| 48 | 75 | ||
| 49 | Instead of running switch_root directly from initramfs, a statically linked | 76 | Instead of running switch_root directly from initramfs, a statically linked |
| 50 | switch_root from the real rootfs is called and it must be already signed | 77 | switch_root from the real rootfs is launched and it must be already signed |
| 51 | properly. Otherwise, switch_root will fail to mount the real rootfs and kernel | 78 | properly. Otherwise, switch_root will fail to mount the real rootfs and kernel |
| 52 | panic will happen due to this failure. | 79 | panic will happen due to this failure. |
| 53 | 80 | ||
| 54 | The default external IMA policy is located at `/etc/ima_policy.default` in | 81 | The default external IMA policy is located at `/etc/ima_policy.default` in |
| 55 | initramfs. If a custom external IMA policy file exists, the default external | 82 | initramfs. If a custom external IMA policy file exists at `/etc/ima_policy`, |
| 56 | IMA policy file won't be used any more. | 83 | the default external IMA policy file won't be used. In addition, the IMA |
| 57 | 84 | policies signed by the trusted IMA certificate in the real rootfs is also | |
| 58 | The default external IMA policy enables the following constraint conditions: | 85 | attempted to be loaded if any. |
| 59 | - Appraise the files for exec'd (the executables), files mmap'd for exec | ||
| 60 | (shared libraries), kernel modules and firmwares in effective root identity | ||
| 61 | (euid=0). | ||
| 62 | - Enforce verifying the IMA signature when running the executables, shared | ||
| 63 | libraries, kernel modules and firmwares. | ||
| 64 | - Deny to run the newly created executables, shared libraries, kernel modules | ||
| 65 | and firmwares. | ||
| 66 | - Deny to run the tampered executables, shared libraries, kernel modules and | ||
| 67 | firmwares. | ||
| 68 | - Deny to run any executables, shared libraries, kernel modules and firmwares | ||
| 69 | in the filesystems without file extended attribute supported. | ||
| 70 | - Allow to run the manually signed executables, shared libraries, kernel | ||
| 71 | modules and firmwares. | ||
| 72 | - Allow to run the updated executables, shared libraries, kernel modules and | ||
| 73 | firmwares during RPM installation. | ||
| 74 | - Note the different behaviors when executing a script. | ||
| 75 | e.g, launching a python script with "./test.py" is allowed only when test.py | ||
| 76 | is signed, and launching a python script with "python test.py" is always | ||
| 77 | allowed as long as the python interpreter is signed. | ||
| 78 | 86 | ||
| 79 | ###### The custom external IMA policy | 87 | ###### The custom external IMA policy |
| 80 | If the default external IMA policy cannot meet the protection requirement, it | 88 | If the default external IMA policy cannot meet the protection requirement, it |