[RFC][PATCH 9/9] diglim: Admin guide

Roberto Sassu roberto.sassu at huawei.com
Wed Sep 15 16:31:45 UTC 2021


Introduce a DIGLIM administration guide. Its main purpose is to help users
configure a system to load into the kernel all the digests of executables
and firmware from the RPM DB, and the kernel modules of a custom kernel and a
temporary file mapped as executable as custom digest lists.

With further patch sets, it will be possible to load an execution policy in
IMA and create a measurement list only with digest lists and unknown files,
and to perform secure boot at application level.

Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
---
 Documentation/admin-guide/diglim.rst | 136 +++++++++++++++++++++++++++
 Documentation/admin-guide/index.rst  |   1 +
 MAINTAINERS                          |   1 +
 3 files changed, 138 insertions(+)
 create mode 100644 Documentation/admin-guide/diglim.rst

diff --git a/Documentation/admin-guide/diglim.rst b/Documentation/admin-guide/diglim.rst
new file mode 100644
index 000000000000..886100cf5a62
--- /dev/null
+++ b/Documentation/admin-guide/diglim.rst
@@ -0,0 +1,136 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+======
+DIGLIM
+======
+
+Digest Lists Integrity Module (DIGLIM) is an integrity extension aiming to
+facilitate the deployment of remote attestation and secure boot solutions
+based on Integrity Measurement Architecture (IMA).
+
+DIGLIM documentation can be retrieved at ``Documentation/security/diglim``.
+
+Kernel Configuration Options
+============================
+
+DIGLIM can be enabled by setting ``CONFIG_DIGLIM=y`` in the kernel
+configuration. Optionally, it is possible to set
+``CONFIG_DIGLIM_DIGEST_LISTS_DIR`` with the directory digest lists are
+taken from by a kernel loader executed at kernel initialization time.
+Finally, with ``CONFIG_DIGLIM_UPLOADER_PATH`` it is possible to specify the
+path of the digest list uploader, which will execute user space parsers to
+process the digest lists in ``CONFIG_DIGLIM_DIGEST_LISTS_DIR`` that are not
+in the format recognized by the kernel.
+
+
+LSM
+===
+
+DIGLIM includes an LSM to protect user space parsers from other processes,
+when the parsers convert a digest list and uploads it to the kernel. As for
+other LSMs, ``diglim`` should be added to the list of enabled LSMs,
+provided with the ``lsm=`` kernel option. If DIGLIM LSM is not enabled,
+digest lists uploaded by the parser will not be marked as processed by IMA
+and will not be suitable for use.
+
+
+Setup
+=====
+
+Digest lists must be loaded as soon as possible, before files are accessed,
+so that IMA finds the digest of those files with a query. More details on
+the benefits of DIGLIM for IMA can be found in
+``Documentation/security/diglim/introduction.rst``.
+
+
+Digest List Generation
+----------------------
+
+Digest lists can be generated with the tools provided in ``tools/diglim``
+in the kernel sources. In order to compile the tools, it is necessary to
+install the ``glibc-static`` and ``rpm-devel`` packages.
+
+``compact_gen`` can be used to generate digest lists in the compact format,
+which can be directly uploaded to the kernel.
+
+In order to upload digests from the RPM database, it is necessary to
+generate three digest lists: one for ``upload_digest_lists``, which is
+responsible to execute the parsers for digest lists not in the compact
+format; two for ``rpm_parser``, which actually loads the RPM digest lists.
+
+``rpm_parser`` requires two digest lists, one for identification by DIGLIM
+LSM, and the other for measurement and appraisal with IMA. The commands
+are::
+
+ # tools/diglim/compact_gen -d /etc/digest_lists -i /usr/libexec/diglim/rpm_parser -t parser
+ # tools/diglim/compact_gen -d /etc/digest_lists -i /usr/libexec/diglim/rpm_parser -t file
+ # tools/diglim/compact_gen -d /etc/digest_lists -i /usr/libexec/diglim/upload_digest_lists -t file
+
+Optionally, an appended signature can be added to the generated digest
+lists, with the sign-file tool included in the kernel sources::
+
+ # scripts/sign-file sha256 certs/signing_key.pem certs/signing_key.pem /etc/digest_lists/0-parser_list-compact-rpm_parser
+ # scripts/sign-file sha256 certs/signing_key.pem certs/signing_key.pem /etc/digest_lists/0-file_list-compact-rpm_parser
+ # scripts/sign-file sha256 certs/signing_key.pem certs/signing_key.pem /etc/digest_lists/0-file_list-compact-upload_digest_lists
+
+With an appropriate policy, appended signatures can be seen in the
+measurement, by selecting the ``ima-modsig`` template.
+
+Afterwards, digest lists can be generated from the RPM database with the
+command::
+
+ # tools/diglim/rpm_gen -d /etc/digest_lists
+
+If a custom kernel is used, an additional digest list should be generated
+for kernel modules::
+
+ # tools/diglim/compact_gen -d /etc/digest_lists -i /lib/modules/`uname -r` -t file
+ # scripts/sign-file sha256 certs/signing_key.pem certs/signing_key.pem /etc/digest_lists/0-file_list-compact-`uname -r`
+
+Finally, in Fedora there is an mmap with execution permission on a file
+with 4K of zeros. A digest list can be generated by executing::
+
+ # dd if=/dev/zero of=/tmp/mmap bs=4096 count=1
+ # tools/diglim/compact_gen -d /etc/digest_lists -i /tmp/mmap -f
+ # scripts/sign-file sha256 certs/signing_key.pem certs/signing_key.pem /etc/digest_lists/0-file_list-compact-mmap
+
+
+Initial Ram Disk
+----------------
+
+Generated digest lists should be copied to the initial ram disk in the
+``CONFIG_DIGLIM_DIGEST_LISTS_DIR`` directory. This can be accomplished,
+with dracut, by adding in /etc/dracut.conf::
+
+ install_optional_items+=" /etc/digest_lists/* "
+
+if ``CONFIG_DIGLIM_DIGEST_LISTS_DIR=/etc/digest_lists``.
+
+``upload_digest_lists`` and ``rpm_parser`` can be also copied to the
+initial ram disk by adding the following lines in /etc/dracut.conf::
+
+ install_optional_items+=" /usr/libexec/diglim/upload_digest_lists "
+ install_optional_items+=" /usr/libexec/diglim/rpm_parser "
+
+assuming that the binaries are installed in /usr/libexec/diglim.
+
+Another important option is::
+
+ do_strip="no"
+
+This prevents dracut from stripping the symbols from binaries. If binaries
+are altered, their digest will be different from the reference value and
+will not be found in the DIGLIM hash table.
+
+
+Boot and Digest List Upload
+---------------------------
+
+After generating the initial ram disk and rebooting, digest lists should
+have been added to the DIGLIM hash table. This can be checked by executing::
+
+ # cat /sys/kernel/security/integrity/diglim/digests_count
+ Parser digests: 1
+ File digests: 104273
+ Metadata digests: 0
+ Digest list digests: 2430
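Review bot: the compact_gen invocation for the Fedora mmap file ("-i /tmp/mmap -f") uses a "-f" option that appears nowhere else in the guide, while every other file digest list is generated with "-t file"; either document what "-f" does or use "-t file" for consistency, since the expected output name "0-file_list-compact-mmap" on the following sign-file line implies the "file" type. Also, "Optionally, an appended signature can be added" reads as if signing were always optional, yet the second rpm_parser digest list exists "for measurement and appraisal with IMA"; please state in which configurations (e.g. with IMA appraisal enforced) signing the parser and uploader digest lists is required rather than optional. Minor grammar in the LSM section: "when the parsers convert a digest list and uploads it" should be "convert a digest list and upload it", and "responsible to execute the parsers" should be "responsible for executing the parsers".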
diff --git a/Documentation/admin-guide/index.rst b/Documentation/admin-guide/index.rst
index dc00afcabb95..1cc7d3b3e79c 100644
--- a/Documentation/admin-guide/index.rst
+++ b/Documentation/admin-guide/index.rst
@@ -79,6 +79,7 @@ configure specific aspects of kernel behavior to your liking.
    cputopology
    dell_rbu
    device-mapper/index
+   diglim
    edid
    efi-stub
    ext4
diff --git a/MAINTAINERS b/MAINTAINERS
index 1efc1724376e..953c86915c49 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -5507,6 +5507,7 @@ M:	Roberto Sassu <roberto.sassu at huawei.com>
 L:	linux-integrity at vger.kernel.org
 S:	Supported
 T:	git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
+F:	Documentation/admin-guide/diglim.rst
 F:	Documentation/security/diglim/architecture.rst
 F:	Documentation/security/diglim/implementation.rst
 F:	Documentation/security/diglim/index.rst
-- 
2.25.1