[RFC][PATCH 9/9] diglim: Admin guide
roberto.sassu at huawei.com
Wed Sep 15 16:31:45 UTC 2021
Introduce a DIGLIM administration guide. Its main purpose is to help users
to configure a system to load to the kernel all the digests of executable
and firmware from the RPM DB, and kernel modules of a custom kernel and a
temporary file mapped as executable as custom digest lists.
With further patch sets, it will be possible to load an execution policy in
IMA and create a measurement list only with digest lists and unknown files,
and to perform secure boot at application level.
Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
Documentation/admin-guide/diglim.rst | 136 +++++++++++++++++++++++++++
Documentation/admin-guide/index.rst | 1 +
MAINTAINERS | 1 +
3 files changed, 138 insertions(+)
create mode 100644 Documentation/admin-guide/diglim.rst
diff --git a/Documentation/admin-guide/diglim.rst b/Documentation/admin-guide/diglim.rst
new file mode 100644
@@ -0,0 +1,136 @@
+.. SPDX-License-Identifier: GPL-2.0
+Digest Lists Integrity Module (DIGLIM) is an integrity extension aiming to
+facilitate the deployment of remote attestation and secure boot solutions
+based on Integrity Measurement Architecture (IMA).
+DIGLIM documentation can be retrieved at ``Documentation/security/diglim``.
+Kernel Configuration Options
+DIGLIM can be enabled by setting ``CONFIG_DIGLIM=y`` in the kernel
+configuration. Optionally, it is possible to set
+``CONFIG_DIGLIM_DIGEST_LISTS_DIR`` with the directory digest lists are
+taken from by a kernel loader executed at kernel initialization time.
+Finally, with ``CONFIG_DIGLIM_UPLOADER_PATH`` it is possible to specify the
+path of the digest list uploader, which will execute user space parsers to
+process the digest lists in ``CONFIG_DIGLIM_DIGEST_LISTS_DIR`` that are not
+in the format recognized by the kernel.
+DIGLIM includes an LSM to protect user space parsers from other processes,
+when the parsers convert a digest list and uploads it to the kernel. As for
+other LSMs, ``diglim`` should be added to the list of enabled LSMs,
+provided with the ``lsm=`` kernel option. If DIGLIM LSM is not enabled,
+digest lists uploaded by the parser will not be marked as processed by IMA
+and will not be suitable for use.
+Digest lists must be loaded as soon as possible, before files are accessed,
+so that IMA finds the digest of those files with a query. More details on
+the benefits of DIGLIM for IMA can be found in
+Digest List Generation
+Digest lists can be generated with the tools provided in ``tools/diglim``
+in the kernel sources. In order to compile the tools, it is necessary to
+install the ``glibc-static`` and ``rpm-devel`` packages.
+``compact_gen`` can be used to generate digest lists in the compact format,
+which can be directly uploaded to the kernel.
+In order to upload digests from the RPM database, it is necessary to
+generate three digest lists: one for ``upload_digest_lists``, which is
+responsible to execute the parsers for digest lists not in the compact
+format; two for ``rpm_parser``, which actually loads the RPM digest lists.
+``rpm_parser`` requires two digest lists, one for identification by DIGLIM
+LSM, and the other for measurement and appraisal with IMA. The commands
+ # tools/diglim/compact_gen -d /etc/digest_lists -i /usr/libexec/diglim/rpm_parser -t parser
+ # tools/diglim/compact_gen -d /etc/digest_lists -i /usr/libexec/diglim/rpm_parser -t file
+ # tools/diglim/compact_gen -d /etc/digest_lists -i /usr/libexec/diglim/upload_digest_lists -t file
+Optionally, an appended signature can be added to the generated digest
+lists, with the sign-file tool included in the kernel sources::
+ # scripts/sign-file sha256 certs/signing_key.pem certs/signing_key.pem /etc/digest_lists/0-parser_list-compact-rpm_parser
+ # scripts/sign-file sha256 certs/signing_key.pem certs/signing_key.pem /etc/digest_lists/0-file_list-compact-rpm_parser
+ # scripts/sign-file sha256 certs/signing_key.pem certs/signing_key.pem /etc/digest_lists/0-file_list-compact-upload_digest_lists
+With an appropriate policy, appended signatures can be seen in the
+measurement, by selecting the ``ima-modsig`` template.
+Afterwards, digest lists can be generated from the RPM database with the
+ # tools/diglim/rpm_gen -d /etc/digest_lists
+If a custom kernel is used, an additional digest list should be generated
+for kernel modules::
+ # tools/diglim/compact_gen -d /etc/digest_lists -i /lib/modules/`uname -r` -t file
+ # scripts/sign-file sha256 certs/signing_key.pem certs/signing_key.pem /etc/digest_lists/0-file_list-compact-`uname -r`
+Finally, in Fedora there is an mmap with execution permission on a file
+with 4K of zeros. A digest list can be generated by executing::
+ # dd if=/dev/zero of=/tmp/mmap bs=4096 count=1
+ # tools/diglim/compact_gen -d /etc/digest_lists -i /tmp/mmap -f
+ # scripts/sign-file sha256 certs/signing_key.pem certs/signing_key.pem /etc/digest_lists/0-file_list-compact-mmap
+Initial Ram Disk
+Generated digest lists should be copied to the initial ram disk in the
+``CONFIG_DIGLIM_DIGEST_LISTS_DIR`` directory. This can be accomplished,
+with dracut, by adding in /etc/dracut.conf::
+ install_optional_items+=" /etc/digest_lists/* "
+``upload_digest_lists`` and ``rpm_parser`` can be also copied to the
+initial ram disk by adding the following lines in /etc/dracut.conf::
+ install_optional_items+=" /usr/libexec/diglim/upload_digest_lists "
+ install_optional_items+=" /usr/libexec/diglim/rpm_parser "
+assuming that the binaries are installed in /usr/libexec/diglim.
+Another important option is::
+This prevents dracut from stripping the symbols from binaries. If binaries
+are altered, their digest will be different from the reference value and
+will not be found in the DIGLIM hash table.
+Boot and Digest List Upload
+After generating the initial ram disk and rebooting, digest lists should
+have been added to the DIGLIM hash table. This can be checked by executing::
+ # cat /sys/kernel/security/integrity/diglim/digests_count
+ Parser digests: 1
+ File digests: 104273
+ Metadata digests: 0
+ Digest list digests: 2430
diff --git a/Documentation/admin-guide/index.rst b/Documentation/admin-guide/index.rst
index dc00afcabb95..1cc7d3b3e79c 100644
@@ -79,6 +79,7 @@ configure specific aspects of kernel behavior to your liking.
diff --git a/MAINTAINERS b/MAINTAINERS
index 1efc1724376e..953c86915c49 100644
@@ -5507,6 +5507,7 @@ M: Roberto Sassu <roberto.sassu at huawei.com>
L: linux-integrity at vger.kernel.org
More information about the Linux-security-module-archive