Difference between revisions of "Linux Kernel Integrity"

From Linux Kernel Security Subsystem
Jump to navigation Jump to search
(Created page with "'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion. For non-trivial patch sets, such as patch sets that touch multiple s...")
 
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion. For non-trivial patch sets, such as patch sets that touch multiple subsystems, it is recommended to CC them also to '''linux-security-module@vger.kernel.org''' mailing list for more broad screening.
'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion.
 
* Subscription information is here: http://vger.kernel.org/vger-lists.html#linux-integrity
 
For non-trivial patch sets, such as patch sets that touch multiple subsystems, it is recommended to CC the '''linux-security-module@vger.kernel.org''' mailing list for more broad screening.
 


TPM and IMA have have their own maintainers and GIT trees:
TPM and IMA have have their own maintainers and GIT trees:
Line 5: Line 10:
* '''IMA:''' Mimi Zohar, git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
* '''IMA:''' Mimi Zohar, git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
* '''TPM:''' Jarkko Sakkinen, git://git.infradead.org/users/jjs/linux-tpmdd.git
* '''TPM:''' Jarkko Sakkinen, git://git.infradead.org/users/jjs/linux-tpmdd.git
== TPM 2.0 ==
The TPM 2.0 infrastructure in and around linux is currently moving fast.
Here is a link list which tries to capture the current situation.
=== Books & Links ===
* A Practical Guide toTPM 2.0, free PDF, https://link.springer.com/book/10.1007/978-1-4302-6584-9
* TPM2.0 in Context, http://www.springer.com/de/book/9783319087436
* TCG Links https://trustedcomputinggroup.org/resources-using-trusted-platform-module-2-0-library-specification/
* Matthew Garrett's blog https://mjg59.dreamwidth.org/ (not only about tpm)
* James Bottomley's blog https://blog.hansenpartnership.com (not only about tpm)
=== Intel TSS Stack ===
The Intel TSS Stack, compliant with the TCG SAPI specifications consists of
* The Stack: https://github.com/01org/tpm2-tss
* The Tools: https://github.com/01org/tpm2-tools
* The Broker: https://github.com/01org/tpm2-abrmd (Access Broker & Resource Management Daemon)
Interesting Links can be found here:
* https://lenovopress.com/lp0599-technical-introduction-tpm-20-with-linux
* http://www.jwsecure.com/2017/02/07/implementing-platform-protection-for-linux/
* https://github.com/01org/tpm2-tools/wiki/How-to-use-tpm2-tools (needs to be updated)
* RSA signatures with TPM2.0 and OpenSSL https://dguerriblog.wordpress.com/
* https://archive.fosdem.org/2017/schedule/event/tpm2/attachments/slides/1517/export/events/attachments/tpm2/slides/1517/FOSDEM___TPM2_0_practical_usage.pdf
* https://elinux.org/images/6/6e/ELC2017_TPM2-and-TSS_Tricca.pdf
==== Interesting Projects using Intel TSS Stack ====
Automated Full Disk De/Encryption with Clevis/Tang+TPM+Luks
* http://redhat.slides.com/npmccallum/sad
* https://github.com/latchset/clevis/pull/17
* https://github.com/martinezjavier/clevis/blob/tpm2-pin/doc/clevis-bind-luks-tpm2.md
StrongSwan VPN Server + IMA + TPMSupport (Remote Attestation)
* https://wiki.strongswan.org/projects/strongswan/wiki/TPMPlugin
Others:
* Remote Attestation https://01.org/opencit
* https://github.com/irtimmer/tpm2-pk11
* https://github.com/rqou/tpm2-luks
* https://robertou.com/tpm2-sealed-luks-encryption-keys.html
* https://github.com/WindRiver-OpenSourceLabs/cryptfs-tpm2
=== IBM TSS Stack ===
The IBM Stack follows a more pragmatic approach - the code can be found at
* https://sourceforge.net/projects/ibmtpm20tss/
including tools and everything.
James Bottomley has been actively developing against it
* https://blog.hansenpartnership.com/using-your-tpm-as-a-secure-key-store/
* https://blog.hansenpartnership.com/tpm-enabling-gnome-keyring/
* https://blog.hansenpartnership.com/tpm2-and-linux/
It comes with its own
* TPM2.0 Simulator https://sourceforge.net/projects/ibmswtpm2/
* Attestation client/server http://ibmswtpm.sourceforge.net/ibmacs.html
== IMA ==
See https://sourceforge.net/p/linux-ima/wiki/Home/ for details.
IMA namespacing: [[IMA Namespacing design considerations]]

Latest revision as of 14:03, 15 March 2018

linux-integrity@vger.kernel.org is the mailing list for TPM and IMA targeted patches and discussion.

For non-trivial patch sets, such as patch sets that touch multiple subsystems, it is recommended to CC the linux-security-module@vger.kernel.org mailing list for more broad screening.


TPM and IMA have have their own maintainers and GIT trees:

TPM 2.0

The TPM 2.0 infrastructure in and around linux is currently moving fast. Here is a link list which tries to capture the current situation.


Books & Links


Intel TSS Stack

The Intel TSS Stack, compliant with the TCG SAPI specifications consists of

Interesting Links can be found here:

Interesting Projects using Intel TSS Stack

Automated Full Disk De/Encryption with Clevis/Tang+TPM+Luks

StrongSwan VPN Server + IMA + TPMSupport (Remote Attestation)

Others:


IBM TSS Stack

The IBM Stack follows a more pragmatic approach - the code can be found at

including tools and everything.

James Bottomley has been actively developing against it

It comes with its own


IMA

See https://sourceforge.net/p/linux-ima/wiki/Home/ for details.

IMA namespacing: IMA Namespacing design considerations