Linux Security Summit 2012/Abstracts/Steffen
The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment
Andreas Steffen, HSR University of Applied Sciences Rapperswil, Switzerland
The Integrity Measurement Architecture (IMA), introduced with the Linux 2.6.30 kernel, builds on the BIOS measurements taken during the pre-boot phase and extended into the Platform Configuration Registers (PCRs) of a Trusted Platform Module (TPM), and adds its own runtime measurements to that chain. The IETF Network Endpoint Assessment (NEA) reference model (RFC 5209) defines the Posture Attribute (PA), Posture Broker (PB) and Posture Transport (PT) protocol layers, which allow security measurement data to be exchanged between a NEA client and a NEA server.
The open source Linux strongSwan VPN software implements the PA-TNC (RFC 5792), PB-TNC (RFC 5793) and PT-EAP (draft-ietf-nea-pt-eap) protocols, carried inside an EAP-TTLS tunnel within the IKEv2 authentication exchange, and can act either as a NEA client collecting IMA measurement data whose PCR values are signed by the TPM in a quote, or as a NEA server validating the received measurements against reference values stored in a database. Based on the assessment result, the NEA server either grants or denies network access to the NEA client.
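As an added illustration of the server-side validation described above (example code written for this page, not strongSwan's own IMC/IMV code): a Python replay of a TCG 1.2 binary BIOS event log into PCRs 0-7, a comparison of the replayed values against the PCR values from a quote, and a replay of a legacy "ima"-template ascii_runtime_measurements log into PCR 10, including the boot_aggregate entry that binds the two logs together. All sample logs, digests and the "quote" are constructed for the example; the quote is passed in as plain PCR values, so the AIK signature check over a real TPM_Quote is assumed to have been done already, and the event types and field layouts are those of the TCG 1.2 log format and the IMA "ima" template.

```python
import hashlib
import struct

PCR_INIT = bytes(20)           # TPM 1.2 PCRs start out as 20 zero bytes
PCR_VIOLATION = b"\xff" * 20   # IMA extends a violation entry with all 0xff

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def parse_tcg12_event_log(log: bytes) -> list:
    """TCG 1.2 log layout (binary_bios_measurements): pcrIndex u32, eventType u32,
    digest[20], eventSize u32, event[eventSize]; integers are little-endian."""
    events, off = [], 0
    while off < len(log):
        pcr, etype, digest, size = struct.unpack_from("<II20sI", log, off)
        data = log[off + 32:off + 32 + size]
        if len(data) != size:
            raise ValueError("truncated event data")
        events.append((pcr, etype, digest, data))
        off += 32 + size
    return events

def replay_bios_log(log: bytes) -> dict:
    """Replay each logged digest into its PCR: the values a genuine quote must show."""
    pcrs = {}
    for pcr, _etype, digest, _data in parse_tcg12_event_log(log):
        pcrs[pcr] = pcr_extend(pcrs.get(pcr, PCR_INIT), digest)
    return pcrs

def boot_aggregate(pcrs: dict) -> bytes:
    """IMA's first entry, boot_aggregate, is SHA-1 over the values of PCRs 0..7."""
    return hashlib.sha1(b"".join(pcrs.get(i, PCR_INIT) for i in range(8))).digest()

def ima_template_hash(file_hash: bytes, path: str) -> bytes:
    """Legacy 'ima' template: SHA-1(file digest[20] || pathname NUL-padded to 256)."""
    return hashlib.sha1(file_hash + path.encode()[:255].ljust(256, b"\0")).digest()

def replay_ima_log(ascii_log: str, bios_pcrs: dict = None) -> tuple:
    """Replay ascii_runtime_measurements lines '<pcr> <template-hash> ima <file-hash> <path>'
    into PCR 10. Returns (pcr10, problems); any problem means the log was altered."""
    pcr, problems = PCR_INIT, []
    for line in filter(str.strip, ascii_log.splitlines()):
        _idx, thash, tname, fhash, path = line.split(None, 4)
        logged, file_hash = bytes.fromhex(thash), bytes.fromhex(fhash)
        if logged == bytes(20):                      # violation: kernel extends 0xff
            pcr = pcr_extend(pcr, PCR_VIOLATION)
            continue
        if tname != "ima":
            problems.append(f"unsupported template {tname!r} for {path}")
        elif ima_template_hash(file_hash, path) != logged:
            problems.append(f"template hash mismatch for {path}")
        elif path == "boot_aggregate" and bios_pcrs is not None \
                and file_hash != boot_aggregate(bios_pcrs):
            problems.append("boot_aggregate does not match BIOS PCRs 0-7")
        pcr = pcr_extend(pcr, logged)
    return pcr, problems

def verify_quote(replayed: dict, quoted: dict) -> list:
    """PCR indices on which the replayed log disagrees with the (already
    signature-checked) quote; an empty list means the log can be trusted."""
    return sorted(i for i in quoted if replayed.get(i, PCR_INIT) != quoted[i])

# ---- constructed sample data, not taken from any real machine ---------------
def tcg12_event(pcr: int, etype: int, digest: bytes, data: bytes) -> bytes:
    return struct.pack("<II20sI", pcr, etype, digest, len(data)) + data

D_POST = hashlib.sha1(b"constructed POST code").digest()
D_SEP = hashlib.sha1(b"\0\0\0\0").digest()                          # EV_SEPARATOR
D_BOOT = hashlib.sha1(b"constructed boot loader").digest()
SAMPLE_BIOS_LOG = (tcg12_event(0, 0x01, D_POST, b"POST") +          # EV_POST_CODE
                   tcg12_event(0, 0x04, D_SEP, b"\0\0\0\0") +       # EV_SEPARATOR
                   tcg12_event(4, 0x0d, D_BOOT, b"IPL"))            # EV_IPL
# The PCR values the NEA server holds from the quote, written out by hand
SAMPLE_QUOTE = {0: pcr_extend(pcr_extend(PCR_INIT, D_POST), D_SEP),
                4: pcr_extend(PCR_INIT, D_BOOT)}
# Log edited to hide a changed POST code: PCR 0 will no longer replay
TAMPERED_BIOS_LOG = SAMPLE_BIOS_LOG.replace(D_POST, hashlib.sha1(b"forged").digest())

H_AGG = boot_aggregate(replay_bios_log(SAMPLE_BIOS_LOG))
H_INIT = hashlib.sha1(b"constructed /sbin/init").digest()

def ima_line(fh: bytes, path: str) -> str:
    return f"10 {ima_template_hash(fh, path).hex()} ima {fh.hex()} {path}"

SAMPLE_IMA_LOG = "\n".join([
    ima_line(H_AGG, "boot_aggregate"),
    ima_line(H_INIT, "/sbin/init"),
    "10 " + "0" * 40 + " ima " + "0" * 40 + " /tmp/open-writers",   # violation entry
])
TAMPERED_IMA_LOG = SAMPLE_IMA_LOG.replace("/sbin/init", "/sbin/init.orig")

if __name__ == "__main__":
    bios = replay_bios_log(SAMPLE_BIOS_LOG)
    print("BIOS PCRs disagreeing with quote:", verify_quote(bios, SAMPLE_QUOTE))
    print("tampered BIOS log:", verify_quote(replay_bios_log(TAMPERED_BIOS_LOG), SAMPLE_QUOTE))
    print("IMA problems:", replay_ima_log(SAMPLE_IMA_LOG, bios)[1])
    print("tampered IMA log:", replay_ima_log(TAMPERED_IMA_LOG, bios)[1])
```

The order of checks matters for a server: the log is only meaningful once the replayed PCRs agree with a quote whose signature has been verified, because an attacker who controls the client can rewrite the log at will but cannot make the TPM report matching PCR values. The boot_aggregate check is what links the IMA runtime log to the pre-boot chain, so a log from a different boot (or a different machine) is caught even if it is internally consistent.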
This talk will give a short overview of the IETF NEA framework and will then present the implemented TPM-based IMA BIOS measurements use case. Finally, an outlook will be given on how remote attestation could be extended to EVM file measurements.
TPM-based Remote Attestation of the IMA BIOS measurements
- NEA client side:
- NEA server side:
strongSwan’s TNC-based Network Endpoint Assessment capabilities http://www.strongswan.org/tnc/