lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090210202347.GA1382@ucw.cz>
Date:	Tue, 10 Feb 2009 21:23:47 +0100
From:	Pavel Machek <pavel@...e.cz>
To:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc:	linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>,
	James Morris <jmorris@...ei.org>,
	David Safford <safford@...son.ibm.com>,
	Serge Hallyn <serue@...ibm.com>, Mimi Zohar <zohar@...ibm.com>
Subject: Re: [PATCH 2/7] integrity: IMA as an integrity service provider

Hi!

> --- /dev/null
> +++ b/security/integrity/ima/Kconfig
> @@ -0,0 +1,49 @@
> +# IBM Integrity Measurement Architecture
> +#
> +config IMA
> +	bool "Integrity Measurement Architecture(IMA)"
> +	depends on ACPI

Ugh?

> +	select SECURITYFS
> +	select CRYPTO
> +	select CRYPTO_HMAC
> +	select CRYPTO_MD5
> +	select CRYPTO_SHA1
> +	select TCG_TPM
> +	select TCG_TIS
> +	help
> +	  The Trusted Computing Group(TCG) runtime Integrity
> +	  Measurement Architecture(IMA) maintains a list of hash
> +	  values of executables and other sensitive system files,
> +	  as they are read or executed. If an attacker manages
> +	  to change the contents of an important system file
> +	  being measured, we can tell.
> +
> +	  If your system has a TPM chip, then IMA also maintains
> +	  an aggregate integrity value over this list inside the
> +	  TPM hardware, so that the TPM can prove to a third party
> +	  whether or not critical system files have been modified.

Sound like 'well use this so people with homegrown distros can't
access our e-shop'...

> +	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
> +	  to learn more about IMA.

Maybe some basic docs should go into Documentation?

> +config IMA_MEASURE_PCR_IDX
> +	int
> +	depends on IMA
> +	range 8 14
> +	default 10
> +	help
> +	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
> +	  that IMA uses to maintain the integrity aggregate of the
> +	  measurement list.  If unsure, use the default 10.

This is quite ugly. How do you expect enduser to get this right?
How do you expect distro to get it right for all users?
								Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ