Key points about IMA-Appraisal

ima_appraise

The ima_appraise= argument can change the default enforce appraise mode.

Note

The mode can only be changed if secure boot in the UEFI firmware is disabled. If UEFI secure boot is enabled, the default enforce cannot be changed. See Built-in Policy Rules. This is not the same as the ima_policy=secure_boot command line argument.

This command line argument is only available if CONFIG_IMA_APPRAISE_BOOTPARAM is set.

This specifies the effect of the policy rule appraise action. The four values are:

  • enforce causes IMA to appraise files. Access is denied to the appraised file if the stored hash is missing or does not match the collected value.

  • log is similar to enforce except access is not denied but only logged to /var/log/audit/audit.log.

  • off disables all appraisal. The stored hashes aren’t checked or logged. New stored hashes are not generated or updated.

  • fix enables the IMA repair mode. The stored hash reference value of a protected file can be created or updated. The file hash is (re)calculated and stored.

    fix is often used on first boot. This will allow the system to boot up even when no (or wrong) hashes are registered.

    fix only creates and updates hashes on files that would otherwise be appraised. If using a custom IMA policy, that policy must be loaded first. If neither ima_policy=appraise_tcb nor a custom policy is loaded, the default policy is to not appraise anything, and fix will have no effect. Additionally, this process may need to be repeated if there’s a change in the IMA policy.

    fix only updates hashes on files that have no signatures. It cannot create a file signature.

A typical procedure for adding file data hashes and meta-data HMAC is:

  • boot first in fix mode

  • open for read all files that will be appraised

    Example

    find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \;
    
  • When done, the stored hash value should show as an extended attribute:

    Example

    getfattr -m - -d /sbin/init
    # file: sbin/init
    security.ima=0sAXr7Qmun5mkGDS286oZxCpdGEuKT
    security.selinux="system_u:object_r:init_exec_t"
    
  • reboot in appraise mode

    The system should now run with appraisal enabled, causing the system to validate the hash against the stored value before using it. If it doesn’t match, then the file is not loaded and any access will be denied.

Note: Appraisal can be verified by booting with ima_appraise=off, changing the contents of a root-owned file (or the value of its extended attribute), and rebooting with ima_appraise=enforce.


sig

This field contains the file signature. Its Signature Header describes the Hash Algorithm. The signature algorithm is derived from the public key, which is in turn derived from the Public Key Identifier.

This field holds the extended attribute signature, never the appended signature. See modsig.

For the Extended Verification Module (EVM), it holds the signature over the meta-data.

  • If security.ima has a file data signature, it is used.

  • Else, if security.ima has a hash, then

    • If security.evm is a portable signature, it is used.

    • Else there is no signature.

The security.evm portable signature is over the file meta-data.

An example of adding a security.evm portable signature is given under evmctl portable signature.

IMA supports several signature algorithms, including:

  • RSA-2048

  • ECDSA

  • ECRDSA (GOST)

  • SM2

Signature Length

This is a 4-byte integer representing the total length of the Signature Header and Signature fields. The value may be zero, indicating that those two fields are not present.

Signature Header

This field is fixed at 9 bytes, consisting of 5 fields.

These fields do not encode the signature algorithm. That is determined by mapping the Public Key Identifier to the signing certificate, which contains the signature algorithm.

Signature Type

This is a 1-byte field.

The legal values are:

  • 0x03 EVM_IMA_XATTR_DIGSIG

    For this value, the Signature Version is always 0x02.

  • 0x05 EVM_XATTR_PORTABLE_DIGSIG

    This indicates that the signature is the portable signature of EVM file meta-data.

  • 0x06 IMA_VERITY_DIGSIG

    This introduces a level of indirection. Instead of directly signing the fs-verity digest, the signature is of the hash of the type of data (e.g. fs-verity) and the digest. Signature Version is always 0x03.

Signature Version

This is a 1-byte field.

The legal values are:

  • 0x02 file digest

  • 0x03 verity file digest

Hash Algorithm

This is a 1-byte field representing the hash algorithm used for the File Data Hash.

The values are:

  • 0x00: MD4

  • 0x01: MD5

  • 0x02: SHA-1

  • 0x03: RIPEMD-160

  • 0x04: SHA-256

  • 0x05: SHA-384

  • 0x06: SHA-512

  • 0x07: SHA-224

  • 0x08: RIPEMD-128

  • 0x09: RIPEMD-256

  • 0x0a: RIPEMD-320

  • 0x0b: Whirlpool-256

  • 0x0c: Whirlpool-384

  • 0x0d: Whirlpool-512

  • 0x0e: Tiger-128 (removed from kernel)

  • 0x0f: Tiger-160 (removed from kernel)

  • 0x10: Tiger-192 (removed from kernel)

  • 0x11: SM3-256

  • 0x12: Streebog-256

  • 0x13: Streebog-512

Note that there is redundancy, in that this field must be consistent with the Hash Algorithm field in the Template Data.

Public Key Identifier

This is a 4-byte field that identifies the public key. It is the last 4 bytes of the key’s X.509 certificate Subject Key Identifier.

Signature Size

This is a 2-byte integer representing the size of the Signature field in big endian format.

Note that there is redundancy, in that this field must be consistent with the signing public key pointed to by the Public Key Identifier.

Signature

This field holds the signature over the File Data Hash, made with the key specified by the Public Key Identifier and the hash algorithm given by the two Hash Algorithm fields (the signature Hash Algorithm and the file data Hash Algorithm, which must agree).

  • RSA - a raw RSA signature

  • ECC - a DER encoded SEQUENCE containing the R and S integers.

evmsig

evmsig follows the format of sig. The Signature Type is 0x05 EVM_XATTR_PORTABLE_DIGSIG.

If a signature exists in security.ima it is stored. Otherwise, the signature in security.evm is stored.
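The following parser is an added example, not code from this page or from the IMA project: it decodes a getfattr value as shown above and walks the 9-byte Signature Header described under sig and evmsig (type, version, hash algorithm, 4-byte key identifier, big-endian signature size), enforcing the type/version pairing and the Signature Size redundancy check. The type value 0x01 (IMA_XATTR_DIGEST, the plain stored-hash form that fix mode writes, which the getfattr output above shows) is taken from the kernel's evm_ima_xattr_type enum and is not listed on this page; the key id deadbeef and the 256 signature bytes in build_sample_digsig are constructed dummies.

```python
import base64
import struct

# Signature Type values from the page's list (kernel enum evm_ima_xattr_type).
EVM_IMA_XATTR_DIGSIG = 0x03        # over the file data hash; Signature Version 0x02
EVM_XATTR_PORTABLE_DIGSIG = 0x05   # EVM portable signature over file meta-data
IMA_VERITY_DIGSIG = 0x06           # over hash(type || fs-verity digest); version 0x03
IMA_XATTR_DIGEST = 0x01  # not on the page: plain stored-hash form written by fix mode (same enum)
EXPECTED_VERSION = {EVM_IMA_XATTR_DIGSIG: 0x02, IMA_VERITY_DIGSIG: 0x03}
SIGNATURE_TYPES = set(EXPECTED_VERSION) | {EVM_XATTR_PORTABLE_DIGSIG}
# Subset of the page's Hash Algorithm table.
HASH_ALGO = {0x02: "sha1", 0x04: "sha256", 0x05: "sha384", 0x06: "sha512", 0x11: "sm3-256"}

def decode_xattr(value: str) -> bytes:
    """Undo getfattr's encoding: a '0s' prefix marks base64, '0x' marks hex."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    raise ValueError("unsupported getfattr encoding")

def parse_ima_xattr(value: str) -> dict:
    """Classify a security.ima / security.evm value and validate a signature header."""
    blob = decode_xattr(value)
    if not blob:
        raise ValueError("empty xattr value")
    if blob[0] == IMA_XATTR_DIGEST:
        # Type byte followed by the raw digest; a 20-byte body is a SHA-1 hash.
        return {"kind": "digest", "digest": blob[1:].hex()}
    if blob[0] not in SIGNATURE_TYPES:
        raise ValueError(f"unknown xattr type 0x{blob[0]:02x}")
    if len(blob) < 9:
        raise ValueError("too short for the 9-byte Signature Header")
    # Signature Header: type(1) version(1) hash algo(1) key id(4) sig size(2, big endian)
    sig_type, version, algo, keyid, sig_size = struct.unpack(">BBB4sH", blob[:9])
    if version != EXPECTED_VERSION.get(sig_type, version):
        raise ValueError(f"type 0x{sig_type:02x} requires version 0x{EXPECTED_VERSION[sig_type]:02x}")
    signature = blob[9:]
    # The redundancy the page notes: Signature Size must match the bytes actually present.
    if len(signature) != sig_size:
        raise ValueError(f"Signature Size {sig_size} != {len(signature)} bytes present")
    return {"kind": "signature", "type": sig_type, "version": version,
            "hash_algo": HASH_ALGO.get(algo, f"0x{algo:02x}"),
            "keyid": keyid.hex(), "sig_size": sig_size, "signature": signature}

def build_sample_digsig() -> str:
    """Constructed sample: SHA-256 EVM_IMA_XATTR_DIGSIG, dummy key id deadbeef, 256 dummy bytes."""
    header = struct.pack(">BBB4sH", EVM_IMA_XATTR_DIGSIG, 0x02, 0x04, bytes.fromhex("deadbeef"), 256)
    return "0s" + base64.b64encode(header + bytes(range(256))).decode()
```

Feeding it the page's own getfattr value (0sAXr7Qmun5mkGDS286oZxCpdGEuKT) yields a digest record with a 20-byte body, i.e. the SHA-1 hash that fix mode stored rather than a signature.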

Posted 2025-07-30 13:42 by 云long