The kernel integrity sub-system can be used to detect if a file has been altered (accidently or maliciously), both remotely and/or locally. It does that by appraising a file’s measurement (its hash value) against a “good” value stored previously as an extended attribute (on file systems which support extended attributes like ext3, ext4. etc.). Similar, but complementary, mechanisms are provided by other security technologies like SELinux which depending on policy can attempt to protect file integrity.
The Linux IMA (Integrity Measurement Architecture) subsystem introduces hooks within the Linux kernel to support creating and collecting hashes of files when opened, before their contents are accessed for read or execute. The IMA measurement subsystem was added in linux-2.6.30 and is supported by Red Hat Enterprise Linux 8.
The kernel integrity subsystem consists of two major components. The Integrity Measurement Architecture (IMA) is responsible for collecting file hashes, placing them in kernel memory (where userland applications cannot access/modify it) and allows local and remote parties to verify the measured values. The Extended Verification Module (EVM) detects offline tampering (this could help mitigate evil-maid attacks) of the security extended attributes.
IMA maintains a runtime measurement list and, if anchored in a hardware Trusted Platform Module(TPM), an aggregate integrity value over this list. The benefit of anchoring the aggregate integrity value in the TPM is that the measurement list is difficult to compromise by a software attack, without it being detectable. Hence, on a trusted boot system, IMA-measurement can be used to attest to the system’s runtime integrity.
IMA-measurement can be enabled by adding the parameters “ima=on ima_policy=” to the kernel command line and rebooting the system. The policy parameter takes one of the below values:
tcb
- measures all executables run, all mmap’d files for execution (such as shared libraries), all kernel modules loaded, and all firmware loaded. Additionally, all files read by root are measured as well.appraise_tcb
- appraises all files owned by root.secure_boot
- appraises all loaded modules, firmware, kexec’d kernel, and IMA policies. It also requires them to have an IMA signature as well. This is normally used with the CONFIG_INTEGRITY_TRUSTED_KEYRING option in the kernel in “secure boot” scenario, with the public key obtained from the OEM in firmware or via the MOK (Machine Owner Key) in shim.#linux