integrity protection solutions in linux · 2017. 12. 14. · samsung open source group samsung...
TRANSCRIPT
INTEL CONFIDENTIAL1 © 2013 SAMSUNG Electronics Co.
Integrity Protection Solutions in Linux
Dmitry Kasatkin
Samsung Open Source GroupSamsung Research UK, Finland branch
LinuxCon Europe 2013Edinburgh, UK, October 21 - 23, 2013
LinuxCon Europe 20132
Agenda
● Why integrity protection?
● VFS level integrity protection
● Block level integrity protection
● Other approaches to integrity protection
● Comparison
● Q&A
LinuxCon Europe 20133
Why Integrity protection?
● Runtime system integrity is protected by Access Control mechanism, such as DAC and MACs.
● Assumes trustworthiness of the access control/security related metadata
● Integrity protection ensures that offline modification of the data will not remain undetected and access to such data will be forbidden
● Was achieved by file system encryption
LinuxCon Europe 20134
Boot process
UEFISecure Boot
OSTrusted Boot
TPMPCRs
AttestationClient Attestation
Server
MeasuredBoot
nonce
quote
LinuxCon Europe 20135
Boot process
● TCG Measured Boot● TPM based measurements● Does not prevent booting if measurement is wrong
● UEFI Secure Boot – PreOS boot ● Root of trust in the firmware (UEFI)● Prevents modified firmware and boot loader from running● Boot loader verifies Linux kernel
● OS Trusted Boot● Linux kernel verifies kernel modules● What about user space??
Linux Integrity Subsystem
LinuxCon Europe 20137
Linux Integrity Subsystem
● Linux integrity subsystem is the VFS level integrity protection● Located under <linux>/security/integrity● Provides several integrity functions such as
● Collect, store, attest, apprise, protect, audit● Consists of following components:
● IMA – Integrity Measurement Architecture module– IMA-measurement– IMA-appraisal– Directory integrity verification extension
● EVM – Extended Verification Module● Digital signature verification support
LinuxCon Europe 20138
IMA/EVM hooks
● IMA hooks● int ima_bprm_check();● int ima_file_check();● int ima_file_free();● int ima_file_mmap();● int ima_module_check();
● EVM hooks● int evm_inode_setattr();● void evm_inode_post_setattr();● int evm_inode_setxattr();● void evm_inode_post_setxattr();● int evm_inode_removexattr();● void evm_inode_post_removexattr();
LinuxCon Europe 20139
IMA-measurement
● Since 2.6.30 (CONFIG_IMA)● Can be used to remotely attest system's runtime integrity● Collect: measure a file's content before it is accessed using cryptographic
hash● Store: add the measurement to the runtime measurement list, and if
TPM is present, extend the IMA PCR-10● Incorrect value may “lock” TPM secrets such as keys
● Attest: if TPM is present, sign IMA PCR value to allow remote validation of the measurement list
● Requires attestation server (challenger) to maintain hash database● Also calculates and stores boot aggregate value over the TPM PCRs 0 - 7
LinuxCon Europe 201310
IMA measurement list – original format
● /sys/kernel/security/integrity/ima/ascii_runtime_measurements● Format: PCR template-hash template filedata-hash pathname● Original SHA1 format:
10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima 1f50f71b43752cd541a851a585cba3580902e7a9 /sbin/init
LinuxCon Europe 201311
IMA measurement list – new format
● PCR template-hash template algo:filedata-hash pathname file-signature● Larger hash algo:
10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima-ng sha256:c023470c0fc8aa1dbb95504d5af5d46cad94e8bf5eea8e0ab0eeff7a7fe1697a /sbin/init
● Signatures:10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima-sig 1f50f71b43752cd541a851a585cba3580902e7a9 /sbin/init 030202db1ff72a008016c593387220a2adda990969d87a56a8a24eece51e3689fd229c4c56e7fddd4eb99f360c2ee3ff0f6344de24ecd3263f4c7a74ac6498403d7ce9e9865e4d2f32522de79e96d0cb265d5b2ab8fe54953ce53d5e59a51460f67d18e2cbacb4765ea97f2d9cdd2065816d50fb74e631efd4c2e07c72c01fd9b0f9e3efc6d91a789d
LinuxCon Europe 201312
EVM – extended verification module
● Since 3.2 (CONFIG_EVM)● Protect: protects integrity of file (extended) attributes against offline
modification● attributes: ino, uid, gid, mode● extended attributes: security.{ima,SMACK64,selinux}
● Measures integrity using (keyed) cryptographic hash (hash/HMAC)● Performs local integrity validation and enforcement against a “good”
reference HMAC value● 'security.evm' extended attribute● May contain HMAC or signature
LinuxCon Europe 201313
Digital signature extension
● Since 3.3 (CONFIG_INTEGRITY_SIGNATURE)● Protects file attributes using digital signatures
● security.evm may hold signature instead of hmac● signature is replaced with hmac on successful verification
● EVM signatures may be used● When there is no possibility to use device-specific HMAC key during
flashing/copying– No special flashing/update mode (fastboot on Android)
● When raw FS image needs to be created for use on multiple devices– HMAC key is device-specific and cannot be used during image
creation
LinuxCon Europe 201314
Digital signature verification API
● Since 3.3 (CONFIG_SIGNATURE)● Provides API for IMA/EVM to verify RSA signature● Old: linux/lib/digsig.c API: digsig_verify()
● Since 3.7 (CONFIG_ASYMMETRIC_KEY_TYPE)● New: asymmetric keys API: verify_signature()
● Uses cut-down version of MPI library● linux/lib/mpi/*
LinuxCon Europe 201315
IMA-appraisal
● Since 3.7 (CONFIG_IMA_APPRAISE)● Appraise: enforce local integrity validation of a file measurement against a
“good” reference value● 'security.ima' extended attribute may hold hash or signature● signature is never replaced with hash – file is immutable● Protected by EVM
● In other words, allows to protect file data from offline modification● IMA signatures may be used
● To protect immutable files from runtime modification● To perform remote attestation without maintaining hash-database
LinuxCon Europe 201316
IMA policy# see <linux>/Documentation/ABI/testing/ima_policy
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
dont_appraise fsmagic=0x64626720
…...
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
appraise obj_user=sig_t func=FILE_CHECK appraise_type=imasig
appraise fowner=1001 appraise_type=imasig
appraise fowner=0
LinuxCon Europe 201317
What is missing?
● EVM protects integrity of inode metadata● IMA protects integrity of the content of regular files● Inode itself does not have a name associated with it
● Same inode can be hard linked from different directories● EVM cannot include path data
● Name is associated with inode via directory entry – not protected● Offline, files can be deleted, renamed or moved from one directory to
another one● Directory content integrity verification is needed to prevent that● Symlinks, device nodes are not also protected
LinuxCon Europe 201318
Directory & special files integrity protection
● Work in progress (CONFIG_IMA_DIRECTORIES)● New hooks for directory/special files integrity verification in fs/namei.c
● ima_dir_check(), ima_dir_update(), ima_link_check()● Directory measurement is a hash over directory content
● List of (inode number, file name) tuples● Symlink measurement
● Hash of the target path● Device node measurement
● Hash over MAJOR:MINOR● Hash is also stored in 'security.ima'● No EVM changes are required for this
LinuxCon Europe 201319
Kernel key retention service
● IMA/EVM uses key retention service to retrieve symmetric and asymmetric keys
● EVM uses encrypted keys that might be encrypted with user-supplied master key or TPM-based trusted key
● Digital signature verification support uses asymmetric keys from independent keyrings: _ima, _evm, _module
● Each keyring can be “locked” from further key importing● Since 3.12 _ima keyring can be now declared as “Trusted”
● Only keys, signed by a key from “.system_keyring” could be added
LinuxCon Europe 201320
ima-evm-utils
● Use of digital signatures requires user-space tools● ima-evm-utils (evmctl)
● Sign file metadata and content– evmctl sign –imahash foo– evmctl sign –imasig foo
● Verify (for testing purpose)● Import public keys into the kernel keyring
– evmctl import /path/to/key● Supports password protected private keys
LinuxCon Europe 201321
Example: initramfs script
grep -v "^#" /etc/ima_policy >/sys/kernel/security/ima/policy # load IMA policy
keyctl add user kmk "testing123" @u
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u # import EVM HMAC key
ima_id=`keyctl newring _ima @u`
evmctl import /etc/keys/pubkey_evm.pem $ima_id # import IMA public key
evm_id=`keyctl newring _evm @u`
evmctl import /etc/keys/pubkey_evm.pem $evm_id # import EVM public key
echo "1" > /sys/kernel/security/evm # enable EVM
LinuxCon Europe 201322
Example: labeling with signatures
Label one file:
$ echo Hello >foo
$ sudo evmctl sign --imahash foo
$ getfattr -e hex -m security -d foo
# file: foo
security.evm=0x030155475e4e0000bc16a96303fd3e7901040060bab44648764dca46ad71827a48c3e171b7e9444b47b79b7bd7c7f1783852be9b4f038f2c1dd57320b257619b9fa3a9cadea2c679faf83a9755f2a015995ec43332fdedcc2c72cb87f2eb25a8ef524c3ec78134aaa5b6dd18c8c1bf5e16d886a03dd36587aa927e07154c0009cdaf71c1fcbc37fa15a8bd153ba360bf73bafb
security.ima=0x011d229271928d3f9e2bb0375bd6ce5db6c6d348d9
Label whole file system:
$ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;
Block level Integrity protection
LinuxCon Europe 201324
dm-verity & dm-integrity
block device
dm-integrity / dm-verity
VFS
File system driver (e.g. ext4)
sda
Device Mapper
block device
sdb
LinuxCon Europe 201325
dm-verity
● Transparent block-level integrity protection solution for read-only partitions● dm-verity is a device mapper target● Uses hash-tree
● Calculates a hash of every block● Stores hashes in the additional block and calculates hash of that block● Final hash – root hash – hash of the top level hash-block● Root hash is passed as a target parameter
● Used in ChromeOS to protect read-only partition● Update can be done only by overwriting entire partition
LinuxCon Europe 201326
dm-integrity
● Transparent block-level integrity protection solution for RW partitions● dm-integrity is a device mapper target
● virtual block device on the top of real● Maintains HMAC for every block in special integrity store
● may be the same or different block device● additional space
● Verify HMAC on every read-request and update HMAC on every write-request (BIO request)
● Keeps a cache of LRU integrity metadata for performance purpose
LinuxCon Europe 201327
Example: target setup
#!/bin/sh
bdev=$1
dsize=`blockdev --getsz $bdev` # get size of the block device
dsize=$((dsize & ~7)) # round down the size to 4k blocks
size=$((dsize*204/205)) # trim the size to get space for hmac store at the end of the block device
size=$((size & ~7)) # round down the size to 4k blocks
# load the key - in this example we just use test key
keyctl add user kmk "testing123" @u
keyctl add encrypted dm-int-key "load `cat /etc/keys/dm-int-key`" @u
# creating the target
dmsetup create dm-int --table "0 $size integrity $bdev 0 $bdev $size hmac(sha1) dm-int-key"
mount /dev/mapper/dm-int /mnt # mount the target
LinuxCon Europe 201328
Other approaches
Block level encryption
● Encryption also implicitly provides integrity protection● More computation resources needed for encryption/decryption
File System level approach
● There is some work to bring integrity checks using CRC32 to the file system
● Hashes/hmacs can be used instead of crc32 to achieve desired level of protection
LinuxCon Europe 201329
Comparison of methods
● Linux integrity subsystem● Policy based● Can be used for remote attestation● Supports digital signatures● Requires less space for integrity metadata
● Block based integrity protection● Can be used only for local integrity enforcement● Good when it is just necessary to protect entire block device
LinuxCon Europe 201330
Performance comparison
Ubuntu on Intel Atom
No IntegrityIMA/EVM(with dir)
IMA/EVM dm-integrity dm-crypt
Boot time
(w/o readahead)48.5 s 47 s 46 s 61 s 60 s
Boot time
(w/ readahead)30 s 37.7 s 37.4 s 36 s 33 s
File copy 13.3 MBs 10.9 MBs 12.1 MBs 12.4 MBs 9.3 MBs
● CPU utilization when using encryption is very high without HW acceleration
● Overhead of dm-integrity on Tizen was only 1 second with 25 seconds boot time
LinuxCon Europe 201331
Links
IMA/EVM● Integrity tree: http://git.kernel.org/?p=linux/kernel/git/zohar/linux-integrity.git● Dir tree: http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git● Linux IMA project page: http://sourceforge.net/projects/linux-ima● Linux IMA/EVM wiki: http://sourceforge.net/p/linux-ima/wiki/Home● Utils: http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree
● dm-integrity● git://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git#dm-integrity
INTEL CONFIDENTIAL32 © 2013 SAMSUNG Electronics Co.
Questions?