protecting the integrity of the linux system · 12 linuxcon japan 2014 dm-verity transparent...

34
INTEL CONFIDENTIAL © 2014 SAMSUNG Electronics Co. Protecting the integrity of the Linux system Dmitry Kasatkin Integrity subsystem developer/co-maintainer Samsung Open Source Group Samsung Research UK, Finland branch LinuxCon Japan 2014 Tokyo, Japan, May 20 – 22, 2014

Upload: others

Post on 24-Jul-2020

4 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

INTEL CONFIDENTIAL1 © 2014 SAMSUNG Electronics Co.

Protecting the integrity of the Linux system

Dmitry KasatkinIntegrity subsystem developer/co-maintainer

Samsung Open Source GroupSamsung Research UK, Finland branch

LinuxCon Japan 2014Tokyo, Japan, May 20 – 22, 2014

Page 2: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 20142

Agenda

● What is the integrity protection?

● Pre-OS integrity protection

● OS integrity protection● Block-level integrity protection● Linux Integrity subsystem

● Summary

● Q&A

Page 3: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 20143

What is the Integrity Protection?

● Runtime system integrity is protected by Access Control (AC) mechanisms, such as Discretionary AC and Mandatory ACs.

● Relies on trustworthiness of the access control/security related attributes, such as file uid, gid, permissions, security labels or account information in /etc/passwd, etc...

● Integrity protection ensures that offline and partially online modification of the data will not remain undetected and access to such data will be forbidden or logged

Page 4: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

Pre-OS Integrity Protection

Page 5: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 20145

UEFI x86 boot process

UEFIBoot ROM

Linux Kernel

TPMPCRs

AttestationClient Attestation

Server

nonce

quote

UEFIboot loader

/init

MeasuredBoot

Secure Boot Trusted Boot (Optional)

Page 6: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 20146

UEFI x86 boot process

● Trusted Boot (TCG, Pre-UEFI)● TPM based measurements● Does not prevent booting if measurement is wrong

● UEFI Secure Boot – PreOS boot ● Root of trust in the firmware (UEFI)● Prevents modified firmware and boot loader from running● Boot loader verifies Linux kernel

● OS Trusted/Secure Boot?● Linux kernel verifies kernel modules● What about user space??

Page 7: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 20147

Embedded System Boot – not-connected

Secure ROMRoot of trust

Linux Kernel

boot loader(u-boot)

/init

Secure Boot

Page 8: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 20148

Embedded System Boot – for connected

Secure ROMRoot of trust

Linux Kernel

TEE basedMobile TPM

PCRs

AttestationClient Attestation

Server

nonce

quote

boot loader(u-boot)

/init

MeasuredBoot

Secure Boot Trusted Boot

Page 9: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 20149

Secure/Trusted u-boot (~2013.07)

● Secure boot extensions since 2013.07● Create FIT kernel image (Flattened uImage Tree)

● mkimage -f kernel.its kernel.itb● Create signed FIT kernel image

● mkimage -f kernel.its -k /path/to/keys -K u-boot.dtb kernel.itb● Resign

● mkimage -F -k /path/to/keys -K u-boot.dtb kernel.itb● TPM support

● TPM library● Drivers for common TPMs

Page 10: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201410

Signature in FIT{

description = "Simple kernel / FDT configuration";images {

kernel@1 {data = /incbin/("../vmlinuz-3.13.0");kernel-version = <1>;signature@1 {

algo = "sha1,rsa2048";key-name-hint = "dev";

};};fdt@1 {

description = "snow";data = /incbin/("exynos5250-snow.dtb");type = "flat_dt";arch = "arm";

};};

};

Page 11: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

Block level Integrity protectionApproaches

Page 12: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201412

dm-verity

● Transparent block-level integrity protection solution for read-only partitions● dm-verity is a device mapper target● Uses hash-tree

● Calculates a hash of every block● Stores hashes in the additional block and calculates hash of that block● Final hash – root hash – hash of the top level hash-block● Root hash is passed as a target parameter

● Used in ChromeOS to protect read-only partition● Update can be done only by overwriting entire partition

Page 13: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201413

dm-integrity

● Transparent block-level integrity protection solution for RW partitions● dm-integrity is a device mapper target

● virtual block device on the top of real● Maintains HMAC for every block in special integrity store

● may be the same or different block device● additional space

● Verify HMAC on every read-request and update HMAC on every write-request (BIO request)

● Keeps a cache of LRU integrity metadata for performance purpose

Page 14: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

Linux Integrity Subsystem

Page 15: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201415

Linux Integrity Subsystem

● Allows to extend Trusted and Secure Boot to the user space● Linux integrity subsystem is the Policy Based VFS level integrity protection● Located under <linux>/security/integrity● Provides several integrity functions such as

● Collect, store, attest, apprise, protect, audit● Consists of following components:

● IMA – Integrity Measurement Architecture module– IMA-measurement– IMA-appraisal– Directory integrity verification extension

● EVM – Extended Verification Module● Digital signature verification support

Page 16: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201416

IMA/EVM hooks

● IMA hooks● int ima_bprm_check();● int ima_file_check();● int ima_file_free();● int ima_file_mmap();● int ima_module_check();

● EVM hooks● int evm_inode_setattr();● void evm_inode_post_setattr();● int evm_inode_setxattr();● void evm_inode_post_setxattr();● int evm_inode_removexattr();● void evm_inode_post_removexattr();

Page 17: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201417

IMA-measurement

● Since 2.6.30 (CONFIG_IMA)● Can be used to remotely attest system's runtime integrity● Collect: measure a file's content before it is accessed using cryptographic

hash● Store: add the measurement to the runtime measurement list, and if

TPM is present, extend the IMA PCR-10● Incorrect value may “lock” TPM secrets such as keys

● Attest: if TPM is present, sign IMA PCR value to allow remote validation of the measurement list

● Requires attestation server (challenger) to maintain hash database● Also calculates and stores boot aggregate value over the TPM PCRs 0 - 7

Page 18: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201418

IMA measurement list – original format

● /sys/kernel/security/integrity/ima/ascii_runtime_measurements● Format: PCR template-hash template filedata-hash pathname● Original SHA1-only format:

10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima 1f50f71b43752cd541a851a585cba3580902e7a9 /sbin/init

Page 19: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201419

IMA measurement list – new format

● PCR template-hash template algo:filedata-hash pathname file-signature● Larger hash algo:

10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima-ng sha256:c023470c0fc8aa1dbb95504d5af5d46cad94e8bf5eea8e0ab0eeff7a7fe1697a /sbin/init

● Signatures:10 992676726c30b83e352f7bdb75e1c4dc9bab2067 ima-sig 1f50f71b43752cd541a851a585cba3580902e7a9 /sbin/init 030202db1ff72a008016c593387220a2adda990969d87a56a8a24eece51e3689fd229c4c56e7fddd4eb99f360c2ee3ff0f6344de24ecd3263f4c7a74ac6498403d7ce9e9865e4d2f32522de79e96d0cb265d5b2ab8fe54953ce53d5e59a51460f67d18e2cbacb4765ea97f2d9cdd2065816d50fb74e631efd4c2e07c72c01fd9b0f9e3efc6d91a789d

Page 20: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201420

EVM – extended verification module

● Since 3.2 (CONFIG_EVM)● Protect: protects integrity of file (extended) attributes against offline

modification● attributes: ino, uid, gid, mode● extended attributes: security.{ima,SMACK64,selinux}

● Measures integrity using (keyed) cryptographic hash (hash/HMAC)● Performs local integrity validation and enforcement against a “good”

reference HMAC value● 'security.evm' extended attribute● May contain HMAC or signature

Page 21: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201421

Digital signature extension

● Since 3.3 (CONFIG_INTEGRITY_SIGNATURE)● Protects file attributes using digital signatures

● security.evm may hold signature instead of hmac● signature is replaced with hmac on successful verification

● EVM signatures may be used● When there is no possibility to use device-specific HMAC key during

flashing/copying– No special flashing/update mode (fastboot on Android)

● When raw FS image needs to be created for use on multiple devices– HMAC key is device-specific and cannot be used during image

creation

Page 22: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201422

IMA-appraisal

● Since 3.7 (CONFIG_IMA_APPRAISE)● Appraise: enforce local integrity validation of a file measurement against a

“good” reference value● 'security.ima' extended attribute may hold hash or signature● signature is never replaced with hash – file is immutable● Protected by EVM

● In other words, allows to protect file data from offline modification● IMA signatures may be used

● To protect immutable files from runtime modification● To perform remote attestation without maintaining hash-database

Page 23: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201423

IMA policy# see <linux>/Documentation/ABI/testing/ima_policy

# SYSFS_MAGIC

dont_measure fsmagic=0x62656572

dont_appraise fsmagic=0x62656572

# DEBUGFS_MAGIC

dont_measure fsmagic=0x64626720

dont_appraise fsmagic=0x64626720

…...

measure func=BPRM_CHECK

measure func=FILE_MMAP mask=MAY_EXEC

measure func=FILE_CHECK mask=MAY_READ uid=0

appraise obj_user=sig_t func=FILE_CHECK appraise_type=imasig

appraise fowner=1001 appraise_type=imasig

appraise fowner=0

Page 24: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201424

ima-evm-utils

● Use of digital signatures requires user-space tools● ima-evm-utils (evmctl)

● Sign file metadata and content– evmctl sign –imahash foo– evmctl sign –imasig foo

● Verify (for testing purpose)● Import public keys into the kernel keyring

– evmctl import /path/to/key● Supports password protected private keys

Page 25: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201425

Example: initramfs script

grep -v "^#" /etc/ima_policy >/sys/kernel/security/ima/policy # load IMA policy

keyctl add user kmk "testing123" @u

keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u # import EVM HMAC key

ima_id=`keyctl newring _ima @u`

evmctl import /etc/keys/pubkey_evm.pem $ima_id # import IMA public key

evm_id=`keyctl newring _evm @u`

evmctl import /etc/keys/pubkey_evm.pem $evm_id # import EVM public key

echo "1" > /sys/kernel/security/evm # enable EVM

Page 26: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201426

Example: labeling with signatures

Label one file:

$ echo Hello >foo

$ sudo evmctl sign --imahash foo

$ getfattr -e hex -m security -d foo

# file: foo

security.evm=0x030155475e4e0000bc16a96303fd3e7901040060bab44648764dca46ad71827a48c3e171b7e9444b47b79b7bd7c7f1783852be9b4f038f2c1dd57320b257619b9fa3a9cadea2c679faf83a9755f2a015995ec43332fdedcc2c72cb87f2eb25a8ef524c3ec78134aaa5b6dd18c8c1bf5e16d886a03dd36587aa927e07154c0009cdaf71c1fcbc37fa15a8bd153ba360bf73bafb

security.ima=0x011d229271928d3f9e2bb0375bd6ce5db6c6d348d9

Label whole file system:

$ evmctl -r sign --imahash /

Page 27: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201427

What is missing?

● EVM protects integrity of inode metadata● IMA protects integrity of the content of regular files● Inode itself does not have a name associated with it

● Same inode can be hard linked from different directories● EVM cannot include path data

● Name is associated with inode via directory entry – not protected● Offline, files can be deleted, renamed or moved from one directory to

another one● Directory content integrity verification is needed to prevent that● Symlinks, device nodes are not also protected

Page 28: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201428

Directory & special files integrity protection

● Work in progress (CONFIG_IMA_DIRECTORIES)● New hooks for directory/special files integrity verification in fs/namei.c

● ima_dir_check(), ima_dir_update(), ima_link_check()● Directory measurement is a hash over directory content

● List of (inode number, file name) tuples● Symlink measurement

● Hash of the target path● Device node measurement

● Hash over MAJOR:MINOR● Hash is also stored in 'security.ima'● No EVM changes are required for this

Page 29: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201429

Kernel key retention service

● IMA/EVM uses key retention service to retrieve symmetric and asymmetric keys

● EVM uses encrypted keys that might be encrypted with user-supplied master key or TPM-based trusted key

● Digital signature verification support uses asymmetric keys from independent keyrings: _ima, _evm, _module

● Each keyring can be “locked” from further key importing

Page 30: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201430

What's coming (1)

● Directory & special files integrity verification● Trusted integrity keyrings

● Only signed keys can be loaded● Integrity subsystem initialization without initramfs

● In-kernel IMA/EVM X509 loading● In-kernel EVM encrypted key loading● In-kernel signed policy loading

● New IMA locking (without heavy use of i_mutex)● O_DIRECT support● sparse file handling

Page 31: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201431

What's coming (2)

● Asynchronous hash API support● HW acceleration

● Path support for the policy● Protect filesystem subtree

● Dynamic measurement format● ima-fmt:d|n|status● addition of appraisal status into measurement list

● Kernel API to retrieve appraisal status● If binary was digitally signed

Page 32: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201432

Summary

● Integrity protection can be implemented in most systems● Main requirement is HW root of trust: Secure ROM

● UEFI/U-boot provide support for secure/trusted boot● Linux kernel provides support for protecting integrity of the storage

● Linux Integrity Subsystem● policy, local appraisal, remote attestation

● Block-level integrity protection● dm-verity● dm-integrity

Page 33: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

LinuxCon Japan 201433

Links

IMA/EVM● Integrity tree: http://git.kernel.org/?p=linux/kernel/git/zohar/linux-integrity.git● Dir tree: http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git● Linux IMA project page: http://sourceforge.net/projects/linux-ima● Utils: http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree

dm-integrity● git://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git#dm-

integrity

U-Boot● http://www.denx.de/wiki/U-Boot

Page 34: Protecting the integrity of the Linux system · 12 LinuxCon Japan 2014 dm-verity Transparent block-level integrity protection solution for read-only partitions dm-verity is a device

INTEL CONFIDENTIAL34 © 2014 SAMSUNG Electronics Co.

Questions?