[opensuse-kernel] IMA support in Tumbleweed kernel
Hi,

I'm currently evaluating the IMA (Integrity Measurement Architecture) for the security team. This is basically enabled in our current Leap and SLE-12 kernels but not in Tumbleweed.

For harmonization and because I'd like to test IMA with a current kernel on Tumbleweed, could you please enable the following kernel configuration options:

CONFIG_IMA=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH="sha256"
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y

But *without* CONFIG_IMA_TRUSTED_KEYRING and CONFIG_INTEGRITY_TRUSTED_KEYRING (those don't make sense as long as we have no possibility to sign third party keys). See bnc#1075517.

For more information about what IMA does I've written up documentation in https://en.opensuse.org/SDB:Ima_evm.

Thank you

Matthias

-- 
Matthias Gerstner <matthias.gerstner@suse.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
On 2/14/18 11:18 AM, Matthias Gerstner wrote:
> Hi,
>
> I'm currently evaluating the IMA (Integrity Measurement Architecture) for the security team. This is basically enabled in our current Leap and SLE-12 kernels but not in Tumbleweed.
>
> For harmonization and because I'd like to test IMA with a current kernel on Tumbleweed, could you please enable the following kernel configuration options:
>
> CONFIG_IMA=y
> CONFIG_IMA_READ_POLICY=y
> CONFIG_IMA_APPRAISE=y
> CONFIG_IMA_APPRAISE_BOOTPARAM=y
> CONFIG_IMA_NG_TEMPLATE=y
> CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> CONFIG_IMA_DEFAULT_HASH="sha256"
> CONFIG_IMA_DEFAULT_HASH_SHA256=y
> CONFIG_EVM=y
> CONFIG_EVM_ATTR_FSUUID=y
>
> But *without* CONFIG_IMA_TRUSTED_KEYRING and CONFIG_INTEGRITY_TRUSTED_KEYRING (those don't make sense as long as we have no possibility to sign third party keys). See bnc#1075517.
>
> For more information about what IMA does I've written up documentation in https://en.opensuse.org/SDB:Ima_evm.

Hi Matthias -

I'm looking at integrating this. It looks like this is an older list of config options. I'm getting questions on:

IMA_WRITE_POLICY
EVM_LOAD_X509

What should these be?

-Jeff

-- 
Jeff Mahoney
SUSE Labs
Hello Jeff,
> I'm looking at integrating this. It looks like this is an older list of config options. I'm getting questions on:
>
> IMA_WRITE_POLICY
> EVM_LOAD_X509
>
> What should these be?

we should keep them disabled for now:

IMA_WRITE_POLICY=n
EVM_LOAD_X509=n

Thank you!

Matthias
On 2/19/18 5:35 AM, Matthias Gerstner wrote:
> Hello Jeff,
>
>> I'm looking at integrating this. It looks like this is an older list of config options. I'm getting questions on:
>>
>> IMA_WRITE_POLICY
>> EVM_LOAD_X509
>>
>> What should these be?
>
> we should keep them disabled for now:
>
> IMA_WRITE_POLICY=n
> EVM_LOAD_X509=n

Ok, enabled.

-Jeff

-- 
Jeff Mahoney
SUSE Labs
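The check a practitioner would want after "Ok, enabled." is to confirm that the kernel actually carries the requested values. The script below is an added example, not part of the thread and not SUSE's own tooling. It compares a kernel .config against the option list from Matthias's first mail plus the four options that were to stay disabled (the two trusted-keyring options, IMA_WRITE_POLICY and EVM_LOAD_X509). The function names (config_value, check_ima_config) and the variable IMA_EXPECTED are my own; the config path is passed on the command line, for example /boot/config-$(uname -r) or an unpacked /proc/config.gz.

```shell
#!/bin/sh
# Added example, not part of the thread: check a kernel .config against the
# IMA/EVM option values requested above. Function and variable names are my
# own. Usage: sh check_ima_config.sh /boot/config-$(uname -r)
# (or: zcat /proc/config.gz > /tmp/config && sh check_ima_config.sh /tmp/config)

# Options from Matthias's first mail, plus the four that were to stay off
# ("n"). Quoted string values are compared including their double quotes,
# exactly as they appear in a .config file.
IMA_EXPECTED='
CONFIG_IMA=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH="sha256"
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
CONFIG_IMA_TRUSTED_KEYRING=n
CONFIG_INTEGRITY_TRUSTED_KEYRING=n
CONFIG_IMA_WRITE_POLICY=n
CONFIG_EVM_LOAD_X509=n
'

# config_value FILE OPTION: print the option's value as written in FILE.
# Kconfig writes a disabled bool/tristate as "# CONFIG_FOO is not set", or
# omits it entirely when its dependencies are unmet; both are reported as "n".
config_value() {
    val=$(grep -E "^$2=" "$1" 2>/dev/null | head -n 1 | cut -d= -f2-)
    if [ -z "$val" ]; then
        echo n
    else
        echo "$val"
    fi
}

# check_ima_config FILE: print one "MISMATCH" line per option whose value
# differs from IMA_EXPECTED. Returns 0 when everything matches, 1 otherwise,
# and 2 when FILE cannot be read (so a missing config is never a silent pass).
check_ima_config() {
    if [ ! -r "$1" ]; then
        echo "cannot read kernel config: $1" >&2
        return 2
    fi
    bad=0
    for item in $IMA_EXPECTED; do
        opt=${item%%=*}
        want=${item#*=}
        have=$(config_value "$1" "$opt")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $opt: want $want, have $have"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Only run the check when a config path is given on the command line, so the
# functions above can also be sourced from another script.
if [ $# -gt 0 ]; then
    if check_ima_config "$1"; then
        echo "OK: $1 matches the requested IMA/EVM configuration"
    else
        echo "FAILED: $1 differs from the requested IMA/EVM configuration" >&2
    fi
fi
```

Treating an absent option as "n" matters for the negative checks: if a trusted-keyring option were silently pulled in by a dependency it would show up as a mismatch, while an option that Kconfig dropped because its dependency chain was unmet is correctly reported as disabled. A string option is compared with its quotes, so CONFIG_IMA_DEFAULT_HASH="sha1" is flagged rather than loosely matched.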