Show Your Support: Did you know that you can get Phoronix Premium for under $4 per month? Try it today to view our site ad-free, multi-page articles on a single page, and more while the proceeds allow us to write more Linux hardware reviews. At the very least, please disable your ad-blocker.
Microsoft Contributes Integrity Improvements To Linux 5.12
With the integrity subsystem and its Integrity Measurement Architecture (IMA) that is used for calculating hashes prior to loading programs/files there is some notable additions to find with Linux 5.12. There is now IMA support to measure kernel-critical data based on policy. The initial use-cases of this kernel data measurement is around the in-memory SELinux policy and the kernel version.
The IMA support for measuring the kernel version in early boot was explained by Microsoft's Raphael Gianotti as for ensuring only a good/up-to-date kernel is loaded in terms of security. Raphael noted on the patch, "The integrity of a kernel can be verified by the boot loader on cold boot, and during kexec, by the current running kernel, before it is loaded. However, it is still possible that the new kernel being loaded is older than the current kernel, and/or has known vulnerabilities. Therefore, it is imperative that an attestation service be able to verify the version of the kernel being loaded on the client, from cold boot and subsequent kexec system calls, ensuring that only kernels with versions known to be good are loaded. Measure the kernel version using ima_measure_critical_data() early on in the boot sequence, reducing the chances of known kernel vulnerabilities being exploited. With IMA being part of the kernel, this overall approach makes the measurement itself more trustworthy."
The other initial user of this IMA measurements of kernel critical data is the loaded SELinux policy. Measuring the in-memory SELinux policy through IMA is done as a secure way for the attestation service to be able to remotely validate those policy contents during run-time. That patch was contributed by Microsoft's Lakshmi Ramasubramanian.
These changes and other integrity subsystem improvements are part of this pull request in Linux 5.12.