Microsoft Contributes Integrity Improvements To Linux 5.12

Written by Michael Larabel in Microsoft on 22 February 2021 at 08:53 AM EST. 31 Comments
MICROSOFT
Microsoft engineers continue increasing their contributions to the Linux kernel where it makes business sense for them, such as in the case of securing the Azure cloud given that around 50% or more of the instances run Linux. With Linux 5.12 there are integrity subsystem improvements coming from Microsoft.

With the integrity subsystem and its Integrity Measurement Architecture (IMA) that is used for calculating hashes prior to loading programs/files there is some notable additions to find with Linux 5.12. There is now IMA support to measure kernel-critical data based on policy. The initial use-cases of this kernel data measurement is around the in-memory SELinux policy and the kernel version.

The IMA support for measuring the kernel version in early boot was explained by Microsoft's Raphael Gianotti as for ensuring only a good/up-to-date kernel is loaded in terms of security. Raphael noted on the patch, "The integrity of a kernel can be verified by the boot loader on cold boot, and during kexec, by the current running kernel, before it is loaded. However, it is still possible that the new kernel being loaded is older than the current kernel, and/or has known vulnerabilities. Therefore, it is imperative that an attestation service be able to verify the version of the kernel being loaded on the client, from cold boot and subsequent kexec system calls, ensuring that only kernels with versions known to be good are loaded. Measure the kernel version using ima_measure_critical_data() early on in the boot sequence, reducing the chances of known kernel vulnerabilities being exploited. With IMA being part of the kernel, this overall approach makes the measurement itself more trustworthy."

The other initial user of this IMA measurements of kernel critical data is the loaded SELinux policy. Measuring the in-memory SELinux policy through IMA is done as a secure way for the attestation service to be able to remotely validate those policy contents during run-time. That patch was contributed by Microsoft's Lakshmi Ramasubramanian.

These changes and other integrity subsystem improvements are part of this pull request in Linux 5.12.
31 Comments
Related News
Linux Patch Updated For Rumble Support On Latest Microsoft Xbox Controllers
Microsoft Increasing Linux Security On Hyper-V With VTL/VSM Support
Microsoft's CBL-Mariner Linux Shows Increasing HPC Interest
Microsoft's CBL-Mariner Adds More Desktop Code, Enables WireGuard & Boots systemd-oomd
Microsoft Officially Launches D3D12 GPU Video Acceleration For WSL Linux Use
Microsoft ONNX Runtime 1.14 Released With A Big Intel AMX Performance Optimization
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Intel Thunder Bay Is Officially Canceled, Linux Driver Code To Be Removed
Linux Kernel Networking Driver Development Impacted By Russian Sanctions
Still Have A Use For Adobe Flash? Ruffle Is Working To Safely Emulate It In Rust
Linux 6.4 AMD Graphics Driver Picking Up New Power Features For The Steam Deck
Codon Looks Very Promising For Super-Fast Python Code
Raja Koduri Departing Intel To Start New Software Company
Steam Deck Goes On Sale For Steam's Spring Sale
Wine 8.4 Released With The Early Wayland Graphics Driver Code, 51 Bug Fixes