Microsoft Contributes Integrity Improvements To Linux 5.12
Written by Michael Larabel in Microsoft on 22 February 2021 at 08:53 AM EST. 31 Comments
MICROSOFT --
Microsoft engineers continue increasing their contributions to the Linux kernel where it makes business sense for them, such as in the case of securing the Azure cloud given that around 50% or more of the instances run Linux. With Linux 5.12 there are integrity subsystem improvements coming from Microsoft.

With the integrity subsystem and its Integrity Measurement Architecture (IMA) that is used for calculating hashes prior to loading programs/files there is some notable additions to find with Linux 5.12. There is now IMA support to measure kernel-critical data based on policy. The initial use-cases of this kernel data measurement is around the in-memory SELinux policy and the kernel version.

The IMA support for measuring the kernel version in early boot was explained by Microsoft's Raphael Gianotti as for ensuring only a good/up-to-date kernel is loaded in terms of security. Raphael noted on the patch, "The integrity of a kernel can be verified by the boot loader on cold boot, and during kexec, by the current running kernel, before it is loaded. However, it is still possible that the new kernel being loaded is older than the current kernel, and/or has known vulnerabilities. Therefore, it is imperative that an attestation service be able to verify the version of the kernel being loaded on the client, from cold boot and subsequent kexec system calls, ensuring that only kernels with versions known to be good are loaded. Measure the kernel version using ima_measure_critical_data() early on in the boot sequence, reducing the chances of known kernel vulnerabilities being exploited. With IMA being part of the kernel, this overall approach makes the measurement itself more trustworthy."

The other initial user of this IMA measurements of kernel critical data is the loaded SELinux policy. Measuring the in-memory SELinux policy through IMA is done as a secure way for the attestation service to be able to remotely validate those policy contents during run-time. That patch was contributed by Microsoft's Lakshmi Ramasubramanian.

These changes and other integrity subsystem improvements are part of this pull request in Linux 5.12.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Popular News This Week