ostree/docs/ima.md
Colin Walters 614d30acf3 docs: Add new IMA document
Now that the fixed code for `ima-sign` landed in
https://github.com/ostreedev/ostree-rs-ext/pull/283
2022-04-21 12:04:33 -04:00

4.1 KiB

nav_order
10

Using Linux IMA with OSTree

{: .no_toc }

  1. TOC {:toc}

Linux IMA

The Linux Integrity Measurement Architecture provides a mechanism to cryptographically sign the digest of a regular file, and policies can be applied to e.g. require that code executed by the root user have a valid signed digest.

The alignment between Linux IMA and ostree is quite strong. OSTree provides a content-addressable object store, where files are intended to be immutable. This is implemented with a basic read-only bind mount.

While IMA does not actually prevent mutating files, any changed (or unsigned) files would (depending on policy) not be readable or executable.

IMA signatures and OSTree checksum

Mechanically, IMA signatures appear as a security.ima extended attribute on the file. This is a signed digest of just the file content.

OSTree has first-class support for extended attributes; they are included in the object digest along with other key file attributes such as uid, gid and mode.

Together, this means that adding an IMA signature to a file in the OSTree model appears as a new object (with a new digest).

Signing

To apply IMA signatures to an OSTree commit, there is an ima-sign command implemented currently in the ostree-rs-ext project.

Generating a key

There is documentation for this in man evmctl and the upstream IMA page; we will not replicate it here.

Signing a commit

ima-sign requires 4 things:

  • An OSTree repository (could be any mode; archive or e.g. bare-user)
  • A ref or commit digest (e.g. exampleos/x86_64/stable)
  • A digest algorthim (usually sha256, but you may use e.g. sha512 as well)
  • An RSA private key

You can then add IMA signatures to all regular files in the commit:

$ ostree-ext-cli ima-sign --repo=repo exampleos/x86_64/stable sha256 /path/to/key.pem

Many different choices are possible for the signing model. For example, your build system could store individual components/packages in their own ostree refs, and sign them at build time. This would avoid re-signing all binaries when creating production builds. Although note you still likely want to sign generated artifacts from unioning individual components, such as a dpkg/rpm database or equivalent and cache files such as the ldconfig and GTK+ icon caches, etc.

Applying a policy

Signing a commit by itself will have little to no effect. You will also need to include in your builds an IMA policy.

Linux EVM

The EVM subsystem builds on IMA, and adds another signature which covers most file data, such as the uid, gid and mode and selected security-relevant extended attributes.

If you've been following along, note this is very, very close to what ostree checksums as well!

However, the focus of the EVM design seems to mostly be on machine-specific signatures with keys stored in a TPM. Note that doing this on a per-machine basis would add a new security.evm extended attribute, and crucially that changes the ostree digest - so from ostree's perspective, these objects will appear corrupt.

In the future, ostree may learn to ignore the presence of security.evm extended attributes.

There is also some support for "portable" EVM signatures - by default, EVM signatures also include the inode number and generation which are inherently machine-specific.

A future ostree enhancement may instead also focus on supporting signing commits with these "portable" EVM signatures in addition to IMA.

Further references

Licensing for this document:

SPDX-License-Identifier: (CC-BY-SA-3.0 OR GFDL-1.3-or-later)