IMA as a standalone service
July 22nd, 2007 By shazkhan

The following paragraphs are from the Linux mailing list, from a mail sent by the IBM IMA team. They are working out this userspace IMA thingy. I am still not satisfied. Mr. TAT, can you please verify it? I can email you the patches and the related mails as well.

This is a request for comments for a subset of the original integrity
patches. By submitting this subset of the original patches, we hope to
simplify its review and ultimately ease its inclusion into the kernel.
For this reason, neither EVM nor SLIM are included in this patchset.
This patchset contains: Linux Integrity Module (LIM), Integrity
Measurement Architecture (IMA), and patches to the TPM driver. The LIM
patch defines 3 integrity API calls, 7 integrity hooks, placement of
the hooks, and a dummy integrity service provider. There are very minor
changes from the previous release.  The IMA patch is now an independent
integrity service provider, which provides support for a subset of the
integrity API calls.

IBAC, a sample LSM module, which helps clarify the interaction between
LSM and LIM modules, will be posted separately to the LSM mailing list.
In addition, we are working on an SELinux integrity patch to take
advantage of the integrity services, in a similar way to the IBAC
example.

Patch 1/3 integrity: Linux Integrity Module (LIM)
Patch 2/3 integrity: IMA as a stand alone integrity service provider
Patch 3/3 integrity: TPM internal kernel interface

Mimi Zohar
Dave Safford

11 Responses to "IMA as a standalone service"
 
shazkhan
July 22nd, 2007

I am not sure what they are doing with such a huge amount of code, but they are probably using the same technique which Mr mma tried out earlier (file_mmap()). Definitely there are some additions.

 
shazkhan
July 22nd, 2007

Mr mma, have you written any formal or informal thingy on this work of yours? I would like to have it for my paper purposes and might need to reference it.

 
TaMLeEk
July 22nd, 2007

It's quite an interesting field because only the IBM guys are working in this area with Linux… so they are changing things from one format to another and they mix 2 or 3 things and make a new thing… It's true that IMA needs to be at the user space, but hope this effort makes it so… I need some literature as well on these topics… if you have these patches then send them to me or send me the URL so that I do it myself…

 
alam78
July 22nd, 2007

It's quite interesting to hear this. But this development is not new for me, as I know that the SELinux and IBM community has been working on this idea for some time.

I already posted my results on the group. Let's talk on this issue tomorrow, inshAllah.

Best,
MM Alam

 
shazkhan
July 23rd, 2007

Mr tat, did you go through those patches that we forwarded to you today? Let me know about your analysis, because I am double-minded regarding IMA and direct API usage of TrouSerS.
Mr mma, we had some mismanagement in the meeting today, so I wasn't able to discuss this issue with you. I will try my luck on messengers!

 
shazkhan
July 24th, 2007

Mr mma, as I have already asked for your previous work that you presented at the SELinux symposium regarding IMA + SELinux, I would like to have a copy of it. If you have not formally written anything on it, please give me your drafts or rough work. I would like to pursue it further.

 
alam78
July 24th, 2007

Actually, that was not my work, and I have not presented that work! That was presented by Xinwen.

Shall I send my copy to you by mail :)

 
shazkhan
July 24th, 2007

Work on IMA as a service is being discussed on the Linux mailing lists. Mr tat, you should have a look at it. I cannot forward all the mails, so we had better have a short meeting if you are interested in it. Maybe the others get together also for the past agenda regarding tutorial sessions.

We should also be getting in touch with the IBM Watson guys if we have to go ahead with their remote attestation module.

 
shazkhan
July 24th, 2007

I am waiting!

 
shazkhan
July 27th, 2007

Mr tat, I am waiting for your expert opinion on this topic. Please shed some light on it so that I take it as my start.

 
shazkhan
July 30th, 2007

The mm patch is Andrew Morton's more experimental kernels. It's in his own subdirectory on kernel.org. For Mr tat.
