Install git on the machine:
$ sudo apt-get update
$ sudo apt-get install git
Clone the Linux stable kernel into a new directory linux_stable:
$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux_stable
The stable repository has several branches, starting from linux-2.6.11.y; change to linux-5.12.y:
$ cd linux_stable
$ git checkout linux-5.12.y
Copy the IMA patches into the linux_stable directory.
Configure your account's identity:
$ git config user.email "you@example.com"
$ git config user.name "Your Name"
Then apply the IMA patches:
$ git am --signoff < 0001-ima_cgn_template.patch
$ git am --signoff < 0002-ima_mns_template.patch
$ git am --signoff < 0003-entry_hash_256_bit.patch
$ git am --signoff < 0004-ima_dep_cgn_template.patch
Start from the configuration of the currently running kernel:
$ cp /boot/config-$(uname -r) ./.config
To run make menuconfig, install:
$ sudo apt-get dist-upgrade
$ sudo apt-get install make
$ sudo apt-get install gcc
$ sudo apt-get install libncurses-dev
$ sudo apt-get install flex
$ sudo apt-get install bison
Then launch:
$ make menuconfig
Select Security options --->, then enable the following in the Integrity Measurement Architecture(IMA) section:
[*] Integrity Measurement Architecture(IMA)
Default template (ima-dep-cgn) --->
Default integrity hash algorithm (SHA256) --->
Default template-hash algorithm (SHA256) --->
[*] IMA cache1 enabled
[*] IMA cache2 enabled
For compiling the kernel, install:
$ sudo apt-get update
$ sudo apt-get install kernel-package
$ sudo apt-get install libssl-dev
Then compile the kernel:
$ sudo make-kpkg clean
$ sudo fakeroot make-kpkg --initrd --append-to-version=-ima-dep-cgn kernel_image kernel_headers
When the compilation finishes, install the new kernel:
$ cd ..
$ sudo dpkg -i linux*.deb
Once the installation completes, reboot the system with the new kernel.
The whitelist_generator.cpp program generates the whitelist corresponding to a specific path received as parameter. It creates the file "whitelist" containing the sha256 hash of every file found under the specified path. The file "whitelist" is created in the current directory.
Compile the program:
$ g++ -std=c++17 -L/usr/lib/x86_64-linux-gnu/ -o whitelist_generator whitelist_generator.cpp -lssl -lcrypto
To create the whitelist corresponding to the path /usr/bin/, launch the program as:
$ ./whitelist_generator /usr/bin/
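The following is an added Python example of the same whitelist generation, not the project's whitelist_generator.cpp: it walks a path, hashes every regular file with SHA-256 and writes "hash path" lines. It also reads such a file back and checks a file against it, which is what the whitelist is for once the IMA Measurement Log is compared with it. The sample tree it hashes is constructed in a temporary directory (standing in for /usr/bin/), and the "ok/mismatch/unknown" results of verify_file are this example's own convention. Symlinks are skipped on purpose: IMA measures the regular file that is finally opened, so hashing a link would only duplicate or mis-attribute an entry.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_whitelist(root, out_path="whitelist"):
    """Walk root recursively and write one '<sha256> <absolute path>' line per regular file.

    Symlinks and special files are skipped; entries are sorted by path so that
    two runs over the same tree can be diffed directly.
    """
    root = os.path.abspath(root)
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            entries.append((sha256_file(p), str(p)))
    entries.sort(key=lambda e: e[1])
    with open(out_path, "w") as out:
        for digest, path in entries:
            out.write(f"{digest} {path}\n")
    return entries


def load_whitelist(path):
    """Read a whitelist file back into {absolute path: sha256 hex}."""
    table = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line:
                continue
            digest, _, file_path = line.partition(" ")  # a path may itself contain spaces
            table[file_path] = digest
    return table


def verify_file(whitelist, path):
    """Compare a file on disk with the whitelist: 'ok', 'mismatch' or 'unknown' (not listed)."""
    expected = whitelist.get(os.path.abspath(path))
    if expected is None:
        return "unknown"
    return "ok" if sha256_file(path) == expected else "mismatch"


def build_demo_tree():
    """Constructed sample tree (stands in for /usr/bin/) so the example runs offline."""
    root = tempfile.mkdtemp(prefix="wl_demo_")
    (Path(root) / "sub").mkdir()
    (Path(root) / "hello").write_bytes(b"hello")
    (Path(root) / "sub" / "empty").write_bytes(b"")
    os.symlink("hello", os.path.join(root, "link"))  # must be skipped, not hashed
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    wl_file = root + ".whitelist"  # keep the output outside the tree being hashed
    for digest, path in generate_whitelist(root, wl_file):
        print(digest, path)
    wl = load_whitelist(wl_file)
    print(verify_file(wl, os.path.join(root, "hello")))
```

Keep the output file outside the directory being hashed; otherwise a second run would include the previous whitelist in the new one.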
The ML_inspector.cpp program generates in the current directory a file, called "ML_analysis", containing the list of all the directories present in the current IMA Measurement Log.
Compile the program:
$ g++ -o ML_inspector ML_inspector.cpp
The program needs the position, counted from zero, of the file-path field in the current IMA template. For example, if the current IMA template is "ima-cgn", launch the program as:
$ ./ML_inspector 6
The whitelists_host_cont.cpp program generates whitelists for the host and for the containers running on it, starting from the Measurement Log generated by IMA. Compile the program:
$ g++ -o whitelists_host_cont whitelists_host_cont.cpp
This program accepts up to six parameters (all positions are counted from zero):
- an integer: the position of file-hash in the current ML's template;
- an integer: the position of file-path in the current ML's template;
- an integer (optional): the position of pids in the current ML's template;
- an integer (optional): the position of cgn in the current ML's template;
- a string (optional): the containers' dependency path;
- an integer (optional): the containers' dependency pid position (counted from pid 0).
The program generates the following files in the current directory:
- allowlist_host, the whitelist for the host, with the following format:
  f31ab9fc2b32ed344c5918915600817224ce32c12258962dc40ab7e1c52319de /usr/bin/rm
  92a2bade19a90a1bd81e4d2c2de646ddf971aba9c78df6e31b2b567c94fde175 /usr/bin/find
  ...
- allowlist_containerID, the whitelist for the container with ID containerID; one allowlist_xxx file is generated for each container running on the host;
- containers_list, which lists all running containers with the corresponding allowlist file, with the following format:
  1920bbecaec4 ./allowlist_1920bbecaec4
  1df3587abb10 ./allowlist_1df3587abb10
  ...
If only the first two parameters are provided, only the allowlist_host file is generated, taking into account all the entries in the Measurement Log that belong to the host.
For example, if the current IMA template is ima-cgn, the program can be launched with the following parameters:
$ sudo ./whitelists_host_cont 5 6 3 4 /usr/bin/containerd-shim-runc-v2 2
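As an added Python example (not the project's ML_inspector.cpp or whitelists_host_cont.cpp), the block below shows what both programs do with the positional template fields described above: it splits each Measurement Log line on whitespace, reads the file-hash, file-path and cgn fields at the given positions, lists the directories seen in the log (ML_inspector) and groups the (hash, path) pairs into allowlist_host, one allowlist_<cgn> per container and containers_list (whitelists_host_cont with its first, second and fourth parameters; the pids and dependency-path parameters are not modelled here). The log lines are constructed, with made-up hashes, laid out as this README positions the ima-cgn template (0=pcr, 1=template-hash, 2=template-name, 3=pids, 4=cgn, 5=file-hash, 6=file-path); using the value "host" in the cgn field to mark host processes is an assumption of this example, as is the "sha256:" algorithm prefix on the hash field, which the standard ascii_runtime_measurements format carries and the allowlist format on this page does not.

```python
import os
import tempfile
from collections import OrderedDict

# Constructed sample Measurement Log. Hashes are placeholders; the last line is
# written with a shorter template to show that such entries are skipped rather
# than misread when the requested positions do not exist.
SAMPLE_ML = "\n".join([
    "10 " + "11" * 32 + " ima-cgn 1 host sha256:" + "aa" * 32 + " /usr/bin/rm",
    "10 " + "22" * 32 + " ima-cgn 1 host sha256:" + "bb" * 32 + " /usr/bin/find",
    "10 " + "33" * 32 + " ima-cgn 4321 1920bbecaec4 sha256:" + "cc" * 32 + " /bin/sh",
    "10 " + "44" * 32 + " ima-cgn 4325 1920bbecaec4 sha256:" + "dd" * 32 + " /usr/lib/libc.so.6",
    "10 " + "55" * 32 + " ima-cgn 5000 1df3587abb10 sha256:" + "ee" * 32 + " /bin/sh",
    "10 " + "66" * 32 + " ima-ng sha256:" + "ff" * 32 + " boot_aggregate",
])
HOST_CGN = "host"  # assumption: cgn value that marks an entry measured for a host process


def parse_ml(text, hash_pos, path_pos, cgn_pos=None):
    """Yield (cgn, hex_hash, path) for every entry that has the requested fields."""
    needed = max(p for p in (hash_pos, path_pos, cgn_pos) if p is not None)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) <= needed:
            continue  # entry measured with a shorter template: skip, do not misread
        digest = fields[hash_pos].split(":", 1)[-1]  # drop a leading "sha256:" prefix
        cgn = fields[cgn_pos] if cgn_pos is not None else HOST_CGN
        yield cgn, digest, fields[path_pos]


def ml_directories(text, path_pos):
    """ML_inspector behaviour: the sorted set of directories that appear in the log."""
    dirs = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) > path_pos:
            dirs.add(os.path.dirname(fields[path_pos]))
    return sorted(dirs)


def build_allowlists(text, hash_pos, path_pos, cgn_pos=None):
    """Group (hash, path) pairs by cgn, de-duplicated but kept in first-seen order.

    A file measured twice with different hashes keeps both entries, which is
    exactly what a reviewer wants to see in a generated allowlist.
    """
    lists = {}
    for cgn, digest, path in parse_ml(text, hash_pos, path_pos, cgn_pos):
        lists.setdefault(cgn, OrderedDict())[(digest, path)] = None
    return {cgn: list(pairs) for cgn, pairs in lists.items()}


def write_allowlists(lists, out_dir):
    """Write allowlist_host, one allowlist_<cgn> per container and containers_list."""
    names = {}
    for cgn, pairs in lists.items():
        names[cgn] = "allowlist_host" if cgn == HOST_CGN else f"allowlist_{cgn}"
        with open(os.path.join(out_dir, names[cgn]), "w") as f:
            for digest, path in pairs:
                f.write(f"{digest} {path}\n")
    with open(os.path.join(out_dir, "containers_list"), "w") as f:
        for cgn, name in names.items():
            if cgn != HOST_CGN:
                f.write(f"{cgn} ./{name}\n")
    return names


def run_demo(out_dir=None):
    """Positions 5 (hash), 6 (path) and 4 (cgn) on SAMPLE_ML; returns the containers_list lines."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="allowlists_")
    write_allowlists(build_allowlists(SAMPLE_ML, 5, 6, 4), out_dir)
    with open(os.path.join(out_dir, "containers_list")) as f:
        return f.read().splitlines()


if __name__ == "__main__":
    print(ml_directories(SAMPLE_ML, 6))
    for line in run_demo():
        print(line)
```

Calling build_allowlists with only the hash and path positions reproduces the two-parameter case above: every entry lands in allowlist_host and no containers_list entries are produced.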