
kernel-packages team mailing list archive

[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel


For making sure IMA isn't enabled at boot by default, here are some
details from http://sourceforge.net/p/linux-ima/wiki/Home/

Enabling IMA
IMA was first included in the 2.6.30 kernel. For distros that enable IMA by default in their kernels, collecting IMA measurements simply requires rebooting the kernel with the boot command line parameter 'ima_tcb'. (Fedora/RHEL may also require the boot command line parameter 'ima=on'.)

To determine if your distro enables IMA by default, mount securityfs
(mount -t securityfs security /sys/kernel/security), if it isn't already
mounted, and then check if '/integrity/ima' exists. If it exists, IMA is
indeed enabled. On systems without IMA enabled, recompile the kernel
with the config option 'CONFIG_IMA' enabled.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1244627

Title:
  Please enable CONFIG_IMA in the ubuntu kernel

Status in “linux” package in Ubuntu:
  Fix Committed
Status in “linux” source package in Trusty:
  Fix Committed

Bug description:
  I would be doubly happy if this also went into the raring backport
  kernel.

  I chatted with apw and kees on #ubuntu-kernel earlier in the week.
  From a security engineer on our team:

  So I was mistaken. If CONFIG_IMA=y, the default policy is NULL unless
  you boot with ima_tcb=on. Without ima_tcb=y, nothing is measured,
  nothing is audited, no performance/memory hit is incurred.

  Same is true for CONFIG_IMA_APPRAISE, except with the
  ima_appraise_tcb=on command line parameter. IMA appraise gives us the
  ability to sign binaries at installation time and check the signature
  at runtime.

  So we are asking that you enable CONFIG_IMA, but to not enable it via
  the kernel command line options. IMA would boot with an empty policy
  and should incur no overhead. Enterprising folks who want to run IMA
  can enable it in grub at their option.

  CONFIG_IMA=y

  and possibly:

  CONFIG_IMA_MEASURE_PCR_IDX=10
  CONFIG_IMA_AUDIT=y
  CONFIG_IMA_LSM_RULES=y

  -A

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1244627/+subscriptions
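The wiki check quoted in the comment (does securityfs expose integrity/ima?) and the claim in the bug description (CONFIG_IMA=y with no ima_tcb on the command line leaves IMA built in but idle, measuring nothing) can be verified together from a shell. The script below is an added example, not code from the bug report, from Ubuntu, or from the linux-ima wiki. It assumes the kernel config lives at /boot/config-$(uname -r), that securityfs is mounted at /sys/kernel/security, that the measurement list is the ascii_runtime_measurements file under integrity/ima, and that a bare "ima_tcb" and an "ima_tcb=<value>" spelling should be counted alike, since the thread uses both. Paths are parameters so the same functions can be run against constructed fixtures.

```shell
#!/bin/sh
# Added example (not code from the bug report or the linux-ima wiki).
# Reports whether CONFIG_IMA is built into the kernel, whether securityfs
# exposes integrity/ima, and whether the boot command line requested a
# default policy (ima_tcb / ima_appraise_tcb).  Every path is a parameter;
# the live defaults are at the bottom.

# Print "y" if CONFIG_IMA=y in the given kernel config file, else "n".
ima_built_in() {
    if grep -q '^CONFIG_IMA=y$' "$1" 2>/dev/null; then
        echo y
    else
        echo n
    fi
}

# Succeed if <securityfs root>/integrity/ima exists (the wiki's test).
ima_exposed() {
    [ -d "$1/integrity/ima" ]
}

# Classify the default-policy request in a command line file as
# none / tcb / appraise_tcb / both.  Assumption: "ima_tcb" and
# "ima_tcb=<value>" are treated alike, as the thread spells it both ways.
ima_policy_requested() {
    [ -r "$1" ] || { echo none; return 0; }
    tcb=no
    appraise=no
    for tok in $(cat "$1"); do
        case "$tok" in
            ima_tcb|ima_tcb=*)                   tcb=yes ;;
            ima_appraise_tcb|ima_appraise_tcb=*) appraise=yes ;;
        esac
    done
    if [ "$tcb" = yes ] && [ "$appraise" = yes ]; then echo both
    elif [ "$tcb" = yes ]; then echo tcb
    elif [ "$appraise" = yes ]; then echo appraise_tcb
    else echo none
    fi
}

# Number of entries in the measurement list; 0 when IMA is absent or idle.
# Assumption: the list is <root>/integrity/ima/ascii_runtime_measurements.
ima_measurement_count() {
    f="$1/integrity/ima/ascii_runtime_measurements"
    if [ -r "$f" ]; then
        wc -l < "$f" | tr -d ' '
    else
        echo 0
    fi
}

# One-line summary ending in a state word: "absent" (not built in),
# "idle" (built in, no policy requested: the configuration the report
# asks Ubuntu to ship), or "active" (a default policy was requested).
ima_status() {
    built=$(ima_built_in "$1")
    if ima_exposed "$2"; then exposed=yes; else exposed=no; fi
    policy=$(ima_policy_requested "$3")
    count=$(ima_measurement_count "$2")
    if [ "$built" = n ]; then state=absent
    elif [ "$policy" = none ]; then state=idle
    else state=active
    fi
    printf 'CONFIG_IMA=%s integrity/ima=%s policy_requested=%s measurements=%s state=%s\n' \
        "$built" "$exposed" "$policy" "$count" "$state"
}

# Live run: kernel config, securityfs mount point, and /proc/cmdline
# (each overridable by a positional argument).
ima_status "${1:-/boot/config-$(uname -r)}" "${2:-/sys/kernel/security}" "${3:-/proc/cmdline}"
```

On a kernel built the way the report requests, the summary reads `state=idle` with `measurements=0`; adding `ima_tcb` to the GRUB command line and rebooting flips it to `state=active`, after which the measurement list starts filling. If securityfs is not mounted, `integrity/ima=no` is reported even when CONFIG_IMA=y, which is why the wiki says to mount it first.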