Digital Signature support for IMA/EVM
Dmitry Kasatkin / Ryan Ware, Intel
This talk introduces digital signature extensions for IMA/EVM kernel integrity subsystem.
Currently IMA stores the file hash in security.ima to verify integrity of the file’s content and EVM stores the hmac in security.evm to verify integrity of the file’s metadata. This is quite sufficient for manually administered systems, where system administrators perform initial file system labeling. But when thousands or millions of devices are flashed with the same image during manufacturing or when a normal user updates a device by flashing a new software image, administrators are obviously not available. For that reason, the filesystem on the flashable image must be labeled. An HMAC based solution does not work in such a case, because the HMAC key is different on every device.
Digital signature extension for IMA and EVM provides a solution to protect the integrity of the image using a single digital private key and use the same known public to verify its integrity.