Porting IMA plus SELinux on Openmoko

Below are the steps we performed to port IMA plus SELinux to Openmoko. The main idea was to extract the IMA patches from kernel 2.6.30, where the series provided by Mimi Zohar had been merged.

See the details below.

1. Porting SELinux:

  • We used kernel 2.6.29-rc3 because it is the latest kernel used by the OM kernel community, so good support is available.
  • We cross-compiled it for the ARM architecture.
  • To enable SELinux, the following options were enabled in the kernel configuration:
    • In the Security menu we enabled:
      [*] NSA SELinux Support
      [*]   NSA SELinux boot parameter
      (1)   NSA SELinux boot parameter default value
      [*]   NSA SELinux runtime disable
      [*]   NSA SELinux Development Support
      [*]   NSA SELinux AVC Statistics
      (1)   NSA SELinux checkreqprot default value
      [ ]   NSA SELinux maximum supported policy format version
    • Maximum policy format version support was not enabled because it hangs the system.
    • In File systems we enabled:
      <M> Second extended fs support
            Ext2 extended attributes
            Ext2 Security Labels
            Ext2 execute in place support
      <*> Ext3 journalling file system support
            Ext3 extended attributes
            Ext3 Security Labels
  • The kernel was cross-compiled using the Openmoko toolchain:
    $ make ARCH=arm CROSS_COMPILE=arm-angstrom-linux-gnueabi-
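Checking the resulting .config against the list above is tedious to do by eye, so here is a small checker; it is an added example and not part of the original post. The CONFIG_* symbols are the standard Kconfig names behind the menuconfig entries listed above (that mapping is my assumption; confirm it against the Kconfig files in your tree), and CONFIG_IMA is included because the write-up enables IMA later on. The sample .config is constructed.

```python
"""Check a kernel .config for the SELinux, ext2/ext3 labelling and IMA options
this write-up enables.  Added example, not part of the original post.  The
CONFIG_* names are the usual Kconfig symbols for the menuconfig entries in
the post (mapping assumed; verify against your tree's Kconfig)."""

# (Kconfig symbol, acceptable values, menuconfig label from the post)
REQUIRED = [
    ("CONFIG_SECURITY_SELINUX", {"y"}, "NSA SELinux Support"),
    ("CONFIG_SECURITY_SELINUX_BOOTPARAM", {"y"}, "NSA SELinux boot parameter"),
    ("CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE", {"1"}, "boot parameter default value"),
    ("CONFIG_SECURITY_SELINUX_DISABLE", {"y"}, "NSA SELinux runtime disable"),
    ("CONFIG_SECURITY_SELINUX_DEVELOP", {"y"}, "NSA SELinux Development Support"),
    ("CONFIG_SECURITY_SELINUX_AVC_STATS", {"y"}, "NSA SELinux AVC Statistics"),
    ("CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE", {"1"}, "checkreqprot default value"),
    ("CONFIG_EXT2_FS", {"y", "m"}, "Second extended fs support"),
    ("CONFIG_EXT2_FS_XATTR", {"y"}, "Ext2 extended attributes"),
    ("CONFIG_EXT2_FS_SECURITY", {"y"}, "Ext2 Security Labels"),
    ("CONFIG_EXT2_FS_XIP", {"y"}, "Ext2 execute in place support"),
    ("CONFIG_EXT3_FS", {"y"}, "Ext3 journalling file system support"),
    ("CONFIG_EXT3_FS_XATTR", {"y"}, "Ext3 extended attributes"),
    ("CONFIG_EXT3_FS_SECURITY", {"y"}, "Ext3 Security Labels"),
    ("CONFIG_IMA", {"y"}, "Integrity Measurement Architecture"),
]

# Options the post deliberately leaves off, with the reason it gives.
FORBIDDEN = [
    ("CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX",
     "maximum supported policy format version hangs the system"),
]


def parse_config(text):
    """Return {symbol: value} from .config text.

    '# CONFIG_X is not set' is recorded as 'n'; quoted string values lose
    their quotes; other comment lines and blank lines are ignored."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value.strip('"')
    return opts


def check_config(text):
    """Return a list of findings; an empty list means the config matches the post."""
    opts = parse_config(text)
    findings = []
    for symbol, wanted, label in REQUIRED:
        got = opts.get(symbol, "n")           # absent symbols behave like 'n'
        if got not in wanted:
            findings.append(f"{symbol}={got} (want {'/'.join(sorted(wanted))}): {label}")
    for symbol, reason in FORBIDDEN:
        if opts.get(symbol, "n") != "n":
            findings.append(f"{symbol} is set: {reason}")
    return findings


# Constructed sample, not a real Openmoko .config: three things are wrong in it.
SAMPLE_CONFIG = """\
# constructed sample .config fragment
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
CONFIG_EXT2_FS=m
CONFIG_EXT2_FS_XATTR=y
# CONFIG_EXT2_FS_SECURITY is not set
CONFIG_EXT2_FS_XIP=y
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_SECURITY=y
# CONFIG_IMA is not set
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("config problem:", finding)
```

Run it against a real tree with `check_config(open(".config").read())`; the sample above reports the missing ext2 security labels, the missing IMA option, and the policy-version option the post says to leave disabled.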

2. Porting IMA:

  • To add IMA support, the IMA patches were applied to the kernel.
  • These patches were extracted from kernel 2.6.30; they were provided by Mimi Zohar.
  • The patches were extracted using git.
  • The commands are:
    # git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git linux-2.6
    # cd linux-2.6
    # git checkout -b v2.6.30_local v2.6.30
    # git log --since "Feb 4" --grep "Mimi Zohar" --reverse -p > ../ima.patch
  • Now we get the OM kernel:
    # git clone git://git.openmoko.org/git/kernel.git linux-om-2.6
    # cd linux-om-2.6
    # git checkout -b andy-tracking origin/andy-tracking
  • The patches were applied with:
    # patch -p1 < ../ima.patch
  • We had a problem in namei.c, which we solved, but I forgot how we did it; I did not document it at the time. If I remember, I will post it here.
  • After applying the patches successfully, we disabled SELinux and enabled IMA for testing purposes.
  • The kernel was cross-compiled and tested on the Openmoko.
  • After checking that IMA was working fine, we also enabled SELinux and tested again.

3. Problems that we faced:

  • We first selected kernel 2.6.29-rc3 and patched it with the 2.6.26-rc8 LIM/IMA patch. The patches did not apply cleanly, so we applied them manually.
  • While compiling, the manually applied patches conflicted with the original code and produced errors.
  • We then extracted the LIM/IMA patch from 2.6.30 and applied it to the same kernel.
  • This time it worked.
  • The "depends on ACPI" line in the Kconfig file in security/integrity/ima, which is meant for the x86 architecture (we are working on ARM), was removed; after its removal IMA appeared in the Security menu.

16 thoughts on “Porting IMA plus SELinux on Openmoko”

  1. Assalam u Alaikum.

    I am trying to use IMA with Ubuntu. I have tried many kernel versions, including 2.6.35.7 and 2.6.29.1, and applied the respective patches given on the SourceForge website. I am using a system with a TPM 1.2.
    After applying the patch and compiling the kernel, when I execute the command “dmesg | grep IMA” it returns nothing.
    Could you please guide me on how to use IMA?
    Your quick response will be of great value.

    Thanks & Regards,

    Luqman

  2. You don’t need these patches any more; they are part of the kernel now. Just enable IMA in the kernel, then compile and install that kernel, then go to the GRUB settings and add the parameter ima_tcb=1 to that kernel entry. Now reboot the system and run dmesg to check for IMA. Hope this will work.

    • Thank you so much for replying. Does linux-2.6.30 support IMA? And what is the procedure for enabling IMA in the kernel?

      Regards,

      Luqman

      • Yes, 2.6.30 has IMA. To enable IMA in the kernel, download its source, then run the command
        # make menuconfig
        then, I don’t remember the exact path, but I guess it’s

        security/ima [*]

        Enable it,

        then save the settings, run make and then make install, and do the other related stuff.
        If you are using kernel 2.6.30 then IMA will be up and running; else you need to add IMA_TCB=1 to the kernel parameters.

  3. Thanks for the guidance. I will try it.
    Recently, I downloaded kernel 2.6.29.1,
    applied the respective patch,
    and compiled and installed the kernel.
    Following are the commands and their outputs:
    # dmesg | grep ima

    [ 3.284176] checking if image is initramfs… it is
    [ 8.555234] PM: Checking hibernation image.
    [ 16.764633] EXT3-fs warning: maximal mount count reached, running e2fsck is recommended

    # mount -t securityfs securityfs /sys/kernel/security

    ount: securityfs already mounted or /sys/kernel/security busy
    mount: according to mtab, securityfs is already mounted on /sys/kernel/security

    I am getting the above errors, and moreover there is no folder named ima in /sys/kernel/security.
    Could you identify my mistakes?

    Regards,

    Luqman

  4. Aoa

    I have enabled IMA in kernel 2.6.30 and it’s working fine. But when I enabled IMA it included the TPM modules as part of the kernel, not as modules.
    And now when I try to access the TPM through jtss it throws an error. Could you suggest a solution to this problem?

    Thanks in advance.

    Regards,
    Luqman

  5. There’s no folder ‘tpm0’ in /sys/kernel/security, only ima. And there’s no /dev/tpm0. It seems something like tpm_bios.ko has been built into the kernel. How can I use the TPM?

    I can use ‘head -5 /sys/kernel/security/ima/ascii_runtime_measurements’, but it shows many zeros in pcr-10.

    Thanks very much.

    Enjoy everyday.

    • Clearly your TPM isn’t enabled; also, the zeros above mean that there is no chain of trust, and hence you are getting

      Follow these steps:

      1. If not already enabled, enable IMA by passing the ima_tcb=1 parameter via GRUB,
      and also mount the securityfs.

      2. Enable the TPM. I am currently using a Windows system, but I guess using the following steps will get you through; if they are not correct, use Google, I must be making mistakes somewhere.

      Edit grub.cfg or menu.lst and add the following parameters:

      tpm_bios tpm tpm_tis force=1 interrupts=0

      and then boot the system. If this does not work, open a terminal and type the following:

      $ sudo modprobe tpm_bios
      $ sudo modprobe tpm
      $ sudo modprobe tpm_tis force=1 interrupts=0

      Your TPM must be enabled now.

      • I can’t find tpm_bios.ko, tpm.ko or tpm_tis.ko on my system, because if I select the option ‘IMA’ in “make menuconfig”, CONFIG_TCG_TPM will be ‘y’, and then, because of “obj-$(CONFIG_TCG_TPM) += tpm_bios.o”, tpm_bios is built into the kernel.

        root@emos-desktop:/sys/kernel/security/ima# modprobe tpm_bios
        FATAL: Module tpm_bios not found.

        And in my menu.lst, I added ‘ima_tcb=1’ to the kernel line.

        Thanks in advance.

      • Could you help me?
        When I enabled IMA it included the TPM modules as part of the kernel, not as modules. I can’t find tpm (or tpm0) in /dev.
        My kernel is linux-2.6-xen.
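The zeros in the measurement list that the comments above describe are easy to misread, so here is a small verifier for /sys/kernel/security/ima/ascii_runtime_measurements. It is an added example, not code from the post or from the IMA project. It assumes the 2.6.30 “ima” template line layout (PCR, template hash, template name, file hash, file name) and the SHA-1 extend rule PCR = sha1(PCR || template-hash); the sample list and its digests are constructed. Two behaviours matter for anyone comparing the list with a quoted PCR-10: a violation entry is printed with an all-zero template hash but the kernel extends the PCR with 0xff bytes, and boot_aggregate carries an all-zero file hash when the kernel found no TPM at boot.

```python
"""Sanity-check an IMA ascii_runtime_measurements list and recompute the PCR-10
aggregate.  Added example for this post (not from the post or the IMA project).
Assumed 2.6.30 'ima' template line format:
    PCR  template-hash  ima  file-hash  file-name
and SHA-1 extend semantics: PCR = sha1(PCR || template-hash)."""
import hashlib

PCR_SIZE = 20                  # SHA-1 sized PCRs on a TPM 1.2
ZERO = "00" * PCR_SIZE         # all-zero digest as printed in the list


def parse_measurements(text):
    """Split list lines into dicts; lines without five fields are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 4)          # file names may contain spaces
        if len(parts) != 5:
            continue
        pcr, thash, template, fhash, name = parts
        entries.append({"pcr": int(pcr), "template_hash": thash.lower(),
                        "template": template, "file_hash": fhash.lower(),
                        "name": name})
    return entries


def extend_pcr(pcr_hex, digest_hex):
    """TPM_Extend for a SHA-1 PCR: new = sha1(old || digest)."""
    return hashlib.sha1(bytes.fromhex(pcr_hex) + bytes.fromhex(digest_hex)).hexdigest()


def verify(text, pcr_index=10):
    """Return (expected PCR value as hex, list of findings) for one PCR.

    A violation entry is printed with an all-zero template hash, but the
    kernel extended the PCR with 0xff bytes; the replay must do the same
    or the recomputed value will never match the TPM's PCR."""
    pcr = ZERO
    findings = []
    for entry in parse_measurements(text):
        if entry["pcr"] != pcr_index:
            continue
        if entry["template_hash"] == ZERO:
            findings.append(f"violation entry for {entry['name']} "
                            "(PCR extended with 0xff bytes)")
            pcr = extend_pcr(pcr, "ff" * PCR_SIZE)
            continue
        if entry["file_hash"] == ZERO:
            findings.append(f"zero file hash for {entry['name']} "
                            "(boot_aggregate is zero when the kernel found no TPM)")
        pcr = extend_pcr(pcr, entry["template_hash"])
    return pcr, findings


# Constructed sample list (digests are made up); a real one is read from
# /sys/kernel/security/ima/ascii_runtime_measurements.
SAMPLE_LIST = """\
10 3c1a9f0e5d7b2486a0c4e8f1b3d5a7c9e2f4061b ima 0000000000000000000000000000000000000000 boot_aggregate
10 a1b2c3d4e5f60718293a4b5c6d7e8f9001122334 ima 5f3c2b1a0918273645ffeeddccbbaa9988776655 /init
10 0000000000000000000000000000000000000000 ima 0000000000000000000000000000000000000000 /tmp/open_writers
10 99887766554433221100ffeeddccbbaa00112233 ima 00112233445566778899aabbccddeeff00112233 /bin/busybox
"""

if __name__ == "__main__":
    expected, findings = verify(SAMPLE_LIST)
    print("expected PCR-10:", expected)
    for finding in findings:
        print("finding:", finding)
```

Compare the returned value with PCR-10 as read from the TPM (for example via the TSS); a mismatch after the 0xff handling above means the list and the PCR have diverged, while a list whose only entries are zero-filled simply shows that nothing was ever extended into the chip.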
