Hello all,
This is my first time posting here.
There was a thread discussing IDS and IDE for dom0, specifically regarding how to attest to the state of a compromise should it occur inside dom0. However, there isn’t much information available on whether users have implemented IMA for signing binaries that run in dom0.
I assume that IMA, paired with Heads firmware (and an IDE), actively improves the attestability of dom0 as it does for /boot. I’m also aware that Heads can attest both /root and /boot. I assume, as well, that using the TPM to store hashes from IMA will require Heads to be re-signed.
I’m curious to hear your thoughts on this. I’ve been testing IMA in various templates and its different modes before deciding if it’s worth pursuing further. My main concern is accidentally setting IMA to enforce mode, misconfiguring it, or forgetting to sign/update its hashes after an update and locking myself out.
I only learned about IMA earlier this year, despite having over 10 years of experience with Linux.
The end goal is to have something like this:
[Heads Firmware]
|
v
[Perform IME and SPI Checks]
|
v
[Trusted?] —> No —> [Stop & Warn]
|
Yes
|
v
[Load /boot]
|
v
[/boot Trusted?] —> No —> [Stop & Warn]
|
Yes
|
v
[Load unmodified Kernel]
|
v
[Run Linux IMA]
|
v
[Code Signed?] —> No —> [Stop & Warn]
|
Yes
|
v
[Initialize dom0]
|
v
[Activate Tripwire (IDS)/binary signed by IMA??]
|
v
[Scan Filesystem]
|
v
[Monitor Changes]
|
v
[Alert on Discrepancies]
If anyone has explored this topic, I’d love to hear about your experiences!
-- Saint