A presentation on using Measured Boot, TPM and IMA/EVM on Linux

1. Dmitry Eremin-Solenikov
Ivan Nikolaenko
Measured Boot for
embedded devices
Open Source Software Engineer
DI SW
December, 2019

2. Restricted © 2019 Mentor Graphics Corporation
Approaching authentic execution
environment
 Usually device manufacturer would like to be sure that
deployed device executes authentic code:
— Because it might be a medical device,
— Or a safety-critcal device
— Or just to insure generic platform integrity
 We need to authenticate image contents!
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,2

3. Restricted © 2019 Mentor Graphics Corporation
Traditional approaches
 No authentication at all.
– Oops
 Verify image signature before flashing it.
– Any intruder can still modify image contents after flashing
 Or just verify whole image each boot.
– So slooow.
 We have to authenticate image contents in runtime!
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,3

4. Restricted © 2019 Mentor Graphics Corporation
Measured boot
 Measured boot is a technique of securely calculating a log of all boot
components
 Measured boot is typically thought as related to x86 platform only
 However nothing stops us from employing the same technique for
embedded devices
 TPM chip is a hardware component that assists Measured Boot process
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,4

5. Restricted © 2019 Mentor Graphics Corporation
Measured Boot for embedded devices
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,5
Boot time
 Digest all boot
components
 Optionally use calculated
boot state to unencrypt
next stage
Runtime
 Digest selected set of files as
they are accessed
– E.g. digest all root-owned
executable files
– Or digest all root-owned files
– Or anything you can come
up with
 Use digested information to
unlock encryption keys
 Use digested information to
remotely verify device state

6. Restricted © 2019 Mentor Graphics Corporation
Measuring boot components
 TPM provides at least 24 PCRs (platform configuration register) to store
boot log information
 These registers are reset only at board reset time
 The only way to change them is to Extend:
– PCR[i] = Hash ( PCR[i] || ExtendArgument )
 The code to access TPM is less than 500 lines of code
 Modify your bootloader to Extend PCRs with the digests of next boot image
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,6

7. Restricted © 2019 Mentor Graphics Corporation
Measuring inside Linux
 Linux provides IMA (Integrity Measurement Architecture) and EVM
(Extended Verification Module) subsystems
 IMA maintains a runtime list of files measurements
– Policy controlled
– Can be anchored in TPM to provide aggregate integrity value
 Steps to enable:
– Enable in kernel
– Mount filesystems with iversions option
– Provide a signed policy
– Load a policy at boot time
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,7

8. Restricted © 2019 Mentor Graphics Corporation
Measuring inside Linux: protecting from
tampering
 Linux EVM subsystem protects against filsystem tampering
 It can use either HMAC or digital signature to verify security attributes:
– security.ima (IMA's stored “good” hash for the file)
– security.selinux (the selinux label/context on the file)
– security.SMACK64 (Smack's label on the file)
– security.capability (Capability's label on executables)
 Steps to enable:
– Enable in kernel
– Load certificate or HMAC key
– Enable in securityfs
D. Eremin-Solenikov, I. Nikolaenko, Measured Boot for embedded devices,8

9. Restricted © 2019 Mentor Graphics Corporation
Using measured state: local attestation
 Use aggregated state to seal next state keys
– Seal EVM HMAC key with bootloader data
●
Attacker can not get HMAC key by tampering with
bootloaders
– Seal rootfs encryption key with bootloader and kernel
data
●
One can not access rootfs if any of boot components
are changed!
Your Initials, Presentation Title, Month Year9

10. Restricted © 2019 Mentor Graphics Corporation
Using measured state: remote attestation
 Remote attestation is a method by which a host
authenticates it's hardware and software configuration to a
remote host (server)
 Use TPM capability to cryptographically sign
measurements log and provide such log to remote server
Your Initials, Presentation Title, Month Year10

11. Restricted © 2019 Mentor Graphics Corporation
Deploying in embedded device
 Patch your bootloader
 Using MEL/Yocto/OE use one of 3 layers:
– meta-secure-core (complex solution)
– meta-measured (a bit outdated)
– meta-security (optimal after receiving all our patches)
 Use initramfs to load IMA policy and EVM certificate
Your Initials, Presentation Title, Month Year11

12. Restricted © 2019 Mentor Graphics Corporation
Deploying in embedded device #2
 Choose a solution for remote attestation
– OpenAttestation is an SDK for developing custom
complex solutions
– We recommend using strongSwan’s TNC (trusted
network connect) capability to maintain a DB of devices
– We ourselves ended up with a set of scripts to
provisioning keys, gathering data and verifying the log
Your Initials, Presentation Title, Month Year12

13. Restricted © 2019 Mentor Graphics Corporation
What can we do without TPM
TPM chips are cheap, but what if hardware is already
finalized?
Enable IMA/EVM!
– Verifying all executable files to be signed by you
– EPERM for all other binaries
Your Initials, Presentation Title, Month Year13

14. Restricted © 2019 Mentor Graphics Corporation
QUESTIONS?

15. Restricted © 2019 Mentor Graphics Corporation
www.mentor.com