Microsoft Contributes Integrity Improvements To Linux 5.12 | #linux | #linuxsecurity


Microsoft engineers continue increasing their contributions to the Linux kernel where it makes business sense for them, such as in the case of securing the Azure cloud given that around 50% or more of the instances run Linux. With Linux 5.12 there are integrity subsystem improvements coming from Microsoft.

With the integrity subsystem and its Integrity Measurement Architecture (IMA) that is used for calculating hashes prior to loading programs/files there is some notable additions to find with Linux 5.12. There is now IMA support to measure kernel-critical data based on policy. The initial use-cases of this kernel data measurement is around the in-memory SELinux policy and the kernel version.

The IMA support for measuring the kernel version in early boot was explained by Microsoft’s Raphael Gianotti as for ensuring only a good/up-to-date kernel is loaded in terms of security. Raphael noted on the patch, “The integrity of a kernel can be verified by the boot loader on cold boot, and during kexec, by the current running kernel, before it is loaded. However, it is still possible that the new kernel being loaded is older than the current kernel, and/or has known vulnerabilities. Therefore, it is imperative that an attestation service be able to verify the version of the kernel being loaded on the client, from cold boot and subsequent kexec system calls, ensuring that only kernels with versions known to be good are loaded. Measure the kernel version using ima_measure_critical_data() early on in the boot sequence, reducing the chances of known kernel vulnerabilities being exploited. With IMA being part of the kernel, this overall approach makes the measurement itself more trustworthy.

The other initial user of this IMA measurements of kernel critical data is the loaded SELinux policy. Measuring the in-memory SELinux policy through IMA is done as a secure way for the attestation service to be able to remotely validate those policy contents during run-time. That patch was contributed by Microsoft’s Lakshmi Ramasubramanian.

These changes and other integrity subsystem improvements are part of this pull request in Linux 5.12.



Original Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

− 4 = 4