--- /dev/null
+---
+nav_order: 10
+---
+
+# Using Linux IMA with OSTree
+{: .no_toc }
+
+1. TOC
+{:toc}
+
+## Linux IMA
+
+The [Linux Integrity Measurement Architecture](https://sourceforge.net/p/linux-ima/wiki/Home/)
+provides a mechanism to cryptographically sign the digest of a regular
+file, and policies can be applied to e.g. require that code executed
+by the root user have a valid signed digest.
+
+The alignment between Linux IMA and ostree is quite strong. OSTree
+provides a content-addressable object store, where files are intended
+to be immutable. This is implemented with a basic read-only bind mount.
+
+While IMA does not actually prevent mutating files, any changed (or unsigned)
+files would (depending on policy) not be readable or executable.
+
+## IMA signatures and OSTree checksum
+
+Mechanically, IMA signatures appear as a `security.ima` extended attribute
+on the file. This is a signed digest of just the file content.
+
+OSTree has first-class support for extended attributes;
+they are included in the object digest along with other key file attributes
+such as uid, gid and mode.
+
+Together, this means that adding an IMA signature to a file in the OSTree
+model appears as a new object (with a new digest).
+
+## Signing
+
+To apply IMA signatures to an OSTree commit, there is an `ima-sign`
+command implemented currently in the [ostree-rs-ext](https://github.com/ostreedev/ostree-rs-ext/)
+project.
+
+### Generating a key
+
+There is documentation for this in `man evmctl` and the upstream IMA
+page; we will not replicate it here.
+
+### Signing a commit
+
+`ima-sign` requires 4 things:
+
+- An OSTree repository (could be any mode; `archive` or e.g. `bare-user`)
+- A ref or commit digest (e.g. `exampleos/x86_64/stable`)
+- A digest algorthim (usually `sha256`, but you may use e.g. `sha512` as well)
+- An RSA private key
+
+You can then add IMA signatures to all regular files in the commit:
+
+```
+$ ostree-ext-cli ima-sign --repo=repo exampleos/x86_64/stable sha256 /path/to/key.pem
+```
+
+Many different choices are possible for the signing model. For example,
+your build system could store individual components/packages in their own
+ostree refs, and sign them at build time. This would avoid re-signing
+all binaries when creating production builds. Although note you
+still likely want to sign generated artifacts from unioning individual
+components, such as a dpkg/rpm database or equivalent and cache files
+such as the `ldconfig` and GTK+ icon caches, etc.
+
+### Applying a policy
+
+Signing a commit by itself will have little to no effect. You will also
+need to include in your builds an [IMA policy](https://sourceforge.net/p/linux-ima/wiki/Home/#defining-an-lsm-specific-policy).
+
+### Linux EVM
+
+The EVM subsystem builds on IMA, and adds another signature which
+covers most file data, such as the uid, gid and mode and selected
+security-relevant extended attributes.
+
+If you've been following along, note this is very, very close to what ostree
+checksums as well!
+
+However, the focus of the EVM design seems to mostly
+be on machine-specific signatures with keys stored in a TPM.
+Note that doing this on a per-machine basis would add a new
+`security.evm` extended attribute, and crucially that
+*changes the ostree digest* - so from ostree's perspective,
+these objects will appear corrupt.
+
+In the future, ostree may learn to ignore the presence of `security.evm`
+extended attributes.
+
+There is also some support for "portable" EVM signatures - by
+default, EVM signatures also include the inode number and generation
+which are inherently machine-specific.
+
+A future ostree enhancement may instead also focus on supporting
+signing commits with these "portable" EVM signatures in addition to IMA.
+
+## Further references
+
+- https://sourceforge.net/p/linux-ima/wiki/Home/
+- https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture
+- https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
+- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/enhancing-security-with-the-kernel-integrity-subsystem_managing-monitoring-and-updating-the-kernel
+
+
+###### Licensing for this document:
+`SPDX-License-Identifier: (CC-BY-SA-3.0 OR GFDL-1.3-or-later)`
projects / ostree.git / commitdiff