Microsoft Contributes Integrity Improvements To Linux 5.12

Written by Michael Larabel in Microsoft on 22 February 2021 at 08:53 AM EST. 31 Comments
Microsoft engineers continue to increase their contributions to the Linux kernel where it makes business sense for them, such as securing the Azure cloud, given that around 50% or more of its instances run Linux. With Linux 5.12 there are integrity subsystem improvements coming from Microsoft.

The integrity subsystem and its Integrity Measurement Architecture (IMA), which calculates hashes of programs and files before they are loaded, gain some notable additions in Linux 5.12. IMA can now measure kernel-critical data based on policy. The initial use-cases of this kernel data measurement are the in-memory SELinux policy and the kernel version.

The IMA support for measuring the kernel version early in boot was explained by Microsoft's Raphael Gianotti as a way of ensuring that only a known-good, up-to-date kernel is loaded. Raphael noted on the patch, "The integrity of a kernel can be verified by the boot loader on cold boot, and during kexec, by the current running kernel, before it is loaded. However, it is still possible that the new kernel being loaded is older than the current kernel, and/or has known vulnerabilities. Therefore, it is imperative that an attestation service be able to verify the version of the kernel being loaded on the client, from cold boot and subsequent kexec system calls, ensuring that only kernels with versions known to be good are loaded. Measure the kernel version using ima_measure_critical_data() early on in the boot sequence, reducing the chances of known kernel vulnerabilities being exploited. With IMA being part of the kernel, this overall approach makes the measurement itself more trustworthy."

The other initial user of these IMA measurements of kernel-critical data is the loaded SELinux policy. Measuring the in-memory SELinux policy through IMA gives an attestation service a trustworthy way to remotely validate the policy contents at run-time. That patch was contributed by Microsoft's Lakshmi Ramasubramanian.
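To show what the attestation service described in the two preceding paragraphs would do with these measurements, here is an added example (not code from the kernel patches or from Microsoft) that parses constructed IMA measurement-log lines in the ima-buf template layout, checks the measured kernel version against a minimum known-good version, and decodes the measured SELinux state. The event names "kernel_version" and "selinux-state", the field layout and all hash values are assumptions made for this example.

```python
"""Attestation-side check of IMA critical-data measurements (added example)."""
from typing import Dict, Optional

# Constructed sample of ascii_runtime_measurements lines in the ima-buf template layout:
# PCR, template hash, template name, algo:buffer-hash, event name, hex-encoded buffer.
# Event names "kernel_version" and "selinux-state" are assumptions for this example.
SAMPLE_LOG = """\
10 {h} ima-buf sha256:{b} kernel_version 352e31322e30
10 {h} ima-buf sha256:{b} selinux-state 696e697469616c697a65643d313b656e666f7263696e673d313b
10 {h} ima-ng sha256:{b} /usr/bin/bash
""".format(h="a" * 40, b="b" * 64)

MIN_GOOD_KERNEL = (5, 12, 0)   # verifier policy: anything older is rejected


def parse_ima_buf(log: str) -> Dict[str, bytes]:
    """Collect {event_name: decoded buffer} from ima-buf entries; skip other templates."""
    entries: Dict[str, bytes] = {}
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[2] == "ima-buf":
            entries[fields[4]] = bytes.fromhex(fields[5])
    return entries


def version_tuple(text: str) -> tuple:
    """'5.12.0-rc1' -> (5, 12, 0): compare only the numeric dotted prefix."""
    nums = []
    for part in text.split("-", 1)[0].split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def kernel_version_ok(log: str, minimum=MIN_GOOD_KERNEL) -> bool:
    """False if the kernel_version measurement is missing or older than the minimum."""
    buf = parse_ima_buf(log).get("kernel_version")
    return buf is not None and version_tuple(buf.decode()) >= minimum


def selinux_state(log: str) -> Optional[Dict[str, str]]:
    """Decode the 'key=value;' pairs of the measured SELinux state, or None if absent."""
    buf = parse_ima_buf(log).get("selinux-state")
    if buf is None:
        return None
    pairs = (p.split("=", 1) for p in buf.decode().split(";") if p)
    return {k: v for k, v in pairs}


if __name__ == "__main__":
    print("kernel ok:", kernel_version_ok(SAMPLE_LOG))   # True
    print("selinux:", selinux_state(SAMPLE_LOG))         # {'initialized': '1', 'enforcing': '1'}
```

A real verifier would additionally replay the template hashes against the TPM PCR quote before trusting any decoded buffer; that step is omitted here.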

These changes and other integrity subsystem improvements are part of this pull request in Linux 5.12.
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.
