The Integrity Measurement Architecture (IMA) is an integrity measurement subsystem of the Linux kernel. It compares a stored baseline (reference) value for a file with the value measured at run time to determine whether the file has been tampered with, unintentionally or maliciously, and in this way protects system integrity.
As an integrity measurement framework provided by the Linux kernel, IMA can measure the integrity of executable files, dynamic libraries, scripts, and configuration files. IMA policy rules can match on SELinux labels, so measurement can be enabled only for specific file types. IMA measures a file by computing a cryptographic hash (for example, SHA-256) of its content when the file is loaded; the hash is a one-way digest, not an encryption of the file. The result is recorded in a measurement list (exposed under securityfs as ascii_runtime_measurements), which is how the integrity of system files is recorded and later verified. A remote attestation server can verify this list against the baseline and raise an alarm when a file's measurement deviates from it. IMA also uses a Trusted Platform Module (TPM) compliant with the TCG standard as the hardware root of trust: each measurement is extended into a TPM platform configuration register (PCR 10 by default), so entries cannot be removed or altered after the fact without the PCR value exposing the discrepancy, which is what makes the measurement list trustworthy.
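The following added example (not code from the page, the kernel, or any distribution) simulates both sides of the mechanism described above: a measured system that hashes each file at load time, writes an ascii_runtime_measurements line in the ima-ng template format and extends the template hash into a simulated TPM PCR 10, and a verifier that replays the list, recomputes each line's template hash, and compares file digests with a stored baseline. All file contents and the boot_aggregate entry are constructed; the TPM is a stand-in class, and the ima-ng field layout (d-ng = "algo:\0" + raw digest, n-ng = path + "\0", each prefixed by a 32-bit little-endian length, hashed with SHA-1) is an assumption stated in the code.

```python
"""Simulate IMA measure-and-extend on the measured system, then replay the list on
a verifier. Added example with constructed data; not kernel, openEuler or TPM code."""
import hashlib
import struct

PCR_INDEX = 10  # IMA extends its measurements into PCR 10 by default

def ima_ng_template_hash(algo: str, digest: bytes, path: str) -> bytes:
    """Recompute the ima-ng template digest (SHA-1 over the template fields).
    Assumed layout (kernel ima-ng template, little-endian host): d-ng = "<algo>:\\0" +
    raw digest, n-ng = path + "\\0", each preceded by its 32-bit length."""
    d_ng = algo.encode() + b":\x00" + digest
    n_ng = path.encode() + b"\x00"
    h = hashlib.sha1()
    for field in (d_ng, n_ng):
        h.update(struct.pack("<I", len(field)))
        h.update(field)
    return h.digest()

class SimulatedTPM:
    """Stand-in for a TPM SHA-1 PCR bank: extend is PCR = SHA1(PCR || value), so a
    value can be folded in but never removed, replaced or reordered afterwards."""
    def __init__(self):
        self.pcrs = {i: bytes(20) for i in range(24)}
    def extend(self, index: int, value: bytes) -> None:
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + value).digest()

class MeasuredSystem:
    """Kernel side: hash each file as it is loaded, append a line in
    ascii_runtime_measurements format and extend the template hash into the TPM."""
    def __init__(self, tpm: SimulatedTPM):
        self.tpm, self.log = tpm, []
        # A real list starts with boot_aggregate; its content is a constructed placeholder here.
        self.measure("boot_aggregate", b"constructed boot aggregate")
    def measure(self, path: str, content: bytes) -> str:
        digest = hashlib.sha256(content).digest()
        thash = ima_ng_template_hash("sha256", digest, path)
        self.tpm.extend(PCR_INDEX, thash)
        self.log.append(f"{PCR_INDEX} {thash.hex()} ima-ng sha256:{digest.hex()} {path}")
        return digest.hex()

def verify_measurements(log_lines, quoted_pcr: bytes, baseline: dict) -> dict:
    """Verifier side: recheck each line's template hash (edited lines), replay the extends
    against the quoted PCR (removed or substituted lines), compare digests with the baseline."""
    pcr, bad_lines, tampered_files = bytes(20), [], []
    for line in log_lines:
        _idx, thash_hex, _template, digest_field, path = line.split(" ", 4)
        algo, digest_hex = digest_field.split(":", 1)
        thash = bytes.fromhex(thash_hex)
        if ima_ng_template_hash(algo, bytes.fromhex(digest_hex), path) != thash:
            bad_lines.append(path)
        pcr = hashlib.sha1(pcr + thash).digest()
        if path in baseline and baseline[path] != digest_hex:
            tampered_files.append(path)
    return {"pcr_match": pcr == quoted_pcr, "bad_lines": bad_lines, "tampered_files": tampered_files}

# Constructed file contents standing in for files loaded on the measured system.
FILES = {
    "/usr/bin/ls": b"constructed ls binary",
    "/usr/lib64/libc.so.6": b"constructed libc bytes",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}
BASELINE = {path: hashlib.sha256(content).hexdigest() for path, content in FILES.items()}

def boot_and_measure(files: dict):
    """Boot a fresh simulated system, load every file, return (log, quoted PCR 10)."""
    tpm = SimulatedTPM()
    system = MeasuredSystem(tpm)
    for path, content in files.items():
        system.measure(path, content)
    return system.log, tpm.pcrs[PCR_INDEX]

def replace_line(log, path, new_line):
    return [new_line if l.endswith(" " + path) else l for l in log]

def demo() -> dict:
    """Four scenarios; returns the verifier's report for each."""
    target = "/etc/ssh/sshd_config"
    clean_log, clean_pcr = boot_and_measure(FILES)
    # Attacker weakens sshd_config: its digest no longer matches the baseline.
    tampered_log, tampered_pcr = boot_and_measure({**FILES, target: b"PermitRootLogin yes\n"})
    # Swapping the original log line back in hides the digest, but the TPM PCR no longer replays.
    clean_line = next(l for l in clean_log if l.endswith(" " + target))
    substituted_log = replace_line(tampered_log, target, clean_line)
    # Editing only the digest field in place breaks that line's own template hash.
    parts = next(l for l in tampered_log if l.endswith(" " + target)).split(" ", 4)
    parts[3] = "sha256:" + BASELINE[target]
    edited_log = replace_line(tampered_log, target, " ".join(parts))
    return {
        "clean": verify_measurements(clean_log, clean_pcr, BASELINE),
        "file_tampered": verify_measurements(tampered_log, tampered_pcr, BASELINE),
        "log_substituted": verify_measurements(substituted_log, tampered_pcr, BASELINE),
        "log_edited": verify_measurements(edited_log, tampered_pcr, BASELINE),
    }

if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The four scenarios show why the three checks are all needed: the baseline comparison alone catches the modified sshd_config, but only the PCR replay catches a log whose tampered line was swapped for the original, and only recomputing the template hash catches a line whose digest field was edited in place. On a real system the verifier would read the list from /sys/kernel/security/ima/ascii_runtime_measurements and obtain the PCR value from a signed TPM quote rather than from an in-process object.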
IMA provides three functions, which correspond to the actions in its policy rules: measure (hash the file and record the result in the measurement list, extending it into the TPM), appraise (compare the hash with a stored reference value, such as the value in the security.ima extended attribute, and deny access on mismatch), and audit (record the hash in the audit log).
IMA detects whether files in the system have been tampered with and provides a measurement foundation that other security functions can build on.