IMA and EVM Concepts

The Linux Integrity Measurement Architecture (IMA) is part of the Linux kernel. IMA comprises three features: IMA-Measurement, IMA-Appraisal, and IMA-Audit. These features are triggered by IMA policy rule actions.

IMA-Measurement maintains a measurement event log and, if the platform has a TPM chip, maintains an aggregate integrity value over this event log in a PCR. It typically uses PCR 10. A TPM attestation quote is a signature over the PCR, indirectly providing integrity over the measurement event log. The measurement feature requires both a TPM and an independent verifier.

Measurement is similar to the pre-OS trusted boot concept. The first measurement is the boot aggregate, which is a hash of TPM PCRs 0-9.

IMA keeps a table of the measured hash values. If a hash is seen again, the contents are not re-measured. CONFIG_IMA_DISABLE_HTABLE offers other options.

IMA-Appraisal can check the file's digital signature or hash and deny access if the signature verificati…
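The measurement-and-replay idea above, as an added model that is not part of the IMA documentation: it simulates the event log, the digest table that suppresses re-measurement, the SHA-1 PCR extend into PCR 10, and the verifier's replay of the log against a quoted PCR value. The template-digest encoding is a simplifying assumption (the real ima-ng framing differs), the quote signature is assumed to have been checked already, and all sample hashes are constructed.

```python
import hashlib

IMA_PCR = 10                # IMA's usual measurement PCR
ZERO_PCR = b"\x00" * 20     # a SHA-1 PCR bank starts at all zeros

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend for a SHA-1 PCR: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def template_digest(file_hash: bytes, path: str) -> bytes:
    """Stand-in for the template hash the kernel computes over an entry's
    fields (assumption: plain concatenation; real ima-ng framing differs)."""
    return hashlib.sha1(file_hash + path.encode()).digest()

class MeasurementLog:
    """Models IMA's event log, the digest table that suppresses re-measurement
    and the PCR aggregate that each new entry is extended into."""
    def __init__(self):
        self.entries = []       # (pcr, template_hash, file_hash, path)
        self.seen = set()       # digest table (CONFIG_IMA_DISABLE_HTABLE unset)
        self.pcr = ZERO_PCR     # the TPM-side aggregate

    def measure(self, file_hash: bytes, path: str) -> bool:
        """True if a new entry was logged and extended into the PCR."""
        if file_hash in self.seen:
            return False        # same content already measured: nothing new
        th = template_digest(file_hash, path)
        self.entries.append((IMA_PCR, th, file_hash, path))
        self.pcr = pcr_extend(self.pcr, th)
        self.seen.add(file_hash)
        return True

def replay(entries) -> bytes:
    """Verifier side: recompute each template hash from the logged fields and
    re-extend, giving the PCR value the log implies."""
    pcr = ZERO_PCR
    for pcr_idx, _, file_hash, path in entries:
        if pcr_idx == IMA_PCR:
            pcr = pcr_extend(pcr, template_digest(file_hash, path))
    return pcr

def verify_quote(entries, quoted_pcr: bytes) -> bool:
    """A quoted PCR 10 (quote signature assumed already checked) matches the
    log only if no entry was altered, dropped or reordered."""
    return replay(entries) == quoted_pcr
```

A log whose entries were edited, dropped or reordered after the fact replays to a different value than the TPM quoted, which is how the verifier catches tampering even though the log itself lives in unprotected kernel memory.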

ima-doc.readthedocs.io