
I am working on a project which requires Integrity measurement of OS (Linux). One way to do that is using IMA but I am not sure if it fits in the scenario below.

The scenario of the project is somewhat like this:

The system boots up and measurement is done using trusted-grub. So the PCR 0-7 are filled up. Then the OS is loaded (linux). Then I have a software named "Checker". The purpose of this software is to check if something is modified in the system or not. What I am thinking is that I will store the PCRs values for the "checker". Once the system is restarted and new values are extended into the PCRs, the existing (stored) PCRs values are then compared to the new PCRs values.

One thing I did was to use the check-file feature in trusted-grub to ensure the integrity of my "checker" software, as it will be only one executable file.

The problem is that now I want to measure the OS (preferably Linux) and extend the measurement into a PCR. But I am not getting any clue how to do that. It would be great if I can get any comment on how to solve this problem.

1 Answer


Trusted-grub provides this capability.

PCRs 0-7 are filled if you have a TPM-aware BIOS. Trusted-grub will fill PCRs 8-14 with grub config, options, kernel, module hashes - see the 2.4 Measurements section.

Here's what the PCRs look like without a TPM-aware boot loader:

    # cat /sys/devices/pnp0/00:09/pcrs 
    PCR-00: A8 5A 84 B7 38 FC C0 CF 3A 44 7A 5A A7 03 83 0B BE E7 BD D9 
    PCR-01: 11 40 C1 7D 0D 25 51 9E 28 53 A5 22 B7 1F 12 24 47 91 15 CB 
    PCR-02: A3 82 9A 64 61 85 2C C1 43 ED 75 83 48 35 90 4F 07 A9 D5 2C 
    PCR-03: B2 A8 3B 0E BF 2F 83 78 29 9A 5B 2B DF C3 1E A9 55 AD 72 36 
    PCR-04: 78 93 CF 58 0E E1 A3 8F DA 6F E0 3B C9 53 76 28 12 93 EF 82 
    PCR-05: 72 A7 A9 6C 96 39 38 52 D5 9B D9 12 39 75 86 44 3E 20 10 2F 
    PCR-06: 92 20 EB AC 21 CE BA 8A C0 AB 92 0E D0 27 E4 F8 91 C9 03 EE 
    PCR-07: B2 A8 3B 04 BF 2F 83 74 29 9A 5B 4B DF C3 1E A9 55 AD 72 36 
    PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
    PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
    PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
    PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
    PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
    PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
    PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

As you can see, PCR 0-7 are filled, but PCR 8 to 15 are empty unless a TPM-aware bootloader (e.g. trusted-grub) extends them (they are still reset to 0). If you don't have those PCRs filled, something's wrong with your trusted-grub setup.

Another way would be to use TXT to load a trusted OS, in which case PCRs 17-23 would be filled with the trusted OS measurements. Presently, as TXT is not used, the PCRs are filled with 1s (f). They only get reset once TXT is launched. See Intel's tboot.

Nik Bougalis
northox
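The store-and-compare check the question describes, as an added example that is not part of the question or the answer: it parses the `pcrs` sysfs layout shown in the dump above, replays TPM 1.2 SHA-1 extends to compute the value a register should hold after a known sequence of measurements (e.g. PCR 8 after trusted-grub hashes the kernel), and reports registers whose live value differs from stored golden values. The sample dump is constructed from three lines of the answer's output, and the measured blobs and golden values are constructed stand-ins rather than real kernel images.

```python
import hashlib
import re

# Constructed sample in the layout of the /sys/devices/pnp0/00:09/pcrs dump
# quoted in the answer (TPM 1.2: SHA-1, 20-byte registers); three lines only.
SAMPLE_DUMP = """\
PCR-00: A8 5A 84 B7 38 FC C0 CF 3A 44 7A 5A A7 03 83 0B BE E7 BD D9
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
"""

PCR_LINE = re.compile(r"^PCR-(\d+):\s*((?:[0-9A-Fa-f]{2}\s*){20})$")

def parse_pcrs(text):
    """Parse 'PCR-NN: xx xx ...' lines into {index: 20-byte value}."""
    pcrs = {}
    for line in text.splitlines():
        m = PCR_LINE.match(line.strip())
        if m:
            pcrs[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pcrs

def pcr_extend(current, digest):
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || digest). A register is never
    written directly, so the final value depends on every prior extend, in order."""
    return hashlib.sha1(current + digest).digest()

def expected_pcr(blobs, initial=bytes(20)):
    """Replay measured objects (kernel, initrd, ...) in boot order: hash each
    one and extend it into a register that starts at 20 zero bytes."""
    value = initial
    for blob in blobs:
        value = pcr_extend(value, hashlib.sha1(blob).digest())
    return value

def verify(dump_text, golden):
    """Return indices whose live value differs from the stored golden value;
    a register missing from the dump also counts as a mismatch."""
    live = parse_pcrs(dump_text)
    return sorted(i for i, v in golden.items() if live.get(i) != v)

def format_pcr(index, value):
    """Render a register in the same 'PCR-NN: xx xx ...' layout as the sysfs file."""
    return "PCR-%02d: %s" % (index, " ".join("%02X" % b for b in value))

if __name__ == "__main__":
    # Constructed stand-ins for the objects a measuring boot loader would hash.
    golden = {8: expected_pcr([b"vmlinuz-example", b"initrd-example"])}
    live = SAMPLE_DUMP.replace(format_pcr(8, bytes(20)), format_pcr(8, golden[8]))
    print("mismatching PCRs:", verify(live, golden))  # []
```

On a real system the "checker" would read the live values from the sysfs file and keep the golden values somewhere the measured boot chain also covers, since a golden file that can be rewritten alongside the kernel proves nothing.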