I am trying to activate the IMA appraisal & EVM modules.

After compiling Linux kernel 3.10.2 on my bt5R3 and initially setting the kernel boot options like this:

GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=fix ima_appraise_tcb evm=fix"

and after running this command to generate the security.ima and security.evm xattrs:

find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -c 1 '{}' \;

and then setting them like this:

GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=enforce ima_appraise_tcb evm=enforce"

I try to create a digital signature in the xattr as recommended in the tutorial Tutorial to IMA & EVM. It seems to work for immutable files with IMA, but not for EVM.

evmctl sign -u - -x --imahash new.sh
gives "Permission denied" when I reboot and try to launch it.
But when I use
evmctl sign -u - --imahash new.sh
the hash is created correctly before the reboot:


root@bt:~/Desktop# getfattr -m . -d new.sh
# file: new.sh
security.evm=0sAwFGfvtRAABzverB5Wn60QEEAFuDBwwe/Dw4crcy8XYwVFgkKnIDwz4ZwHhwLs0Gf/QPrlJOM/gB1a7NhlCo9NArzbo0cfJxU2j28Amromvlmy6wtdbv3HbAuZbpbZ7JyGI9r3sQXarGV/z764G2Ic2myaUk1B9ADowDhKsQybNjuNVF7xNz2c30DSwLlLweP2gd
security.ima=0sAasqoo2HlztKurTEoLQjFIpsI9Fn

After a reboot, the hash is lost...
root@bt:~/Desktop# getfattr -m . -d new.sh 
# file: new.sh
security.evm=0sApBPpCiVtujFqqeUkq5GIhuzX06b
security.ima=0sAasqoo2HlztKurTEoLQjFIpsI9Fn

Every step has been followed: creating RSA keys and loading them early at boot in the initramfs with keyctl.

Session Keyring
       -3 --alswrv      0 65534  keyring: _uid_ses.0
977514165 --alswrv      0 65534   \_ keyring: _uid.0
572301790 --alswrv      0     0       \_ user: kmk-user
126316032 --alswrv      0     0       \_ encrypted: evm-key
570886575 --alswrv      0     0       \_ keyring: _ima
304346597 --alswrv      0     0       \_ keyring: _evm

However, as soon as I reboot my OS, when I try to read a signed and hashed file I get the error "Permission denied". Running dmesg tells me:

[ 5461.175996] type=1800 audit(1375262160.913:57): pid=1756 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="**invalid-HMAC**" comm="sh" name="/root/Desktop/new.sh" dev="sda1" ino=546526 res=0

Do you have any idea why I get invalid-HMAC? The keys are loaded as the tutorial says...

Maybe there is a known issue between the new kernel (3.10.2), whose IMA & EVM verification functions check the integrity of the file, and the way I hash the security.evm xattr with evmctl?


Thanks for your help

PS: I'm also looking for a good doc, if one exists, that explains how and when IMA measurements are done.
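An added example (not part of the question above, and not code from ima-evm-utils or the kernel) that decodes the two getfattr dumps posted in it. getfattr prints binary values as 0s followed by base64, and the first byte of security.ima / security.evm is the kernel's enum evm_ima_xattr_type: 0x01 is a plain IMA hash, 0x02 an HMAC the kernel computed itself, 0x03 an evmctl RSA signature. After the 0x03 byte comes the v1 signature header (version, timestamp, algorithm, hash, 8-byte key id, MPI count, then each MPI as a big-endian bit count plus its bytes); those layouts are taken from the kernel's integrity and digsig headers, everything else (function names, the report format) is this script's own. Run on the values from the post it shows the pre-reboot security.evm to be a 1024-bit RSA/SHA1 v1 signature under key id 73bdeac1e569fad1 and the post-reboot value to be a 20-byte EVM_XATTR_HMAC, while security.ima is the same IMA_XATTR_DIGEST in both dumps. The script only makes that change visible; it does not say why the kernel rewrote the xattr.

```python
"""Decode the security.ima / security.evm values printed by getfattr -m . -d."""
import base64
import struct
from datetime import datetime, timezone

# First byte of security.ima / security.evm: enum evm_ima_xattr_type (3.10 kernel).
XATTR_TYPES = {
    0x01: "IMA_XATTR_DIGEST",      # plain file hash (ima_appraise=fix, evmctl --imahash)
    0x02: "EVM_XATTR_HMAC",        # HMAC over the protected xattrs, computed by the kernel
    0x03: "EVM_IMA_XATTR_DIGSIG",  # RSA signature written by evmctl sign
}
# v1 signature header that follows the 0x03 byte: u8 version, u32 timestamp (host
# order, little-endian on x86), u8 algo, u8 hash, u8 keyid[8], u8 nmpi, then each MPI
# as a big-endian 16-bit bit count followed by the big-endian integer bytes.
SIG_HDR_V1 = struct.Struct("<BIBB8sB")
PUBKEY_ALGOS = {0: "RSA"}
DIGEST_ALGOS = {0: "SHA1", 1: "SHA256"}

# The two dumps exactly as shown in the question (before and after the reboot).
BEFORE_REBOOT = """\
# file: new.sh
security.evm=0sAwFGfvtRAABzverB5Wn60QEEAFuDBwwe/Dw4crcy8XYwVFgkKnIDwz4ZwHhwLs0Gf/QPrlJOM/gB1a7NhlCo9NArzbo0cfJxU2j28Amromvlmy6wtdbv3HbAuZbpbZ7JyGI9r3sQXarGV/z764G2Ic2myaUk1B9ADowDhKsQybNjuNVF7xNz2c30DSwLlLweP2gd
security.ima=0sAasqoo2HlztKurTEoLQjFIpsI9Fn
"""
AFTER_REBOOT = """\
# file: new.sh
security.evm=0sApBPpCiVtujFqqeUkq5GIhuzX06b
security.ima=0sAasqoo2HlztKurTEoLQjFIpsI9Fn
"""


def decode_getfattr_value(value):
    """getfattr -d encodes binary values as 0s<base64> (or 0x<hex>); text is quoted."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:], validate=True)
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    return value.strip('"').encode()


def parse_integrity_xattr(raw):
    """Describe one security.ima / security.evm value by its type byte."""
    if not raw:
        raise ValueError("empty xattr")
    xtype, body = raw[0], raw[1:]
    info = {"type": xtype, "type_name": XATTR_TYPES.get(xtype, "UNKNOWN")}
    if xtype in (0x01, 0x02):
        info["digest"] = body.hex()  # 20 bytes for SHA1 / HMAC-SHA1
    elif xtype == 0x03:
        version, ts, algo, hsh, keyid, nmpi = SIG_HDR_V1.unpack_from(body)
        if version != 1:
            raise ValueError("only the v1 signature header is handled here")
        off, mpi_bits = SIG_HDR_V1.size, []
        for _ in range(nmpi):
            nbits = int.from_bytes(body[off:off + 2], "big")
            mpi_bits.append(nbits)
            off += 2 + (nbits + 7) // 8
        if off != len(body):
            raise ValueError("signature length does not match the MPI count")
        info.update(
            timestamp=ts,
            signed_at=datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            pubkey_algo=PUBKEY_ALGOS.get(algo, algo),
            hash_algo=DIGEST_ALGOS.get(hsh, hsh),
            keyid=keyid.hex(),  # the id the kernel looks up in the _ima / _evm keyring
            mpi_bits=mpi_bits,
        )
    return info


def parse_getfattr_output(text):
    """Map file -> xattr name -> decoded info for each '# file:' block getfattr prints."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file:"):
            current = line.split(":", 1)[1].strip()
            files[current] = {}
        elif current is not None and line.startswith("security.") and "=" in line:
            name, value = line.split("=", 1)
            files[current][name] = parse_integrity_xattr(decode_getfattr_value(value))
    return files


def xattr_type_changes(before_text, after_text):
    """For every file/xattr present in both dumps, report (type before, type after)."""
    before, after = parse_getfattr_output(before_text), parse_getfattr_output(after_text)
    return {
        path: {
            name: (before[path][name]["type_name"], after[path][name]["type_name"])
            for name in before[path].keys() & after[path].keys()
        }
        for path in before.keys() & after.keys()
    }


if __name__ == "__main__":
    for label, dump in (("before reboot", BEFORE_REBOOT), ("after reboot", AFTER_REBOOT)):
        for path, attrs in parse_getfattr_output(dump).items():
            for name, info in attrs.items():
                print(f"{label}: {path} {name}: {info}")
    print(xattr_type_changes(BEFORE_REBOOT, AFTER_REBOOT))
```

The same decoder works on any getfattr -m . -d dump, so it can be run over a whole tree before and after a reboot to see which files had their signature replaced by an HMAC; a file whose security.evm type changed from 0x03 to 0x02 is one the kernel rewrote rather than one whose signature merely failed to verify.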