linux-ima-user — Q&A for users of IMA

Re: [Linux-ima-user] ima: No TPM chip found

[PAUCHEN C. <pa...@li...>]

  Micka,

     I got the same error when I was working with a TPM card on a Raspberry Pi.

     The cause is that the SPI controller depends on the clock, which is not initialized
     before the SPI controller. So the initialization of the SPI controller is deferred.

     I upgraded to kernel 4.8.y, with Commit 29c7854 "Register the clocks early during the boot process”.
     And this fixed the problem.


 Regards, 

Re: [Linux-ima-user] ima: No TPM chip found

[Micka <mic...@gm...>]

the config file is respecting the wiki
https://sourceforge.net/p/linux-ima/wiki/Home/ .
I think that the problem is the order between the spi init and the init of
the ima . I'm working in the kernel 4.4

but when I look at the initcall there should be no problem :
spi init:
#define postcore_initcall
<http://lxr.free-electrons.com/ident?i=postcore_initcall>(fn)
__define_initcall <http://lxr.free-electrons.com/ident?i=__define_initcall>(fn,
2)

ima:
late_initcall <http://lxr.free-electrons.com/ident?i=late_initcall>(init_ima
<http://lxr.free-electrons.com/ident?i=init_ima>); */* Start IMA after the
TPM is available */*

=> #define late_initcall
<http://lxr.free-electrons.com/ident?v=4.4;i=late_initcall>(fn)
__define_initcall
<http://lxr.free-electrons.com/ident?v=4.4;i=__define_initcall>(fn, 7)

but the log say otherwise :
spi:
[    7.151174] spi register master
ima :
[    3.651373] ima: No TPM chip found, activating TPM-bypass!

I'm using device tree to tell that I have the TPM .... I don't understand
why the call of spi is after ima !



Le lun. 27 févr. 2017 à 11:10, Nayna <na...@li...> a écrit :

>
>
> On 02/27/2017 03:02 PM, Micka wrote:
> > Hi,
> >
> > I 've compiled my kernel with TPM and IMA activated.
> >
> > But I have :
> >
> > [    3.660890] ima: No TPM chip found, activating TPM-bypass!
> >
> > And later :
> >
> > [    9.126292] tpm_tis_spi spi2.0: 1.2 TPM (device-id 0x0, rev-id 78)
> >
> > I've no problem taking the ownership of the TPM, it's working . But for
> > some reason the initialization of the TPM come after the IMA ? How can I
> > fix that ?
>
> Check your .config file. You have a dependency missing for TPM because
> of which TPM driver initialization is deferred to later time.
>
> This should also solve second problem
>
> Thanks & Regards,
>      - Nayna
>
> >
> > an another problem :
> > PCR 10 : for some reason, the sha1 is set to 0 here :
> > su -c 'head -5 /sys/kernel/security/ima/ascii_runtime_measurements'
> > 10 118d532d463c9f8c235d0df7487669a85f039260 ima-ng
> > sha1:0000000000000000000000000000000000000000 boot_aggregate
> >
> >
> > Micka,
> >
> >
> >
> ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> >
> >
> >
> > _______________________________________________
> > Linux-ima-user mailing list
> > Lin...@li...
> > https://lists.sourceforge.net/lists/listinfo/linux-ima-user
> >
>
>

Re: [Linux-ima-user] ima: No TPM chip found

[Nayna <na...@li...>]

On 02/27/2017 03:02 PM, Micka wrote:
> Hi,
>
> I 've compiled my kernel with TPM and IMA activated.
>
> But I have :
>
> [    3.660890] ima: No TPM chip found, activating TPM-bypass!
>
> And later :
>
> [    9.126292] tpm_tis_spi spi2.0: 1.2 TPM (device-id 0x0, rev-id 78)
>
> I've no problem taking the ownership of the TPM, it's working . But for
> some reason the initialization of the TPM come after the IMA ? How can I
> fix that ?

Check your .config file. You have a dependency missing for TPM because 
of which TPM driver initialization is deferred to later time.

This should also solve second problem

Thanks & Regards,
     - Nayna

>
> an another problem :
> PCR 10 : for some reason, the sha1 is set to 0 here :
> su -c 'head -5 /sys/kernel/security/ima/ascii_runtime_measurements'
> 10 118d532d463c9f8c235d0df7487669a85f039260 ima-ng
> sha1:0000000000000000000000000000000000000000 boot_aggregate
>
>
> Micka,
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
>
>
> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
>

[Linux-ima-user] ima: No TPM chip found

[Micka <mic...@gm...>]

Hi,

I 've compiled my kernel with TPM and IMA activated.

But I have :

[    3.660890] ima: No TPM chip found, activating TPM-bypass!

And later :

[    9.126292] tpm_tis_spi spi2.0: 1.2 TPM (device-id 0x0, rev-id 78)

I've no problem taking the ownership of the TPM, it's working . But for
some reason the initialization of the TPM come after the IMA ? How can I
fix that ?

an another problem :
PCR 10 : for some reason, the sha1 is set to 0 here :
su -c 'head -5 /sys/kernel/security/ima/ascii_runtime_measurements'
10 118d532d463c9f8c235d0df7487669a85f039260 ima-ng
sha1:0000000000000000000000000000000000000000 boot_aggregate


Micka,

[Linux-ima-user] Current State of directory & special files integrity verification

[ALTGELT, M. <Max...@be...>]

Hi,

I am currently looking for a way to detect offline tampering in one of our projects and IMA/EVM is currently looking like one of the best ways to do so. However, so far, we don’t have a way to detect attacks that simply move or remove files. Directory and special files integrity verification, as mentioned in some older presentations, could prevent these – however, I am not sure on what its current state is. Is it still in development? If so, is there a timeplan on when it will be officially added to IMA?

Thank you,

Max Altgelt

________________________________
Berner & Mattner Systemtechnik GmbH: Sitz der Gesellschaft | Corporate Headquarters: München
Handelsregister | Commercial Register: Amtsgericht München HRB 83252
Geschäftsführung | Management: Alexander Graf (CEO), Josef Mitterhuber (COO)

Re: [Linux-ima-user] Dual signing for IMA files

[Mimi Z. <zo...@li...>]

On Thu, 2017-02-16 at 21:27 +0000, Jeff Hewett (jhewett) wrote:
> Has anyone considered dual signing for IMA files? I'm exploring a use
> case for this and just wondering if it has been discussed in the past
> or if others have this need. Currently, only a single signature is
> supported on files.

No, it has not been discussed yet on the mailing lists.  Ii realize it's
not the same as having multiple signature support, but the ima-evm-utils
git repo next branch has support for writing a detached signature as a
security.ima xattr.  Refer to commit 233dedf  "Write out .sig file as
security.ima xattr". 

Mimi

[Linux-ima-user] Dual signing for IMA files

[Jeff H. (jhewett) <jh...@ci...>]

Has anyone considered dual signing for IMA files? I'm exploring a use case for this and just wondering if it has been discussed in the past or if others have this need. Currently, only a single signature is supported on files.

Regards,
Jeff H.

Re: [Linux-ima-user] Permission denied on access with IMA when appraise only a particular SELinux obj_type

[Mimi Z. <zo...@li...>]

On Tue, 2017-02-07 at 16:38 -0800, Nassim Eddequiouaq wrote:
> Hello,
> 
> Disclaimer: I'm pretty new at IMA/EVM.
> 
> My goal is to have IMA and/or EVM prevent any modification on one or
> several specific portions of my filesystem at runtime. I went for
> labeling this portion with a particular SELinux type and a custom IMA
> policy which would disable measuring and appraising everything except
> the files with this obj_type.
> 
> Problem: I get a "Permission denied" when setting files to the proper
> obj_type when the custom IMA policy is loaded in /etc/ima/ima-policy
> even though it's valid for IMA:
> 
> # echo "lol" > foo
> # evmctl sign --imasig foo
> # evmctl ima_verify foo
> Verification is OK
> # cat foo
> lol
> # chcon -t custom_t foo
> # ls -Z foo
> -rw-r--r--. root root unconfined_u:object_r:custom_t:s0 foo
> # cat foo
> cat: foo: Permission denied
> # restorecon foo
> # cat foo
> lol
> 
> I get the same result if I specify '--key' to 'evmctl sign' and
> 'evmctl ima_verity' with the keys in '/etc/keys/'
> 
> === IMA POLICY ===
> # PROC_SUPER_MAGIC
> dont_appraise fsmagic=0x9fa0
> dont_measure fsmagic=0x9fa0
> # SYSFS_MAGIC
> dont_appraise fsmagic=0x62656572
> dont_measure fsmagic=0x62656572
> # DEBUGFS_MAGIC
> dont_appraise fsmagic=0x64626720
> dont_measure fsmagic=0x64626720
> # TMPFS_MAGIC
> dont_appraise fsmagic=0x01021994
> dont_measure fsmagic=0x01021994
> # RAMFS_MAGIC
> dont_appraise fsmagic=0x858458f6
> dont_measure fsmagic=0x858458f6
> # DEVPTS_SUPER_MAGIC
> dont_appraise fsmagic=0x1cd1
> dont_measure fsmagic=0x1cd1
> # BIFMT
> dont_appraise fsmagic=0x42494e4d
> dont_measure fsmagic=0x42494e4d
> # SECURITYFS_MAGIC
> dont_appraise fsmagic=0x73636673
> dont_measure fsmagic=0x73636673
> # SELINUXFS_MAGIC
> dont_appraise fsmagic=0xf97cff8c
> dont_measure fsmagic=0xf97cff8c
> # NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the
> upstream Linux kernel)
> dont_appraise fsmagic=0x6e736673
> dont_measure fsmagic=0x6e736673
> # SMACK_MAGIC
> dont_appraise fsmagic=0x43415d53
> dont_measure fsmagic=0x43415d53
> # CGROUP_SUPER_MAGIC
> dont_appraise fsmagic=0x27e0eb
> dont_measure fsmagic=0x27e0eb
> # EFIVARFS_MAGIC
> dont_appraise fsmagic=0xde5e81e4
> dont_measure fsmagic=0xde5e81e4
> # TRACEFS_MAGIC
> dont_appraise fsmagic=0x74726163
> dont_measure fsmagic=0xde5e81e4
> # MSDOS_SUPER_MAGIC
> # Excluded for external USB sticks. Does not
> # support xattrs anyway.
> dont_appraise fsmagic=0x4d44
> dont_measure fsmagic=0x4d44
> # Appraise everything with custom_t
> appraise obj_type=custom_t
> measure fowner=0
> =============
> 
> === Boot params ===
> linux   /boot/vmlinuz [..] selinux=1 security=selinux
> ima_appraise=enforce evm=enforce
> =================
> 
> # getfattr -m ^security -e hex --dump foo
> file: foo
> security.evm=0x03020219c5cdb5008089c1d0f8457b5820a8b9ce81f766768a1bf0cdb7ba570c0073847a75ce4299c2700ec55638e0ed269c08d42e261ef8bd71fb3a5fa7f6611f093a72f1946d741f68d3b1348d77e042ddac0b41a00a8aa602468fa57c0ca9bc9ef87536618f7de43bc34c1a2d8e3262fe97074386fcc0a185e9e9ae9416830c1364eb9590b0aab7
> security.ima=0x03020219c5cdb50080db5dfc1aacc549788cc6056a9e4351c90bdcba303238a535d911e0fdd4b98743da1565d66a915a3ef626827c79a4e4e466d8d589ae9d0e3fabdedcdd7702ef8d687aa84a4ed698d7bf13c40fb2341134867328af7d1680bef37011a06319026f57eac708d0d632de1b1d513790c6cb232b073c6c972296f5852ad9ebac9f33c0
> security.selinux=0x756e636f6e66696e65645f753a6f626a6563745f723a61646d696e5f686f6d655f743a733000
> 
> # keyctl show %keyring:.ima
> Keyring
> 590616299 --alswrv      0     0  keyring: .ima

The key 'id:19c5cdb5' needs to be loaded onto the IMA keyring in order
to validate the signature.

The certificate being loaded onto the IMA keyring needs to be signed by
a key on the .builtin_trusted_keys keyring.  There are two ways of
adding keys to the .builtin_trusted_keys keyring:

- build a kernel containing the public key of the "local CA"
- inject the key post build using Mehmet's "Certificate insertion
support for x86 bzImages" patches, assuming memory was reserved in the
initial kernel.

Mimi

> 
> # ls /etc/keys/
> evm-key  kmk  privkey_evm.pem  pubkey_evm.pem  x509_evm.der
> 
> # dmesg | tail
> [ 3388.626049] digsig_asymmetric: Request for unknown key 'id:19c5cdb5' err -11
> 
> # cat /sys/kernel/security/evm
> 0
> 
> Any idea on what's wrong in my configuration?

[Linux-ima-user] Permission denied on access with IMA when appraise only a particular SELinux obj_type

[Nassim E. <edd...@gm...>]

Hello,

Disclaimer: I'm pretty new at IMA/EVM.

My goal is to have IMA and/or EVM prevent any modification on one or
several specific portions of my filesystem at runtime. I went for
labeling this portion with a particular SELinux type and a custom IMA
policy which would disable measuring and appraising everything except
the files with this obj_type.

Problem: I get a "Permission denied" when setting files to the proper
obj_type when the custom IMA policy is loaded in /etc/ima/ima-policy
even though it's valid for IMA:

# echo "lol" > foo
# evmctl sign --imasig foo
# evmctl ima_verify foo
Verification is OK
# cat foo
lol
# chcon -t custom_t foo
# ls -Z foo
-rw-r--r--. root root unconfined_u:object_r:custom_t:s0 foo
# cat foo
cat: foo: Permission denied
# restorecon foo
# cat foo
lol

I get the same result if I specify '--key' to 'evmctl sign' and
'evmctl ima_verity' with the keys in '/etc/keys/'

=== IMA POLICY ===
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_appraise fsmagic=0x62656572
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_appraise fsmagic=0x64626720
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_appraise fsmagic=0x01021994
dont_measure fsmagic=0x01021994
# RAMFS_MAGIC
dont_appraise fsmagic=0x858458f6
dont_measure fsmagic=0x858458f6
# DEVPTS_SUPER_MAGIC
dont_appraise fsmagic=0x1cd1
dont_measure fsmagic=0x1cd1
# BIFMT
dont_appraise fsmagic=0x42494e4d
dont_measure fsmagic=0x42494e4d
# SECURITYFS_MAGIC
dont_appraise fsmagic=0x73636673
dont_measure fsmagic=0x73636673
# SELINUXFS_MAGIC
dont_appraise fsmagic=0xf97cff8c
dont_measure fsmagic=0xf97cff8c
# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the
upstream Linux kernel)
dont_appraise fsmagic=0x6e736673
dont_measure fsmagic=0x6e736673
# SMACK_MAGIC
dont_appraise fsmagic=0x43415d53
dont_measure fsmagic=0x43415d53
# CGROUP_SUPER_MAGIC
dont_appraise fsmagic=0x27e0eb
dont_measure fsmagic=0x27e0eb
# EFIVARFS_MAGIC
dont_appraise fsmagic=0xde5e81e4
dont_measure fsmagic=0xde5e81e4
# TRACEFS_MAGIC
dont_appraise fsmagic=0x74726163
dont_measure fsmagic=0xde5e81e4
# MSDOS_SUPER_MAGIC
# Excluded for external USB sticks. Does not
# support xattrs anyway.
dont_appraise fsmagic=0x4d44
dont_measure fsmagic=0x4d44
# Appraise everything with custom_t
appraise obj_type=custom_t
measure fowner=0
=============

=== Boot params ===
linux   /boot/vmlinuz [..] selinux=1 security=selinux
ima_appraise=enforce evm=enforce
=================

# getfattr -m ^security -e hex --dump foo
file: foo
security.evm=0x03020219c5cdb5008089c1d0f8457b5820a8b9ce81f766768a1bf0cdb7ba570c0073847a75ce4299c2700ec55638e0ed269c08d42e261ef8bd71fb3a5fa7f6611f093a72f1946d741f68d3b1348d77e042ddac0b41a00a8aa602468fa57c0ca9bc9ef87536618f7de43bc34c1a2d8e3262fe97074386fcc0a185e9e9ae9416830c1364eb9590b0aab7
security.ima=0x03020219c5cdb50080db5dfc1aacc549788cc6056a9e4351c90bdcba303238a535d911e0fdd4b98743da1565d66a915a3ef626827c79a4e4e466d8d589ae9d0e3fabdedcdd7702ef8d687aa84a4ed698d7bf13c40fb2341134867328af7d1680bef37011a06319026f57eac708d0d632de1b1d513790c6cb232b073c6c972296f5852ad9ebac9f33c0
security.selinux=0x756e636f6e66696e65645f753a6f626a6563745f723a61646d696e5f686f6d655f743a733000

# keyctl show %keyring:.ima
Keyring
590616299 --alswrv      0     0  keyring: .ima

# ls /etc/keys/
evm-key  kmk  privkey_evm.pem  pubkey_evm.pem  x509_evm.der

# dmesg | tail
[ 3388.626049] digsig_asymmetric: Request for unknown key 'id:19c5cdb5' err -11

# cat /sys/kernel/security/evm
0

Any idea on what's wrong in my configuration?

Best,

-- 
Nassim Eddequiouaq

Re: [Linux-ima-user] Compatibility of IMA with TPM 2.0

[Mimi Z. <zo...@li...>]

On Thu, 2017-02-02 at 19:19 +0000, Alfy . wrote:

> Hello, I want to know if IMA is compatible with TPM 2.0 (TSS 2.0 and
> tpm2-tools) on Ubuntu 16.04 LTS (kernel 4.6.0). Precisely I have to
> know if IMA is able to extend the PCR 10 of the TPM 2.0 with his
> measurements. This information is fundamental for my thesis work,
> thank you in advance for supporting my work.

The IMA measurements extend the TPM 2.0 sha1 bank.  With Nayna Jain's
patches that Jarkko is preparing to upstream for 4.11, the sha1 hash
will be padded with 0's and will be used to extend the other banks.

Mimi

[Linux-ima-user] Compatibility of IMA with TPM 2.0

[Alfy . <Ooa...@ho...>]

Hello, I want to know if IMA is compatible with TPM 2.0 (TSS 2.0 and tpm2-tools) on Ubuntu 16.04 LTS (kernel 4.6.0). Precisely I have to know if IMA is able to extend the PCR 10 of the TPM 2.0 with his measurements. This information is fundamental for my thesis work, thank you in advance for supporting my work.

[Linux-ima-user] Compatibility of IMA with TPM 2.0

[Alfy . <Ooa...@ho...>]

Hello, I want to know if IMA is compatible with TPM 2.0 (TSS 2.0 and tpm2-tools) on Ubuntu 16.04 LTS (kernel 4.6.0). Precisely I have to know if IMA is able to extend the PCR 10 of the TPM 2.0 with his measurements. This information is fundamental for my thesis work, thank you in advance for supporting my work.

Re: [Linux-ima-user] ima_inode_post_setattr

[Mimi Z. <zo...@li...>]

Hi Daniel,

On Mon, 2017-01-30 at 20:32 +0100, Daniel Glöckner wrote:
> Hello,
> 
> I'm trying to debug a problem with IMA appraisal where changing a file's
> attributes after something has been written to it and immediately trying
> to open it fails before ima_file_free is called. A simple testcase is:
> 
> $ rm -f testfile
> $ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile
> 
> Unfortunately I am stuck with an old kernel and have to manually backport
> fixes. I found 42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b which is trying
> to fix the ima_inode_post_setattr behavior by preserving IMA_NEW_FILE,
> but it doesn't seem to be enough to fix this, since IMA_NEW_FILE is only
> looked at by the DIGSIG parts of IMA (which I don't use), evm_protect_xattr,
> and ima_check_last_writer. Did I miss something?
> 
> If it is still broken in current kernel versions, I'd propose the
> following change to ima_appraise_measurement:
> 
>  		cause = "missing-hash";
>  		status = INTEGRITY_NOLABEL;
> -		if (opened & FILE_CREATED) {
> +		if (opened & FILE_CREATED)
>  			iint->flags |= IMA_NEW_FILE;
> +		if (iint->flags & IMA_NEW_FILE)
>  			status = INTEGRITY_PASS;
> -		}
>  		goto out;
> 
> I can send a proper patch for mainline if you agree that this change is
> still necessary.

Confirmed the problem still exists in upstream and the change fixes the
bug.

Mimi

[Linux-ima-user] ima_inode_post_setattr

[Daniel G. <dg...@em...>]

Hello,

I'm trying to debug a problem with IMA appraisal where changing a file's
attributes after something has been written to it and immediately trying
to open it fails before ima_file_free is called. A simple testcase is:

$ rm -f testfile
$ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile

Unfortunately I am stuck with an old kernel and have to manually backport
fixes. I found 42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b which is trying
to fix the ima_inode_post_setattr behavior by preserving IMA_NEW_FILE,
but it doesn't seem to be enough to fix this, since IMA_NEW_FILE is only
looked at by the DIGSIG parts of IMA (which I don't use), evm_protect_xattr,
and ima_check_last_writer. Did I miss something?

If it is still broken in current kernel versions, I'd propose the
following change to ima_appraise_measurement:

 		cause = "missing-hash";
 		status = INTEGRITY_NOLABEL;
-		if (opened & FILE_CREATED) {
+		if (opened & FILE_CREATED)
 			iint->flags |= IMA_NEW_FILE;
+		if (iint->flags & IMA_NEW_FILE)
 			status = INTEGRITY_PASS;
-		}
 		goto out;

I can send a proper patch for mainline if you agree that this change is
still necessary.

Best regards,

  Daniel

Re: [Linux-ima-user] [PATCH 3/3] ima_fs: Move three error code assignments in ima_write_policy()

[James M. <jm...@na...>]

On Fri, 27 Jan 2017, Mimi Zohar wrote:

> On Wed, 2017-01-25 at 10:34 +0100, SF Markus Elfring wrote:
> > From: Markus Elfring <el...@us...>
> > Date: Tue, 24 Jan 2017 22:47:07 +0100
> > 
> > A local variable was set to an error code in three cases before a concrete
> > error situation was detected. Thus move the corresponding assignments into
> > if branches to indicate a software failure there.
> > 
> > This issue was detected by using the Coccinelle software.
> 
> This coding style was pretty common.  I assume the compiler is smart
> enough to do the right thing.  Is this a FYI, letting us know for the
> future the preferred coding style, or are we really upstreaming these
> sorts of coding style changes?

Nope, and I generally don't want cleanup patches from Markus going into 
the security tree.

See also:
https://www.mail-archive.com/lin...@vg.../msg1254425.html


- James
-- 
James Morris
<jm...@na...>

Re: [Linux-ima-user] EVM/IMA invalid hash or public key not found

[Subscription A. <4su...@gm...>]

On Fri, Jan 27, 2017 at 3:18 PM, Mimi Zohar <zo...@li...>
wrote:

> On Fri, 2017-01-27 at 19:42 +0000, Subscription Account wrote:
> > Yup, I did reboot in fix mode and saw folowing errors in dmesg/audit log.
> > But don't know why would the hmac be wrong.
> >
> > All of the files below are signed using imasig option to evmctl.
> >
> > How do I troubleshoot this 😔
>
> [Please inline/bottom post in the future.]
>

Sure


>
> One reason could be that you've replaced the builtin policy with a
> custom policy, that does not include all of the files in the builtin
> policy in the custom policy.  As a result, if a file's metadata changes
> on these files, the EVM hmac would not be updated appropriately.
>
>
I have not written any policy at this point.  I am just using ima_tcb and
ima_appraise_tcb on the kernel commandline.



> Included in the EVM hmac calculation, in addition to the security
> xattrs, are some other fields (eg. ino, generation, uid, gid, mode).
>
>
How do I verify or even do a manual calculation of HMAC?

Thanks

--
Raj



> Mimi
>
>

Re: [Linux-ima-user] EVM/IMA invalid hash or public key not found

[Mimi Z. <zo...@li...>]

On Fri, 2017-01-27 at 19:42 +0000, Subscription Account wrote:
> Yup, I did reboot in fix mode and saw folowing errors in dmesg/audit log.
> But don't know why would the hmac be wrong.
> 
> All of the files below are signed using imasig option to evmctl.
> 
> How do I troubleshoot this 😔

[Please inline/bottom post in the future.]

One reason could be that you've replaced the builtin policy with a
custom policy, that does not include all of the files in the builtin
policy in the custom policy.  As a result, if a file's metadata changes
on these files, the EVM hmac would not be updated appropriately.

Included in the EVM hmac calculation, in addition to the security
xattrs, are some other fields (eg. ino, generation, uid, gid, mode). 

Mimi

Re: [Linux-ima-user] EVM + TPM + offline protection

[Kenneth G. <kgo...@us...>]

Patrick Ohly <pat...@in...> wrote on 01/18/2017 10:57:03 AM:
 
> I was following
> http://www.cs.unh.edu/~it666/reading_list/Hardware/tpm_fundamentals.pdf
> which says (on slide 23, "Root of Trust for Storage"):
> 
> Two approaches:
>       * Without using PCR: bind/unbind
>       * With using PCR: seal/unseal
> 
> So the kernel keyring always uses sealing, just sometimes with PCRs,
> sometimes without? From the description I had the (wrong?) impression
> that it must be doing binding unless PCRs are enabled. Thanks for
> clarifying.

The slides do say that, but it's not accurate.  You can definitely seal
to no PCRs.  Just select no PCRs to seal to.

Seal  (1 and 2 are the real differentiators)

1 Data sealed (encrypted) by a key fixed to the TPM.
2 Only unsealed by the same fixed TPM key
3 Data can have password and/or PCR authorization
4 Decryption (unseal) key can also have password and/or PCR authorization

Bind

1 Data encrypted external to the TPM
2 Decryption key can be a migratable key
3 Data does not have authorization
4 Decryption key can have password and/or PCR authorization

Re: [Linux-ima-user] EVM/IMA invalid hash or public key not found

[Subscription A. <4su...@gm...>]

Yup, I did reboot in fix mode and saw folowing errors in dmesg/audit log.
But don't know why would the hmac be wrong.

All of the files below are signed using imasig option to evmctl.

How do I troubleshoot this 😔

Thanks

--
Raj



[ 0.603940] type=2000 audit(1485330148.051:1): initialized
[ 2.565766] type=1800 audit(1485229696.341:2): pid=276 uid=0
auid=4294967295 ses=4294967295 subj=kernel op="appraise_data"
cause="missing-hash" comm="plymouthd"
name="/var/lib/plymouth/boot-duration" dev="dm-0" ino=50468078 res=0
[ 2.604291] type=1800 audit(1485229696.380:3): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=kernel op="appraise_data" cause="invalid-HMAC"
comm="systemd" name="/usr/lib/systemd/systemd" dev="dm-0" ino=16790955 res=0
[ 2.604486] type=1800 audit(1485229696.380:4): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=kernel op="appraise_data" cause="invalid-HMAC"
comm="systemd" name="/usr/lib/systemd/systemd" dev="dm-0" ino=16790955 res=0
[ 2.609136] type=1800
audit(1485229696.385:5): pid=1 uid=0 auid=4294967295 ses=4294967295subj=kernel
op="appraise_data" cause="invalid-HMAC" comm="systemd" name="/usr/lib64/
ld-2.17.so" dev="dm-0" ino=408 res=0
[    2.609473] type=1800 audit(1485229696.385:6): pid=1 uid=0 auid=
4294967295 ses=4294967295subj=kernel op="appraise_data"
cause="invalid-HMAC" comm="systemd" name="/usr/lib/systemd/systemd"
dev="dm-0" ino=16790955 res=0
[    2.609560] type=1800 audit(1485229696.385:7): pid=1 uid=0 auid=
4294967295 ses=4294967295subj=kernel op="appraise_data"
cause="invalid-HMAC" comm="systemd" name="/usr/lib64/ld-2.17.so" dev="dm-0"
ino=408 res=0
[    2.612224] type=1800
[    2.612224] type=1800 audit(1485229696.388:8): pid=1 uid=0 auid=
4294967295 ses=4294967295subj=kernel op="appraise_data"
cause="invalid-HMAC" comm="systemd" name="/etc/ld.so.cache" dev="dm-0" ino=
17172748 res=0
[    2.615910] type=1800 audit(1485229696.391:9): pid=1 uid=0 auid=
4294967295 ses=4294967295subj=kernel op="appraise_data"
cause="invalid-HMAC" comm="systemd" name="/usr/lib64/libselinux.so.1"
dev="dm-0" ino=94855 res=0
[    2.616005] type=1800 audit(1485229696.391:10): pid=1 uid=0 auid=
4294967295 ses=4294967295subj=kernel op="appraise_data"
cause="invalid-HMAC" comm="systemd" name="/usr/lib64/libselinux.so.1"
dev="dm-0" ino=94855 res=0



On Fri, Jan 27, 2017 at 2:25 PM Mimi Zohar <zo...@li...> wrote:

On Fri, 2017-01-27 at 19:14 +0000, Subscription Account wrote:
> Thanks. So what can I do to check why metadata verification using evm is
> failing?

Look in the dmesg/audit log?

Mimi

Re: [Linux-ima-user] EVM/IMA invalid hash or public key not found

[Mimi Z. <zo...@li...>]

On Fri, 2017-01-27 at 19:14 +0000, Subscription Account wrote:
> Thanks. So what can I do to check why metadata verification using evm is
> failing?

Look in the dmesg/audit log?

Mimi

Re: [Linux-ima-user] EVM/IMA invalid hash or public key not found

[Subscription A. <4su...@gm...>]

Thanks. So what can I do to check why metadata verification using evm is
failing?

--
Raj
On Fri, Jan 27, 2017 at 9:23 AM Mimi Zohar <zo...@li...> wrote:

On Tue, 2017-01-24 at 14:12 -0500, Subscription Account wrote:
> Little more progress. If I remove the line during my initrd setting up the
> key script
>
> echo "1" > /sys/kernel/security/evm
>
> i.e. not enable evm and just ima (or at least that's what I understand it
> means)

That's always an option.

> I can reboot successfully. So basically security.ima attribute is being
> validated properly but security.evm attribute shows wrong HMAC for systemd
> and associated libraries which prevents the boot. So not sure what is
> special about the systemd and may be I can get away with not signing evm
> attribute for systemd?

There is no EVM policy per-se.  If the file is in the IMA policy, and
EVM is enabled, then EVM will be called to verify the file's metadata.

Mimi

Re: [Linux-ima-user] EVM/IMA invalid hash or public key not found

[Mimi Z. <zo...@li...>]

On Tue, 2017-01-24 at 14:12 -0500, Subscription Account wrote:
> Little more progress. If I remove the line during my initrd setting up the
> key script
> 
> echo "1" > /sys/kernel/security/evm
> 
> i.e. not enable evm and just ima (or at least that's what I understand it
> means)

That's always an option.

> I can reboot successfully. So basically security.ima attribute is being
> validated properly but security.evm attribute shows wrong HMAC for systemd
> and associated libraries which prevents the boot. So not sure what is
> special about the systemd and may be I can get away with not signing evm
> attribute for systemd?

There is no EVM policy per-se.  If the file is in the IMA policy, and
EVM is enabled, then EVM will be called to verify the file's metadata.

Mimi

Re: [Linux-ima-user] [PATCH] ima: allow to check MAY_APPEND

[Mimi Z. <zo...@li...>]

On Fri, 2017-01-06 at 12:38 +0800, Lans Zhang wrote:
> Otherwise some mask and inmask tokens with MAY_APPEND flag may not work
> as expected.

Thank you.  In the future, please make sure scripts/checkpatch.pl
doesn't complain.

Mimi

> Signed-off-by: Lans Zhang <jia...@wi...>
> ---
>  security/integrity/ima/ima_api.c  | 3 ++-
>  security/integrity/ima/ima_main.c | 5 +++--
>  2 files changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
> index 9df26a2..b827875 100644
> --- a/security/integrity/ima/ima_api.c
> +++ b/security/integrity/ima/ima_api.c
> @@ -157,7 +157,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
>  /**
>   * ima_get_action - appraise & measure decision based on policy.
>   * @inode: pointer to inode to measure
> - * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
> + * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
> + *        MAY_APPEND)
>   * @func: caller identifier
>   * @pcr: pointer filled in if matched measure policy sets pcr=
>   *
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 50818c6..9fbcd8c 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -307,7 +307,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
>  /**
>   * ima_path_check - based on policy, collect/store measurement.
>   * @file: pointer to the file to be measured
> - * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
> + * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
>   *
>   * Measure files based on the ima_must_measure() policy decision.
>   *
> @@ -317,7 +317,8 @@ int ima_bprm_check(struct linux_binprm *bprm)
>  int ima_file_check(struct file *file, int mask, int opened)
>  {
>  	return process_measurement(file, NULL, 0,
> -				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
> +				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
> +				           MAY_APPEND),
>  				   FILE_CHECK, opened);
>  }
>  EXPORT_SYMBOL_GPL(ima_file_check);

Re: [Linux-ima-user] [PATCH 3/3] ima_fs: Move three error code assignments in ima_write_policy()

[Mimi Z. <zo...@li...>]

On Wed, 2017-01-25 at 10:34 +0100, SF Markus Elfring wrote:
> From: Markus Elfring <el...@us...>
> Date: Tue, 24 Jan 2017 22:47:07 +0100
> 
> A local variable was set to an error code in three cases before a concrete
> error situation was detected. Thus move the corresponding assignments into
> if branches to indicate a software failure there.
> 
> This issue was detected by using the Coccinelle software.

This coding style was pretty common.  I assume the compiler is smart
enough to do the right thing.  Is this a FYI, letting us know for the
future the preferred coding style, or are we really upstreaming these
sorts of coding style changes?

Mimi

> 
> Signed-off-by: Markus Elfring <el...@us...>
> ---
>  security/integrity/ima/ima_fs.c | 15 +++++++++------
>  1 file changed, 9 insertions(+), 6 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index 98304411915d..a50c26f9772c 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -317,21 +317,24 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
> 
>  	/* No partial writes. */
>  	result = -EINVAL;
> -	if (*ppos != 0)
> +	if (*ppos != 0) {
> +		result = -EINVAL;
>  		goto reset_validity;
> +	}
> 
> -	result = -ENOMEM;
>  	if (datalen >= PAGE_SIZE)
>  		datalen = PAGE_SIZE - 1;
>  	data = kmalloc(datalen + 1, GFP_KERNEL);
> -	if (!data)
> +	if (!data) {
> +		result = -ENOMEM;
>  		goto reset_validity;
> +	}
> 
>  	*(data + datalen) = '\0';
> -
> -	result = -EFAULT;
> -	if (copy_from_user(data, buf, datalen))
> +	if (copy_from_user(data, buf, datalen)) {
> +		result = -EFAULT;
>  		goto out_free;
> +	}
> 
>  	result = mutex_lock_interruptible(&ima_write_mutex);
>  	if (result < 0)

Re: [Linux-ima-user] [PATCH 1/3] ima_fs: One check less in ima_write_policy() after error detection

[Mimi Z. <zo...@li...>]

On Wed, 2017-01-25 at 10:31 +0100, SF Markus Elfring wrote:
> From: Markus Elfring <el...@us...>
> Date: Tue, 24 Jan 2017 20:30:55 +0100
> 
> Move the jump label directly before the desired assignment for the
> variable "valid_policy" at the end so that the variable "result" will not
> be checked once more after it was determined that a received input
> parameter was not zero or a memory allocation failed.
> Use the identifier "reset_validity" instead of the label "out".
> 
> Signed-off-by: Markus Elfring <el...@us...>
> ---
>  security/integrity/ima/ima_fs.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index ca303e5d2b94..c1c8d34d111d 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -321,12 +321,12 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
>  	/* No partial writes. */
>  	result = -EINVAL;
>  	if (*ppos != 0)
> -		goto out;
> +		goto reset_validity;
> 
>  	result = -ENOMEM;
>  	data = kmalloc(datalen + 1, GFP_KERNEL);
>  	if (!data)
> -		goto out;
> +		goto reset_validity;
> 
>  	*(data + datalen) = '\0';
> 
> @@ -353,8 +353,8 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
>  	mutex_unlock(&ima_write_mutex);
>  out_free:
>  	kfree(data);
> -out:
>  	if (result < 0)
> +reset_validity:

Really?!   Do you really think this makes the code more readable?   A
more common, readable approach is to have two exit points - a normal
exit and an error exit.   Let's leave it to the compiler to do the
optimization.

Mimi

>  		valid_policy = 0;
> 
>  	return result;