From: Kasatkin, D. <dmi...@in...> - 2012-05-18 09:00:20
On Fri, May 18, 2012 at 10:46 AM, Kasatkin, Dmitry <dmi...@in...> wrote:
> Hello,
>
> See comments inline...
>
> You could send questions to: lin...@li...
>
> - Dmitry
>
> On Tue, May 15, 2012 at 7:45 PM, Sebastian Andrzej Siewior
> <bi...@li...> wrote:
>> Hi Dmitry,
>>
>> I just stumbled over security/integrity/evm/ in the linux kernel and it
>> looks like something I could use or would like to use :)
>> I failed to clone the userland tools from
>>
>> git://linux-ima.git.sourceforge.net/linux-ima/ima-evm-utils.git/
>>
>
> Did you try to look at the linux-ima project page?
> http://sourceforge.net/scm/?type=git&group_id=148288
> It has info on how to access the gits....
>
> It says that the repo url is:
> git://linux-ima.git.sourceforge.net/gitroot/linux-ima/ima-evm-utils.git
>
> :)
>
>
>> as git always said that remote closed the connection. In the end I extracted
>> the source package from [0].
>> I tried to follow the wiki at [1] and see how it works. Currently I am
>> stuck at
>>
>> | #~ keyctl add trusted kmk-trusted "new 32" @u
>> | add_key: No such device
>>
>
> Trusted keys use a TPM..
>
> Have a look at the source code:
> tests/evm_genkey.sh
> tests/evm_enable.sh
>
> It should show how to use encrypted keys and public keys...
>
> Let us know how it works for you.
>
> - Dmitry
>
>> And the kernel says:
>>
>> | trusted_key: key_create failed (-19)
>>
>> Another thing that I noticed is
>>
>> -r--r-----. 1 root root 0 May 15 18:41 /sys/kernel/security/evm
>>
>> as you see it is read-only. "echo 1 > evm" works (i.e. no access denied) but
>> in dmesg I see
>>
>> | EVM: initialization failed
>>
>> So my question here is does it work? Or could it be that it got broken
>> in v3.4.0-rc7?
>>
>> [0] ftp://ftp.nohats.ca/ima/evm-utils-0.1.0-1.fc17.src.rpm
>> [1]
>> http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page
>>
>> Sebastian

Hi,

I have also updated the Wiki page and added key generation and
initramfs-tools/GRUB examples.

https://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page

- Dmitry
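The failure quoted in the thread above (`add_key: No such device`, `key_create failed (-19)`) is what a `keyctl add trusted` attempt produces on a machine without a TPM, since trusted keys are sealed by the TPM. The script below is an added example for this archive, not code from the ima-evm-utils project, its tests/evm_genkey.sh, or the wiki: it classifies that error, picks the master-key type from whether a TPM device node exists, and prints the keyctl command pair for either path. The key names kmk-user and evm-key, the "new <type>:<name> <len>" encrypted-key payload syntax, and the /dev/tpm0 check are assumptions taken from the kernel keyring documentation, not from the thread; only kmk-trusted appears in the thread itself.

```shell
#!/bin/sh
# Added example for this thread (not from ima-evm-utils or the wiki).
# Diagnoses the "No such device" failure of `keyctl add trusted` and
# chooses between a TPM-sealed "trusted" master key and a "user" master
# key, both of which can wrap the EVM "encrypted" key.

# Classify one keyctl/dmesg error line. errno 19 (ENODEV) is what the
# trusted_key code reports when no TPM is available.
diagnose_keyctl_error() {
    case "$1" in
        *"No such device"*|*"key_create failed (-19)"*) echo no-tpm ;;
        *) echo unknown ;;
    esac
}

# Choose the master key type from the presence of a TPM character device.
# $1 overrides the device path (assumed default /dev/tpm0) for testing.
kmk_type() {
    dev="${1:-/dev/tpm0}"
    if [ -c "$dev" ]; then echo trusted; else echo user; fi
}

# Print the two keyctl commands for the chosen master key type.
# Key names kmk-user / evm-key and the payload syntax are assumed from the
# kernel's trusted/encrypted keys documentation; nothing is executed here.
evm_key_commands() {
    case "$1" in
        trusted)
            printf '%s\n' \
                'keyctl add trusted kmk-trusted "new 32" @u' \
                'keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u' ;;
        user)
            printf '%s\n' \
                'keyctl add user kmk-user "$(dd if=/dev/urandom bs=1 count=32 2>/dev/null)" @u' \
                'keyctl add encrypted evm-key "new user:kmk-user 32" @u' ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: the two lines Sebastian quoted in the thread.
SAMPLE_KEYCTL_OUTPUT='add_key: No such device'
SAMPLE_DMESG_LINE='trusted_key: key_create failed (-19)'

main() {
    echo "diagnosis of dmesg line: $(diagnose_keyctl_error "$SAMPLE_DMESG_LINE")"
    t=$(kmk_type)
    echo "master key type for this host: $t"
    evm_key_commands "$t"
}

main
```

Run it on the box that failed and it reports `no-tpm` for the quoted dmesg line and, with no /dev/tpm0 present, prints the user-key recipe instead of the trusted one; the printed commands still have to be run by hand, as root, before `echo 1 > /sys/kernel/security/evm`, which is the step that produced `EVM: initialization failed` when no evm-key was on the keyring.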
From: Mimi Z. <zo...@li...> - 2012-05-21 11:27:00
On Fri, 2012-05-18 at 12:00 +0300, Kasatkin, Dmitry wrote:
> On Fri, May 18, 2012 at 10:46 AM, Kasatkin, Dmitry
> <dmi...@in...> wrote:
> > Hello,
> >
> > See comments inline...
> >
> > You could send questions to: lin...@li...
> >
> > - Dmitry
> >
> > On Tue, May 15, 2012 at 7:45 PM, Sebastian Andrzej Siewior
> > <bi...@li...> wrote:
> >> Hi Dmitry,
> >>
> >> I just stumbled over security/integrity/evm/ in the linux kernel and it
> >> looks like something I could use or would like to use :)
> >> I failed to clone the userland tools from
> >>
> >> git://linux-ima.git.sourceforge.net/linux-ima/ima-evm-utils.git/
> >>
> >
> > Did you try to look at the linux-ima project page?
> > http://sourceforge.net/scm/?type=git&group_id=148288
> > It has info on how to access the gits....
> >
> > It says that the repo url is:
> > git://linux-ima.git.sourceforge.net/gitroot/linux-ima/ima-evm-utils.git
> >
> > :)
> >
> >
> >> as git always said that remote closed the connection. In the end I extracted
> >> the source package from [0].
> >> I tried to follow the wiki at [1] and see how it works. Currently I am
> >> stuck at
> >>
> >> | #~ keyctl add trusted kmk-trusted "new 32" @u
> >> | add_key: No such device
> >>
> >
> > Trusted keys use a TPM..
> >
> > Have a look at the source code:
> > tests/evm_genkey.sh
> > tests/evm_enable.sh
> >
> > It should show how to use encrypted keys and public keys...
> >
> > Let us know how it works for you.
> >
> > - Dmitry
> >
> >> And the kernel says:
> >>
> >> | trusted_key: key_create failed (-19)
> >>
> >> Another thing that I noticed is
> >>
> >> -r--r-----. 1 root root 0 May 15 18:41 /sys/kernel/security/evm
> >>
> >> as you see it is read-only. "echo 1 > evm" works (i.e. no access denied) but
> >> in dmesg I see
> >>
> >> | EVM: initialization failed
> >>
> >> So my question here is does it work? Or could it be that it got broken
> >> in v3.4.0-rc7?
> >>
> >> [0] ftp://ftp.nohats.ca/ima/evm-utils-0.1.0-1.fc17.src.rpm
> >> [1]
> >> http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page
> >>
> >> Sebastian
>
> Hi,
>
> I have also updated the Wiki page and added key generation and
> initramfs-tools/GRUB examples.
>
> https://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page
>
> - Dmitry
>

Thanks Dmitry for updating the wiki with key generation support.

Sebastian, if you're using dracut, it already has support for loading the
EVM symmetric key and updating the IMA policy, but it needs to be enabled.
Enabling any dracut module requires changing the module_setup.sh:
module_check() to return 0. Dracut is available from:
git://git.kernel.org/pub/scm/boot/dracut/dracut.git.

Current versions of Fedora enable the SELinux policy in systemd, not
dracut. If SELinux is enabled on your system, and you want to update the
default IMA policy based on SELinux labels, then replacing the IMA policy
should be delayed to systemd as well. Roberto Sassu upstreamed the
systemd patch.

The patch below adds dracut support for enabling EVM/IMA digital
signatures, but still needs to be tested some more before being
upstreamed.

thanks,

Mimi

diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh index a4cdf45..4bceebb 100755 --- a/modules.d/98integrity/evm-enable.sh +++ b/modules.d/98integrity/evm-enable.sh 
@@ -54,6 +54,52 @@ load_evm_key() return 0 } +load_evm_ima_pubkey() +{ + # read the configuration from the config file + #[ -f "${EVMCONFIG}" ] && \ + # . ${EVMCONFIG} + + # override the EVM key path name from the 'evmpubkey=' parameter in + # the kernel command line + EVMPUBKEYARG=$(getarg evmpubkey=) + [ $? -eq 0 ] && \ + EVMPUBKEY=${EVMPUBKEYARG} + + # set the default value + [ -z "${EVMPUBKEY}" ] && \ + EVMPUBKEY="/etc/keys/pubkey_evm.pem"; + + # set the EVM public key path name + EVMPUBKEYPATH="${NEWROOT}${EVMPUBKEY}" + + # check for EVM public key's existence + if [ ! -f "${EVMPUBKEYPATH}" ]; then + if [ "${RD_DEBUG}" = "yes" ]; then + info "integrity: EVM public key file not found: ${EVMPUBKEYPATH}" + fi + return 0 + fi + + # load the EVM public key onto the EVM keyring + evm_pubid=`keyctl newring _evm @u` + EVMPUBKEYID=$(evmctl import ${EVMPUBKEYPATH} ${evm_pubid}) + [ $? -eq 0 ] || { + info "integrity: failed to load the EVM public key"; + return 0; + } + + # load the same public key onto the IMA keyring + ima_pubid=`keyctl newring _ima @u` + IMAPUBKEYID=$(evmctl import ${EVMPUBKEYPATH} ${ima_pubid}) + [ $? -eq 0 ] || { + info "integrity: failed to load the IMA public key"; + return 0; + } + + return 0 +} + unload_evm_key() { # unlink the EVM encrypted key @@ -78,6 +124,9 @@ enable_evm() # load the EVM encrypted key load_evm_key || return 1 + # load the EVM public key + load_evm_ima_pubkey + # initialize EVM info "Enabling EVM" echo 1 > ${EVMSECFILE} diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh index ff1b4aa..69addb2 100755 --- a/modules.d/98integrity/module-setup.sh +++ b/modules.d/98integrity/module-setup.sh @@ -3,7 +3,7 @@ # ex: ts=8 sw=4 sts=4 et filetype=sh check() { - return 255 + return 0 } depends() { @@ -12,6 +12,7 @@ depends() { } install() { + inst_binary keyctl inst_hook pre-pivot 61 "$moddir/evm-enable.sh" inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh" } |
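Review bot: in the first evm-enable.sh hunk, load_evm_ima_pubkey() takes the public key that EVM and IMA will verify signatures against from the root filesystem it is about to protect (`EVMPUBKEYPATH="${NEWROOT}${EVMPUBKEY}"`), so whoever can modify that filesystem offline can also replace the verification key; the public key (or at least its hash) belongs inside the initramfs image rather than under ${NEWROOT}. In the same function, both `info "integrity: failed to load the ... public key"; return 0;` paths report success to the caller, and the results of `evm_pubid=\`keyctl newring _evm @u\`` and `ima_pubid=\`keyctl newring _ima @u\`` are never checked, so a failed newring hands an empty keyring id to evmctl import; return 1 on these errors and let enable_evm() decide whether a missing public key is fatal. The commented-out `#[ -f "${EVMCONFIG}" ] && \ # . ${EVMCONFIG}` block should either be enabled, so that EVMPUBKEY can really come from the config file as the comment above it says, or dropped. Minor: the function mixes backticks with $(...) and leaves a stray semicolon after `EVMPUBKEY="/etc/keys/pubkey_evm.pem";`.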
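Review bot: in the enable_evm() hunk, `load_evm_ima_pubkey` is called without the `|| return 1` that `load_evm_key || return 1` two lines above uses, so EVM is still switched on (`echo 1 > ${EVMSECFILE}`) when the public key could not be loaded, and files that carry digital signatures instead of HMACs then cannot be verified at runtime, with far less context than a boot-time failure. If a missing public key is intended to be optional, say so in the comment (`# load the EVM public key (optional)`); otherwise propagate the failure the same way as for the encrypted key.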
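Review bot: in the module-setup.sh check() hunk, changing `return 255` to `return 0` pulls the integrity module into every initramfs built from this tree, not only into those that ask for it (in dracut, 255 means "include only when explicitly requested"); that is the local opt-in the email describes ("change module_check() to return 0"), but upstreaming it flips the default for all users. Keep `return 255`, or return 0 only when the EVM key or configuration files are actually present on the build host, and document the opt-in instead.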
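Review bot: in the install() hunk, `inst_binary keyctl` is added, but the new load_evm_ima_pubkey() also runs `evmctl import ...` and no `inst_binary evmctl` appears in this hunk; unless evmctl is installed by a line of install() not shown here, the import fails inside the initramfs and, because that path ends in `return 0`, fails silently. Add `inst_binary evmctl` beside `inst_binary keyctl`, and check whether the pre-existing load_evm_key() already needed keyctl before this change, in which case its absence from install() was a latent bug worth mentioning in the commit message.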