linux-ima-user

[Linux-ima-user] EVM: Using a presigned image

[Martin T. <mto...@gm...>]

Hi,

I want to sign an root filesystem off line using the same private key
for both IMA and EVM, ie using evmctl sign --imasig

This image is read-only and is on an embedded product.  The kernel
automatically loads the public key as I have
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"

set in the kernel configuration

I can't see how to enable this key for verifying EVM as soon as the
kernel passes control to the init process.  Is this possible? Do I
have to write my own init processes which could be a script to load
the /etc/keys/ima_x509.der into the evm keyring, enable evm and then
pass control to systemd?

Many Thanks in advnace,
Martin.

Re: [Linux-ima-user] EVM: Using a presigned image

[Mimi Z. <zo...@li...>]

On Wed, 2017-10-11 at 18:12 +0100, Martin Townsend wrote:
> Hi,
> 
> I want to sign an root filesystem off line using the same private key
> for both IMA and EVM, ie using evmctl sign --imasig
> 
> This image is read-only and is on an embedded product.  The kernel
> automatically loads the public key as I have
> CONFIG_IMA_TRUSTED_KEYRING=y
> CONFIG_IMA_LOAD_X509=y
> CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"
> 
> set in the kernel configuration
> 
> I can't see how to enable this key for verifying EVM as soon as the
> kernel passes control to the init process.  Is this possible? Do I
> have to write my own init processes which could be a script to load
> the /etc/keys/ima_x509.der into the evm keyring, enable evm and then
> pass control to systemd?

There is a separate CONFIG_EVM_X509_PATH option for EVM.  You can
specify the same x509 certificate pathname.

Mimi

Re: [Linux-ima-user] EVM: Using a presigned image

[Martin T. <mto...@gm...>]

Thanks Mimi,

A bit of searching in LXR seems to indicate that this went into the
v4.5 kernel, is this correct?

We are currently using 4.1 but will be upgrading to 4.9 LTSI in the
near future so the CONFIG_EVM_X509_PATH looks perfect :)

Many Thanks,
Martin.


On Wed, Oct 11, 2017 at 6:23 PM, Mimi Zohar <zo...@li...> wrote:
> On Wed, 2017-10-11 at 18:12 +0100, Martin Townsend wrote:
>> Hi,
>>
>> I want to sign an root filesystem off line using the same private key
>> for both IMA and EVM, ie using evmctl sign --imasig
>>
>> This image is read-only and is on an embedded product.  The kernel
>> automatically loads the public key as I have
>> CONFIG_IMA_TRUSTED_KEYRING=y
>> CONFIG_IMA_LOAD_X509=y
>> CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"
>>
>> set in the kernel configuration
>>
>> I can't see how to enable this key for verifying EVM as soon as the
>> kernel passes control to the init process.  Is this possible? Do I
>> have to write my own init processes which could be a script to load
>> the /etc/keys/ima_x509.der into the evm keyring, enable evm and then
>> pass control to systemd?
>
> There is a separate CONFIG_EVM_X509_PATH option for EVM.  You can
> specify the same x509 certificate pathname.
>
> Mimi
>

Re: [Linux-ima-user] EVM: Using a presigned image

[Martin T. <mto...@gm...>]

Hi,

On Wed, Oct 11, 2017 at 6:23 PM, Mimi Zohar <zo...@li...> wrote:
> On Wed, 2017-10-11 at 18:12 +0100, Martin Townsend wrote:
>> Hi,
>>
>> I want to sign an root filesystem off line using the same private key
>> for both IMA and EVM, ie using evmctl sign --imasig
>>
>> This image is read-only and is on an embedded product.  The kernel
>> automatically loads the public key as I have
>> CONFIG_IMA_TRUSTED_KEYRING=y
>> CONFIG_IMA_LOAD_X509=y
>> CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"
>>
>> set in the kernel configuration
>>
>> I can't see how to enable this key for verifying EVM as soon as the
>> kernel passes control to the init process.  Is this possible? Do I
>> have to write my own init processes which could be a script to load
>> the /etc/keys/ima_x509.der into the evm keyring, enable evm and then
>> pass control to systemd?
>
> There is a separate CONFIG_EVM_X509_PATH option for EVM.  You can
> specify the same x509 certificate pathname.
>
> Mimi
>
I upgraded to 4.9 kernel and I tried using the same key pathname and
get the following errors

integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
integrity: Request for unknown key 'id:399171f9' err -11
Starting init: /sbin/init exists but couldn't execute it (error -13)

I've checked and the key is there and is used by IMA.  After debugging
it fails in
restrict_link_by_signature when it calls find_asymmetric_key.

If I use the same key with 4.1 it works fine.  Is there something
special that I need to do with the 4.9 kernel?

Here's some of the kernel configuration in case it helps

#
# Security options
#
CONFIG_KEYS=y
# CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_BIG_KEYS is not set
# CONFIG_TRUSTED_KEYS is not set
CONFIG_ENCRYPTED_KEYS=y
# CONFIG_KEY_DH_OPERATIONS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_SECURITY_PATH is not set
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY is not set
# CONFIG_SECURITY_SELINUX is not set
CONFIG_SECURITY_SMACK=y
# CONFIG_SECURITY_SMACK_BRINGUP is not set
# CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_LOADPIN is not set
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY_AUDIT=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
# CONFIG_IMA_TEMPLATE is not set
CONFIG_IMA_NG_TEMPLATE=y
# CONFIG_IMA_SIG_TEMPLATE is not set
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH_SHA1=y
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
# CONFIG_IMA_DEFAULT_HASH_WP512 is not set
CONFIG_IMA_DEFAULT_HASH="sha1"
# CONFIG_IMA_WRITE_POLICY is not set
# CONFIG_IMA_READ_POLICY is not set
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_BLACKLIST_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/ima-x509.der"
CONFIG_IMA_APPRAISE_SIGNED_INIT=y
CONFIG_EVM=y
# CONFIG_EVM_ATTR_FSUUID is not set
CONFIG_EVM_EXTRA_SMACK_XATTRS=y
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="/etc/keys/ima-x509.der"
# CONFIG_DEFAULT_SECURITY_SMACK is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_CRYPTO=y

Many Thanks,
Martin.

Re: [Linux-ima-user] EVM: Using a presigned image

[Martin T. <mto...@gm...>]

On Fri, Oct 13, 2017 at 5:38 PM, Martin Townsend
<mto...@gm...> wrote:
> Hi,
>
> On Wed, Oct 11, 2017 at 6:23 PM, Mimi Zohar <zo...@li...> wrote:
>> On Wed, 2017-10-11 at 18:12 +0100, Martin Townsend wrote:
>>> Hi,
>>>
>>> I want to sign an root filesystem off line using the same private key
>>> for both IMA and EVM, ie using evmctl sign --imasig
>>>
>>> This image is read-only and is on an embedded product.  The kernel
>>> automatically loads the public key as I have
>>> CONFIG_IMA_TRUSTED_KEYRING=y
>>> CONFIG_IMA_LOAD_X509=y
>>> CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"
>>>
>>> set in the kernel configuration
>>>
>>> I can't see how to enable this key for verifying EVM as soon as the
>>> kernel passes control to the init process.  Is this possible? Do I
>>> have to write my own init processes which could be a script to load
>>> the /etc/keys/ima_x509.der into the evm keyring, enable evm and then
>>> pass control to systemd?
>>
>> There is a separate CONFIG_EVM_X509_PATH option for EVM.  You can
>> specify the same x509 certificate pathname.
>>
>> Mimi
>>
> I upgraded to 4.9 kernel and I tried using the same key pathname and
> get the following errors
>
> integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
> integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
> integrity: Request for unknown key 'id:399171f9' err -11
> Starting init: /sbin/init exists but couldn't execute it (error -13)
>
> I've checked and the key is there and is used by IMA.  After debugging
> it fails in
> restrict_link_by_signature when it calls find_asymmetric_key.
>
> If I use the same key with 4.1 it works fine.  Is there something
> special that I need to do with the 4.9 kernel?
>
> Here's some of the kernel configuration in case it helps
>
> #
> # Security options
> #
> CONFIG_KEYS=y
> # CONFIG_PERSISTENT_KEYRINGS is not set
> # CONFIG_BIG_KEYS is not set
> # CONFIG_TRUSTED_KEYS is not set
> CONFIG_ENCRYPTED_KEYS=y
> # CONFIG_KEY_DH_OPERATIONS is not set
> # CONFIG_SECURITY_DMESG_RESTRICT is not set
> CONFIG_SECURITY=y
> CONFIG_SECURITYFS=y
> CONFIG_SECURITY_NETWORK=y
> # CONFIG_SECURITY_NETWORK_XFRM is not set
> # CONFIG_SECURITY_PATH is not set
> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
> CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
> # CONFIG_HARDENED_USERCOPY is not set
> # CONFIG_SECURITY_SELINUX is not set
> CONFIG_SECURITY_SMACK=y
> # CONFIG_SECURITY_SMACK_BRINGUP is not set
> # CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> # CONFIG_SECURITY_LOADPIN is not set
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_INTEGRITY=y
> CONFIG_INTEGRITY_SIGNATURE=y
> CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
> CONFIG_INTEGRITY_TRUSTED_KEYRING=y
> CONFIG_INTEGRITY_AUDIT=y
> CONFIG_IMA=y
> CONFIG_IMA_MEASURE_PCR_IDX=10
> CONFIG_IMA_LSM_RULES=y
> # CONFIG_IMA_TEMPLATE is not set
> CONFIG_IMA_NG_TEMPLATE=y
> # CONFIG_IMA_SIG_TEMPLATE is not set
> CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> CONFIG_IMA_DEFAULT_HASH_SHA1=y
> # CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
> # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
> # CONFIG_IMA_DEFAULT_HASH_WP512 is not set
> CONFIG_IMA_DEFAULT_HASH="sha1"
> # CONFIG_IMA_WRITE_POLICY is not set
> # CONFIG_IMA_READ_POLICY is not set
> CONFIG_IMA_APPRAISE=y
> CONFIG_IMA_TRUSTED_KEYRING=y
> CONFIG_IMA_BLACKLIST_KEYRING=y
> CONFIG_IMA_LOAD_X509=y
> CONFIG_IMA_X509_PATH="/etc/keys/ima-x509.der"
> CONFIG_IMA_APPRAISE_SIGNED_INIT=y
> CONFIG_EVM=y
> # CONFIG_EVM_ATTR_FSUUID is not set
> CONFIG_EVM_EXTRA_SMACK_XATTRS=y
> CONFIG_EVM_LOAD_X509=y
> CONFIG_EVM_X509_PATH="/etc/keys/ima-x509.der"
> # CONFIG_DEFAULT_SECURITY_SMACK is not set
> CONFIG_DEFAULT_SECURITY_DAC=y
> CONFIG_DEFAULT_SECURITY=""
> CONFIG_CRYPTO=y
>
> Many Thanks,
> Martin.

After reading through the code I could see that I needed to build the
kernel with the root CA certificate using CONFIG_SYSTEM_TRUSTED_KEYS
which is great as now we have a trusted root certificate in the kernel
and the kernel is signed and secured via freescale HAB.

The intermediate keys are now successfully loaded but sadly it hangs.
I know there are 2 firmware files it has to load sdma and brcmfmac so
maybe the problem is there. I see SDMA fails, Here's the trace in case
it helps.

UBIFS (ubi0:0): reserved for root: 0 bytes (0 KiB)
UBIFS (ubi0:0): media format: w4/r0 (latest is w4/r0), UUID
724DF819-1381-41CE-A1C6-5597F29F1067, small LPT model
VFS: Mounted root (ubifs filesystem) readonly on device 0:14.
devtmpfs: mounted
integrity: Loaded X.509 cert 'IMA Certificate Authority:
f1ca9f5d8e7302b74a277d1d09a6ce0c399171f9': /etc/keys/ima-x509.der
integrity: Loaded X.509 cert 'IMA Certificate Authority:
f1ca9f5d8e7302b74a277d1d09a6ce0c399171f9': /etc/keys/ima-x509.der
Freeing unused kernel memory: 1024K
imx-sdma 20ec000.sdma: external firmware not found, using ROM firmware

INFO: task kworker/u2:1:126 blocked for more than 120 seconds.
      Not tainted 4.9.44-fslc+g8f876e1 #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/u2:1    D    0   126    105 0x00000000
[<808425a4>] (__schedule) from [<80842a34>] (schedule+0x4c/0xac)
[<80842a34>] (schedule) from [<808451c8>] (rwsem_down_write_failed+0xf8/0x27c)
[<808451c8>] (rwsem_down_write_failed) from [<803c4c40>]
(process_measurement+0xe0/0x420)
[<803c4c40>] (process_measurement) from [<803c4fa8>] (ima_file_check+0x28/0x30)
[<803c4fa8>] (ima_file_check) from [<802365f4>] (path_openat+0x2a8/0x11c4)
[<802365f4>] (path_openat) from [<802387b0>] (do_filp_open+0x5c/0xc0)
[<802387b0>] (do_filp_open) from [<8022dad8>] (do_open_execat+0x60/0x160)
[<8022dad8>] (do_open_execat) from [<8022fb34>] (do_execveat_common+0x188/0x71c)
[<8022fb34>] (do_execveat_common) from [<802300ec>] (do_execve+0x24/0x2c)
[<802300ec>] (do_execve) from [<80131478>]
(call_usermodehelper_exec_async+0x124/0x1b0)
[<80131478>] (call_usermodehelper_exec_async) from [<80107718>]
(ret_from_fork+0x14/0x3c)
Kernel panic - not syncing: hung_task: blocked tasks
CPU: 0 PID: 14 Comm: khungtaskd Not tainted 4.9.44-fslc+g8f876e1 #2
Hardware name: Freescale i.MX6 Ultralite (Device Tree)
[<8010db5c>] (unwind_backtrace) from [<8010b718>] (show_stack+0x10/0x14)
[<8010b718>] (show_stack) from [<801d8028>] (panic+0xd0/0x244)
[<801d8028>] (panic) from [<801a1298>] (watchdog+0x320/0x3c4)
[<801a1298>] (watchdog) from [<8013a640>] (kthread+0xf4/0x10c)
[<8013a640>] (kthread) from [<80107718>] (ret_from_fork+0x14/0x3c)

I'll try and debug some more at the weekend.

-Martin.

Re: [Linux-ima-user] EVM: Using a presigned image

[Martin T. <mto...@gm...>]

On Fri, Oct 13, 2017 at 9:48 PM, Martin Townsend
<mto...@gm...> wrote:
> On Fri, Oct 13, 2017 at 5:38 PM, Martin Townsend
> <mto...@gm...> wrote:
>> Hi,
>>
>> On Wed, Oct 11, 2017 at 6:23 PM, Mimi Zohar <zo...@li...> wrote:
>>> On Wed, 2017-10-11 at 18:12 +0100, Martin Townsend wrote:
>>>> Hi,
>>>>
>>>> I want to sign an root filesystem off line using the same private key
>>>> for both IMA and EVM, ie using evmctl sign --imasig
>>>>
>>>> This image is read-only and is on an embedded product.  The kernel
>>>> automatically loads the public key as I have
>>>> CONFIG_IMA_TRUSTED_KEYRING=y
>>>> CONFIG_IMA_LOAD_X509=y
>>>> CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"
>>>>
>>>> set in the kernel configuration
>>>>
>>>> I can't see how to enable this key for verifying EVM as soon as the
>>>> kernel passes control to the init process.  Is this possible? Do I
>>>> have to write my own init processes which could be a script to load
>>>> the /etc/keys/ima_x509.der into the evm keyring, enable evm and then
>>>> pass control to systemd?
>>>
>>> There is a separate CONFIG_EVM_X509_PATH option for EVM.  You can
>>> specify the same x509 certificate pathname.
>>>
>>> Mimi
>>>
>> I upgraded to 4.9 kernel and I tried using the same key pathname and
>> get the following errors
>>
>> integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
>> integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
>> integrity: Request for unknown key 'id:399171f9' err -11
>> Starting init: /sbin/init exists but couldn't execute it (error -13)
>>
>> I've checked and the key is there and is used by IMA.  After debugging
>> it fails in
>> restrict_link_by_signature when it calls find_asymmetric_key.
>>
>> If I use the same key with 4.1 it works fine.  Is there something
>> special that I need to do with the 4.9 kernel?
>>
>> Here's some of the kernel configuration in case it helps
>>
>> #
>> # Security options
>> #
>> CONFIG_KEYS=y
>> # CONFIG_PERSISTENT_KEYRINGS is not set
>> # CONFIG_BIG_KEYS is not set
>> # CONFIG_TRUSTED_KEYS is not set
>> CONFIG_ENCRYPTED_KEYS=y
>> # CONFIG_KEY_DH_OPERATIONS is not set
>> # CONFIG_SECURITY_DMESG_RESTRICT is not set
>> CONFIG_SECURITY=y
>> CONFIG_SECURITYFS=y
>> CONFIG_SECURITY_NETWORK=y
>> # CONFIG_SECURITY_NETWORK_XFRM is not set
>> # CONFIG_SECURITY_PATH is not set
>> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
>> CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
>> # CONFIG_HARDENED_USERCOPY is not set
>> # CONFIG_SECURITY_SELINUX is not set
>> CONFIG_SECURITY_SMACK=y
>> # CONFIG_SECURITY_SMACK_BRINGUP is not set
>> # CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
>> # CONFIG_SECURITY_TOMOYO is not set
>> # CONFIG_SECURITY_APPARMOR is not set
>> # CONFIG_SECURITY_LOADPIN is not set
>> # CONFIG_SECURITY_YAMA is not set
>> CONFIG_INTEGRITY=y
>> CONFIG_INTEGRITY_SIGNATURE=y
>> CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
>> CONFIG_INTEGRITY_TRUSTED_KEYRING=y
>> CONFIG_INTEGRITY_AUDIT=y
>> CONFIG_IMA=y
>> CONFIG_IMA_MEASURE_PCR_IDX=10
>> CONFIG_IMA_LSM_RULES=y
>> # CONFIG_IMA_TEMPLATE is not set
>> CONFIG_IMA_NG_TEMPLATE=y
>> # CONFIG_IMA_SIG_TEMPLATE is not set
>> CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
>> CONFIG_IMA_DEFAULT_HASH_SHA1=y
>> # CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
>> # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
>> # CONFIG_IMA_DEFAULT_HASH_WP512 is not set
>> CONFIG_IMA_DEFAULT_HASH="sha1"
>> # CONFIG_IMA_WRITE_POLICY is not set
>> # CONFIG_IMA_READ_POLICY is not set
>> CONFIG_IMA_APPRAISE=y
>> CONFIG_IMA_TRUSTED_KEYRING=y
>> CONFIG_IMA_BLACKLIST_KEYRING=y
>> CONFIG_IMA_LOAD_X509=y
>> CONFIG_IMA_X509_PATH="/etc/keys/ima-x509.der"
>> CONFIG_IMA_APPRAISE_SIGNED_INIT=y
>> CONFIG_EVM=y
>> # CONFIG_EVM_ATTR_FSUUID is not set
>> CONFIG_EVM_EXTRA_SMACK_XATTRS=y
>> CONFIG_EVM_LOAD_X509=y
>> CONFIG_EVM_X509_PATH="/etc/keys/ima-x509.der"
>> # CONFIG_DEFAULT_SECURITY_SMACK is not set
>> CONFIG_DEFAULT_SECURITY_DAC=y
>> CONFIG_DEFAULT_SECURITY=""
>> CONFIG_CRYPTO=y
>>
>> Many Thanks,
>> Martin.
>
> After reading through the code I could see that I needed to build the
> kernel with the root CA certificate using CONFIG_SYSTEM_TRUSTED_KEYS
> which is great as now we have a trusted root certificate in the kernel
> and the kernel is signed and secured via freescale HAB.
>
> The intermediate keys are now successfully loaded but sadly it hangs.
> I know there are 2 firmware files it has to load sdma and brcmfmac so
> maybe the problem is there. I see SDMA fails, Here's the trace in case
> it helps.
>
> UBIFS (ubi0:0): reserved for root: 0 bytes (0 KiB)
> UBIFS (ubi0:0): media format: w4/r0 (latest is w4/r0), UUID
> 724DF819-1381-41CE-A1C6-5597F29F1067, small LPT model
> VFS: Mounted root (ubifs filesystem) readonly on device 0:14.
> devtmpfs: mounted
> integrity: Loaded X.509 cert 'IMA Certificate Authority:
> f1ca9f5d8e7302b74a277d1d09a6ce0c399171f9': /etc/keys/ima-x509.der
> integrity: Loaded X.509 cert 'IMA Certificate Authority:
> f1ca9f5d8e7302b74a277d1d09a6ce0c399171f9': /etc/keys/ima-x509.der
> Freeing unused kernel memory: 1024K
> imx-sdma 20ec000.sdma: external firmware not found, using ROM firmware
>
> INFO: task kworker/u2:1:126 blocked for more than 120 seconds.
>       Not tainted 4.9.44-fslc+g8f876e1 #2
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> kworker/u2:1    D    0   126    105 0x00000000
> [<808425a4>] (__schedule) from [<80842a34>] (schedule+0x4c/0xac)
> [<80842a34>] (schedule) from [<808451c8>] (rwsem_down_write_failed+0xf8/0x27c)
> [<808451c8>] (rwsem_down_write_failed) from [<803c4c40>]
> (process_measurement+0xe0/0x420)
> [<803c4c40>] (process_measurement) from [<803c4fa8>] (ima_file_check+0x28/0x30)
> [<803c4fa8>] (ima_file_check) from [<802365f4>] (path_openat+0x2a8/0x11c4)
> [<802365f4>] (path_openat) from [<802387b0>] (do_filp_open+0x5c/0xc0)
> [<802387b0>] (do_filp_open) from [<8022dad8>] (do_open_execat+0x60/0x160)
> [<8022dad8>] (do_open_execat) from [<8022fb34>] (do_execveat_common+0x188/0x71c)
> [<8022fb34>] (do_execveat_common) from [<802300ec>] (do_execve+0x24/0x2c)
> [<802300ec>] (do_execve) from [<80131478>]
> (call_usermodehelper_exec_async+0x124/0x1b0)
> [<80131478>] (call_usermodehelper_exec_async) from [<80107718>]
> (ret_from_fork+0x14/0x3c)
> Kernel panic - not syncing: hung_task: blocked tasks
> CPU: 0 PID: 14 Comm: khungtaskd Not tainted 4.9.44-fslc+g8f876e1 #2
> Hardware name: Freescale i.MX6 Ultralite (Device Tree)
> [<8010db5c>] (unwind_backtrace) from [<8010b718>] (show_stack+0x10/0x14)
> [<8010b718>] (show_stack) from [<801d8028>] (panic+0xd0/0x244)
> [<801d8028>] (panic) from [<801a1298>] (watchdog+0x320/0x3c4)
> [<801a1298>] (watchdog) from [<8013a640>] (kthread+0xf4/0x10c)
> [<8013a640>] (kthread) from [<80107718>] (ret_from_fork+0x14/0x3c)
>
> I'll try and debug some more at the weekend.
>
> -Martin.

After putting some printk's in process_measurement the problem seems
to be the inode for /bin/kmod is locked and then sometime before
calling ima_appraise_measurement and inode_unlock process_measurement
gets called again with the /bin/kmod inode and it hangs.

integrity_inode_get
ima_rdwr_violation_check  /lib/systemd/systemd
ima_collect_measurement
ima_appraise_measurement
process_measurement /bin/kmod
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /bin/kmod
ima_collect_measurement
ima_appraise_measurement
process_measurement /bin/kmod

hangs until hung_task_detector kicks in and resets.  My guess is that
on my board systemd is loading a kernel module which in turn loads
another dependent kernel module which is causing the problem.  I'll
see if I can get the name of the 2 modules being loaded

-Martin.

Re: [Linux-ima-user] EVM: Using a presigned image

[Martin T. <mto...@gm...>]

Hi,

[snip]
> After putting some printk's in process_measurement the problem seems
> to be the inode for /bin/kmod is locked and then sometime before
> calling ima_appraise_measurement and inode_unlock process_measurement
> gets called again with the /bin/kmod inode and it hangs.
>
> integrity_inode_get
> ima_rdwr_violation_check  /lib/systemd/systemd
> ima_collect_measurement
> ima_appraise_measurement
> process_measurement /bin/kmod
> inode_locked
> integrity_inode_get
> ima_rdwr_violation_check  /bin/kmod
> ima_collect_measurement
> ima_appraise_measurement
> process_measurement /bin/kmod
>
> hangs until hung_task_detector kicks in and resets.  My guess is that
> on my board systemd is loading a kernel module which in turn loads
> another dependent kernel module which is causing the problem.  I'll
> see if I can get the name of the 2 modules being loaded
>
> -Martin.


I put in a load of debug prints and now have the following trace.  It
looks to me that the problem is when systemd starts it tries to verify
it's signature which invokes
crypto_alloc_tfm: crypto_find_alg(pkcs1pad(rsa,sha1))
I checked my certificate creation and I'm using RSA and SHA1 so looks good.
so it tries to load the module for this which then tries to verify
/bin/kmod
which has been signed the same way so this also tries to load the
pkcs1pad(rsa,sha1) which the invokes /bin/kmod
and hence are in a deadlock situation.

Is the problem that earlier on in the trace it verifies the
ima-x509.der key and loads pkcs1pad(rsa,sha256) module
crypto_alloc_tfm: crypto_find_alg(pkcs1pad(rsa,sha256))
Does ima assume that sha256 will be used for signing?

Should I create my signing certificates with sha256?

Any help greatly appreciated,
Martin.


crypto_alloc_tfm: crypto_find_alg(crct10dif)
crypto_alloc_tfm: crypto_create_tfm(crct10dif)
crypto_alloc_tfm: crypto_find_alg(sha1)
crypto_alloc_tfm: crypto_create_tfm(sha1)
imx-sdma 20ec000.sdma: Direct firmware load for
imx/sdma/sdma-imx6q.bin failed with error -2
imx-sdma 20ec000.sdma: Falling back to user helper
__request_module: mdio:00000000000001111100000011110001
call_usermodehelper_exec_async: /sbin/modprobe -q --
mdio:00000000000001111100000011110001 106
cpu cpu0: dev_pm_opp_get_opp_count: OPP table not found (-19)
crypto_alloc_tfm: crypto_find_alg(sha1)
crypto_alloc_tfm: crypto_create_tfm(sha1)
crypto_alloc_tfm: crypto_find_alg(hmac(sha256))
__request_module: crypto-hmac(sha256)
call_usermodehelper_exec_async: /sbin/modprobe -q -- crypto-hmac(sha256) 111
__request_module: crypto-hmac(sha256)-all
call_usermodehelper_exec_async: /sbin/modprobe -q -- crypto-hmac(sha256)-all 112
crypto_alloc_tfm: crypto_create_tfm(hmac(sha256))
crypto_alloc_tfm: crypto_find_alg(sha256)
crypto_alloc_tfm: crypto_create_tfm(sha256)
crypto_alloc_tfm: crypto_find_alg(cbc(aes))
__request_module: crypto-cbc(aes)
call_usermodehelper_exec_async: /sbin/modprobe -q -- crypto-cbc(aes) 115
__request_module: crypto-cbc(aes)-all
call_usermodehelper_exec_async: /sbin/modprobe -q -- crypto-cbc(aes)-all 116
crypto_alloc_tfm: crypto_create_tfm(cbc(aes))
crypto_alloc_tfm: crypto_find_alg(sha1)
crypto_alloc_tfm: crypto_create_tfm(sha1)
process_measurement /etc/keys/ima-x509.der 1
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /etc/keys/ima-x509.der
ima_read_xattr? false
ima_get_hash_algo
ima_collect_measurement
ima_store_measurement
freeing xattr
inode unlock
inode_unlocked
crypto_alloc_tfm: crypto_find_alg(sha256)
crypto_alloc_tfm: crypto_create_tfm(sha256)
ASYM: ==>restrict_link_by_signature()
ASYM: ==>restrict_link_by_signature find_asymmetric_key()
ASYM: ==>restrict_link_by_signature verify_signature()
SIG: ==>verify_signature(1)
SIG: ==>verify_signature asymmetric_key_subtype()
SIG: ==>verify_signature subtype=80d4cad4
PKEY: ==>public_key_verify_signature() 1
PKEY: ==>public_key_verify_signature crypto_alloc_akcipher() 1
crypto_alloc_tfm: crypto_find_alg(pkcs1pad(rsa,sha256))
__request_module: crypto-pkcs1pad(rsa,sha256)
call_usermodehelper_exec_async: /sbin/modprobe -q --
crypto-pkcs1pad(rsa,sha256) 120
process_measurement /bin/kmod 120
inode_locked
ima_rdwr_violation_check  /bin/kmod
inode unlock
inode_unlocked
process_measurement /bin/kmod 120
inode_locked
integrity_inode_get
ima_read_xattr? false
ima_get_hash_algo
ima_collect_measurement
ima_store_measurement
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/ld-2.23.so 120
inode_locked
ima_rdwr_violation_check  /lib/ld-2.23.so
inode unlock
inode_unlocked
process_measurement /bin/kmod 120
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /bin/kmod
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/ld-2.23.so 120
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/ld-2.23.so
ima_read_xattr? false
ima_get_hash_algo
ima_collect_measurement
ima_store_measurement
freeing xattr
inode unlock
inode_unlocked
process_measurement /etc/ld.so.cache 120
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /etc/ld.so.cache
ima_read_xattr? false
ima_get_hash_algo
ima_collect_measurement
ima_store_measurement
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/libz.so.1.2.8 120
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/libz.so.1.2.8
ima_read_xattr? false
ima_get_hash_algo
ima_collect_measurement
ima_store_measurement
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/libz.so.1.2.8 120
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/libz.so.1.2.8
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/libc-2.23.so 120
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/libc-2.23.so
ima_read_xattr? false
ima_get_hash_algo
ima_collect_measurement
ima_store_measurement
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/libc-2.23.so 120
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/libc-2.23.so
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/modules/4.9.44-fslc+g8f876e1/modules.softdep 120
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/modules/4.9.44-fslc+g8f876e1/modules.softdep
ima_read_xattr? false
ima_get_hash_algo
ima_collect_measurement
ima_store_measurement
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/modules/4.9.44-fslc+g8f876e1/modules.dep.bin 120
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/modules/4.9.44-fslc+g8f876e1/modules.dep.bin
ima_read_xattr? false
ima_get_hash_algo
ima_collect_measurement
ima_store_measurement
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/modules/4.9.44-fslc+g8f876e1/modules.alias.bin 120
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/modules/4.9.44-fslc+g8f876e1/modules.alias.bin
ima_read_xattr? false
ima_get_hash_algo
ima_collect_measurement
ima_store_measurement
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/modules/4.9.44-fslc+g8f876e1/modules.symbols.bin 120
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/modules/4.9.44-fslc+g8f876e1/modules.symbols.bin
ima_read_xattr? false
ima_get_hash_algo
ima_collect_measurement
ima_store_measurement
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/modules/4.9.44-fslc+g8f876e1/modules.builtin.bin 120
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/modules/4.9.44-fslc+g8f876e1/modules.builtin.bin
ima_read_xattr? false
ima_get_hash_algo
ima_collect_measurement
ima_store_measurement
freeing xattr
inode unlock
inode_unlocked
__request_module: crypto-pkcs1pad(rsa,sha256)-all
call_usermodehelper_exec_async: /sbin/modprobe -q --
crypto-pkcs1pad(rsa,sha256)-all 121
process_measurement /bin/kmod 121
inode_locked
ima_rdwr_violation_check  /bin/kmod
inode unlock
inode_unlocked
process_measurement /bin/kmod 121
inode_locked
integrity_inode_get
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/ld-2.23.so 121
inode_locked
ima_rdwr_violation_check  /lib/ld-2.23.so
inode unlock
inode_unlocked
process_measurement /bin/kmod 121
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /bin/kmod
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/ld-2.23.so 121
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/ld-2.23.so
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /etc/ld.so.cache 121
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /etc/ld.so.cache
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/libz.so.1.2.8 121
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/libz.so.1.2.8
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/libz.so.1.2.8 121
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/libz.so.1.2.8
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/libc-2.23.so 121
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/libc-2.23.so
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/libc-2.23.so 121
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/libc-2.23.so
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/modules/4.9.44-fslc+g8f876e1/modules.softdep 121
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/modules/4.9.44-fslc+g8f876e1/modules.softdep
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/modules/4.9.44-fslc+g8f876e1/modules.dep.bin 121
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/modules/4.9.44-fslc+g8f876e1/modules.dep.bin
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/modules/4.9.44-fslc+g8f876e1/modules.alias.bin 121
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/modules/4.9.44-fslc+g8f876e1/modules.alias.bin
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/modules/4.9.44-fslc+g8f876e1/modules.symbols.bin 121
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/modules/4.9.44-fslc+g8f876e1/modules.symbols.bin
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
process_measurement /lib/modules/4.9.44-fslc+g8f876e1/modules.builtin.bin 121
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/modules/4.9.44-fslc+g8f876e1/modules.builtin.bin
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
crypto_alloc_tfm: crypto_create_tfm(pkcs1pad(rsa,sha256))
PKEY: ==>public_key_verify_signature akcipher_request_alloc() 1
PKEY: ==>public_key_verify_signature crypto_akcipher_set_pub_key() 1
PKEY: ==>public_key_verify_signature crypto_akcipher_maxsize() 1
PKEY: ==>public_key_verify_signature akcipher_request_set_crypt() 1
PKEY: ==>public_key_verify_signature crypto_akcipher_verify() 1
PKEY: ==>public_key_verify_signature crypto_akcipher_verify() finished: 0
PKEY: <==public_key_verify_signature done
PKEY: <==public_key_verify_signature() returning = 0
SIG: <==verify_signature() = 0
ASYM: ==>restrict_link_by_signature verify_signature() ret:0
process_measurement /etc/keys/ima-x509.der 1
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /etc/keys/ima-x509.der
ima_get_cache_status? false
freeing xattr
inode unlock
inode_unlocked
crypto_alloc_tfm: crypto_find_alg(sha256)
crypto_alloc_tfm: crypto_create_tfm(sha256)
ASYM: ==>restrict_link_by_signature()
ASYM: ==>restrict_link_by_signature find_asymmetric_key()
ASYM: ==>restrict_link_by_signature verify_signature()
SIG: ==>verify_signature(1)
SIG: ==>verify_signature asymmetric_key_subtype()
SIG: ==>verify_signature subtype=80d4cad4
PKEY: ==>public_key_verify_signature() 1
PKEY: ==>public_key_verify_signature crypto_alloc_akcipher() 1
crypto_alloc_tfm: crypto_find_alg(pkcs1pad(rsa,sha256))
crypto_alloc_tfm: crypto_create_tfm(pkcs1pad(rsa,sha256))
PKEY: ==>public_key_verify_signature akcipher_request_alloc() 1
PKEY: ==>public_key_verify_signature crypto_akcipher_set_pub_key() 1
PKEY: ==>public_key_verify_signature crypto_akcipher_maxsize() 1
PKEY: ==>public_key_verify_signature akcipher_request_set_crypt() 1
PKEY: ==>public_key_verify_signature crypto_akcipher_verify() 1
PKEY: ==>public_key_verify_signature crypto_akcipher_verify() finished: 0
PKEY: <==public_key_verify_signature done
PKEY: <==public_key_verify_signature() returning = 0
SIG: <==verify_signature() = 0
ASYM: ==>restrict_link_by_signature verify_signature() ret:0
process_measurement /lib/systemd/systemd 1
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /lib/systemd/systemd
ima_read_xattr? true
ima_get_hash_algo
ima_collect_measurement
ima_appraise_measurement
evm_verifyxattr
evm_verifyxattr 1
evm_verifyxattr cache:96524210
evm_verify_hmac
evm_verify_hmac
EVM_IMA_XATTR_DIGSIG evm_calc_hash
crypto_alloc_tfm: crypto_find_alg(sha1)
crypto_alloc_tfm: crypto_create_tfm(sha1)
rc=0
integrity_digsig_verify
integrity_digsig_verify 1
got key 2
asymmetric_verify
asymmetric_verify
request_asymmetric_key
verify_signature
SIG: ==>verify_signature(1)
SIG: ==>verify_signature asymmetric_key_subtype()
SIG: ==>verify_signature subtype=80d4cad4
PKEY: ==>public_key_verify_signature() 1
PKEY: ==>public_key_verify_signature crypto_alloc_akcipher() 1
crypto_alloc_tfm: crypto_find_alg(pkcs1pad(rsa,sha1))
__request_module: crypto-pkcs1pad(rsa,sha1)
call_usermodehelper_exec_async: /sbin/modprobe -q --
crypto-pkcs1pad(rsa,sha1) 124
process_measurement /bin/kmod 124
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /bin/kmod
ima_read_xattr? true
ima_get_hash_algo
ima_collect_measurement
ima_appraise_measurement
evm_verifyxattr
evm_verifyxattr 124
evm_verifyxattr cache:96524030
evm_verify_hmac
evm_verify_hmac
EVM_IMA_XATTR_DIGSIG evm_calc_hash
rc=0
integrity_digsig_verify
integrity_digsig_verify 124
got key 2
asymmetric_verify
asymmetric_verify
request_asymmetric_key
verify_signature
SIG: ==>verify_signature(124)
SIG: ==>verify_signature asymmetric_key_subtype()
SIG: ==>verify_signature subtype=80d4cad4
PKEY: ==>public_key_verify_signature() 124
PKEY: ==>public_key_verify_signature crypto_alloc_akcipher() 124
crypto_alloc_tfm: crypto_find_alg(pkcs1pad(rsa,sha1))
__request_module: crypto-pkcs1pad(rsa,sha1)
call_usermodehelper_exec_async: /sbin/modprobe -q --
crypto-pkcs1pad(rsa,sha1) 126
process_measurement /bin/kmod 126