From: Tao <baa...@gm...> - 2015-12-23 16:29:04
Hi,

I am trying the IMA appraisal function on a CentOS7 minimal installation machine. By default, this distribution ships with a compiled kernel that supports IMA functions. Kernel version is 3.10.0.

I followed the instructions on the following two web pages.

http://sourceforge.net/p/linux-ima/wiki/Home/

https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture

It works fine with the measurement functions and IMA appraisal without digital signatures. I activated the i_version flag in the root filesystem in the boot command line and changed the mount option in the /etc/fstab file.

Since right now I am just testing the capability of IMA, I set a custom policy to only appraise the files belonging to a user named "temp" and added "ima_appraise=enforce" to the boot command line.

Then I use 'evmctl ima_hash file' and it works fine. I can see the security.ima extended attribute with the 'getfattr' command. And after I change the owner of the file to temp, I can still open it and execute it.

The problem is with the ima_sign function provided by evmctl. Following the instructions, I create a new keyring in the system by launching the following commands:

openssl genrsa -out privkey_evm.pem 1024

openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem

ima_id=`keyctl newring _ima @u`

evmctl import --rsa /etc/keys/pubkey_evm.pem $ima_id

evmctl ima_sign --rsa file -v

Until this point, I can see the hash value, the keyid, sighash and evm/ima signature. And I also can see the security.ima attribute has become 274 bytes long.

Then I launch:

evmctl ima_verify --rsa file -v

and I can see the hash is correct and the sighash is the same one shown with the above command. And the verification is OK.

But after I change the ownership of the file to user 'temp', whose files are set to be appraised, and try to run the same ima_verify again, it gives an error with the following message:

[8621.067731] digsig: key not found, id:DE253B20DFD8E3
Fail to open: file
Errno: Permission denied (13)

With the 'keyctl show' command, I can see the sub-attributes of keyring: _uid.0, named _ima and DE253B20DFD8E3.

Can anyone enlighten me as to what the possible error is? I followed exactly the procedure described in the wiki page. Or has something changed?

Thank you very much for your time and best wishes!

Tao
From: Mimi Z. <zo...@li...> - 2015-12-23 17:51:19
On Wed, 2015-12-23 at 17:28 +0100, Tao wrote:
> Hi,
>
> I am trying the IMA appraisal function on a CentOS7 minimal installation
> machine. By default, this distribution ships with a compiled kernel that
> supports IMA functions. Kernel version is 3.10.0.
>
> I followed the instructions on the following two web pages.
>
> http://sourceforge.net/p/linux-ima/wiki/Home/
>
> https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture
>
> It works fine with the measurement functions and IMA appraisal without
> digital signatures. I activated the i_version flag in the root filesystem in
> the boot command line and changed the mount option in the /etc/fstab file.
>
> Since right now I am just testing the capability of IMA, I set a
> custom policy to only appraise the files belonging to a user named "temp"
> and added "ima_appraise=enforce" to the boot command line.
>
> Then I use 'evmctl ima_hash file' and it works fine. I can see the
> security.ima extended attribute with the 'getfattr' command. And after I
> change the owner of the file to temp, I can still open it and execute it.

Does the reverse also work, meaning if a file owned by temp isn't
signed, can you execute it?

> The problem is with the ima_sign function provided by evmctl. Following
> the instructions, I create a new keyring in the system by launching the
> following commands:
>
> openssl genrsa -out privkey_evm.pem 1024
>
> openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
>
> ima_id=`keyctl newring _ima @u`

Try logging in as root or "su - ", not using "sudo" to create the "_ima"
keyring.

> evmctl import --rsa /etc/keys/pubkey_evm.pem $ima_id
>
> evmctl ima_sign --rsa file -v
>
> Until this point, I can see the hash value, the keyid, sighash and
> evm/ima signature. And I also can see the security.ima attribute has
> become 274 bytes long.
>
> Then I launch:
>
> evmctl ima_verify --rsa file -v
>
> and I can see the hash is correct and the sighash is the same one shown with
> the above command. And the verification is OK.
>
> But after I change the ownership of the file to user
> 'temp', whose files are set to be appraised, and try to run the same
> ima_verify again, it gives an error with the following message:
>
> [8621.067731] digsig: key not found, id:DE253B20DFD8E3

Probably "_ima" is not on root's keyring.

Mimi

> Fail to open: file
>
> Errno: Permission denied (13)
>
> With the 'keyctl show' command, I can see the
> sub-attributes of keyring: _uid.0, named _ima and DE253B20DFD8E3.
>
> Can anyone enlighten me as to what the possible error is? I followed exactly
> the procedure described in the wiki page. Or has something changed?
>
> Thank you very much for your time and best wishes!
From: Tao <baa...@gm...> - 2015-12-23 19:02:45
Hi Mimi,

Thank you very much for your reply.

My answers are in-line.

Another issue: when I open the file with vi or vim and make some modifications to the file, the security.ima attribute will disappear. But when I use nano to edit the file, the value of security.ima will be updated. I am not sure if this is another issue.

Best wishes!

Tao

On 12/23/2015 6:50 PM, Mimi Zohar wrote:
> On Wed, 2015-12-23 at 17:28 +0100, Tao wrote:
>> Hi,
>>
>> I am trying the IMA appraisal function on a CentOS7 minimal installation
>> machine. By default, this distribution ships with a compiled kernel that
>> supports IMA functions. Kernel version is 3.10.0.
>>
>> I followed the instructions on the following two web pages.
>>
>> http://sourceforge.net/p/linux-ima/wiki/Home/
>>
>> https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture
>>
>> It works fine with the measurement functions and IMA appraisal without
>> digital signatures. I activated the i_version flag in the root filesystem in
>> the boot command line and changed the mount option in the /etc/fstab file.
>>
>> Since right now I am just testing the capability of IMA, I set a
>> custom policy to only appraise the files belonging to a user named "temp"
>> and added "ima_appraise=enforce" to the boot command line.
>>
>> Then I use 'evmctl ima_hash file' and it works fine. I can see the
>> security.ima extended attribute with the 'getfattr' command. And after I
>> change the owner of the file to temp, I can still open it and execute it.
> Does the reverse also work, meaning if a file owned by temp isn't
> signed, can you execute it?

If the file's hash is correct, but it is not signed, it can still be executed. As I understand it, the 'ima_hash' function only computes the hash value of the file and stores it in the security.ima attribute, so if the security.ima attribute is not signature based, the appraisal will succeed, and then it should be able to be executed.

>> The problem is with the ima_sign function provided by evmctl. Following
>> the instructions, I create a new keyring in the system by launching the
>> following commands:
>>
>> openssl genrsa -out privkey_evm.pem 1024
>>
>> openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
>>
>> ima_id=`keyctl newring _ima @u`
> Try logging in as root or "su - ", not using "sudo" to create the "_ima"
> keyring.

I always login as root, since I am just testing in a virtual machine; with the root account, it is more convenient.

>
>> evmctl import --rsa /etc/keys/pubkey_evm.pem $ima_id
>>
>> evmctl ima_sign --rsa file -v
>>
>> Until this point, I can see the hash value, the keyid, sighash and
>> evm/ima signature. And I also can see the security.ima attribute has
>> become 274 bytes long.
>>
>> Then I launch:
>>
>> evmctl ima_verify --rsa file -v
>>
>> and I can see the hash is correct and the sighash is the same one shown with
>> the above command. And the verification is OK.
>>
>> But after I change the ownership of the file to user
>> 'temp', whose files are set to be appraised, and try to run the same
>> ima_verify again, it gives an error with the following message:
>>
>> [8621.067731] digsig: key not found, id:DE253B20DFD8E3
> Probably "_ima" is not on root's keyring.

It should be, because when I execute 'keyctl show', I can see _ima as a sub keyring of keyring: _uid.0, but the system still shows that:

digsig: key not found, id:DE253B20DFD8E3

Any other thoughts?

>
> Mimi
>
>> Fail to open: file
>>
>> Errno: Permission denied (13)
>>
>> With the 'keyctl show' command, I can see the
>> sub-attributes of keyring: _uid.0, named _ima and DE253B20DFD8E3.
>>
>> Can anyone enlighten me as to what the possible error is? I followed exactly
>> the procedure described in the wiki page. Or has something changed?
>>
>> Thank you very much for your time and best wishes!
>
From: Mimi Z. <zo...@li...> - 2015-12-23 20:36:27
On Wed, 2015-12-23 at 20:02 +0100, Tao wrote:
> Hi Mimi,
>
> Thank you very much for your reply.
>
> My answers are in-line.
>
> Another issue: when I open the file with vi or vim and make some
> modifications to the file,
> the security.ima attribute will disappear. But when I use nano to edit
> the file, the value of
> security.ima will be updated. I am not sure if this is another issue.

"vi" doesn't edit the existing file, but creates a new file. Look at
the inode (stat <pathname>) associated with the file before and after
using "vi".

(Your email is still mangled.)

> >> But after I change the ownership of the file to user
> >> 'temp', whose files are set to be appraised, and try to run the same
> >> ima_verify again, it gives an error with the following message:
> >>
> >> [8621.067731] digsig: key not found, id:DE253B20DFD8E3
> > Probably "_ima" is not on root's keyring.
> It should be, because when I execute 'keyctl show', I can see _ima as a
> sub keyring of keyring: _uid.0,
> but the system still shows that:
>
> digsig: key not found, id:DE253B20DFD8E3
>
> Any other thoughts?

The keyid lookup was broken and fixed twice. Perhaps one of these
commits was backported to RHEL 7 without the corresponding fixes.

- Commit 46963b7 "KEYS: Overhaul key identification when searching for
  asymmetric keys" broke the keyid lookup. Commit f1b731d "KEYS:
  Restore partial ID matching functionality for asymmetric keys" fixed it.

- Commit 46963b774d44 "KEYS: Overhaul key identification when searching
  for asymmetric keys" broke the keyid lookup. Commit f2b3dee "KEYS: fix
  "ca_keys=" partial key matching" fixed it.

Mimi
From: Baal Su <baa...@gm...> - 2016-01-11 15:58:47
> On 23 Dec 2015, at 21:35, Mimi Zohar <zo...@li...> wrote:
>
> On Wed, 2015-12-23 at 20:02 +0100, Tao wrote:
>> Hi Mimi,
>>
>> Thank you very much for your reply.
>>
>> My answers are in-line.
>>
>> Another issue: when I open the file with vi or vim and make some
>> modifications to the file,
>> the security.ima attribute will disappear. But when I use nano to edit
>> the file, the value of
>> security.ima will be updated. I am not sure if this is another issue.
>
> "vi" doesn't edit the existing file, but creates a new file. Look at
> the inode (stat <pathname>) associated with the file before and after
> using "vi".
>
> (Your email is still mangled.)
>
>>>> But after I change the ownership of the file to user
>>>> 'temp', whose files are set to be appraised, and try to run the same
>>>> ima_verify again, it gives an error with the following message:
>>>>
>>>> [8621.067731] digsig: key not found, id:DE253B20DFD8E3
>>> Probably "_ima" is not on root's keyring.
>> It should be, because when I execute 'keyctl show', I can see _ima as a
>> sub keyring of keyring: _uid.0,
>> but the system still shows that:
>>
>> digsig: key not found, id:DE253B20DFD8E3
>>
>> Any other thoughts?
>
> The keyid lookup was broken and fixed twice. Perhaps one of these
> commits was backported to RHEL 7 without the corresponding fixes.
>
> - Commit 46963b7 "KEYS: Overhaul key identification when searching for
>   asymmetric keys" broke the keyid lookup. Commit f1b731d "KEYS:
>   Restore partial ID matching functionality for asymmetric keys" fixed it.
>
> - Commit 46963b774d44 "KEYS: Overhaul key identification when searching
>   for asymmetric keys" broke the keyid lookup. Commit f2b3dee "KEYS: fix
>   "ca_keys=" partial key matching" fixed it.
>

Hi Mimi,

Thank you for your reply.

I tried to recompile the kernel to 4.1.15, which is the latest longterm version. But the aforementioned problem still exists.

When I run "keyctl show", I can see the following output:

Session Keyring
 841881916 --alswrv      0     0  keyring: _ses
1060565120 --alswrv      0 65534  \_ keyring: _uid.0
 332490404 --alswrv      0     0  \_ keyring: _ima
 452725264 --alswrv      0     0  \_ user: 821C0DFD4C617DA

But when I want to read from a file under appraisal with enforce mode, it still shows:

[ 358.334856] digsig: key not found, id: 821C0DFD4C617DA
cat: file: Permission denied

Should I try with a more recent kernel?

Thank you for your time and best wishes!

Tao

> Mimi
>
From: Mark D. B. <md...@ju...> - 2016-01-11 17:16:35
Hi Baal,

...elided...

> When I run "keyctl show", I can see the following output:

...elided...

You may wish to consider

keyctl show %keyring:.ima

to look at the global .ima keyring rather than the _ima local user keyring.

You could also dump all keyring information at once by doing

cat /proc/keys

(if you have compiled your kernel with CONFIG_KEYS=y)

--
Mark
From: Mimi Z. <zo...@li...> - 2016-01-11 19:53:18
On Mon, 2016-01-11 at 16:58 +0100, Baal Su wrote:
> Hi Mimi,
>
> Thank you for your reply.
>
> I tried to recompile the kernel to 4.1.15, which is the latest longterm version. But the aforementioned problem still exists.
>
> When I run "keyctl show", I can see the following output:
>
> Session Keyring
>  841881916 --alswrv      0     0  keyring: _ses
> 1060565120 --alswrv      0 65534  \_ keyring: _uid.0
>  332490404 --alswrv      0     0  \_ keyring: _ima
>  452725264 --alswrv      0     0  \_ user: 821C0DFD4C617DA

It doesn't look like there are any keys on the _ima keyring. Try
listing the keys on the keyring: keyctl list `keyctl search @u keyring _ima`

>
> But when I want to read from a file under appraisal with enforce mode, it still shows:
>
> [ 358.334856] digsig: key not found, id: 821C0DFD4C617DA
> cat: file: Permission denied

Only asymmetric keys should be on the IMA keyring, not user.

Mimi

> Should I try with a more recent kernel?
>
> Thank you for your time and best wishes!
From: Baal Su <baa...@gm...> - 2016-01-12 12:16:27
> On 11 Jan 2016, at 20:53, Mimi Zohar <zo...@li...> wrote:
>
> On Mon, 2016-01-11 at 16:58 +0100, Baal Su wrote:
>
>> Hi Mimi,
>>
>> Thank you for your reply.
>>
>> I tried to recompile the kernel to 4.1.15, which is the latest longterm version. But the aforementioned problem still exists.
>>
>> When I run "keyctl show", I can see the following output:
>>
>> Session Keyring
>>  841881916 --alswrv      0     0  keyring: _ses
>> 1060565120 --alswrv      0 65534  \_ keyring: _uid.0
>>  332490404 --alswrv      0     0  \_ keyring: _ima
>>  452725264 --alswrv      0     0  \_ user: 821C0DFD4C617DA
>
> It doesn't look like there are any keys on the _ima keyring. Try
> listing the keys on the keyring: keyctl list `keyctl search @u keyring
> _ima`
>

Hi Mimi and Mark,

There is a mistake in the previous output; the correct one is the following:

Session Keyring
 841881916 --alswrv      0     0  keyring: _ses
1060565120 --alswrv      0 65534   \_ keyring: _uid.0
 332490404 --alswrv      0     0       \_ keyring: _ima
 452725264 --alswrv      0     0           \_ user: 821C0DFD4C617DA

The '\_ user: 821C0DFD4C617DA' is the sub level of the keyring _ima.

When I list the keys on the keyring, I can see the following output:

1 key in keyring:
6747479103 --alswrv      0     0  user: 821C0DFD4C617DA

But when I try to read this file, which belongs to another user whose files are appraised, it still shows the same error as the following.

Following Mark's suggestion, I tried to show the keys belonging to the global .ima keyring; there is no key under it.

>
>>
>> But when I want to read from a file under appraisal with enforce mode, it still shows:
>>
>> [ 358.334856] digsig: key not found, id: 821C0DFD4C617DA
>> cat: file: Permission denied
>
> Only asymmetric keys should be on the IMA keyring, not user.

I follow the instructions in the wiki page <http://sourceforge.net/p/linux-ima/wiki/Home/#imaevm-keyrings-loading-the-public-keys> to load the public keys, but instead of an x509 certificate, I just use the RSA key pair. Is there any change in the new version of the code?

Because when I tried to load the public key, if I omit the '--rsa' option, it shows 'd2i_x509_fp() failed', but this is not mentioned in the wiki.

Please let me know if you have some idea why this error happens.

Thank you very much for your time and best wishes!

Tao

>
> Mimi
>
>> Should I try with a more recent kernel?
>>
>> Thank you for your time and best wishes!
>
From: Mimi Z. <zo...@li...> - 2016-01-12 13:33:45
On Tue, 2016-01-12 at 13:16 +0100, Baal Su wrote:
> > On 11 Jan 2016, at 20:53, Mimi Zohar <zo...@li...> wrote:
> >
> > On Mon, 2016-01-11 at 16:58 +0100, Baal Su wrote:

> But when I try to read this file, which belongs to another user whose
> files are appraised, it still shows the same error as the following.
>
> Following Mark's suggestion, I tried to show the keys belonging to the
> global .ima keyring; there is no key under it.

If CONFIG_IMA_TRUSTED_KEYRING is enabled, the IMA keyring name is .ima,
otherwise it is _ima.

> >>
> >> But when I want to read from a file under appraisal with enforce mode, it still shows:
> >>
> >> [ 358.334856] digsig: key not found, id: 821C0DFD4C617DA
> >> cat: file: Permission denied
> >
> > Only asymmetric keys should be on the IMA keyring, not user.
>
> I follow the instructions in the wiki page
> <http://sourceforge.net/p/linux-ima/wiki/Home/#imaevm-keyrings-loading-the-public-keys> to load the public keys, but instead of an x509 certificate, I just use the RSA key pair.

Why don't you follow the directions first, before making changes, and
see if that works. You'll need the ima-evm-utils package.

Mimi
From: Baal Su <baa...@gm...> - 2016-01-12 15:16:13
> On 12 Jan 2016, at 14:32, Mimi Zohar <zo...@li...> wrote:
>
> On Tue, 2016-01-12 at 13:16 +0100, Baal Su wrote:
>>> On 11 Jan 2016, at 20:53, Mimi Zohar <zo...@li...> wrote:
>>>
>>> On Mon, 2016-01-11 at 16:58 +0100, Baal Su wrote:
>
>> But when I try to read this file, which belongs to another user whose
>> files are appraised, it still shows the same error as the following.
>>
>> Following Mark's suggestion, I tried to show the keys belonging to the
>> global .ima keyring; there is no key under it.
>
> If CONFIG_IMA_TRUSTED_KEYRING is enabled, the IMA keyring name is .ima,
> otherwise it is _ima.

I checked the config file in the boot directory; "CONFIG_IMA_TRUSTED_KEYRING" is enabled.

I tried to change the keyring from _ima to .ima, in this command:

ima_id=`keyctl newring .ima @u`

The result is:

add_key: Operation not permitted

>
>>>>
>>>> But when I want to read from a file under appraisal with enforce mode, it still shows:
>>>>
>>>> [ 358.334856] digsig: key not found, id: 821C0DFD4C617DA
>>>> cat: file: Permission denied
>>>
>>> Only asymmetric keys should be on the IMA keyring, not user.
>>
>> I follow the instructions in the wiki page
>> <http://sourceforge.net/p/linux-ima/wiki/Home/#imaevm-keyrings-loading-the-public-keys> to load the public keys, but instead of an x509 certificate, I just use the RSA key pair.
>
> Why don't you follow the directions first, before making changes, and
> see if that works. You'll need the ima-evm-utils package.

I already use the latest ima-evm-utils package compiled from source code, and use the script in the examples directory to create the RSA key pair. But it does not work following the instructions in the wiki page.

Here are the commands I used, just in case some steps are wrong:

git clone git://git.code.sf.net/p/linux-ima/ima-evm-utils
cd ima-evm-utils
(build the source code with the steps on the wiki page)
cd examples
./ima-genkey-self.sh
cp privkey_evm.pem /etc/keys/
cp pubkey_evm.pem /etc/keys/
ima_id=`keyctl newring _ima @u`
evmctl import --rsa /etc/keys/pubkey_evm.pem $ima_id
evmctl ima_sign --rsa file -v
evmctl ima_verify --rsa file -v

Up to this step, I can see the verification is OK. Then I change the owner of this file to user 'temp', whose files are set to be appraised by the ima-policy. But when I try to read the content of the file with cat, permission is denied with:

[ 358.334856] digsig: key not found, id: 821C0DFD4C617DA
cat: file: Permission denied

Please let me know if some commands are not correct or some steps are missing.

Thank you very much for your time and best wishes!

Tao

>
> Mimi
>
From: Mimi Z. <zo...@li...> - 2016-01-12 15:57:02
On Tue, 2016-01-12 at 16:16 +0100, Baal Su wrote:
> > On 12 Jan 2016, at 14:32, Mimi Zohar <zo...@li...> wrote:
> >
> > On Tue, 2016-01-12 at 13:16 +0100, Baal Su wrote:
> >>> On 11 Jan 2016, at 20:53, Mimi Zohar <zo...@li...> wrote:
> >>>
> >>> On Mon, 2016-01-11 at 16:58 +0100, Baal Su wrote:
> >
> >> But when I try to read this file, which belongs to another user whose
> >> files are appraised, it still shows the same error as the following.
> >>
> >> Following Mark's suggestion, I tried to show the keys belonging to the
> >> global .ima keyring; there is no key under it.
> >
> > If CONFIG_IMA_TRUSTED_KEYRING is enabled, the IMA keyring name is .ima,
> > otherwise it is _ima.
>
> I checked the config file in the boot directory; "CONFIG_IMA_TRUSTED_KEYRING" is enabled.
>
> I tried to change the keyring from _ima to .ima, in this command:
>
> ima_id=`keyctl newring .ima @u`
>
> The result is:
>
> add_key: Operation not permitted

Userspace can not create dot prefixed keyrings, only the kernel can
create trusted keyrings. Keys added to the .ima keyring need to be
signed by a key on the system keyring. There are a couple of ways of
doing that:

- build your CA key into the kernel
- On systems with RedHat's UEFI/MOK patches, install your CA key into
  the UEFI MoK db
- Mehmet Kalyaap posted a patch for reserving memory in the kernel for
  additional keys. This patch has not yet been upstreamed.

Mimi
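As an added illustration of the lookup discussed in this thread (my own example, not code from the kernel or ima-evm-utils), the following Python decodes a security.ima signature value the way the kernel does and reports which keyring and which key it will search for: a v1 (`--rsa`) signature carries an 8-byte keyid looked up as a "user" key, a v2 signature a 4-byte keyid looked up as an "asymmetric" key, and with CONFIG_IMA_TRUSTED_KEYRING the keyring is .ima rather than _ima. The sample blobs are constructed (the signature bytes are filler, not real signatures); the keyid 821C0DFD4C617DA is the one reported in the thread, the v2 keyid is made up.

```python
"""Decode a security.ima signature xattr and report the key the kernel looks up."""
import struct

EVM_IMA_XATTR_DIGSIG = 0x03   # security.ima type byte for a digital signature
PUBKEY_ALGO_RSA = 0           # enum pubkey_algo, include/linux/digsig.h
DIGEST_ALGO_SHA1 = 0          # enum digest_algo, include/linux/digsig.h


def parse_ima_sig(blob):
    """Return a dict describing a v1 or v2 security.ima signature blob."""
    if len(blob) < 2 or blob[0] != EVM_IMA_XATTR_DIGSIG:
        raise ValueError("not an EVM_IMA_XATTR_DIGSIG value")
    version = blob[1]
    if version == 1:
        # struct signature_hdr (lib/digsig.c): version, timestamp[4], algo,
        # hash, keyid[8], nmpi, then one MPI (2-byte bit length + bytes).
        if len(blob) < 19:
            raise ValueError("v1 header truncated")
        _ts, algo, hsh, keyid, nmpi = struct.unpack_from(">IBB8sB", blob, 2)
        if algo != PUBKEY_ALGO_RSA or hsh != DIGEST_ALGO_SHA1 or nmpi != 1:
            raise ValueError("unsupported v1 algorithm fields")
        mpi_bits = struct.unpack_from(">H", blob, 17)[0]
        sig = blob[19:19 + (mpi_bits + 7) // 8]
        # lib/digsig.c builds the name with "%llX" of the big-endian keyid,
        # so leading zeros are dropped, and searches a "user" type key
        # (the description evmctl import --rsa registers).
        return {"version": 1, "key_type": "user",
                "description": "%X" % int.from_bytes(keyid, "big"),
                "sig_len": len(sig)}
    if version == 2:
        # struct signature_v2_hdr: type, version, hash_algo, keyid[4] (BE),
        # sig_size[2] (BE), then the raw signature bytes.
        if len(blob) < 9:
            raise ValueError("v2 header truncated")
        hash_algo, keyid, sig_size = struct.unpack_from(">BIH", blob, 2)
        # digsig_asymmetric.c searches an "asymmetric" key named "id:%08x";
        # a "user" key with a matching name can never satisfy this lookup.
        return {"version": 2, "key_type": "asymmetric",
                "description": "id:%08x" % keyid, "hash_algo": hash_algo,
                "sig_len": len(blob[9:9 + sig_size])}
    raise ValueError("unknown signature version %d" % version)


def ima_keyring_name(trusted_keyring):
    """.ima (kernel-created; userspace cannot make dot-prefixed keyrings)
    when CONFIG_IMA_TRUSTED_KEYRING=y, otherwise the user-created _ima."""
    return ".ima" if trusted_keyring else "_ima"


def diagnose(blob, trusted_keyring, loaded):
    """Compare the kernel's expected lookup with the keys actually loaded.
    `loaded` is a list of (keyring, key_type, description) as seen in
    `keyctl show` output."""
    info = parse_ima_sig(blob)
    want = (ima_keyring_name(trusted_keyring), info["key_type"], info["description"])
    if want in loaded:
        return "ok: %s key %s found on %s" % (want[1], want[2], want[0])
    return "digsig lookup will fail: need %s key %r on %s, loaded: %r" % (
        want[1], want[2], want[0], loaded)


# Constructed samples: a v1 RSA-1024 blob with the thread's keyid (147 bytes)
# and a v2 blob with a made-up keyid (137 bytes, i.e. 274 hex characters).
KEYID_V1 = bytes.fromhex("0821C0DFD4C617DA")
SAMPLE_V1 = (bytes([EVM_IMA_XATTR_DIGSIG, 1]) + b"\x00" * 4
             + bytes([PUBKEY_ALGO_RSA, DIGEST_ALGO_SHA1]) + KEYID_V1 + b"\x01"
             + (1024).to_bytes(2, "big") + b"\xab" * 128)
SAMPLE_V2 = (bytes([EVM_IMA_XATTR_DIGSIG, 2, 0x04]) + bytes.fromhex("0A1B2C3D")
             + (128).to_bytes(2, "big") + b"\xcd" * 128)

if __name__ == "__main__":
    # The thread's situation: the key sits on _ima but the kernel has the
    # trusted keyring enabled and therefore searches .ima.
    loaded = [("_ima", "user", "821C0DFD4C617DA")]
    print(diagnose(SAMPLE_V1, trusted_keyring=True, loaded=loaded))
    print(diagnose(SAMPLE_V1, trusted_keyring=False, loaded=loaded))
```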
From: Baal Su <baa...@gm...> - 2016-01-12 16:05:13
> On 12 Jan 2016, at 16:55, Mimi Zohar <zo...@li...> wrote:
>
> On Tue, 2016-01-12 at 16:16 +0100, Baal Su wrote:
>>> On 12 Jan 2016, at 14:32, Mimi Zohar <zo...@li...> wrote:
>>>
>>> On Tue, 2016-01-12 at 13:16 +0100, Baal Su wrote:
>>>>> On 11 Jan 2016, at 20:53, Mimi Zohar <zo...@li...> wrote:
>>>>>
>>>>> On Mon, 2016-01-11 at 16:58 +0100, Baal Su wrote:
>>>
>>>> But when I try to read this file, which belongs to another user whose
>>>> files are appraised, it still shows the same error as the following.
>>>>
>>>> Following Mark's suggestion, I tried to show the keys belonging to the
>>>> global .ima keyring; there is no key under it.
>>>
>>> If CONFIG_IMA_TRUSTED_KEYRING is enabled, the IMA keyring name is .ima,
>>> otherwise it is _ima.
>>
>> I checked the config file in the boot directory; "CONFIG_IMA_TRUSTED_KEYRING" is enabled.
>>
>> I tried to change the keyring from _ima to .ima, in this command:
>>
>> ima_id=`keyctl newring .ima @u`
>>
>> The result is:
>>
>> add_key: Operation not permitted
>
> Userspace can not create dot prefixed keyrings, only the kernel can
> create trusted keyrings. Keys added to the .ima keyring need to be
> signed by a key on the system keyring. There are a couple of ways of
> doing that:
>
> - build your CA key into the kernel
> - On systems with RedHat's UEFI/MOK patches, install your CA key into
>   the UEFI MoK db
> - Mehmet Kalyaap posted a patch for reserving memory in the kernel for
>   additional keys. This patch has not yet been upstreamed.

Thank you Mimi, I will try these methods and let you know the results.

Best wishes!

Tao

>
> Mimi