From: Subodh N. <nij...@gm...> - 2011-09-12 18:50:40

Hello, I have been using the repo that Dmitry pointed to a few days ago to get familiar with the IMA/EVM feature set. I work for an embedded hw/sw company and we are greatly interested in this feature; it is exactly what we are looking for to assure customers that the stuff running on our device is not being compromised.

Anyway, I have compiled the kernel as described at http://linux-ima.sourceforge.net/. For testing I am running this kernel to boot an Ubuntu system under VirtualBox. I am running the evm_enable.sh script that is part of evm-utils. So I booted the system with kernel parameters rootflags=i_version ima_audit=1 ima_appraise=fix evm=fix and ran the script evm_label_all.sh.

I created a test script called /bin/myscript.sh; this script had the following security.* info (this script just does echo "Hello World"):

# file: bin/myscript.sh
security.evm=0x02be034301cffd95fd237197ddf895d1e7e09ceed2
security.ima=0x01c0c5e04cf9c08652faf0247afb19c6d708ccf5ba

Now I rebooted this machine with kernel parameters rootflags=i_version ima_audit=1 ima_tcb, then I updated /bin/myscript.sh to say echo "Hello World1". This updates the security.* info on this file as shown below:

# file: bin/myscript.sh
security.evm=0x02acf40095e80e65a44c50724b723dea8363f1e26ebe
security.ima=0x01dc29420238f18fca4e06d970eec75725a36373ee

keyctl shows the following output:

sudo keyctl list @u
4 keys in keyring:
666858261: --alswrv 0 0 user: kmk
461487313: --alswrv 0 0 encrypted: evm-key
715895674: --alswrv 0 0 keyring: _ima
793114560: --alswrv 0 0 keyring: _evm

But I expected that since I booted the system with ima_tcb I shouldn't be able to execute the updated myscript.sh? What am I doing wrong in doing the basic IMA/EVM test? I also see a bunch of "no evm keyring: -126" messages in the log; a few instances from the log are shown below.

[ 342.476799] type=1804 audit(1315852167.927:2686): pid=1548 uid=1000 auid=4294967295 ses=4294967295 op="add_template_measure" cause="hash_added" comm="bash" name="/bin/more" dev=sda1 ino=97 res=0
[ 416.364434] no evm keyring: -126
[ 425.707144] no evm keyring: -126
[ 425.707883] type=1804 audit(1315852251.155:2687): pid=1583 uid=1000 auid=4294967295 ses=4294967295 op="add_template_measure" cause="hash_added" comm="bash" name="/usr/bin/scp" dev=sda1 ino=1424 res=0
[ 466.291967] no evm keyring: -126
[ 466.292507] type=1804 audit(1315852291.743:2688): pid=1591 uid=1000 auid=4294967295 ses=4294967295 op="add_template_measure" cause="hash_added" comm="bash" name="/bin/ping" dev=sda1 ino=123 res=0
[ 484.024376] no evm keyring: -126
[ 484.024629] type=1804 audit(1315852309.475:2689): pid=1599 uid=1000 auid=4294967295 ses=4294967295 op="add_template_measure" cause="hash_added" comm="scp" name="/usr/bin/ssh" dev=sda1 ino=1512 res=0
[ 485.860190] no evm keyring: -126

A minor correction to the FAQ section of http://linux-ima.sourceforge.net/: the last question refers to kernel parameter ima-appraisal=fix; should it not be ima_appraise=fix?

-Subodh
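To check what such a log actually records, and whether a file's security.ima value still matches the file's contents, here is a small added Python helper; it is not part of the original post, of evm-utils, or of the linux-ima project. It decodes a getfattr-style 0x.. xattr value into its type byte and payload, recomputes the sha1 digest that the 0x01 (IMA_XATTR_DIGEST) format carries and compares it in constant time, and parses the type=1804 audit records above into fields while counting the "no evm keyring" lines separately. It assumes the 2011-era xattr layout (a single type byte followed by a 20-byte sha1 digest, which matches the 40 hex characters in the security.ima values above); the sample script contents and all function names are constructed for the example.

```python
import hashlib
import hmac
import re

# First byte of a security.ima / security.evm value (evm_ima_xattr_type enum
# of the 2011-era IMA/EVM patches; assumption for this example). The values
# in the post start with 0x01 (IMA sha1 digest) and 0x02 (EVM HMAC).
XATTR_TYPES = {
    0x01: "IMA_XATTR_DIGEST",
    0x02: "EVM_XATTR_HMAC",
    0x03: "EVM_IMA_XATTR_DIGSIG",
}

# Constructed sample file contents (not the poster's actual files).
SAMPLE_SCRIPT = b'#!/bin/sh\necho "Hello World"\n'
SAMPLE_SCRIPT_MODIFIED = b'#!/bin/sh\necho "Hello World1"\n'

# Log lines copied from the post above, one per list entry.
SAMPLE_LOG = [
    '[  342.476799] type=1804 audit(1315852167.927:2686): pid=1548 uid=1000 auid=4294967295 ses=4294967295 op="add_template_measure" cause="hash_added" comm="bash" name="/bin/more" dev=sda1 ino=97 res=0',
    '[  416.364434] no evm keyring: -126',
    '[  425.707144] no evm keyring: -126',
    '[  425.707883] type=1804 audit(1315852251.155:2687): pid=1583 uid=1000 auid=4294967295 ses=4294967295 op="add_template_measure" cause="hash_added" comm="bash" name="/usr/bin/scp" dev=sda1 ino=1424 res=0',
    '[  466.291967] no evm keyring: -126',
    '[  466.292507] type=1804 audit(1315852291.743:2688): pid=1591 uid=1000 auid=4294967295 ses=4294967295 op="add_template_measure" cause="hash_added" comm="bash" name="/bin/ping" dev=sda1 ino=123 res=0',
    '[  484.024376] no evm keyring: -126',
    '[  484.024629] type=1804 audit(1315852309.475:2689): pid=1599 uid=1000 auid=4294967295 ses=4294967295 op="add_template_measure" cause="hash_added" comm="scp" name="/usr/bin/ssh" dev=sda1 ino=1512 res=0',
    '[  485.860190] no evm keyring: -126',
]

AUDIT_RE = re.compile(r'type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVM_KEYRING_RE = re.compile(r'no evm keyring: (-?\d+)')


def decode_xattr(hexvalue):
    """Split a getfattr-style '0x..' value into (type name, payload hex)."""
    if not hexvalue.startswith("0x"):
        raise ValueError("expected a 0x-prefixed hex value")
    raw = bytes.fromhex(hexvalue[2:])
    if not raw:
        raise ValueError("empty xattr value")
    xtype = XATTR_TYPES.get(raw[0], "UNKNOWN(0x%02x)" % raw[0])
    return xtype, raw[1:].hex()


def expected_ima_xattr(content):
    """security.ima value for `content` in the 0x01 + sha1(file) layout."""
    return "0x01" + hashlib.sha1(content).hexdigest()


def verify_ima_xattr(content, stored):
    """True if `stored` is an IMA sha1 digest matching `content`."""
    xtype, digest = decode_xattr(stored)
    if xtype != "IMA_XATTR_DIGEST":
        return False
    # constant-time comparison of the hex digests
    return hmac.compare_digest(digest, hashlib.sha1(content).hexdigest())


def parse_ima_audit(line):
    """Parse one 'type=1804 audit(...)' record into a dict, else None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    fields["type"] = int(m.group("type"))
    fields["timestamp"] = float(m.group("ts"))
    fields["serial"] = int(m.group("serial"))
    return fields


def summarize_log(lines):
    """Separate measurement records from 'no evm keyring' errors."""
    measured = []
    keyring_errors = 0
    for line in lines:
        if EVM_KEYRING_RE.search(line):
            keyring_errors += 1
            continue
        rec = parse_ima_audit(line)
        if rec and rec.get("op") == "add_template_measure":
            measured.append(rec["name"])
    return {"measured": measured, "evm_keyring_errors": keyring_errors}


if __name__ == "__main__":
    print(summarize_log(SAMPLE_LOG))
    stored = expected_ima_xattr(SAMPLE_SCRIPT)
    print("unmodified matches:", verify_ima_xattr(SAMPLE_SCRIPT, stored))
    print("modified matches:", verify_ima_xattr(SAMPLE_SCRIPT_MODIFIED, stored))
```

Run against the lines from the post, the summary lists four measured paths and five keyring errors, which makes it easy to see that every audit entry above is a measurement record (op="add_template_measure") rather than an appraisal result. The xattr check is the offline counterpart of what the kernel does for the 0x01 format: a file whose contents changed after labelling no longer matches its stored security.ima digest.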