From: JL_N_ <dar...@gm...> - 2013-08-03 21:38:45
I am trying to activate the IMA appraisal & EVM modules.
After compiling Linux kernel 3.10.2 on my bt5R3 and setting the kernel boot
options the first time like this:
GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=fix ima_appraise_tcb evm=fix"
and after running this command to generate the xattrs security.ima and
security.evm:
find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -c 1 '{}' \;
and then, the second time, like this:
GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=enforce ima_appraise_tcb evm=enforce"
I try to create a digital signature of the xattr as recommended in the
tutorial "Tutorial to IMA & EVM"
<http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page>.
It seems to work for an immutable file with IMA but not for EVM.
evmctl sign -u - -x --imahash new.sh
gives "Permission Denied" when I reboot and try to launch it.
But when I use
evmctl sign -u - --imahash new.sh
the hash is created correctly before reboot:
root@bt:~/Desktop# getfattr -m . -d new.sh
# file: new.sh
security.evm=0sAwFGfvtRAABzverB5Wn60QEEAFuDBwwe/Dw4crcy8XYwVFgkKnIDwz4ZwHhwLs0Gf/QPrlJOM/gB1a7NhlCo9NArzbo0cfJxU2j28Amromvlmy6wtdbv3HbAuZbpbZ7JyGI9r3sQXarGV/z764G2Ic2myaUk1B9ADowDhKsQybNjuNVF7xNz2c30DSwLlLweP2gd
security.ima=0sAasqoo2HlztKurTEoLQjFIpsI9Fn
After reboot, the hash is lost...
root@bt:~/Desktop# getfattr -m . -d new.sh
# file: new.sh
security.evm=0sApBPpCiVtujFqqeUkq5GIhuzX06b
security.ima=0sAasqoo2HlztKurTEoLQjFIpsI9Fn
Every step has been followed: creating RSA keys, loading them early at
boot in the initramfs with keyctl.
Session Keyring
       -3 --alswrv      0 65534  keyring: _uid_ses.0
977514165 --alswrv      0 65534   \_ keyring: _uid.0
572301790 --alswrv      0     0       \_ user: kmk-user
126316032 --alswrv      0     0       \_ encrypted: evm-key
570886575 --alswrv      0     0       \_ keyring: _ima
304346597 --alswrv      0     0       \_ keyring: _evm
However, as soon as I reboot my OS, when I try to read a signed and hashed
file I get the error "Permission Denied". Running dmesg tells me:
[ 5461.175996] type=1800 audit(1375262160.913:57): pid=1756 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="**invalid-HMAC**" comm="sh" name="/root/Desktop/new.sh" dev="sda1" ino=546526 res=0
Do you have any idea why I get invalid HMAC? The keys are loaded as the
tutorial says...
Maybe there is a known issue between the new kernel (3.10.2), whose IMA &
EVM modules' verification functions check file integrity, and the way I
hash the security.evm xattr with evmctl?
Thanks for your help
PS: I'm also looking for a good doc, if one exists, that explains how and
when IMA measurements are done.
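The two getfattr dumps quoted above can be decoded rather than eyeballed. The following Python script is an added example, not part of the original post and not part of ima-evm-utils: it decodes getfattr's 0s (base64) encoding, reads the leading xattr type byte (enum evm_ima_xattr_type from the kernel's integrity.h) and, for a v1 signature, unpacks the signature header (struct signature_hdr from include/linux/digsig.h, little-endian timestamp assumed as on x86). Run on the post's own dumps it shows that security.evm was an RSA signature before the reboot and a kernel-computed HMAC afterwards, which is the value the "invalid-HMAC" appraisal failure is then checking.

```python
import base64
import struct
# Leading type byte of a security.ima / security.evm value (enum evm_ima_xattr_type).
XATTR_TYPES = {0x01: "IMA_XATTR_DIGEST",      # IMA hash (SHA1 in 3.10)
               0x02: "EVM_XATTR_HMAC",        # HMAC the kernel computes with evm-key
               0x03: "EVM_IMA_XATTR_DIGSIG",  # digital signature written by evmctl
               0x04: "IMA_XATTR_DIGEST_NG"}   # hash with algorithm byte (kernels after 3.10)
# v1 signature header after the 0x03 byte (struct signature_hdr, include/linux/digsig.h):
# version, timestamp (host order, little-endian x86 assumed), algo, hash, keyid[8], nmpi.
SIG_V1_HDR = struct.Struct("<BIBB8sB")

def decode_getfattr_value(value):
    """getfattr -d prints binary xattrs as 0s<base64>; anything else is a quoted string."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:] + "=" * (-(len(value) - 2) % 4))
    return value.strip('"').encode()

def describe_xattr(raw):
    """Classify one decoded value; for a v1 signature also unpack its header."""
    info = {"type": XATTR_TYPES.get(raw[0], "unknown"), "len": len(raw)}
    if raw[0] in (0x01, 0x02):
        info["digest_bytes"] = len(raw) - 1      # 20 = SHA1-sized hash or HMAC
    elif raw[0] == 0x03 and len(raw) > 1 and raw[1] == 0x01:
        ver, ts, algo, hsh, keyid, nmpi = SIG_V1_HDR.unpack_from(raw, 1)
        bits = struct.unpack_from(">H", raw, 1 + SIG_V1_HDR.size)[0]  # first MPI bit length
        info.update(sig_version=ver, timestamp=ts, algo="RSA" if algo == 0 else algo,
                    hash="SHA1" if hsh == 0 else hsh, keyid=keyid.hex(), nmpi=nmpi,
                    mpi_bits=bits)
    return info

def parse_getfattr_dump(text):
    """Map xattr name -> description for one `getfattr -m . -d` dump."""
    result = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.strip().partition("=")
            result[name] = describe_xattr(decode_getfattr_value(value))
    return result

# The two dumps of new.sh quoted in the post, before and after the reboot.
BEFORE = """# file: new.sh
security.evm=0sAwFGfvtRAABzverB5Wn60QEEAFuDBwwe/Dw4crcy8XYwVFgkKnIDwz4ZwHhwLs0Gf/QPrlJOM/gB1a7NhlCo9NArzbo0cfJxU2j28Amromvlmy6wtdbv3HbAuZbpbZ7JyGI9r3sQXarGV/z764G2Ic2myaUk1B9ADowDhKsQybNjuNVF7xNz2c30DSwLlLweP2gd
security.ima=0sAasqoo2HlztKurTEoLQjFIpsI9Fn"""
AFTER = """# file: new.sh
security.evm=0sApBPpCiVtujFqqeUkq5GIhuzX06b
security.ima=0sAasqoo2HlztKurTEoLQjFIpsI9Fn"""

def evm_type_change(before=BEFORE, after=AFTER):
    # (security.evm type before, type after): a signature became an HMAC in the post's case
    return (parse_getfattr_dump(before)["security.evm"]["type"],
            parse_getfattr_dump(after)["security.evm"]["type"])
```

The before-reboot value decodes to a 147-byte v1 RSA-1024/SHA1 signature with an 8-byte key id, the after-reboot value to a 21-byte HMAC, which only the kernel holding evm-key can produce or verify.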