From: Mimi Z. <zo...@li...> - 2013-08-06 16:52:19
On Tue, 2013-08-06 at 16:32 +0200, JL_N_ wrote:
> Then have you any idea why .evm is lost after reboot?
>
> PS: last message, forgot to join mailing list, sorry
> --------------------------
> CONFIG_EVM_HMAC_VERSION=2 -> thanks, that solved my problem with using
> -u when creating evmctl
> I'm wondering if my config works well ...
> I create a script file
>
> root@bt:~/Desktop# getfattr -m . -d test.sh
> # file: test.sh
> security.evm=0x0209d445f479df7502820651291221beb7029d982c
> security.ima=0x0174e66832f8a97698ca7b44c036eb39ca00ac5d7a
>
> I sign with your command
> root@bt:~/Desktop# evmctl sign -u - -x --imasig test.sh
> # file: test.sh
> security.evm=0x0302025e61f96500808ba2575fd577b9c31edf1ca994bddd16ab6395402c2bd4c7b8b6d5f8cc948114afc7ba6b06180f433c1f4060fcf0c00002ce26b27d1dbeba1302356fa89969e416444bf60caeaf4f18dd8247e214f1b21f17ce3444ec9addb6a088efa0f24face99ff7ef1d5c664fcaabe887261851507fabe1562ec9942cbb632e4ab1ac6180
> security.ima=0x0302025e61f965008069138b19c5be04b27eb95fa9d27ff49f6565630217bbee3e368f37915f92114c9d4343a8508ef0c5e2a3f8bfaecb0ff10130647d4cb50f8d04a147fbb41b5d798f35ee4ed2fba072336d381529375b0ad84e3dd39c93867d9fb24ca9d9fab42945b29a296189c142a5cfed77fde8fa9e85934de2b908749903159fd81d634ffc
>
> I REBOOT
>
> Script still executable but I lost .evm signature ???
>
> root@bt:~/Desktop# getfattr -m . -e hex -d great.sh
> # file: test.sh
> security.evm=0x02c7728ccbad9f579e9219c2acbf0cb34a2a41650b
> security.ima=0x0302025e61f965008069138b19c5be04b27eb95fa9d27ff49f6565630217bbee3e368f37915f92114c9d4343a8508ef0c5e2a3f8bfaecb0ff10130647d4cb50f8d04a147fbb41b5d798f35ee4ed2fba072336d381529375b0ad84e3dd39c93867d9fb24ca9d9fab42945b29a296189c142a5cfed77fde8fa9e85934de2b908749903159fd81d634ffc
>
> .ima works very well with enforce mode (I did a test trying to echo
> "aaa">>test.sh, which gives Permission denied).
> But .evm looks lost ... is it normal?

At some point, we might want to revisit this decision.
At least for now, replacing the 'security.evm' signature with an HMAC is normal behavior.

Mimi
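An added decoder for the xattr values quoted in this thread (example code, not from the thread, the kernel or evmctl): it follows the integrity subsystem's xattr layout, where the first byte distinguishes an IMA digest (0x01), an EVM HMAC (0x02) and a signature (0x03, followed by the signature_v2_hdr fields), and it flags the signature-to-HMAC change seen on security.evm after the reboot. The names for the hash_algo byte are assumed from the kernel's pkey_hash_algo enum of that era.

```python
"""Decode security.ima / security.evm xattr values as printed by getfattr.

Layout (Linux security/integrity/integrity.h):
  0x01  IMA_XATTR_DIGEST      type byte + raw hash
  0x02  EVM_XATTR_HMAC        type byte + raw HMAC
  0x03  EVM_IMA_XATTR_DIGSIG  signature_v2_hdr: type, version, hash_algo,
                              keyid (u32 big-endian), sig_size (u16 BE), sig
"""
import struct

IMA_XATTR_DIGEST, EVM_XATTR_HMAC, EVM_IMA_XATTR_DIGSIG = 0x01, 0x02, 0x03

# Assumed mapping of the hash_algo byte, from the kernel's pkey_hash_algo
# enum of the 2013 era (0=md4, 1=md5, 2=sha1, 3=rmd160, 4=sha256).
HASH_ALGO_NAMES = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256"}


def decode_xattr(value: str) -> dict:
    """Parse a getfattr hex value ("0x...") into labelled fields."""
    raw = bytes.fromhex(value[2:] if value.startswith("0x") else value)
    if not raw:
        raise ValueError("empty xattr")
    kind = raw[0]
    if kind in (IMA_XATTR_DIGEST, EVM_XATTR_HMAC):
        # A 20-byte payload is a SHA-1 digest/HMAC, as in the thread above.
        return {"type": "digest" if kind == IMA_XATTR_DIGEST else "hmac",
                "payload_len": len(raw) - 1}
    if kind == EVM_IMA_XATTR_DIGSIG:
        if len(raw) < 9:
            raise ValueError("truncated signature header")
        version, hash_algo, keyid, sig_size = struct.unpack(">BBIH", raw[1:9])
        sig = raw[9:]
        if len(sig) != sig_size:  # header must agree with the bytes present
            raise ValueError(f"sig_size {sig_size} != {len(sig)} bytes present")
        return {"type": "digsig", "version": version,
                "hash_algo": HASH_ALGO_NAMES.get(hash_algo, hash_algo),
                "keyid": f"{keyid:08x}", "sig_size": sig_size}
    raise ValueError(f"unknown xattr type 0x{kind:02x}")


def evm_downgraded(before: str, after: str) -> bool:
    """True when security.evm changed from a signature to an HMAC (the post-reboot case)."""
    return decode_xattr(before)["type"] == "digsig" and decode_xattr(after)["type"] == "hmac"


# Values copied from the getfattr output quoted in the thread.
IMA_HASH_ONLY = "0x0174e66832f8a97698ca7b44c036eb39ca00ac5d7a"
EVM_SIGNED = "0x0302025e61f96500808ba2575fd577b9c31edf1ca994bddd16ab6395402c2bd4c7b8b6d5f8cc948114afc7ba6b06180f433c1f4060fcf0c00002ce26b27d1dbeba1302356fa89969e416444bf60caeaf4f18dd8247e214f1b21f17ce3444ec9addb6a088efa0f24face99ff7ef1d5c664fcaabe887261851507fabe1562ec9942cbb632e4ab1ac6180"
EVM_AFTER_REBOOT = "0x02c7728ccbad9f579e9219c2acbf0cb34a2a41650b"
```

Run against the signed value, the decoder reports a version 2 signature over sha1 with key id 5e61f965 and a 128-byte (1024-bit RSA) signature; the post-reboot value decodes as a 20-byte HMAC, which is the replacement Mimi describes as normal.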