From: JL_N_ <dar...@gm...> - 2013-08-06 17:10:51
Ok everything solved :) , Thank you for support

2013/8/6 Mimi Zohar <zo...@li...>

> On Tue, 2013-08-06 at 16:32 +0200, JL_N_ wrote:
> > Then have you any Idea why .evm is lost after reboot ?
> >
> > PS: last message, forgot to join mailing list sorry
> > --------------------------
> > CONFIG_EVM_HMAC_VERSION=2 -> thanks that solved me the problem with using
> > -u when creating evmctl
> > I'm wondering if my config works well ...
> > I create a script file
> >
> > root@bt:~/Desktop# getfattr -m . -d test.sh
> > # file: test.sh
> > security.evm=0x0209d445f479df7502820651291221beb7029d982c
> > security.ima=0x0174e66832f8a97698ca7b44c036eb39ca00ac5d7a
> >
> >
> > I sign with your command
> > root@bt:~/Desktop# evmctl sign -u - -x --imasig test.sh
> > # file: test.sh
> >
> security.evm=0x0302025e61f96500808ba2575fd577b9c31edf1ca994bddd16ab6395402c2bd4c7b8b6d5f8cc948114afc7ba6b06180f433c1f4060fcf0c00002ce26b27d1dbeba1302356fa89969e416444bf60caeaf4f18dd8247e214f1b21f17ce3444ec9addb6a088efa0f24face99ff7ef1d5c664fcaabe887261851507fabe1562ec9942cbb632e4ab1ac6180
> >
> security.ima=0x0302025e61f965008069138b19c5be04b27eb95fa9d27ff49f6565630217bbee3e368f37915f92114c9d4343a8508ef0c5e2a3f8bfaecb0ff10130647d4cb50f8d04a147fbb41b5d798f35ee4ed2fba072336d381529375b0ad84e3dd39c93867d9fb24ca9d9fab42945b29a296189c142a5cfed77fde8fa9e85934de2b908749903159fd81d634ffc
> >
> >
> > I REBOOT
> >
> > Script still executable but I lost .evm signature ???
> >
> > root@bt:~/Desktop# getfattr -m . -e hex -d great.sh
> > # file: test.sh
> > security.evm=0x02c7728ccbad9f579e9219c2acbf0cb34a2a41650b
> >
> security.ima=0x0302025e61f965008069138b19c5be04b27eb95fa9d27ff49f6565630217bbee3e368f37915f92114c9d4343a8508ef0c5e2a3f8bfaecb0ff10130647d4cb50f8d04a147fbb41b5d798f35ee4ed2fba072336d381529375b0ad84e3dd39c93867d9fb24ca9d9fab42945b29a296189c142a5cfed77fde8fa9e85934de2b908749903159fd81d634ffc
> >
> >
> > .ima works very well with enforce mode (I did a test trying to echo
> > "aaa">>test.sh gives Permission denied).
> > But .evm looks lost ... is it normal ?
>
> At some point, we might want to revisit this decision. At least for
> now, replacing the 'security.evm' signature with an HMAC, is normal
> behavior.
>
> Mimi
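
The replacement described in this thread shows up in the first byte of the attribute value: 0x03 marks a digital signature, 0x02 an HMAC, and 0x01 a plain IMA digest. The Python sketch below is an added example, not part of the original messages; its function names and the filler bytes standing in for a signature payload are assumptions made for illustration.

```python
import struct

# Leading type byte of security.evm / security.ima values
# (kernel enum evm_ima_xattr_type).
XATTR_TYPES = {0x01: "IMA digest", 0x02: "EVM HMAC", 0x03: "digital signature"}


def classify(hex_value):
    """Decode one value as printed by `getfattr -e hex` (0x-prefixed)."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if not raw:
        raise ValueError("empty xattr value")
    info = {"kind": XATTR_TYPES.get(raw[0], "unknown"), "payload_len": len(raw) - 1}
    # Version 2 signatures carry a fixed header (struct signature_v2_hdr):
    # type, version, hash_algo, big-endian u32 keyid, big-endian u16 sig_size.
    if raw[0] == 0x03 and len(raw) >= 9 and raw[1] == 2:
        _, _, hash_algo, keyid, sig_size = struct.unpack(">BBBIH", raw[:9])
        info.update(hash_algo=hash_algo, keyid="%08x" % keyid,
                    sig_size=sig_size, complete=(len(raw) - 9 == sig_size))
    return info


def parse_getfattr(output):
    """Map each security.* attribute in getfattr output to its classification."""
    result = {}
    for line in output.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name.startswith("security."):
            result[name] = classify(value)
    return result


# security.evm after the reboot, as posted in the thread.
AFTER_REBOOT = "security.evm=0x02c7728ccbad9f579e9219c2acbf0cb34a2a41650b"
# Constructed sample: the 9 header bytes seen in the thread followed by
# 128 filler bytes standing in for the signature payload.
SIGNED = "security.evm=0x0302025e61f9650080" + "ab" * 128

if __name__ == "__main__":
    for sample in (SIGNED, AFTER_REBOOT):
        print(parse_getfattr(sample))
```

A `security.evm` value classified as "EVM HMAC" after a reboot means the attribute was rewritten, not lost, which matches the behavior described in the reply.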