From: Christophe F. <cf...@ut...> - 2014-11-27 09:29:40
On 11/26/2014 11:12 PM, Mimi Zohar wrote:
> With commit "8feba3f Add support for signing a file hash", evmctl now
> supports signing file hashes. You might want to create a manifest file
> containing all the files and their hashes, similar to the .deb md5sums
> file, and then sign the files hashes.
>
> find <dir> -type f -exec sha256sum {} \; >> ./sha256sums
> cat ./sha256sums | evmctl sign_hash -a sha256 --key "${PRIVKEY}" > sha256sums.sig
Thanks for the tip!
>
>> - At boot, before reading and enabling the IMA policy, the attributes
>> are loaded from the attribute file and applied to the TMPFS. Then,
>> when the policy is loaded, no appraisal error occurs.
> Interesting that the EVM signatures are valid, as the HMAC calculation
> includes the i_ino. This means that the extracted files have the same
> i_ino as the original version that you signed. I'm not sure that we can
> really count on that, nor am I sure how to resolve this problem.
In fact I create and restore the EVM signatures, but I don't enable EVM
at the moment.
I don't see an easy solution for that; if I understand correctly the
tmpfs code, it calls get_next_ino() to generate inode numbers, and they
will probably be random at each boot.
Also, even if tar format (for xattr support) is used instead of cpio to
uncompress initramfs into tmpfs FS, we will still have this problem for
EVM signatures.
Maybe a solution would be to ignore the inode number for specific
filesystems during EVM signature calculation (and have an option in
evmctl for that too)?
>
> Are you using an initrd not an initramfs? According to
> Documentation/filesystems/ramfs-rootfs-initramfs.txt, "If CONFIG_TMPFS
> is enabled, rootfs will use tmpfs instead of ramfs by default".
>
Yes, that's what I thought too, but it seems that it is not really the
case because of this test:
    if (IS_ENABLED(CONFIG_TMPFS) && !saved_root_name[0] &&
        (!root_fs_names || strstr(root_fs_names, "tmpfs"))) {
            err = shmem_init();
            is_tmpfs = true;
    } else {
            err = init_ramfs_fs();
    }
Christophe
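Added example (not code from this thread, evmctl or the kernel): a simplified model of the EVM HMAC computation showing why the same xattrs restored onto a tmpfs inode with a different i_ino no longer verify, and what leaving the inode number out, as suggested above, would change. The key, xattr values, inode numbers and the packed metadata layout are constructed assumptions; the kernel's real hmac_misc layout differs.

```python
import hmac
import hashlib
import struct

# Simplified model of the EVM HMAC: the kernel HMACs the protected security
# xattrs and then a block of inode metadata (inode number, generation, uid,
# gid, mode). The field layout below is an assumption for illustration only.
PROTECTED_XATTRS = ("security.ima", "security.selinux", "security.capability")


def evm_like_hmac(key, xattrs, ino, generation, uid, gid, mode, include_ino=True):
    """Return the hex HMAC-SHA1 over the xattr values and inode metadata."""
    h = hmac.new(key, digestmod=hashlib.sha1)
    for name in PROTECTED_XATTRS:  # fixed order, like the kernel's xattr list
        if name in xattrs:
            h.update(xattrs[name])
    # Option discussed in the thread: skip i_ino for filesystems (tmpfs)
    # whose inode numbers are not stable across boots.
    ino_field = ino if include_ino else 0
    h.update(struct.pack("<QIIII", ino_field, generation, uid, gid, mode))
    return h.hexdigest()


def verify(key, stored_hmac, **inode_state):
    """Constant-time comparison of a stored HMAC against a recomputed one."""
    return hmac.compare_digest(stored_hmac, evm_like_hmac(key, **inode_state))


# Constructed sample: identical content and xattrs, but the file was restored
# into a tmpfs that handed out a different inode number after reboot.
KEY = b"constructed-evm-key"
XATTRS = {
    "security.ima": b"\x04" + hashlib.sha256(b"/sbin/init contents").digest(),
    "security.selinux": b"system_u:object_r:init_exec_t:s0\x00",
}
ORIGINAL = dict(xattrs=XATTRS, ino=1234, generation=0, uid=0, gid=0, mode=0o100755)
RESTORED = dict(ORIGINAL, ino=98765)  # only i_ino differs


def demo():
    """Return (verifies with same ino, verifies with new ino, verifies ignoring ino)."""
    signed = evm_like_hmac(KEY, **ORIGINAL)
    same_ino = verify(KEY, signed, **ORIGINAL)
    new_ino = verify(KEY, signed, **RESTORED)
    signed_no_ino = evm_like_hmac(KEY, include_ino=False, **ORIGINAL)
    new_ino_ignored = verify(KEY, signed_no_ino, include_ino=False, **RESTORED)
    return same_ino, new_ino, new_ino_ignored


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```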