From: Mimi Z. <zo...@li...> - 2015-03-20 12:46:29
On Fri, 2015-03-20 at 12:17 +0200, Petko Manolov wrote:
> Hello guys,
>
> I am playing with local generated CA that sign public IMA keys. This
> CA is in the trusted (.ima) keyring and stuff signed by public keys
> (that are themselves properly signed) seem to work fine.

The public CA key should be added to the system keyring, not the IMA
keyring. Currently the only upstreamed method for adding the public CA
key to the system keyring is by putting the public CA key, suffixed with
.x509, in the kernel's root directory and rebuilding the kernel.

Fedora has a couple of patches, which have not been upstreamed, that add
the UEFI/Machine Owner Key (MoK) database keys to the system keyring.
Listed below are the main patches, but might introduce some dependencies
depending on kernel version.

- KEYS: Add a system blacklist keyring
- MODSIGN: Import certificates from UEFI Secure Boot
- Add EFI signature data types
- Add an EFI signature blob parser and key loader

> However, i would need to have CA hierarchy and i wonder whether the
> current Linux kernel supports it. IOW i need a root certificate to
> sign other certificate(s) that in turn will sign IMA keys.
> Is it possible to build something like:
>
>
> root CA ------> local CA 1 ------> IMA_key_1
>    |
>    +---> local CA 2 ------> IMA_key_2
>
> So stuff signed by IMA_key_1 and 2 would properly pass the appraisal
> tests?
>
>
> thanks a bunch,

Yes, definitely! Either build the local CA's key into the kernel or
import the CA's public key into the MoK db (e.g. using mokutil). Use
your public CA key to sign the other certificates containing the keys to
be loaded onto the IMA keyring.

Most of the online documentation for signing certificates requires
creating a Certificate Signing Request (CSR), which requires the private
key. There is an OpenSSL option "--ss_cert" that allows signing the
certificates directly without access to the private key.

Good luck!

Mimi
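The hierarchy Petko sketches and the CSR-free signing Mimi mentions, as an added example that is not part of this thread: a POSIX shell script that builds root CA -> local CA 1 -> IMA_key_1 with OpenSSL and then checks the chain the way a verifier would (root trusted, intermediate supplied, leaf checked). File names, subjects and lifetimes are assumptions; the leaf is issued by re-signing the owner's self-signed certificate with `openssl x509 -in ... -CA`, which needs only the CA's private key, not the owner's.

```shell
#!/bin/sh
# Added example, not code from the thread: build the hierarchy sketched in
# the mail (root CA -> local CA 1 -> IMA_key_1) with OpenSSL and check it the
# way a verifier does: root trusted, intermediate supplied, leaf checked.
# File names, subjects and lifetimes are constructed for this example.
set -eu

# CA extensions for the root and the local CA. Without basicConstraints
# CA:TRUE an intermediate is rejected by 'openssl verify'.
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

# Key pair plus CSR for subject $2, written to $1.key / $1.csr.
gen_key_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build root -> local CA 1 -> IMA_key_1 inside directory $1.
build_ima_chain() {
    ( cd "$1" || exit 1
      printf '%s\n' "$CA_EXT" >ca.ext &&
      # Root CA: self-signed; it only ever signs subordinate CAs.
      gen_key_csr root "Example Root CA" &&
      openssl x509 -req -in root.csr -signkey root.key -days 3650 \
          -extfile ca.ext -out root.crt 2>/dev/null &&
      # Local CA 1: certificate issued by the root CA.
      gen_key_csr local1 "Local CA 1" &&
      openssl x509 -req -in local1.csr -CA root.crt -CAkey root.key \
          -CAcreateserial -days 1825 -extfile ca.ext -out local1.crt 2>/dev/null &&
      # IMA_key_1: the key owner hands over a self-signed certificate and the
      # local CA re-signs it, so issuing never touches the owner's private key
      # (the idea behind the mail's -ss_cert remark, done here via 'x509 -in').
      gen_key_csr ima1 "IMA_key_1" &&
      openssl x509 -req -in ima1.csr -signkey ima1.key -days 365 \
          -out ima1_selfsigned.crt 2>/dev/null &&
      openssl x509 -in ima1_selfsigned.crt -CA local1.crt -CAkey local1.key \
          -CAcreateserial -days 365 -out ima1.crt 2>/dev/null )
}

# Verify leaf $2 in directory $1 against root.crt; $3 names the intermediate
# to supply as untrusted, or is empty to leave it out (which must fail).
verify_leaf() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1/root.crt" -untrusted "$1/$3" "$1/$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root.crt" "$1/$2" >/dev/null 2>&1
    fi
}
```

Loading the resulting root.crt (converted to DER) is what goes into the system keyring; local1.crt must be available to the verifier as well, which is why the check without the intermediate is expected to fail.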