From: Patrick O. <pat...@in...> - 2015-07-10 13:46:22

Hello!

I have (at least) one file where verifying the signature created by evmctl ima_sign fails. ima-evm-utils is 0.9 (git rev 3d9bdc1de2, the current master).

$ evmctl ima_sign privkey_ima.pem pam_securetty.so
$ getfattr -d -m . pam_securetty.so
getfattr: Removing leading '/' from absolute path names
# file: tmp/pam_securetty.so
security.ima=0sAwIC2C1O/QCAEQNetDHu9W+Zn5bpL+cC2BvdkJNs6GIkS5EmD75MXrk+K0e0GLZOmAqwLbe/jOnsnw00WbthqG5xo7Vop+yDGnNVlGU95YQ1KQEqC3OZILkF5gyY88AU/T3y6UGa5Vl1FEvUrp4aVOUmTwqO6Wm/bVtJnNilhxkvRItjVNcVgQ==

$ evmctl ima_verify --key x509_ima.der pam_securetty.so
RSA_public_decrypt() failed: -1
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed

The signature check done by the Linux kernel 3.19.2 also fails.

The same operation works for other files; I have not done a full check to see which files work and which don't.

The keys were generated using the scripts from
https://wiki.tizen.org/wiki/Security:IntegrityMeasurement/Preparing_Tizen_image_protected_by_IMA/EVM
and can also be found here:
https://github.com/01org/meta-intel-iot-security/tree/master/meta-integrity/scripts

The resulting keys are also in that repo:
https://github.com/01org/meta-intel-iot-security/tree/master/meta-integrity/data/debug-keys

The pam_securetty.so is not available online, so I am attaching it together with the keys, in case that someone has the time for trying to reproduce this.

In the meantime, does anyone have a tip what I should look at to find and fix the problem?

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter.
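
The security.ima value that getfattr prints in the message above can be decoded field by field. The following is an added example, not part of the original message and not code from ima-evm-utils. It assumes the version 2 signature layout (one xattr type byte, then version, hash algorithm, 4-byte key id and big-endian signature length); the function name and dictionary keys are hypothetical.

```python
import base64
import struct

# enum hash_algo numbering from the kernel's include/uapi/linux/hash_info.h
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
              4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
EVM_IMA_XATTR_DIGSIG = 0x03          # xattr type byte: digital signature
# type, version, hash_algo, keyid (4 raw bytes), sig_size (big endian)
HDR = struct.Struct(">BBB4sH")

# security.ima value copied from the post as it appears on this page
POST_VALUE = ("0sAwIC2C1O/QCAEQNetDHu9W+Zn5bpL+cC2BvdkJNs6GIkS5EmD75MXrk+K0e0GLZO"
              "mAqwLbe/jOnsnw00WbthqG5xo7Vop+yDGnNVlGU95YQ1KQEqC3OZILkF5gyY88AU"
              "/T3y6UGa5Vl1FEvUrp4aVOUmTwqO6Wm/bVtJnNilhxkvRItjVNcVgQ==")

def parse_ima_sig(value):
    """Decode a security.ima value as printed by getfattr (0s=base64, 0x=hex)."""
    if value.startswith("0s"):
        raw = base64.b64decode(value[2:], validate=True)
    elif value.startswith("0x"):
        raw = bytes.fromhex(value[2:])
    else:
        raise ValueError("expected a 0s (base64) or 0x (hex) value")
    if len(raw) < HDR.size:
        raise ValueError("too short to hold a signature header")
    xtype, version, algo, keyid, declared = HDR.unpack_from(raw)
    if xtype != EVM_IMA_XATTR_DIGSIG or version != 2:
        raise ValueError(f"not a v2 signature: type={xtype:#04x} version={version}")
    present = len(raw) - HDR.size     # bytes that follow the 9-byte header
    return {
        "hash_algo": HASH_ALGOS.get(algo, f"unknown({algo})"),
        "keyid": keyid.hex(),             # compare with the key id of the cert
        "sig_size_declared": declared,    # e.g. 128 for a 1024-bit RSA key
        "sig_bytes_present": present,
        "length_consistent": declared == present,
    }

if __name__ == "__main__":
    for field, val in parse_ima_sig(POST_VALUE).items():
        print(f"{field:18} {val}")
```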