From: Mimi Z. <zo...@li...> - 2015-07-10 19:52:44

On Fri, 2015-07-10 at 15:46 +0200, Patrick Ohly wrote:
> Hello!
>
> I have (at least) one file where verifying the signature created by
> evmctl ima_sign fails. ima-evm-utils is 0.9 (git rev 3d9bdc1de2, the
> current master).

Was the file previously signed before this? In enforcing mode, existing
signatures are considered to be "immutable" and cannot be removed/replaced.

> $ evmctl ima_sign privkey_ima.pem pam_securetty.so
> $ getfattr -d -m . pam_securetty.so
> getfattr: Removing leading '/' from absolute path names
> # file: tmp/pam_securetty.so
> security.ima=0sAwIC2C1O/QCAEQNetDHu9W+Zn5bpL+cC2BvdkJNs6GIkS5EmD75MXrk+K0e0GLZOmAqwLbe/jOnsnw00WbthqG5xo7Vop+yDGnNVlGU95YQ1KQEqC3OZILkF5gyY88AU/T3y6UGa5Vl1FEvUrp4aVOUmTwqO6Wm/bVtJnNilhxkvRItjVNcVgQ==
> $ evmctl ima_verify --key x509_ima.der pam_securetty.so
> RSA_public_decrypt() failed: -1
> error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed

When displaying security.ima, please use the "-e hex" option.

> The signature check done by the Linux kernel 3.19.2 also fails.

Compare the key embedded in the signature with the key on the IMA keyring.
For example, /bin/more on my system is signed with the pseudo fedora signing
key - 0x96042912. (The keyid is the last bytes of the key.)

# getfattr -m ^security -e hex --dump /bin/more
getfattr: Removing leading '/' from absolute path names
# file: bin/more
security.evm=0x02e996f12568606b6178fa9c58799cc0cc3620e1b7
security.ima=0x030204960429120100034051af2a433369270a3fee0b1594a8ad8a50a722312c032f3abf9beeb163f4784671cea453e54bad35ce1f780316aec80026c04243541755ea42c2a381b33e6f596c55975c7590926b7f9df6b1096332934fb1e363c35ef2f8d1c1b4ea74dfe75e6ec01325ff15ebeaa9f1f23ef46bff8669ec514e2cd93c69d6329139a5081110785f46e4c522821bc1dcfe292d2125a946e0c29556be122bc0066170da8fb5a9eb25387ecf2a71c56924b11211865fef7f570cba08aaa2f0577a8fcfda35feff34fcb8ea847e0326a30b184b9d3fa1c48b5e61fe9928ce60f4076a82758bb67e734d3ea748944bf12d5b14dbfbc8ff40bfecda785e74d2c1842b7b91471a
security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000

# keyctl show %keyring:.ima
Keyring
 481174173 ---lswrv      0     0  keyring: .ima
 872061722 --als--v      0     0   \_ asymmetric: fedora: pseudo signing key: 19536be0c0f540de1debfa6265469c3696042912
 409033268 --als--v      0     0   \_ asymmetric: local: pseudo signing key: 52b49042bdf4e0e005568b0afde870c2b3960f7f

Mimi
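A worked version of the keyid comparison Mimi describes, added here as an example and not code from the thread or from ima-evm-utils: it decodes the two security.ima values quoted above (base64 from getfattr's default output, hex from -e hex) into the v2 signature header, takes the keyid field, and looks it up against the last four bytes of each key fingerprint in the keyctl listing. The keyctl output embedded here is Mimi's keyring, so the /bin/more signature resolves to the fedora key while the pam_securetty.so signature (keyid d82d4efd, hash algo sha1) resolves to nothing; the same lookup run against the reporter's own .ima keyring is the check to perform.

```python
import base64
import struct

# Layout of the IMA v2 signature header (struct signature_v2_hdr in the
# kernel's security/integrity/integrity.h): type, version, hash_algo,
# keyid (big-endian u32), sig_size (big-endian u16), then the signature.
IMA_V2_HDR = struct.Struct(">BBBIH")
EVM_IMA_XATTR_DIGSIG = 0x03
HASH_ALGO_NAMES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
# Values quoted in the thread: Mimi's /bin/more, Patrick's pam_securetty.so,
# and Mimi's `keyctl show %keyring:.ima` listing.
MORE_IMA = "0x030204960429120100034051af2a433369270a3fee0b1594a8ad8a50a722312c032f3abf9beeb163f4784671cea453e54bad35ce1f780316aec80026c04243541755ea42c2a381b33e6f596c55975c7590926b7f9df6b1096332934fb1e363c35ef2f8d1c1b4ea74dfe75e6ec01325ff15ebeaa9f1f23ef46bff8669ec514e2cd93c69d6329139a5081110785f46e4c522821bc1dcfe292d2125a946e0c29556be122bc0066170da8fb5a9eb25387ecf2a71c56924b11211865fef7f570cba08aaa2f0577a8fcfda35feff34fcb8ea847e0326a30b184b9d3fa1c48b5e61fe9928ce60f4076a82758bb67e734d3ea748944bf12d5b14dbfbc8ff40bfecda785e74d2c1842b7b91471a"
PAM_IMA = "0sAwIC2C1O/QCAEQNetDHu9W+Zn5bpL+cC2BvdkJNs6GIkS5EmD75MXrk+K0e0GLZOmAqwLbe/jOnsnw00WbthqG5xo7Vop+yDGnNVlGU95YQ1KQEqC3OZILkF5gyY88AU/T3y6UGa5Vl1FEvUrp4aVOUmTwqO6Wm/bVtJnNilhxkvRItjVNcVgQ=="
KEYCTL_IMA = r"""Keyring
 481174173 ---lswrv      0     0  keyring: .ima
 872061722 --als--v      0     0   \_ asymmetric: fedora: pseudo signing key: 19536be0c0f540de1debfa6265469c3696042912
 409033268 --als--v      0     0   \_ asymmetric: local: pseudo signing key: 52b49042bdf4e0e005568b0afde870c2b3960f7f
"""

def decode_xattr_value(value):
    """Decode a getfattr value: '0x' prefix is hex (-e hex), '0s' is base64."""
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    raise ValueError("unrecognised getfattr encoding: %r" % value[:2])

def parse_ima_sig(value):
    """Split security.ima into its header fields and check the signature length."""
    raw = decode_xattr_value(value)
    xtype, version, hash_algo, keyid, sig_size = IMA_V2_HDR.unpack_from(raw)
    if xtype != EVM_IMA_XATTR_DIGSIG or version != 2:
        raise ValueError("not an EVM_IMA_XATTR_DIGSIG v2 value")
    sig = raw[IMA_V2_HDR.size:]
    return {"hash_algo": HASH_ALGO_NAMES.get(hash_algo, str(hash_algo)),
            "keyid": "%08x" % keyid, "sig_size": sig_size,
            "sig_len_ok": len(sig) == sig_size}

def keyring_keyids(keyctl_output):
    """Map keyid (last 4 bytes of each key fingerprint) -> key description."""
    ids = {}
    for line in keyctl_output.splitlines():
        if "asymmetric:" in line:
            desc = line.split("asymmetric:", 1)[1].strip()
            ids[desc.rsplit(":", 1)[1].strip()[-8:]] = desc
    return ids

def find_signing_key(xattr_value, keyctl_output):
    """Return the keyring entry whose keyid the signature names, or None."""
    return keyring_keyids(keyctl_output).get(parse_ima_sig(xattr_value)["keyid"])
```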