From: Patrick O. <pat...@in...> - 2015-07-10 20:14:47

On Fri, 2015-07-10 at 15:51 -0400, Mimi Zohar wrote:
> On Fri, 2015-07-10 at 15:46 +0200, Patrick Ohly wrote:
> > Hello!
> >
> > I have (at least) one file where verifying the signature created by
> > evmctl ima_sign fails. ima-evm-utils is 0.9 (git rev 3d9bdc1de2, the
> > current master).
>
> Was the file previously signed before this? In enforcing mode,
> existing signatures are considered to be "immutable" and cannot be
> removed/replaced.

I'm running these commands on a build host which does not have IMA
enabled. So it's really a test of the code inside evmctl. It seems to
produce a bad security.ima; both the kernel (on a different system) and
evmctl's own signature check code agree on that.

> > $ evmctl ima_sign privkey_ima.pem pam_securetty.so
> > $ getfattr -d -m . pam_securetty.so
> > getfattr: Removing leading '/' from absolute path names
> > # file: tmp/pam_securetty.so
> > security.ima=0sAwIC2C1O/QCAEQNetDHu9W+Zn5bpL+cC2BvdkJNs6GIkS5EmD75MXrk+K0e0GLZOmAqwLbe/jOnsnw00WbthqG5xo7Vop+yDGnNVlGU95YQ1KQEqC3OZILkF5gyY88AU/T3y6UGa5Vl1FEvUrp4aVOUmTwqO6Wm/bVtJnNilhxkvRItjVNcVgQ==
> > $ evmctl ima_verify --key x509_ima.der pam_securetty.so
> > RSA_public_decrypt() failed: -1
> > error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> > error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
>
> When displaying security.ima, please use the "-e hex" option.

Then I get:

security.ima=0x030202d82d4efd008011035eb431eef56f999f96e92fe702d81bdd90936ce862244b91260fbe4c5eb93e2b47b418b64e980ab02db7bf8ce9ec9f0d3459bb61a86e71a3b568a7ec831a735594653de5843529012a0b739920b905e60c98f3c014fd3df2e9419ae55975144bd4ae9e1a54e5264f0a8ee969bf6d5b499cd8a587192f448b6354d71581

> > The signature check done by the Linux kernel 3.19.2 also fails.
>
> Compare the key embedded in the signature with the key on the IMA
> keyring. For example, /bin/more on my system is signed with the pseudo
> fedora signing key - 0x96042912.
> (The keyid is the last bytes of the key.)

In this case, I specify the keys explicitly (privkey_ima.pem and
x509_ima.der). I know that they match, because signing some other file
and verifying it works.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter.
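The hex dump Mimi asked for is enough to read the IMA signature header without any key material. The script below is an added example for this thread, not code from ima-evm-utils or from either poster. It decodes both getfattr encodings quoted above (the "0s" base64 form and the "0x" hex form), checks that they are the same bytes, and splits the value along the kernel's struct signature_v2_hdr layout (type, version, hash_algo, big-endian u32 keyid, big-endian u16 sig_size, then the signature); the hash_algo numbering is assumed to follow include/uapi/linux/hash_info.h. Run on the value from the message it reports type 0x03, version 2, sha1, keyid 0xd82d4efd and a declared sig_size of 128, but only 127 signature bytes actually follow the 9-byte header (136 bytes in total instead of 137), which is a structural defect a verifier rejects before any RSA operation takes place.

```python
"""Decode a security.ima xattr value and parse its IMA signature_v2 header.

Added example for this thread; not code from ima-evm-utils or the posters.
Assumed layout (kernel struct signature_v2_hdr): type u8, version u8,
hash_algo u8, keyid be32, sig_size be16, then sig_size signature bytes.
Assumed hash_algo numbering: include/uapi/linux/hash_info.h.
"""
import base64
import struct
from dataclasses import dataclass, field

EVM_IMA_XATTR_DIGSIG = 0x03          # xattr type byte of a digital signature
HDR = struct.Struct(">BBBIH")        # type, version, hash_algo, keyid, sig_size
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "ripemd160",
             4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}

# The two encodings of the same xattr value as quoted in the message above.
XATTR_B64 = ("0sAwIC2C1O/QCAEQNetDHu9W+Zn5bpL+cC2BvdkJNs6GIkS5EmD75MXrk+K0e0GLZO"
             "mAqwLbe/jOnsnw00WbthqG5xo7Vop+yDGnNVlGU95YQ1KQEqC3OZILkF5gyY88AU"
             "/T3y6UGa5Vl1FEvUrp4aVOUmTwqO6Wm/bVtJnNilhxkvRItjVNcVgQ==")
XATTR_HEX = ("0x" "030202d82d4efd0080"
             "11035eb431eef56f999f96e92fe702d8"
             "1bdd90936ce862244b91260fbe4c5eb9"
             "3e2b47b418b64e980ab02db7bf8ce9ec"
             "9f0d3459bb61a86e71a3b568a7ec831a"
             "735594653de5843529012a0b739920b9"
             "05e60c98f3c014fd3df2e9419ae55975"
             "144bd4ae9e1a54e5264f0a8ee969bf6d"
             "5b499cd8a587192f448b6354d71581")


def decode_getfattr_value(value: str) -> bytes:
    """Decode a value as getfattr prints it: '0s' is base64, '0x' is hex."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:], validate=True)
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    raise ValueError("expected a 0s (base64) or 0x (hex) getfattr value")


@dataclass
class ImaSigV2:
    xattr_type: int
    version: int
    hash_algo: int
    keyid: int
    sig_size: int          # length the header claims for the signature
    sig: bytes             # bytes actually present after the header
    problems: list = field(default_factory=list)

    @property
    def hash_name(self) -> str:
        return HASH_ALGO.get(self.hash_algo, f"unknown({self.hash_algo})")


def parse_ima_sig_v2(xattr: bytes) -> ImaSigV2:
    """Split an EVM_IMA_XATTR_DIGSIG value into header fields and signature.

    No cryptographic verification is done; the function reports structural
    problems that a verifier would trip over before touching the key.
    """
    if len(xattr) < HDR.size:
        raise ValueError(f"xattr too short for a signature_v2 header: {len(xattr)} bytes")
    xattr_type, version, hash_algo, keyid, sig_size = HDR.unpack_from(xattr)
    res = ImaSigV2(xattr_type, version, hash_algo, keyid, sig_size, xattr[HDR.size:])
    if xattr_type != EVM_IMA_XATTR_DIGSIG:
        res.problems.append(f"type 0x{xattr_type:02x} is not EVM_IMA_XATTR_DIGSIG (0x03)")
    if version != 2:
        res.problems.append(f"signature version {version} is not 2")
    if hash_algo not in HASH_ALGO:
        res.problems.append(f"unknown hash_algo {hash_algo}")
    if len(res.sig) != sig_size:
        res.problems.append(f"header declares sig_size={sig_size} but "
                            f"{len(res.sig)} signature bytes follow")
    return res


def describe(value: str) -> str:
    """One-paragraph report for a getfattr value, for humans."""
    raw = decode_getfattr_value(value)
    s = parse_ima_sig_v2(raw)
    lines = [f"xattr length {len(raw)} bytes, header {HDR.size} bytes",
             f"type=0x{s.xattr_type:02x} version={s.version} hash={s.hash_name} "
             f"keyid=0x{s.keyid:08x} sig_size={s.sig_size} present={len(s.sig)}"]
    lines += ["PROBLEM: " + p for p in s.problems] or ["header and length are consistent"]
    return "\n".join(lines)


if __name__ == "__main__":
    assert decode_getfattr_value(XATTR_B64) == decode_getfattr_value(XATTR_HEX)
    print(describe(XATTR_HEX))
```

The keyid field (here 0xd82d4efd) is what Mimi refers to as the last bytes of the key; with this parse in hand it can be compared against the identifier of the certificate on the IMA keyring before spending time on the RSA error itself. In this case the more telling field is the length: the kernel's asymmetric_verify() compares the declared sig_size with the number of bytes left in the xattr and fails with -EBADMSG on a mismatch, and handing a 128-byte length to RSA_public_decrypt() over a 127-byte buffer is consistent with the "block type is not 01" padding failure evmctl prints, so the one missing byte is worth chasing before suspecting the keys.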