Menu
▾
▴
Re: [Linux-ima-user] evmctl ima_sign + ima_verify failure
|
From: Patrick O. <pat...@in...> - 2015-07-11 07:49:01
|
On Fri, 2015-07-10 at 18:56 -0400, Mimi Zohar wrote:
> On Fri, 2015-07-10 at 22:14 +0200, Patrick Ohly wrote:
> > I'm running these commands on a build host which does not have IMA
> > enabled. So it's really a test of the code inside evmctl. It seems to
> > produce a bad security.ima; both the kernel (on a different system) and
> > evmctl's own signature check code agree on that.
>
> Weird! evmctl has support for signing hashes. Create a sha256sums (eg.
> sha256sum <filename> > ./sha256sums.) Then sign the hash(es) in the
> sha256sums file.
>
> eg. cat ./sha256sums | evmctl sign_hash -a sha256 --key "${PRIVKEY}" > sha256sums.sig
>
> Compare the resulting signature in the sha256sums.sig file with the
> extended attribute. If the file hasn't changed, then they should be the
> same.
I was about to test that in a slightly different environment (same
binary) when I double-checked my previous results and noticed that they
now succeeded. The security.ima is slightly different (last few bytes
differ).
Running "evmctl ima_sign" under valgrind throws up a large number of
warnings about uninitialized memory. Is that normal?
I'll compile a binary with debug information and have a closer look - on
Monday.
> Please list the public keys loaded on the IMA keyring that are used to
> verify the signature.
I'm running this on a build host without IMA and without any keys on the
kernel keyring. The public key is the one specified explicitly on the
evmctl command line.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
|
