From: Calligan, K. (US) <kca...@cy...> - 2015-09-16 12:24:29
I am trying to set up IMA/EVM but appear to be having a problem with setting IMA in enforce mode. I am getting an invalid-HMAC error. If I run EVM=enforce (and IMA_APPRAISE=FIX), I don’t receive this error. For background information, I am currently trying to get this to work on Kernel version 4.2 on CentOS 7, but have tried Kernel 3.19 (and other Kernels newer than 3.13) and had the same types of issues. I tried these different Kernels to rule out the Kernel as the cause. When I compiled the Kernel, I enabled everything under Security --> Integrity Subsystem with the exception of FSUUID (Version 2) and “Require Signed User-Space Initialization.” I used the scripts in the /usr/local/share/doc/ima-evm-utils directory to make the ima-local-ca.x509 and x509_ima.der files. The ima-local-ca.x509 was copied to the Kernel source directory; the x509_ima.der was copied to the /etc/keys directory on the filesystem and to the INITRAMFS so I could load it before the system booted. I also have evmctl, kmk-user, evm-key and pubkey_evm.pem in the INITRAMFS.

When this issue is occurring, I have “ima_appraise=enforce ima_appraise_tcb evm=fix rd.break” for the bootline parameters. The rd.break is so I can load the keys before the system is booted. The script loads the kmk-user, evm-encrypted, IMA public key, and EVM public key and is shown below. This is a non-TPM system.
—————————
#!/bin/sh
# Load the user-type master key (kmk-user) from its blob into the user keyring.
# It must exist before the encrypted evm-key, which is sealed with it, is loaded.
keyctl add user kmk-user "`cat /etc/keys/kmk-user.blob`" @u > /dev/null
# Load the encrypted EVM key (used for the EVM HMAC) from its saved blob.
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u > /dev/null
# import IMA public key
ima_id=`keyctl newring _ima @u`
evmctl import /etc/keys/x509_ima.der $ima_id
# import EVM public key
evm_id=`keyctl newring _evm @u`
evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id
# enable EVM
echo "1" > /sys/kernel/security/evm
# enable module checking
#echo "1" > /sys/kernel/security/module_check
—————————

To sign the binaries, I am running “evmctl sign --imasig $file.” For non-ELF (binary) files, I am running “evmctl sign --imahash $file.” When I am booted into the system in IMA_APPRAISE=fix mode and run “evmctl ima_verify $file,” I see that the file is verified OK. When rebooting (after loading my script in initramfs), I receive the invalid-HMAC error. I have a feeling that I am loading the keys incorrectly somehow. Here is the output of “keyctl show” and “cat /proc/keys”. Is there anything obvious to anyone on the list?
—————————
02aa3014 I--Q---     1 perm 39010000     0     0 asymmetri localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433: X509.RSA 6895b433 []
0544c4ea I--Q---     1 perm 3f010000     0     0 user      kmk-user: 32
0dedbc46 I--Q---     7 perm 3f030000     0     0 keyring   _ses: 1
1076b9b6 I--Q---     1 perm 3f010000     0     0 user      1ECAF89B087F7A55: 142
11d778c2 I------     1 perm 1f0b0000     0     0 keyring   .system_keyring: 2
13e61baf I------     1 perm 1f0f0000     0     0 keyring   .ima: 1
15bc3e98 I--Q---     1 perm 3f010000     0     0 keyring   _ima: 1
177fedc0 I--Q---     2 perm 3f010000     0     0 keyring   _evm: 1
23e639aa I------     1 perm 1f030000     0     0 asymmetri IMA-CA: IMA/EVM certificate signing key: 917665242851040704755d74629778f08d472d28: X509.RSA 8d472d28 []
28c7c6ab I------     1 perm 1f030000     0     0 asymmetri localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433: X509.RSA 6895b433 []
2eee811b I--Q---     3 perm 1f3f0000     0 65534 keyring   _uid.0: 4
3474e666 I--Q---     1 perm 1f3f0000     0 65534 keyring   _uid_ses.0: 1
372bf168 I------     1 perm 1f030000     0     0 asymmetri Build time autogenerated kernel key: e209db6b68e553f3a73f248de32ff531fc3f4063: X509.RSA fc3f4063 []
3b573d90 I--Q---     1 perm 3f010000     0     0 encrypted evm-key: 139
—————————

I am a little confused about the difference between the .ima and _ima keyrings, and occasionally seeing the _ivm.1 and _ivm.empty keyrings. Am I loading the key in the wrong place (or doing something else incorrectly)? Here is my “keyctl show” output:

—————————
Session Keyring
 233684038 --alswrv      0     0  keyring: _ses
 787382555 --alswrv      0 65534   \_ keyring: _uid.0
  88392938 --alswrv      0     0       \_ user: kmk-user
 394259904 --alswrv      0     0       \_ keyring: _evm
 276216246 --alswrv      0     0       |   \_ user: 1ECAF89B087F7A55
 364658328 --alswrv      0     0       \_ keyring: _ima
  44707860 --als--v      0     0       |   \_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
 995573136 --alswrv      0     0       \_ encrypted: evm-key
—————————

Also, as reference, I am using an XFS filesystem but have tried on EXT4 systems as well.
Has anyone tried on XFS? Sorry for the long email. Any help is much appreciated. Please let me know if you need any additional information.

Thanks,
Keith
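As an added example (not part of Keith's mail or of ima-evm-utils), a small Python parser for the /proc/keys listing quoted above, useful for checking which keyrings exist and which keys they report. It assumes the kernel's fixed /proc/keys field layout, and the sample input is a constructed subset of the post's own lines.

```python
import re

# Constructed sample input: a subset of the /proc/keys lines quoted in the post above.
# Field layout (from the kernel's /proc/keys formatter): serial, flags, usage count,
# timeout, permission mask, uid, gid, type (padded/truncated to 9 chars), "desc: summary".
SAMPLE = """\
02aa3014 I--Q---     1 perm 39010000     0     0 asymmetri localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433: X509.RSA 6895b433 []
0544c4ea I--Q---     1 perm 3f010000     0     0 user      kmk-user: 32
1076b9b6 I--Q---     1 perm 3f010000     0     0 user      1ECAF89B087F7A55: 142
11d778c2 I------     1 perm 1f0b0000     0     0 keyring   .system_keyring: 2
13e61baf I------     1 perm 1f0f0000     0     0 keyring   .ima: 1
15bc3e98 I--Q---     1 perm 3f010000     0     0 keyring   _ima: 1
177fedc0 I--Q---     2 perm 3f010000     0     0 keyring   _evm: 1
3b573d90 I--Q---     1 perm 3f010000     0     0 encrypted evm-key: 139
"""

LINE = re.compile(
    r"^(?P<serial>[0-9a-f]{8}) (?P<flags>[A-Za-z-]{7})\s+(?P<usage>\d+)\s+(?P<timeout>\S+)"
    r"\s+(?P<perm>[0-9a-f]{8})\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+(?P<type>\S+)\s+(?P<desc>.+)$"
)
# Type names longer than 9 chars are cut off in /proc/keys; assumed fix-up for "asymmetric".
TYPE_FIXUPS = {"asymmetri": "asymmetric"}


def parse_proc_keys(text):
    """Return one dict per /proc/keys entry; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["type"] = TYPE_FIXUPS.get(e["type"], e["type"])
        # The kernel appends ": <payload summary>": linked-key count for keyrings,
        # payload length for user/encrypted keys, "X509.RSA <id> []" for asymmetric keys.
        e["name"], _, e["summary"] = e["desc"].rpartition(": ")
        entries.append(e)
    return entries


def keyring_sizes(entries):
    """Keyring name -> linked-key count. Names starting with '.' are kernel-created
    keyrings (e.g. .ima); '_'-prefixed ones (_ima, _evm) were made with keyctl newring."""
    return {e["name"]: int(e["summary"]) for e in entries if e["type"] == "keyring"}


def keys_of_type(entries, key_type):
    """Descriptions of every key of the given type, e.g. the loaded X.509 certificates."""
    return [e["name"] for e in entries if e["type"] == key_type]
```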