From: Mimi Z. <zo...@li...> - 2015-09-16 14:07:23
On Wed, 2015-09-16 at 11:49 +0000, Calligan, Keith (US) wrote:
> I am a little confused on the difference between the .ima, _ima and
> occasionally seeing the _ivm.1 and _ivm.empty keyrings. Am I loading
> the key in the wrong place (or doing something else incorrectly)?

Originally, keys being loaded onto the IMA keyring (_ima) did not need
to be signed. With the "CONFIG_IMA_TRUSTED_KEYRING" option enabled, only
signed keys can be loaded onto the ".ima" keyring. In addition, the
public key needed for verifying these signed IMA keys needs to be loaded
onto the .system_keyring. The easiest method for loading this key on the
system keyring is by recompiling the kernel with the public key builtin.

The master dracut git repo (git://git.kernel.org/pub/scm/boot/dracut/dracut.git)
contains a module for loading the signed IMA keys onto the .ima keyring.

> Here is my "keyctl show" output

With CONFIG_IMA_TRUSTED_KEYRING enabled, use:
- keyctl show %keyring:.system_keyring
- keyctl show %keyring:.ima

Mimi

> —————————
> Session Keyring
> 233684038 --alswrv 0 0 keyring: _ses
> 787382555 --alswrv 0 65534 \_ keyring: _uid.0
> 88392938 --alswrv 0 0 \_ user: kmk-user
> 394259904 --alswrv 0 0 \_ keyring: _evm
> 276216246 --alswrv 0 0 | \_ user: 1ECAF89B087F7A55
> 364658328 --alswrv 0 0 \_ keyring: _ima
> 44707860 --als--v 0 0 | \_ asymmetric:
> localhost.localdomain: root signing key:
> ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
> 995573136 --alswrv 0 0 \_ encrypted: evm-key
> —————————
>
> Also, as reference, I am using an XFS filesystem but have tried on
> EXT4 systems as well. Has anyone tried on XFS?
>
> Sorry for the long email. Any help is much appreciated. Please let
> me know if you need any additional information.
>
> Thanks,
>
> Keith
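As an added example (not code from the thread, the kernel or dracut), the shell helper below parses the text of `keyctl show` and reports which keyring holds each asymmetric key, so a key that landed on the user-created `_ima` keyring is not mistaken for one on the trusted `.ima` keyring. The sample is the thread's output with keyctl's indentation restored (constructed for this example); the function names and verdict wording are this example's own.

```shell
# Added example: nesting depth in `keyctl show` output is the column of the
# "\_" marker (4 columns per level, depth-first), so the enclosing keyring of
# a key is the latest keyring seen at a column left of the key's marker.
# SAMPLE_KEYCTL_SHOW is constructed: the thread's output, re-indented as keyctl prints it.
SAMPLE_KEYCTL_SHOW=$(cat <<'EOF'
Session Keyring
 233684038 --alswrv      0     0  keyring: _ses
 787382555 --alswrv      0 65534   \_ keyring: _uid.0
  88392938 --alswrv      0     0       \_ user: kmk-user
 394259904 --alswrv      0     0       \_ keyring: _evm
 276216246 --alswrv      0     0       |   \_ user: 1ECAF89B087F7A55
 364658328 --alswrv      0     0       \_ keyring: _ima
  44707860 --als--v      0     0       |   \_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
 995573136 --alswrv      0     0       \_ encrypted: evm-key
EOF
)

# Usage: locate_asymmetric_keys < keyctl-output
# Prints "<enclosing keyring><TAB><key description>" for every asymmetric key.
locate_asymmetric_keys() {
    awk '
    match($0, /(keyring|asymmetric|user|encrypted): /) {
        col  = index($0, "\\_")              # 0 on the root keyring line
        type = substr($0, RSTART, RLENGTH - 2)
        desc = substr($0, RSTART + RLENGTH)
        if (type == "keyring") { ring[col] = desc; next }
        best = -1                            # deepest keyring left of this key
        for (c in ring) if (c + 0 < col && c + 0 > best) best = c + 0
        if (type == "asymmetric") printf "%s\t%s\n", ring[best], desc
    }'
}

ima_key_verdict() {                          # explain what a keyring name means
    case "$1" in
        .ima) echo "trusted .ima keyring: signed key, verified against .system_keyring" ;;
        _ima) echo "user-created _ima keyring: with CONFIG_IMA_TRUSTED_KEYRING load onto .ima" ;;
        *)    echo "unexpected keyring '$1'" ;;
    esac
}

# Usage: check_ima_keys < keyctl-output  (one verdict line per asymmetric key)
check_ima_keys() {
    locate_asymmetric_keys | while IFS=$(printf '\t') read -r ring desc; do
        printf '%s: %s\n' "$desc" "$(ima_key_verdict "$ring")"
    done
}

printf '%s\n' "$SAMPLE_KEYCTL_SHOW" | check_ima_keys
```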