From: Calligan, K. (US) <kca...@cy...> - 2015-09-16 14:28:46
Hi Mimi,

Thanks for the info. I'm assuming that you mean copy the IMA public key to the Kernel source directory? Do I need to specify the name of this file somewhere as I'm compiling the Kernel? Is there a default name or location to copy this file?

I downloaded the newer version of Dracut from the link you sent and was looking at the scripts in the 98integrity directory. Most of it makes sense to me. I see that the EVM encrypted key is loaded as part of the module as well. I'm assuming I would only need to enable "integrity and masterkey" as I build the INITRAMFS?

CONFIG_IMA_TRUSTED_KEYRING was already enabled when I built the Kernel. Here is the output of the 2 commands you provided with my current configuration.

*****keyctl show %keyring:.system_keyring*****
Keyring
 299333826 --alswrv 0 0 keyring: .system_keyring
 925626728 --alswrv 0 0 \_ asymmetric: Build time autogenerated kernel key: e209db6b68e553f3a73f248de32ff531fc3f4063
 602290602 --alswrv 0 0 \_ asymmetric: IMA-CA: IMA/EVM certificate signing key: 917665242851040704755d74629778f08d472d28

*****keyctl show %keyring:.ima*****
Keyring
 333847471 --alswrv 0 0 keyring: .ima
 684181163 --alswrv 0 0 \_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433

Thanks,
Keith

On 9/16/15, 10:06 AM, "Mimi Zohar" <zo...@li...> wrote:

>On Wed, 2015-09-16 at 11:49 +0000, Calligan, Keith (US) wrote:
>
>> I am a little confused on the difference between the .ima, _ima and
>> occasionally seeing the _ivm.1 and _ivm.empty keyrings. Am I loading
>> the key in the wrong place (or doing something else incorrectly)?
>
>Originally, keys being loaded onto the IMA keyring (_ima) did not need
>to be signed. With the "CONFIG_IMA_TRUSTED_KEYRING" option enabled,
>only signed keys can be loaded onto the ".ima" keyring. In addition,
>the public key needed for verifying these signed IMA keys needs to be
>loaded onto the .system_keyring. The easiest method for loading this
>key on the system keyring is by recompiling the kernel with the public
>key builtin.
>
>The master dracut git repo
>(git://git.kernel.org/pub/scm/boot/dracut/dracut.git) contains a module
>for loading the signed IMA keys onto the .ima keyring.
>
>> Here is my "keyctl show" output
>
>With CONFIG_IMA_TRUSTED_KEYRING enabled, use:
>- keyctl show %keyring:.system_keyring
>- keyctl show %keyring:.ima
>
>Mimi
>
>>
>> Session Keyring
>> 233684038 --alswrv 0 0 keyring: _ses
>> 787382555 --alswrv 0 65534 \_ keyring: _uid.0
>> 88392938 --alswrv 0 0 \_ user: kmk-user
>> 394259904 --alswrv 0 0 \_ keyring: _evm
>> 276216246 --alswrv 0 0 | \_ user: 1ECAF89B087F7A55
>> 364658328 --alswrv 0 0 \_ keyring: _ima
>> 44707860 --als--v 0 0 | \_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
>> 995573136 --alswrv 0 0 \_ encrypted: evm-key
>>
>>
>> Also, as reference, I am using an XFS filesystem but have tried on
>> EXT4 systems as well. Has anyone tried on XFS?
>>
>> Sorry for the long email. Any help is much appreciated. Please let
>> me know if you need any additional information.
>>
>> Thanks,
>>
>> Keith
>
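The point of Mimi's reply is that there are two different keyrings in play: the user-created session keyring `_ima` from the older, unsigned-key setup, and the kernel-owned `.ima` keyring that CONFIG_IMA_TRUSTED_KEYRING uses, which only accepts keys signed by a key already on `.system_keyring`. The script below is an added example (not code from this thread, from dracut's 98integrity module, or from the IMA project) that parses `keyctl show` dumps and reports which keyring the IMA signing key actually landed on and whether its CA is on `.system_keyring`. The sample dumps are constructed here in the layout of the thread's output, reusing the key IDs quoted above; the `live_check` function assumes root and the `keyutils` package.

```shell
#!/bin/sh
# Added example, not from the thread, dracut, or the IMA project.
# Tells whether an IMA signing key sits on the kernel-owned ".ima" keyring
# (required with CONFIG_IMA_TRUSTED_KEYRING) or only on a session "_ima"
# keyring, and whether the CA that signed it is on .system_keyring.

# Print the keyring listed most recently before the asymmetric key with ID $1
# in a `keyctl show` dump read from stdin (empty if the key is absent).
keyring_holding() {
    awk -v id="$1" '
        /keyring:/                 { ring = $NF }
        /asymmetric:/ && $NF == id { print ring; exit }'
}

# Classify where IMA signing key $1 landed, given a keyctl dump in $2.
# Prints OK, MISSING, or "WRONG_KEYRING <name>"; exit status 0 only for OK.
check_ima_key() {
    _ring=$(printf '%s\n' "$2" | keyring_holding "$1")
    case "$_ring" in
        .ima) echo OK; return 0 ;;
        "")   echo MISSING; return 1 ;;
        *)    echo "WRONG_KEYRING $_ring"; return 1 ;;   # e.g. _ima: a session keyring
    esac
}

# The CA that signed the IMA key must itself be on .system_keyring ($1 = CA
# key ID, $2 = dump of that keyring). Prints OK or MISSING.
check_ima_ca() {
    _ring=$(printf '%s\n' "$2" | keyring_holding "$1")
    if [ "$_ring" = ".system_keyring" ]; then echo OK; return 0; fi
    echo MISSING; return 1
}

# Live use (root, keyutils installed): $1 = CA key ID, $2 = IMA signing key ID.
live_check() {
    check_ima_ca  "$1" "$(keyctl show %keyring:.system_keyring)"
    check_ima_key "$2" "$(keyctl show %keyring:.ima)"
}

# Constructed sample: `keyctl show %keyring:.system_keyring` on a kernel built
# with the IMA CA certificate compiled in.
SAMPLE_SYSTEM='Keyring
 299333826 --alswrv      0     0  keyring: .system_keyring
 925626728 --alswrv      0     0   \_ asymmetric: Build time autogenerated kernel key: e209db6b68e553f3a73f248de32ff531fc3f4063
 602290602 --alswrv      0     0   \_ asymmetric: IMA-CA: IMA/EVM certificate signing key: 917665242851040704755d74629778f08d472d28'

# Constructed sample: `keyctl show %keyring:.ima` after the signed key was loaded.
SAMPLE_IMA='Keyring
 333847471 --alswrv      0     0  keyring: .ima
 684181163 --alswrv      0     0   \_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433'

# Constructed sample: plain `keyctl show` when the key was only added to a
# user-created _ima keyring in the session (the older, unsigned-key layout).
SAMPLE_SESSION='Session Keyring
 233684038 --alswrv      0     0  keyring: _ses
 787382555 --alswrv      0 65534   \_ keyring: _uid.0
  88392938 --alswrv      0     0   \_ user: kmk-user
 394259904 --alswrv      0     0   \_ keyring: _evm
 276216246 --alswrv      0     0   |   \_ user: 1ECAF89B087F7A55
 364658328 --alswrv      0     0   \_ keyring: _ima
  44707860 --als--v      0     0   |   \_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
 995573136 --alswrv      0     0   \_ encrypted: evm-key'

# Demo on the constructed dumps; the live checks need a real kernel keyring.
check_ima_ca  917665242851040704755d74629778f08d472d28 "$SAMPLE_SYSTEM"        # OK
check_ima_key ec0e32eb4c1fe167dbd7e9b58f7b88166895b433 "$SAMPLE_IMA"           # OK
check_ima_key ec0e32eb4c1fe167dbd7e9b58f7b88166895b433 "$SAMPLE_SESSION" || :  # WRONG_KEYRING _ima
```

`WRONG_KEYRING _ima` is the failure mode behind the question in the thread: a key added with the pre-trusted-keyring recipe (`keyctl newring _ima @u` and `keyctl padd` into it) is visible in `keyctl show` but is invisible to IMA once CONFIG_IMA_TRUSTED_KEYRING is set, because IMA looks only at `.ima`. A `MISSING` from `check_ima_ca` means the kernel will also refuse to load the signed key, since nothing on `.system_keyring` can verify its signature.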