From: Mimi Z. <zo...@li...> - 2015-09-16 14:53:30
On Wed, 2015-09-16 at 14:28 +0000, Calligan, Keith (US) wrote:
> Hi Mimi,
>
> Thanks for the info.
>
> I'm assuming that you mean copy the IMA public key to the Kernel source
> directory? Do I need to specify the name of this file somewhere as I'm
> compiling the Kernel? Is there a default name or location to copy this
> file?

No, we're discussing the public key (e.g. local ima-ca) used for verifying
the signed IMA keys. Until recently, all .x509 keys (DER format) in the
kernel build root were built into the kernel image and loaded onto the
system keyring. Currently, the keys are stored in a single file as defined
in CONFIG_SYSTEM_TRUSTED_KEYS. The keys in this file are in PEM format.

> I downloaded the newer version of Dracut from the link you sent and was
> looking at the scripts in the 98integrity directory. Most of it makes
> sense to me. I see that the EVM encrypted key is loaded as part of the
> module as well. I'm assuming I would only need to enable "integrity and
> masterkey" as I build the INITRAMFS?

The masterkey decrypts the EVM symmetric key. In your case, without a TPM,
you're using a "user" type masterkey.

> CONFIG_IMA_TRUSTED_KEYRING was already enabled when I built the Kernel.
>
> Here is the output of the 2 commands you provided with my current
> configuration.
>
> *****keyctl show %keyring:.system_keyring*****
>
> Keyring
> 299333826 --alswrv 0 0 keyring: .system_keyring
> 925626728 --alswrv 0 0 \_ asymmetric: Build time autogenerated
> kernel key: e209db6b68e553f3a73f248de32ff531fc3f4063
> 602290602 --alswrv 0 0 \_ asymmetric: IMA-CA: IMA/EVM
> certificate signing key: 917665242851040704755d74629778f08d472d28
>
> *****keyctl show %keyring:.ima*****
> Keyring
> 333847471 --alswrv 0 0 keyring: .ima
> 684181163 --alswrv 0 0 \_ asymmetric: localhost.localdomain:
> root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433

This looks good. You've loaded the "local IMA-CA" used for verifying the
IMA keys on the system keyring and loaded the signed IMA key on the .ima
keyring.

Mimi
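As an added example (not part of the thread), a small parser for the `keyctl show` output format quoted above, used to confirm the two things Mimi checks: that the local IMA-CA is on .system_keyring and that a signed key is on the .ima keyring. The sample input is the thread's own output; the `keyctl_show` helper assumes the keyutils `keyctl` command is installed when run on a live system.

```python
import re
import subprocess

# One entry of `keyctl show` output: "<id> <perms> <uid> <gid> [\_ ]<type>: <description>"
_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(?:\\_\s+)?(\w+):\s*(.*?)\s*$")

def parse_keyctl_show(text):
    """Parse `keyctl show` output into dicts; the 'Keyring' header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries.append({"id": int(m.group(1)), "perms": m.group(2),
                            "uid": int(m.group(3)), "gid": int(m.group(4)),
                            "type": m.group(5), "desc": m.group(6)})
    return entries

def has_key(entries, key_type, needle):
    """True if some entry of key_type has `needle` in its description."""
    return any(e["type"] == key_type and needle in e["desc"] for e in entries)

def check_ima_keyrings(system_text, ima_text):
    """Sanity-check an IMA setup like the one in the thread: the local IMA-CA
    must be on .system_keyring and at least one signed key on .ima."""
    sys_keys = parse_keyctl_show(system_text)
    ima_keys = parse_keyctl_show(ima_text)
    return {
        "ima_ca_on_system_keyring": has_key(sys_keys, "asymmetric", "IMA-CA"),
        "signed_key_on_ima_keyring": has_key(ima_keys, "asymmetric", "signing key"),
        "ima_keyring_key_count": sum(1 for e in ima_keys if e["type"] == "asymmetric"),
    }

def keyctl_show(keyring):
    """Run `keyctl show %keyring:<name>` on a live system (assumes keyutils is installed)."""
    return subprocess.run(["keyctl", "show", "%keyring:" + keyring],
                          check=True, capture_output=True, text=True).stdout

# Constructed sample: the two outputs quoted in the thread above.
SAMPLE_SYSTEM = """Keyring
 299333826 --alswrv      0     0  keyring: .system_keyring
 925626728 --alswrv      0     0   \\_ asymmetric: Build time autogenerated kernel key: e209db6b68e553f3a73f248de32ff531fc3f4063
 602290602 --alswrv      0     0   \\_ asymmetric: IMA-CA: IMA/EVM certificate signing key: 917665242851040704755d74629778f08d472d28
"""
SAMPLE_IMA = """Keyring
 333847471 --alswrv      0     0  keyring: .ima
 684181163 --alswrv      0     0   \\_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
"""

if __name__ == "__main__":
    print(check_ima_keyrings(SAMPLE_SYSTEM, SAMPLE_IMA))
```

On a live system replace the samples with `keyctl_show(".system_keyring")` and `keyctl_show(".ima")`.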