From: Calligan, K. (US) <kca...@cy...> - 2015-09-16 16:02:24
Hi Mimi,

Sorry for not understanding this completely. I don't see CONFIG_SYSTEM_TRUSTED_KEYS as an option in the Kernel. I searched for it when I ran "make menuconfig". Is there a patch I need for this? Are you referring to the "IMA_X509_PATH" setting instead? This was previously set to "/etc/keys/x509_ima.der"

Also, if I understand correctly, I am going to remove ima-local-ca.x509 from the Kernel source directory? I know when I had this defined, I could see the IMA CA when running "cat /proc/keys". I no longer see this after recompiling.

Thanks,
Keith

On 9/16/15, 10:52 AM, "Mimi Zohar" <zo...@li...> wrote:

>On Wed, 2015-09-16 at 14:28 +0000, Calligan, Keith (US) wrote:
>> Hi Mimi,
>>
>> Thanks for the info.
>>
>> I'm assuming that you mean copy the IMA public key to the Kernel source
>> directory? Do I need to specify the name of this file somewhere as I'm
>> compiling the Kernel? Is there a default name or location to copy this
>> file?
>
>No, we're discussing the public key (eg. local ima-ca) used for
>verifying the signed IMA keys. Until recently, all .x509 keys (DER
>format) in the kernel build root were built into the kernel image and
>loaded onto the system keyring. Currently, the keys are stored in a
>single file as defined in CONFIG_SYSTEM_TRUSTED_KEYS. The keys in this
>file are in PEM format.
>
>> I downloaded the newer version of Dracut from the link you sent and was
>> looking at the scripts in the 98integrity directory. Most of it makes
>> sense to me. I see that the EVM encrypted key is loaded as part of the
>> module as well. I'm assuming I would only need to enable "integrity and
>> masterkey" as I build the INITRAMFS?
>
>The masterkey decrypts the EVM symmetric key. In your case, without a
>TPM, you're using a "user" type masterkey.
>
>>
>> CONFIG_IMA_TRUSTED_KEYRING was already enabled when I built the Kernel.
>>
>> Here is the output of the 2 commands you provided with my current
>> configuration.
>>
>> *****keyctl show %keyring:.system_keyring*****
>>
>> Keyring
>> 299333826 --alswrv 0 0 keyring: .system_keyring
>> 925626728 --alswrv 0 0 \_ asymmetric: Build time autogenerated kernel key: e209db6b68e553f3a73f248de32ff531fc3f4063
>> 602290602 --alswrv 0 0 \_ asymmetric: IMA-CA: IMA/EVM certificate signing key: 917665242851040704755d74629778f08d472d28
>>
>> *****keyctl show %keyring:.ima*****
>> Keyring
>> 333847471 --alswrv 0 0 keyring: .ima
>> 684181163 --alswrv 0 0 \_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
>
>This looks good. You've loaded the "local IMA-CA" used for verifying
>the IMA keys on the system keyring and loaded the signed IMA key on
>the .ima keyring.
>
>Mimi
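Added example (not part of the thread above, and not code from the IMA/EVM or keyutils projects): a small Python checker that parses the two `keyctl show` listings Keith posted and verifies the condition Mimi describes, namely that the local IMA-CA is present on .system_keyring and that at least one signed IMA key is present on .ima. It also lets you pin the CA's fingerprint to a known value, which is the check an administrator wants when confirming that the CA baked into the kernel is the one they generated rather than a stale or unexpected key. The sample input is Keith's output re-typed as constructed test data; all function and variable names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two `keyctl show` listings quoted in the thread,
# re-typed here as test data (serials and fingerprints are the ones posted).
SYSTEM_KEYRING_OUTPUT = """\
Keyring
 299333826 --alswrv      0     0  keyring: .system_keyring
 925626728 --alswrv      0     0   \\_ asymmetric: Build time autogenerated kernel key: e209db6b68e553f3a73f248de32ff531fc3f4063
 602290602 --alswrv      0     0   \\_ asymmetric: IMA-CA: IMA/EVM certificate signing key: 917665242851040704755d74629778f08d472d28
"""

IMA_KEYRING_OUTPUT = """\
Keyring
 333847471 --alswrv      0     0  keyring: .ima
 684181163 --alswrv      0     0   \\_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
"""

# One `keyctl show` entry: serial, permission mask, uid, gid, an optional " \_ "
# tree prefix for child keys, then "type: description".
_ENTRY_RE = re.compile(
    r"^\s*(?P<serial>\d+)\s+(?P<perms>[-a-z]+)\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?:\\_\s+)?(?P<type>\w+):\s+(?P<desc>.*?)\s*$"
)
# Asymmetric key descriptions end in the key's SHA-1 fingerprint (40 hex digits).
_FP_RE = re.compile(r"([0-9a-f]{40})$")


def parse_keyctl_show(text: str) -> List[Dict[str, str]]:
    """Parse `keyctl show` output into entries; the keyring's own line is included."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # skips the bare "Keyring" header and blank lines
        entry = m.groupdict()
        fp = _FP_RE.search(entry["desc"])
        entry["fingerprint"] = fp.group(1) if fp else ""
        entries.append(entry)
    return entries


def find_key(entries: List[Dict[str, str]], key_type: str, needle: str) -> Optional[Dict[str, str]]:
    """First entry of the given key type whose description contains `needle`."""
    for e in entries:
        if e["type"] == key_type and needle in e["desc"]:
            return e
    return None


def check_ima_trust_chain(system_text: str, ima_text: str,
                          expected_ca_fingerprint: Optional[str] = None) -> Dict[str, object]:
    """Confirm the local IMA-CA sits on .system_keyring and a signed IMA key on .ima.
    If `expected_ca_fingerprint` is given, the CA's fingerprint must match it too."""
    system = parse_keyctl_show(system_text)
    ima = parse_keyctl_show(ima_text)
    ca = find_key(system, "asymmetric", "IMA-CA")
    ima_keys = [e for e in ima if e["type"] == "asymmetric"]
    result: Dict[str, object] = {
        "system_keyring_present": find_key(system, "keyring", ".system_keyring") is not None,
        "ima_ca_on_system_keyring": ca is not None,
        "ima_ca_fingerprint": ca["fingerprint"] if ca else "",
        "ima_keyring_present": find_key(ima, "keyring", ".ima") is not None,
        "ima_keys_loaded": len(ima_keys),
        "ca_fingerprint_matches": (
            expected_ca_fingerprint is None
            or (ca is not None and ca["fingerprint"] == expected_ca_fingerprint)
        ),
    }
    result["ok"] = bool(
        result["system_keyring_present"] and result["ima_ca_on_system_keyring"]
        and result["ima_keyring_present"] and result["ima_keys_loaded"] > 0
        and result["ca_fingerprint_matches"]
    )
    return result


if __name__ == "__main__":
    # On a live system you would feed in the real output, e.g. from
    # subprocess.run(["keyctl", "show", "%keyring:.system_keyring"], ...).
    verdict = check_ima_trust_chain(SYSTEM_KEYRING_OUTPUT, IMA_KEYRING_OUTPUT)
    for name, value in verdict.items():
        print(f"{name}: {value}")
```

The fingerprint pin is the part worth wiring into a boot-time or configuration-audit check: a missing CA is an obvious failure, but a CA that is present and simply not the one you generated (for example one left over from an earlier build) looks identical in `keyctl show` unless the fingerprint is compared.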