From: Petko M. <pe...@mi...> - 2015-09-16 16:21:46

On 15-09-16 16:02:16, Calligan, Keith (US) wrote:
> Hi Mimi,
>
> Sorry for not understanding this completely.
>
> I don’t see CONFIG_SYSTEM_TRUSTED_KEYS as an option in the Kernel. I searched
> for it when I ran “make menuconfig”. Is there a patch I need for this? Are
> you referring to the “IMA_X509_PATH” setting instead? This was previously set
> to “/etc/keys/x509_ima.der”

Currently CONFIG_SYSTEM_TRUSTED_KEYRING can be enabled when you select kernel
module signing - CONFIG_SYSTEM_TRUSTED_KEYRING and CONFIG_MODULE_SIG_FORCE.
I've written a patch that corrects this, but it only applies on top of my
other patches. I guess I should do another one without this dependency.

> Also, if I understand correctly, I am going to remove ima-local-ca.x509 from
> the Kernel source directory? I know when I had this defined, I could see the
> IVM CA when running “cat /proc/keys”. I no longer see this after recompiling.

Err, why would you remove your public key if you're going to use IMA?

Petko