From: Calligan, K. (US) <kca...@cy...> - 2015-09-16 16:49:38
Hi Petko/Mimi,

Thanks for the responses. I am searching specifically for CONFIG_SYSTEM_TRUSTED_KEYS (not CONFIG_SYSTEM_TRUSTED_KEYRING). From Mimi's description, it appeared as though CONFIG_SYSTEM_TRUSTED_KEYS allowed me to define the location of the IMA CA public key file (PEM file) as an alternative to copying the ima-local-ca.x509 file. I apologize if I'm understanding this incorrectly.

I already have module signing enabled (default) and CONFIG_SYSTEM_TRUSTED_KEYRING is set to "y". I have copied the ima-local.x509 file back to the kernel source to get back to where I was.

I also defined "IMA_X509_PATH" to be /etc/keys/x509_ima.der. What is the significance of this setting? I ran a "make -V=1" to increase the verbosity of the build but don't see this getting loaded. I only see reference to it in the $KERNEL_SRC/security/ima_init.c file. Is this an alternative to loading through the INITRAMFS?

Thanks,
Keith

On 9/16/15, 12:22 PM, "Petko Manolov" <pe...@mi...> wrote:

>On 15-09-16 16:02:16, Calligan, Keith (US) wrote:
>> Hi Mimi,
>>
>> Sorry for not understanding this completely.
>>
>> I don't see CONFIG_SYSTEM_TRUSTED_KEYS as an option in the Kernel. I searched
>> for it when I ran "make menuconfig". Is there a patch I need for this? Are
>> you referring to the "IMA_X509_PATH" setting instead? This was previously set
>> to "/etc/keys/x509_ima.der"
>
>Currently CONFIG_SYSTEM_TRUSTED_KEYRING can be enabled when you select kernel
>module signing - CONFIG_SYSTEM_TRUSTED_KEYRING and CONFIG_MODULE_SIG_FORCE.
>
>I've written a patch that corrects this, but it only applies on top of my other
>patches. I guess I should do another one without this dependency.
>
>> Also, if I understand correctly, I am going to remove ima-local-ca.x509 from
>> the Kernel source directory? I know when I had this defined, I could see the
>> IMA CA when running "cat /proc/keys". I no longer see this after recompiling.
>
>Err, why would you remove your public key if you're going to use IMA?
>
>
> Petko
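A verification step for the situation Keith describes (the IMA CA key no longer showing up in "cat /proc/keys" after a rebuild), added here as an example and not part of the thread or of the kernel's own tooling: it parses text in /proc/keys format and lists the asymmetric (X.509) keys it contains, so the presence or absence of the CA key can be checked in a script rather than by eye. The dump below is constructed for the example; the key ids and the "IMA Local CA (constructed)" description are made up and do not come from any real system.

```shell
#!/bin/sh
# Constructed /proc/keys-style dump (made up for this example, not captured from
# a real machine). Columns: id flags usage timeout perms uid gid type, then
# "description: payload". The kernel prints the type in a 9-character column,
# so "asymmetric" appears as "asymmetri".
SAMPLE_KEYS='2f8a1c3e I------     1 perm 1f0b0000     0     0 keyring   .system_keyring: 2
0d34b7a2 I------     1 perm 1f010000     0     0 asymmetri Build time autogenerated kernel key: X509.rsa 1a2b3c4d []
7c1e90aa I------     1 perm 1f010000     0     0 asymmetri IMA Local CA (constructed): X509.rsa 9f8e7d6c []
11ab22cd I------     1 perm 1f0b0000     0     0 keyring   .ima: empty'

# list_asymmetric_keys DUMP
#   Print one line per asymmetric key in DUMP as "<id> <description>".
list_asymmetric_keys() {
    printf '%s\n' "$1" | awk '
        $8 == "asymmetri" {
            id = $1
            rest = $0
            # Drop the eight fixed columns; what remains is "description: payload".
            for (i = 1; i <= 8; i++) sub(/^[^ ]+ +/, "", rest)
            # The payload after the final ": " is "X509.<algo> <keyid> []"; strip it.
            sub(/: [^:]*$/, "", rest)
            print id " " rest
        }'
}

# count_asymmetric_keys DUMP
#   Number of asymmetric keys in DUMP (prints 0 when there are none).
count_asymmetric_keys() {
    list_asymmetric_keys "$1" | grep -c .
}

# has_asymmetric_key DUMP PATTERN
#   Exit 0 when some asymmetric key description matches PATTERN (a grep basic
#   regular expression), non-zero otherwise.
has_asymmetric_key() {
    list_asymmetric_keys "$1" | grep -q -- "$2"
}

# Demonstration on the constructed dump.
list_asymmetric_keys "$SAMPLE_KEYS"
if has_asymmetric_key "$SAMPLE_KEYS" "IMA Local CA"; then
    echo "IMA CA key present"
else
    echo "IMA CA key missing: check which x509 file was compiled into the kernel"
fi
```

On a live system the same functions run over the real dump, as root so that every key is visible: list_asymmetric_keys "$(cat /proc/keys)". Note that /proc/keys lists keys but not which keyring holds them; to confirm that the CA key actually sits on the trusted or IMA keyring, use keyctl show %keyring:.system_keyring or keyctl show %keyring:.ima.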