From: Calligan, K. (US) <kca...@cy...> - 2015-09-17 12:48:42
Hi,

I am going to patch my Kernel today to use the Linux-next as you mentioned, but let me explain the issue I am having with the 4.2 build of the Kernel. If you believe that the Linux-next Kernel will fix these issues, I will immediately go to that. Are the patches you made mostly enhancements or bug fixes as well? I know you specifically mentioned the CONFIG_SYSTEM_TRUSTED_KEYS being new, but can I still do this the old way (copying IMA local x509 to Kernel source)?

Background: I am still receiving the request for unknown key/invalid-HMAC error when running the /bin/ls command. I am able to see the kmk-user, evm:encrypted, and IMA/EVM keyrings when running the "keyctl show" command. See below:

Session Keyring
 312013873 --alswrv      0     0  keyring: _ses
 853140663 --alswrv      0 65534   \_ keyring: _uid.0
 332453814 --alswrv      0     0   \_ user: kmk-user
 673567069 --alswrv      0     0   \_ keyring: _ima
 489008419 --als--v      0     0   |   \_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
 584906645 --alswrv      0     0   \_ keyring: _evm
 366138436 --als--v      0     0   |   \_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
 666325898 --alswrv      0     0   \_ encrypted: evm-key

The "keyctl show" command from above shows that the EVM key is signed by the same root signing key as IMA. I decided to use the x509_ima.der file for both for troubleshooting purposes. I will outline my testing steps below.

For testing, I am currently only labelling /bin/ls with the "evmctl sign --imasig /bin/ls" command.

1. First, I boot into "ima=fix" and "evm=fix" mode.
2. Label the /bin/ls file.
3. I reboot into "ima=enforce ima_appraise_tcb ima_policy=tcb evm=enforce" mode.
4. In the initramfs (after loading all of the keys), I run the /sysroot/bin/ls command.
5. I receive the request for unknown key/permission denied (invalid-HMAC) error.

To figure out if it is EVM or IMA causing the issue, I changed the boot time parameters to "ima=fix evm=enforce". Now, I can run the /bin/ls command (without any errors), but I am still able to run other binaries as well even though they have not been signed. From this, I'm assuming EVM isn't really working?

As I mentioned previously, to rule out an issue with the EVM signing key, I changed the "evmctl import" command in my INITRAMFS to use the x509_ima.der file for both IMA and EVM. Originally, EVM was using the x509_evm.der file. I did this assuming that possibly the EVM key needed to be signed by the IMA/CA authority as well. Let me know if this is incorrect thinking.

Before making the change with the EVM key, I took note of the output of the "getfattr -m . -d /bin/ls" command. After changing EVM to use the IMA key, I relabeled the /bin/ls file (evmctl sign --imasig /bin/ls). The IMA and EVM hash stayed the same. I would have expected the EVM hash to change?

Even with these issues occurring, I am running "evmctl verify/ima_verify $file" commands. The output of these commands shows everything is ok.

Thanks for any help you can provide. Let me know if you need me to clarify or provide any additional info.

Keith
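A small diagnostic for the keyring listing above, added here as an example and not part of the original mail or of the ima-evm-utils project: it parses "keyctl show" output into a tree, lists what each keyring holds, and reports the conditions a reader would check first when appraisal fails with "request for unknown key" (no asymmetric key in _ima or _evm, no encrypted EVM key, no kmk to unwrap it). The sample listing is reconstructed from the post's output with the same serials, names and fingerprint; the finding texts and function names are this example's own.

```python
import re
from typing import Dict, List, NamedTuple

# Sample `keyctl show` output, constructed from the listing in the post above
# (same serials, names and fingerprint; tree layout as keyctl prints it).
SAMPLE_KEYCTL_SHOW = r"""
Session Keyring
 312013873 --alswrv      0     0  keyring: _ses
 853140663 --alswrv      0 65534   \_ keyring: _uid.0
 332453814 --alswrv      0     0   \_ user: kmk-user
 673567069 --alswrv      0     0   \_ keyring: _ima
 489008419 --als--v      0     0   |   \_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
 584906645 --alswrv      0     0   \_ keyring: _evm
 366138436 --als--v      0     0   |   \_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
 666325898 --alswrv      0     0   \_ encrypted: evm-key
"""

# serial, permissions, uid, gid, then the tree drawing plus "type: description"
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.*)$")


class Key(NamedTuple):
    serial: int
    perms: str
    ktype: str   # keyring, user, asymmetric, encrypted, ...
    desc: str    # key description as keyctl prints it
    parent: str  # name of the enclosing keyring, "" for the root


def parse_keyctl_show(text: str) -> List[Key]:
    """Turn `keyctl show` output into a flat list of keys with their parent keyring."""
    keys: List[Key] = []
    stack: List[tuple] = []  # (column of the "\_" marker, keyring name)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner line ("Session Keyring") or blank
        serial, perms, _uid, _gid, rest = m.groups()
        col = line.find("\\_")  # -1 for the root keyring
        # Deeper entries have their "\_" further right; pop until we reach the parent.
        while stack and stack[-1][0] >= col:
            stack.pop()
        parent = stack[-1][1] if stack else ""
        body = rest.split("\\_", 1)[-1].strip() if col >= 0 else rest.strip()
        ktype, _, desc = body.partition(": ")
        desc = desc.strip()
        keys.append(Key(int(serial), perms, ktype, desc, parent))
        if ktype == "keyring":
            stack.append((col, desc))
    return keys


def keyring_contents(keys: List[Key]) -> Dict[str, List[Key]]:
    """Map each keyring name to the keys directly linked into it."""
    rings: Dict[str, List[Key]] = {}
    for k in keys:
        rings.setdefault(k.parent, []).append(k)
    return rings


def check_ima_evm_setup(keys: List[Key]) -> List[str]:
    """Findings relevant to 'request for unknown key' / invalid-HMAC failures."""
    rings = keyring_contents(keys)
    findings: List[str] = []
    ima_keys = [k for k in rings.get("_ima", []) if k.ktype == "asymmetric"]
    evm_keys = [k for k in rings.get("_evm", []) if k.ktype == "asymmetric"]
    if not ima_keys:
        findings.append("error: _ima keyring holds no asymmetric key; IMA signatures cannot be appraised")
    if not evm_keys:
        findings.append("error: _evm keyring holds no asymmetric key; EVM digital signatures cannot be verified")
    if not any(k.ktype == "encrypted" for k in keys):
        findings.append("error: no encrypted EVM key loaded; EVM HMACs cannot be verified")
    if not any(k.ktype == "user" and k.desc.startswith("kmk") for k in keys):
        findings.append("error: no kmk user key; nothing can unwrap the encrypted EVM key")
    # The post's situation: one certificate serving both keyrings. Not an error,
    # but worth surfacing so the reader knows which key EVM will trust.
    for desc in {k.desc for k in ima_keys} & {k.desc for k in evm_keys}:
        findings.append(f"note: the same signing key is loaded in both _ima and _evm: {desc}")
    return findings


if __name__ == "__main__":
    parsed = parse_keyctl_show(SAMPLE_KEYCTL_SHOW)
    for ring, members in keyring_contents(parsed).items():
        print(f"{ring or '<root>'}: " + ", ".join(f"{k.ktype}:{k.desc.split(':')[0]}" for k in members))
    for finding in check_ima_evm_setup(parsed):
        print(finding)
```

On a live system the same functions can be fed the output of `keyctl show` captured with subprocess; the listing in the post yields only the "note" finding, which matches what the author observed: both keyrings are populated, so the failure lies elsewhere than missing keys.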