From: Mimi Z. <zo...@li...> - 2015-09-18 12:17:54
On Thu, 2015-09-17 at 12:48 +0000, Calligan, Keith (US) wrote:
> Hi,
> I am going to patch my Kernel today to use the Linux-next as you mentioned,
> but let me explain the issue I am having with the 4.2 build of the Kernel.
> If you believe that the Linux-next Kernel will fix these issues, I will
> immediately go to that. Are the patches you made mostly enhancements or bug
> fixes as well? I know you specifically mentioned the
> CONFIG_SYSTEM_TRUSTED_KEYS being new but can I still do this the old-way
> (copying IMA local x509 to Kernel source)?

The change from storing the x509 keys in the root build directory to having the keys stored in a single file is not a "bug" fix per se, but rather a clean up.

> Background:
>
> I am still receiving the request for unknown key/invalid-HMAC error when
> running the /bin/ls command.
>
> I am able to see the kmk-user, evm:encrypted, and IMA/EVM keyrings when
> running the "keyctl show" command. See below:
> Session Keyring
> 312013873 --alswrv 0 0 keyring: _ses
> 853140663 --alswrv 0 65534 \_ keyring: _uid.0
> 332453814 --alswrv 0 0 \_ user: kmk-user
> 673567069 --alswrv 0 0 \_ keyring: _ima
> 489008419 --als--v 0 0 | \_ asymmetric:
> localhost.localdomain: root signing key:
> ec0e32eb4c1fe167dbd7e9b58f7b88166895b433

If you've enabled the IMA trusted keyring, there should not be an '_ima' keyring.

> 584906645 --alswrv 0 0 \_ keyring: _evm
> 366138436 --als--v 0 0 | \_ asymmetric:
> localhost.localdomain: root signing key:
> ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
> 666325898 --alswrv 0 0 \_ encrypted: evm-key
>
> The "keyctl show" command from above shows that the EVM key is signed by the
> same root signing key as IMA. I decided to use the x509_ima.der file for
> both for troubleshooting purposes. I will outline my testing steps below.

That's fine.

> For testing, I am currently only labelling /bin/ls with the "evmctl sign
> imasig /bin/ls" command.
>
> First, I boot into "ima=fix" and "evm=fix" mode. Label the /bin/ls file.

With the ima_appraise_tcb boot command line option specified, the entire file system needs to be labeled, not just a single file.

> I reboot into "ima=enforce ima_appraise_tcb ima_policy=tcb evm=enforce"
> mode.

I'm surprised you can boot in enforce mode without labeling the filesystem. (BTW, the default mode is "enforce" mode. No need to specify it on the boot command line.)

> In the initramfs (after loading all of the keys), I run the /sysroot/bin/ls
> command. I receive the request for unknown key/permission denied
> (invalid-HMAC) error.
>
> To figure out if it is EVM or IMA causing the issue, I changed the boot time
> parameters to "ima=fix evm=enforce". Now, I can run the /bin/ls command
> (without any errors), but I am still able to run other binaries as well even
> though they have not been signed. From this, I'm assuming EVM isn't really
> working?

In fix mode, the secure xattr is "fixed", meaning that the security.ima in this case is updated with the current file hash.

> As I mentioned previously, to rule out an issue with the EVM signing key, I
> changed the "evmctl import" command in my INITRAMFS to use the x509_ima.der
> file for both IMA and EVM. Originally, EVM was using the x509_evm.der file.
> I did this assuming that possibly the EVM key needed to be signed by the
> IMA/CA authority as well. Let me know if this is incorrect thinking.

The patches to require signed EVM keys have not yet been upstreamed. EVM is enabled by writing to <securityfs>/evm. (eg. for dracut, disable 98integrity/evm_enable.sh.)

> Before making the change with the EVM key, I took note of the output of the
> "getfattr -m . -d /bin/ls" command.
>
> After changing EVM to use the IMA key, I relabeled the /bin/ls file (evmctl
> sign imasig /bin/ls). The IMA and EVM hash stayed the same. I would have
> expected the EVM hash to change?

To modify either the IMA or EVM security xattrs, the existing xattr values must either be correct or the system must be in "fix" mode.

> Even with these issues occurring, I am running "evmctl verify/ima_verify
> $file" commands. The output of these commands shows everything is ok.

That would imply the public key was not properly loaded on the right keyring. Please show the IMA public keys on the '.ima' keyring and display the xattrs for /bin/ls.

- keyctl show %keyring:.ima
- getfattr -m ^security -e hex --dump /sysroot/bin/ls

Mimi

> Thanks for any help you can provide. Let me know if you need me to clarify
> or provide any additional info.
>
> Keith
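Added example, not part of the thread and not ima-evm-utils or kernel code: a small Python decoder for the `getfattr -m ^security -e hex --dump` output Mimi asks for. It classifies each security.ima / security.evm value by its leading type byte (the kernel's enum evm_ima_xattr_type: 0x01 legacy sha1 digest, 0x02 EVM HMAC, 0x03 signature with a v2 header, 0x04 digest with an algorithm byte), pulls the hash algorithm, key id and signature length out of a v2 signature header, and reports the conditions that lie behind the two errors in this thread: a fix-mode hash where a signature is expected, and a signature whose key id is not among the keys on the .ima keyring (which is what the kernel reports as "request for unknown key"). The sample dump, the HMAC bytes, the 8-byte signature and the key id set are constructed for the example (a real RSA signature is hundreds of bytes); the key id set is assumed to be built from the ids shown by `keyctl show %keyring:.ima`, here taken from the tail of the key id in Keith's listing.

```python
"""Decode IMA/EVM security xattrs from `getfattr -m ^security -e hex --dump` output.
Example code added to this thread; constructed sample data, not ima-evm-utils."""
from typing import Dict, List, Set

# First byte of security.ima / security.evm: enum evm_ima_xattr_type (kernel integrity.h)
XATTR_TYPES = {
    0x01: "IMA_XATTR_DIGEST",          # legacy hash, sha1 only, no algorithm byte
    0x02: "EVM_XATTR_HMAC",            # EVM HMAC over the protected metadata
    0x03: "EVM_IMA_XATTR_DIGSIG",      # asymmetric signature, struct signature_v2_hdr
    0x04: "IMA_XATTR_DIGEST_NG",       # hash with an explicit algorithm byte
    0x05: "EVM_XATTR_PORTABLE_DIGSIG",
}
# Hash algorithm ids from the kernel's hash_info.h (subset)
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256", 5: "sha384", 6: "sha512"}


def parse_getfattr_dump(text: str) -> Dict[str, Dict[str, bytes]]:
    """Return {path: {xattr_name: raw_value}} from `getfattr --dump -e hex` output."""
    files: Dict[str, Dict[str, bytes]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# file: "):
            current = line[len("# file: "):]
            files[current] = {}
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            if not value.startswith("0x"):
                raise ValueError(f"{name}: expected hex encoding (-e hex), got {value!r}")
            files[current][name] = bytes.fromhex(value[2:])
    return files


def describe_xattr(value: bytes) -> dict:
    """Classify one security.ima / security.evm value by its type byte."""
    if not value:
        return {"kind": "empty"}
    t = value[0]
    info = {"type": XATTR_TYPES.get(t, f"unknown(0x{t:02x})"), "kind": "unknown"}
    if t == 0x01:                                     # legacy sha1 digest
        info.update(kind="hash", algo="sha1", digest=value[1:].hex())
    elif t == 0x04:                                   # digest with algorithm byte
        info.update(kind="hash", algo=HASH_ALGOS.get(value[1], f"algo{value[1]}"),
                    digest=value[2:].hex())
    elif t == 0x02:                                   # EVM HMAC
        info.update(kind="hmac", digest=value[1:].hex())
    elif t == 0x03:                                   # type, version, hash_algo, be32 keyid, be16 sig_size, sig
        if len(value) < 9:
            raise ValueError("truncated signature_v2_hdr")
        sig_size = int.from_bytes(value[7:9], "big")
        info.update(kind="signature", version=value[1],
                    algo=HASH_ALGOS.get(value[2], f"algo{value[2]}"),
                    keyid=value[3:7].hex(), sig_size=sig_size,
                    size_ok=(len(value) - 9 == sig_size))
    return info


def appraisal_hints(files: Dict[str, Dict[str, bytes]], ima_keyids: Set[str]) -> List[str]:
    """Explain, per file, why IMA/EVM appraisal in enforce mode would complain."""
    hints: List[str] = []
    for path, xattrs in files.items():
        ima = describe_xattr(xattrs.get("security.ima", b""))
        evm = describe_xattr(xattrs.get("security.evm", b""))
        if ima["kind"] == "empty":
            hints.append(f"{path}: no security.ima xattr")
        elif ima["kind"] == "hash":
            hints.append(f"{path}: security.ima is a {ima['algo']} hash label "
                         "(written in ima=fix mode or by evmctl ima_hash), not a signature")
        elif ima["kind"] == "signature":
            if ima["keyid"] not in ima_keyids:
                hints.append(f"{path}: signature keyid {ima['keyid']} is not on the .ima keyring; "
                             "appraisal fails with 'request for unknown key'")
            elif not ima["size_ok"]:
                hints.append(f"{path}: signature length does not match sig_size in the header")
        if evm["kind"] == "empty":
            hints.append(f"{path}: no security.evm xattr (EVM treats the file as unlabeled)")
        elif evm["kind"] == "hmac":
            hints.append(f"{path}: security.evm is an HMAC, verifiable only with this host's evm-key")
    return hints


# Constructed sample dump in the format of `getfattr -m ^security -e hex --dump`
SAMPLE_DUMP = "\n".join([
    "# file: sysroot/bin/ls",
    "security.evm=0x02" + "a1" * 20,                  # constructed 20-byte HMAC
    "security.ima=0x0302046895b4330008" + "de" * 8,  # constructed sha256 v2 signature, 8-byte sig
    "# file: sysroot/bin/cat",
    "security.ima=0x0404" + "5c" * 32,                # constructed sha256 hash label
])
# Assumed to come from `keyctl show %keyring:.ima`; taken from the tail of the key id in the thread
IMA_KEYIDS = {"6895b433"}

if __name__ == "__main__":
    parsed = parse_getfattr_dump(SAMPLE_DUMP)
    for path, xattrs in parsed.items():
        for name, value in xattrs.items():
            print(path, name, describe_xattr(value))
    for hint in appraisal_hints(parsed, IMA_KEYIDS):
        print(hint)
```

Run it against real output by piping `getfattr -m ^security -e hex --dump /sysroot/bin/ls` into `parse_getfattr_dump` and filling `IMA_KEYIDS` from the `.ima` keyring listing; if `/bin/ls` shows a 0x04 hash rather than a 0x03 signature, it was labeled in fix mode, and if the signature's keyid is absent from the keyring, the loaded certificate is not the one that signed the file.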