From: Dmitry K. <dmi...@gm...> - 2015-09-23 20:04:01

Hello,

Shortly.... There are 2 types of public keys IMA/EVM support:
1) plain RSA keys - digsig support
2) X509 certificates - asymmetric key support

The problem you have is that you use RSA keys, but sign for X509...
See inline...

In general you can also use X509 for EVM...

Dmitry

On Wed, Sep 16, 2015 at 2:49 PM, Calligan, Keith (US) <kca...@cy...> wrote:
> I am trying to setup IMA/EVM but appear to be having a problem with setting
> IMA in enforce mode. I am getting an invalid-HMAC error. If I run
> EVM=enforce (and IMA_APPRAISE=FIX), I don’t receive this error.
>
> For background information, I am currently trying to get this to work on
> Kernel version 4.2 on Centos 7, but have tried Kernel 3.19 (and other
> Kernels newer than 3.13) and had the same types of issues. I tried these
> different Kernels to rule out the Kernel as the cause.
>
> When I compiled the Kernel, I enabled everything under Security -> Integrity
> Subsystem with the exception of FSUUID (Version 2) and “Require Signed
> User-Space Initialization.” I used the scripts in the
> /usr/local/share/doc/ima-evm-utils directory to make the ima-local-ca.x509
> and x509_ima.der files. The ima-local-ca.x509 was copied to the Kernel
> source directory, the x509_ima.der was copied to the /etc/keys directory on
> the filesystem, and the INITRAMFS so I could load it before the system booted.
> I also have the evmctl, kmk-user, evm-key, pubkey_evm.pem in the INITRAMFS.
>
> When this issue is occurring, I have “ima_appraise=enforce ima_appraise_tcb
> evm=fix rd.break” for the bootline parameters. The rd.break is so I can
> load the keys before the system is booted. The script loads the kmk-user,
> evm-encrypted, IMA public key, and EVM public key and is shown below. This
> is a non-TPM system.
>
> —————————
>
> keyctl add user kmk-user "`cat /etc/keys/kmk-user.blob`" @u > /dev/null
>
> keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u > /dev/null
>
> # import IMA public key
> ima_id=`keyctl newring _ima @u`
> evmctl import /etc/keys/x509_ima.der $ima_id
>
> # import EVM public key
> evm_id=`keyctl newring _evm @u`
> evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id

'--rsa' is for RSA based key...

> # enable EVM
> echo "1" > /sys/kernel/security/evm
>
> # enable module checking
> #echo "1" > /sys/kernel/security/module_check

How did you get such entry? module_check???

> —————————
>
> To sign the binaries, I am running “evmctl sign --imasig $file.” For non-ELF
> (binary) files, I am running “evmctl sign --imahash $file.”

You have also to use '--rsa' when signing...

> When I am booted into the system in IMA_APPRAISE=fix mode and run “evmctl
> ima_verify $file,” I see that the file is verified OK.
>
> When rebooting (after loading my script in initramfs), I receive the
> invalid-HMAC error.
>
> I have a feeling that I am loading the keys incorrectly somehow. Here is
> the output of “keyctl show” and “cat /proc/keys”. Is there anything obvious
> to anyone on the list?
>
> —————————
> 02aa3014 I--Q---     1 perm 39010000     0     0 asymmetri localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433: X509.RSA 6895b433 []
> 0544c4ea I--Q---     1 perm 3f010000     0     0 user      kmk-user: 32
> 0dedbc46 I--Q---     7 perm 3f030000     0     0 keyring   _ses: 1
> 1076b9b6 I--Q---     1 perm 3f010000     0     0 user      1ECAF89B087F7A55: 142
> 11d778c2 I------     1 perm 1f0b0000     0     0 keyring   .system_keyring: 2
> 13e61baf I------     1 perm 1f0f0000     0     0 keyring   .ima: 1
> 15bc3e98 I--Q---     1 perm 3f010000     0     0 keyring   _ima: 1
> 177fedc0 I--Q---     2 perm 3f010000     0     0 keyring   _evm: 1
> 23e639aa I------     1 perm 1f030000     0     0 asymmetri IMA-CA: IMA/EVM certificate signing key: 917665242851040704755d74629778f08d472d28: X509.RSA 8d472d28 []
> 28c7c6ab I------     1 perm 1f030000     0     0 asymmetri localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433: X509.RSA 6895b433 []
> 2eee811b I--Q---     3 perm 1f3f0000     0 65534 keyring   _uid.0: 4
> 3474e666 I--Q---     1 perm 1f3f0000     0 65534 keyring   _uid_ses.0: 1
> 372bf168 I------     1 perm 1f030000     0     0 asymmetri Build time autogenerated kernel key: e209db6b68e553f3a73f248de32ff531fc3f4063: X509.RSA fc3f4063 []
> 3b573d90 I--Q---     1 perm 3f010000     0     0 encrypted evm-key: 139
> —————————
>
> I am a little confused on the difference between the .ima, _ima and
> occasionally seeing the _ivm.1 and _ivm.empty keyrings. Am I loading the
> key in the wrong place (or doing something else incorrectly)?
>
> Here is my “keyctl show” output
>
> —————————
> Session Keyring
> 233684038 --alswrv      0     0  keyring: _ses
> 787382555 --alswrv      0 65534   \_ keyring: _uid.0
>  88392938 --alswrv      0     0       \_ user: kmk-user
> 394259904 --alswrv      0     0       \_ keyring: _evm
> 276216246 --alswrv      0     0       |   \_ user: 1ECAF89B087F7A55
> 364658328 --alswrv      0     0       \_ keyring: _ima
>  44707860 --als--v      0     0       |   \_ asymmetric: localhost.localdomain: root signing key: ec0e32eb4c1fe167dbd7e9b58f7b88166895b433
> 995573136 --alswrv      0     0       \_ encrypted: evm-key
> —————————
>
> Also, as reference, I am using an XFS filesystem but have tried on EXT4
> systems as well. Has anyone tried on XFS?
>
> Sorry for the long email. Any help is much appreciated. Please let me know
> if you need any additional information.
>
> Thanks,
>
> Keith
>
> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user

-- 
Thanks,
Dmitry
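A decoder for the two signature formats Dmitry distinguishes above, added here as an illustration (not code from this thread or from ima-evm-utils): it reads a `security.ima`/`security.evm` value the way `getfattr -e hex` prints it and reports whether it is an HMAC, a v1 digsig signature (verifiable only by an RSA key imported with `--rsa`) or a v2 signature (verifiable only by an X509 certificate), so the mismatch Keith hit can be spotted on the fixed-up filesystem before rebooting into enforce mode. The header layouts follow the kernel's digsig.h and ima-evm-utils' signature_v2_hdr as I know them; the sample values are constructed, with only the keyids taken from Keith's listing.

```python
import struct

# First byte of security.ima / security.evm (kernel's evm_ima_xattr_type)
XATTR_TYPE = {0x01: "ima digest (legacy sha1)", 0x02: "evm hmac",
              0x03: "digital signature", 0x04: "ima digest_ng"}
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",      # kernel hash_info.h order
             4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}

def parse_getfattr_hex(line: str) -> bytes:
    """Turn a 'security.ima=0x0302...' line (getfattr -e hex) into raw bytes."""
    value = line.split("=", 1)[1].strip().strip('"')
    return bytes.fromhex(value[2:] if value.startswith("0x") else value)

def decode_xattr(raw: bytes) -> dict:
    """Describe an IMA/EVM xattr value and say which key type can verify it."""
    if not raw:
        raise ValueError("empty xattr value")
    kind = raw[0]
    info = {"type": XATTR_TYPE.get(kind, "unknown 0x%02x" % kind)}
    if kind == 0x03 and raw[1] == 1:
        # v1 header (kernel struct signature_hdr, packed): version, u32 timestamp,
        # algo, hash, keyid[8], nmblen. The 8-byte keyid is the name of the 'user'
        # key that 'evmctl import --rsa' adds (1ECAF89B087F7A55 in the listing).
        keyid = struct.unpack(">BIBB8sB", raw[1:17])[4]
        info.update(version=1, keyid=keyid.hex(),
                    needs="RSA digsig key: imported with --rsa, file signed with --rsa")
    elif kind == 0x03 and raw[1] == 2:
        # v2 header (signature_v2_hdr): type, version, hash_algo, be32 keyid, be16 sig_size.
        # The keyid is the value /proc/keys prints after 'X509.RSA' for the certificate.
        _, _, algo, keyid, sig_size = struct.unpack(">BBBIH", raw[:9])
        info.update(version=2, hash=HASH_ALGO.get(algo, "unknown"), keyid="%08x" % keyid,
                    sig_size=sig_size, complete=len(raw) == 9 + sig_size,
                    needs="X509 asymmetric key: imported without --rsa, file signed without --rsa")
    elif kind == 0x04:
        info.update(hash=HASH_ALGO.get(raw[1], "unknown"), needs="no key: hash only (--imahash)")
    elif kind == 0x02:
        info["needs"] = "no public key: HMAC derived from the evm-key"
    return info

# Constructed sample values; only the keyids are taken from Keith's keyring listing above
V2_SIG = b"\x03\x02\x04" + bytes.fromhex("6895b433") + b"\x01\x00" + b"\xaa" * 256
V1_SIG = b"\x03\x01" + b"\x00" * 4 + b"\x01\x01" + bytes.fromhex("1ecaf89b087f7a55") + b"\x00" + b"\xbb" * 128
EVM_HMAC = b"\x02" + b"\x11" * 20
IMA_HASH = b"\x04\x04" + b"\x22" * 32

if __name__ == "__main__":
    for name in ("V2_SIG", "V1_SIG", "EVM_HMAC", "IMA_HASH"):
        print(name, decode_xattr(globals()[name]))
```

On a running system, feed parse_getfattr_hex the `security.ima=0x...` line that `getfattr -n security.ima -e hex $file` prints (as root), and compare the reported key type with what `keyctl show` says is loaded in _ima and _evm.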