From: Tao <baa...@gm...> - 2015-12-23 16:29:04

Hi, I am trying the IMA appraisal function on a CentOS7 minimal installation machine. By default, this distribution ships with a compiled kernel that supports IMA functions. Kernel version is 3.10.0. I followed the instructions on the following two web pages.

http://sourceforge.net/p/linux-ima/wiki/Home/
https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture

It works fine with the measurement functions and IMA appraisal without digital signatures. I activated the i_version flag in the root filesystem in the boot command line and changed the mount option in the /etc/fstab file. Since right now I am just testing the capability of the IMA, I set a custom policy only to appraise the files belonging to a user named "temp" and added "ima_appraise=enforce" in the boot command line. Then I use 'evmctl ima_hash file' and it works fine. I can see the security.ima extended attribute with the 'getfattr' command. And after I change the owner of the file to temp, I can still open it and execute it.

The problem is with the ima_sign function provided by evmctl. Following the instructions, I create a new keyring in the system by launching the following commands:

    openssl genrsa -out privkey_evm.pem 1024
    openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
    ima_id=`keyctl newring _ima @u`
    evmctl import --rsa /etc/keys/pubkey_evm.pem $ima_id
    evmctl ima_sign --rsa file -v

Until this point, I can see the hash value, the keyid, sighash and evm/ima signature. And I also can see the security.ima attribute is becoming 274 bytes long. Then I launch:

    evmctl ima_verify --rsa file -v

and I can see the hash is correct and sighash is the same one shown with the above command. And the verification is OK.

But after I change the ownership of the file to user 'temp' whose files are set to be appraised, and try to run the same ima_verify again, it gives an error with the following message:

    [8621.067731]digsig: key not found, id:DE253B20DFD8E3
    Fail to open: file Errno: Permission denied (13)

With the 'keyctl show' command, I can see the sub-attributes of the keyring: _uid.0, named _ima and DE253B20DFD8E3. Can anyone enlighten me what is the possible error? I followed exactly the procedure described in the wiki page. Or if there is something changed?

Thank you very much for your time and best wishes!

Tao
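A decoder for the security.ima value, added here as an example that is not part of Tao's post nor of ima-evm-utils or the kernel; it assumes the v2 signature header layout written by `evmctl ima_sign` (type byte, version, hash algorithm, big-endian 4-byte key id, big-endian 2-byte signature length) and uses constructed sample bytes, so that the key id a signature is bound to can be checked against the ids `keyctl show` lists before appraisal is switched to enforce.

```python
import os
import struct

# Kernel hash_algo enum values (include/uapi/linux/hash_info.h) that matter here.
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256",
             5: "sha384", 6: "sha512", 7: "sha224"}

# First byte of security.ima selects the payload layout.
IMA_XATTR_DIGEST = 0x01      # legacy raw sha1 digest, written by `evmctl ima_hash`
EVM_IMA_XATTR_DIGSIG = 0x03  # signature_v2_hdr + RSA signature, written by `evmctl ima_sign`
IMA_XATTR_DIGEST_NG = 0x04   # hash algorithm byte followed by the digest

# struct signature_v2_hdr (ima-evm-utils): version u8, hash_algo u8, keyid be32, sig_size be16
SIG_V2_HDR = struct.Struct(">BBIH")

def parse_security_ima(value):
    """Decode a security.ima value given as raw bytes or as getfattr's '0x...' hex string."""
    if isinstance(value, str):
        value = bytes.fromhex(value[2:] if value.startswith("0x") else value)
    if not value:
        raise ValueError("empty security.ima")
    xtype, body = value[0], value[1:]
    if xtype == IMA_XATTR_DIGEST:
        return {"type": "digest", "algo": "sha1", "digest": body.hex()}
    if xtype == IMA_XATTR_DIGEST_NG:
        return {"type": "digest", "algo": HASH_ALGO.get(body[0], "unknown"), "digest": body[1:].hex()}
    if xtype == EVM_IMA_XATTR_DIGSIG:
        version, algo, keyid, sig_size = SIG_V2_HDR.unpack_from(body)
        sig = body[SIG_V2_HDR.size:]
        if version != 2:
            raise ValueError("unsupported signature version %d" % version)
        if len(sig) != sig_size:
            raise ValueError("sig_size %d but %d signature bytes present" % (sig_size, len(sig)))
        return {"type": "signature", "version": version, "algo": HASH_ALGO.get(algo, "unknown"),
                "keyid": "%08X" % keyid, "sig_bits": sig_size * 8}
    raise ValueError("unknown security.ima type 0x%02x" % xtype)

def keyid_on_keyring(parsed, keyring_ids):
    """True if the key id bound in the signature is among the hex ids `keyctl show` lists."""
    return parsed.get("type") == "signature" and parsed["keyid"].lower() in {k.lower() for k in keyring_ids}

def read_security_ima(path):
    """Read and decode security.ima from a file (Linux only, needs read access to the xattr)."""
    return parse_security_ima(os.getxattr(path, "security.ima"))

# Constructed sample: v2 sha1 signature made with a 1024-bit RSA key (128-byte signature),
# the layout `evmctl ima_sign --rsa` writes; key id and signature bytes are made up.
# 137 raw bytes, which `getfattr -e hex` displays as 274 hex digits.
SAMPLE = bytes([0x03, 0x02, 0x02]) + bytes.fromhex("0A1B2C3D") + (128).to_bytes(2, "big") + b"\xAA" * 128
```

Feed `parse_security_ima` the `getfattr -n security.ima -e hex` output of a signed file and compare the reported key id with the entries `keyctl show` prints under the _ima keyring; a mismatch means the signature was made with a key the kernel will not find.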