From: Mimi Z. <zo...@li...> - 2016-01-12 15:57:02

On Tue, 2016-01-12 at 16:16 +0100, Baal Su wrote:
> > On 12 Jan 2016, at 14:32, Mimi Zohar <zo...@li...> wrote:
> >
> > On Tue, 2016-01-12 at 13:16 +0100, Baal Su wrote:
> >>> On 11 Jan 2016, at 20:53, Mimi Zohar <zo...@li...> wrote:
> >>>
> >>> On Mon, 2016-01-11 at 16:58 +0100, Baal Su wrote:
> >
> >> But when I try to read this file, which belongs to another user whose
> >> files are appraised, it still shows the same error as the following.
> >>
> >> Following Mark's suggestion, I tried to show the keys belonging to the
> >> keyring of global .ima; there is no key under it.
> >
> > If CONFIG_IMA_TRUSTED_KEYRING is enabled, the IMA keyring name is .ima,
> > otherwise it is _ima.
>
> I checked the config file in the boot directory; "CONFIG_IMA_TRUSTED_KEYRING" is enabled.
>
> I tried to change the keyring from _ima to .ima with this command:
>
> ima_id=`keyctl newring .ima @u`
>
> The result is:
>
> add_key: Operation not permitted

Userspace cannot create dot-prefixed keyrings; only the kernel can create
trusted keyrings. Keys added to the .ima keyring need to be signed by a
key on the system keyring. There are a couple of ways of doing that:

- build your CA key into the kernel
- on systems with RedHat's UEFI/MOK patches, install your CA key into
  the UEFI MOK db
- Mehmet Kayaalp posted a patch for reserving memory in the kernel for
  additional keys. This patch has not yet been upstreamed.

Mimi
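The distinction drawn in this thread, as an added example that is not part of the original mail: a small POSIX shell helper that reads the kernel config (the file Baal checked under /boot), picks the matching IMA keyring name, refuses to `keyctl newring` a dot-prefixed keyring, and prints the `keyctl padd` form for loading a DER certificate into an existing kernel-created keyring. The config path, certificate path and helper names are assumptions for illustration; keyutils' `keyctl` is assumed to be installed when the printed command is run.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Decides which IMA keyring
# a given kernel uses and how a certificate may be loaded into it.

# Return the IMA keyring name for a kernel config file:
# ".ima" when CONFIG_IMA_TRUSTED_KEYRING=y (created by the kernel, trusted),
# "_ima" otherwise (created from userspace, untrusted).
ima_keyring_name() {
    if grep -q '^CONFIG_IMA_TRUSTED_KEYRING=y$' "$1" 2>/dev/null; then
        echo ".ima"
    else
        echo "_ima"
    fi
}

# Userspace may only create keyrings whose name is not dot-prefixed;
# a "keyctl newring .ima @u" fails with EPERM, as seen in the thread.
userspace_can_create() {
    case "$1" in
        .*) return 1 ;;
        *)  return 0 ;;
    esac
}

# Print the command that loads a DER-encoded certificate into the keyring.
# For .ima the certificate must be signed by a CA on the system keyring,
# otherwise the kernel rejects the add; for _ima no such check applies.
load_cert_command() {
    name="$1"; cert="$2"
    if userspace_can_create "$name"; then
        printf 'keyctl newring %s @u 2>/dev/null; keyctl padd asymmetric "" %%keyring:%s < %s\n' \
            "$name" "$name" "$cert"
    else
        # Do not try to create it: look the kernel-created keyring up by name.
        printf 'keyctl padd asymmetric "" %%keyring:%s < %s\n' "$name" "$cert"
    fi
}

# Demo against the running kernel's config, if readable (assumed path).
running_cfg="/boot/config-$(uname -r)"
if [ -r "$running_cfg" ]; then
    kr=$(ima_keyring_name "$running_cfg")
    echo "IMA keyring: $kr"
    echo "load with:   $(load_cert_command "$kr" /etc/keys/x509_ima.der)"
fi
```

Run `keyctl show %keyring:.ima` afterwards to confirm the key landed in the kernel's keyring rather than in a user-created one.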