From: Baal Su <baa...@gm...> - 2016-01-12 16:05:13
> On 12 Jan 2016, at 16:55, Mimi Zohar <zo...@li...> wrote:
>
> On Tue, 2016-01-12 at 16:16 +0100, Baal Su wrote:
>>> On 12 Jan 2016, at 14:32, Mimi Zohar <zo...@li...> wrote:
>>>
>>> On Tue, 2016-01-12 at 13:16 +0100, Baal Su wrote:
>>>>> On 11 Jan 2016, at 20:53, Mimi Zohar <zo...@li...> wrote:
>>>>>
>>>>> On Mon, 2016-01-11 at 16:58 +0100, Baal Su wrote:
>>>
>>>> But when I try to read this file, which belongs to another user whose
>>>> files are appraised, it still shows the same error as the following.
>>>>
>>>> Following Mark's suggestion, I try to show the keys belonging to the
>>>> keyring of global .ima; there is no key under it.
>>>
>>> If CONFIG_IMA_TRUSTED_KEYRING is enabled, the IMA keyring name is .ima,
>>> otherwise it is _ima.
>>
>> I checked the config file in the boot directory; "CONFIG_IMA_TRUSTED_KEYRING" is enabled.
>>
>> I tried to change the keyring from _ima to .ima, in this command:
>>
>> ima_id=`keyctl newring .ima @u`
>>
>> The result is:
>>
>> add_key: Operation not permitted
>
> Userspace can not create dot prefixed keyrings, only the kernel can
> create trusted keyrings. Keys added to the .ima keyring need to be
> signed by a key on the system keyring. There are a couple of ways of
> doing that:
>
> - build your CA key into the kernel
> - On systems with RedHat's UEFI/MOK patches, install your CA key into
> the UEFI MoK db
> - Mehmet Kayaalp posted a patch for reserving memory in the kernel for
> additional keys. This patch has not yet been upstreamed.

Thank you Mimi, I will try these methods and let you know the results.

Best wishes!
Tao

>
> Mimi
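The diagnostic the thread walks through by hand (which IMA keyring name the kernel uses, and whether it actually holds keys) as an added shell example; this is not code from the thread or from the IMA project, and it assumes the standard /proc/keys line layout and a kernel config file in /boot.

```shell
#!/bin/sh
# Added example, not code from the thread. Determine which IMA keyring name the
# kernel uses (.ima when CONFIG_IMA_TRUSTED_KEYRING=y, otherwise _ima) and
# report whether that keyring exists in /proc/keys and holds any keys.
# File paths are parameters so the check also runs against constructed input;
# on a live system pass "/boot/config-$(uname -r)" and /proc/keys.

# ima_keyring_name CONFIG_FILE  -> prints ".ima" or "_ima"
ima_keyring_name() {
    if grep -q '^CONFIG_IMA_TRUSTED_KEYRING=y$' "$1"; then
        printf '.ima\n'
    else
        printf '_ima\n'
    fi
}

# ima_keyring_status PROC_KEYS_FILE NAME -> prints one of
#   missing  keyring is not present (a dot-prefixed keyring can only be
#            created by the kernel, so "keyctl newring .ima" never creates it)
#   empty    keyring exists but no key was successfully added to it
#   keys=N   keyring holds N keys
# Return status is 0 only for keys=N.
# /proc/keys fields: serial flags usage timeout perm uid gid type description: summary
# (for a keyring the summary is the key count, or "empty" on older kernels).
ima_keyring_status() {
    summary=$(awk -v n="$2" \
        '$8 == "keyring" && $9 == (n ":") { print $10; exit }' "$1")
    case "$summary" in
        "")       printf 'missing\n'; return 1 ;;
        empty|0)  printf 'empty\n';   return 1 ;;
        *)        printf 'keys=%s\n' "$summary"; return 0 ;;
    esac
}

# check_ima_keyring CONFIG_FILE PROC_KEYS_FILE -> "<keyring name> <status>"
check_ima_keyring() {
    name=$(ima_keyring_name "$1")
    status=$(ima_keyring_status "$2" "$name") || :
    printf '%s %s\n' "$name" "$status"
}

# Stand-alone use on a live system (needs read access to /proc/keys):
# check_ima_keyring "/boot/config-$(uname -r)" /proc/keys
```

A result of ".ima empty" matches the situation in the thread: the trusted keyring exists, but keys can only land on it once they are signed by a key on the system keyring.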