From: Mimi Z. <zo...@li...> - 2016-11-10 10:50:40
On Thu, 2016-11-10 at 08:33 +0000, Kiviluoto, Jaakko J wrote:
> Hi all,
>
> What is the correct way to get a key loaded into the trusted ".ima"
> keyring?
>
> If I try the CONFIG_IMA_LOAD_X509 way, this change removes the
> "KEY_ALLOC_TRUSTED" attribute required by a trusted keyring:
> https://sourceforge.net/p/linux-ima/mailman/message/34449223/
>
> Similar roadblock when trying to insert the key with 'keyctl padd
> asymmetric "" 0x12345678 < /etc/keys/x509_ima.der' but that is
> expected.
>
> Built-in keys from CONFIG_SYSTEM_TRUSTED_KEYS only go to system
> keyring, but I'd need to put one to ".ima"
>
> Loading the key to untrusted "_ima" keyring seems to work fine, but
> then you can't use CONFIG_IMA_APPRAISE_SIGNED_INIT.
>
> I'm using Linux kernel 4.4 with Yocto Krogoth branch.

The key being loaded onto the .ima keyring needs to be signed by a key on the .builtin_trusted_keys keyring. On older kernels, the key needed to be signed by a key on the system keyring. The README in the ima-evm-utils package has a good explanation, with examples.

Mimi
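An added example (not from the thread, and not the ima-evm-utils README's own script) of the certificate relationship Mimi's reply describes: a CA certificate built into the kernel via CONFIG_SYSTEM_TRUSTED_KEYS, an IMA certificate signed by that CA, and a local check that the chain verifies while a self-signed IMA certificate does not. File names, subjects, key sizes and the `%keyring:.ima` keyutils shorthand are assumptions; the final `keyctl padd` is only defined, not run, because it needs root on a kernel booted with that CA.

```shell
#!/bin/sh
# Constructed example: build the chain "CA on .builtin_trusted_keys (or the
# system keyring on older kernels) -> IMA cert signed by that CA".
set -eu
WORK=$(mktemp -d)   # scratch directory for keys and certs (assumption)

# 1. CA key and self-signed CA certificate. This PEM is what you point
#    CONFIG_SYSTEM_TRUSTED_KEYS at so it ends up on the built-in trusted keyring.
make_ca() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example IMA CA" \
    -keyout "$WORK/ima-ca.key" -out "$WORK/ima-ca.pem" 2>/dev/null
}

# 2. IMA signing key plus a certificate for it signed by the CA. This CA
#    signature is the property the trusted .ima keyring checks for; the DER
#    form is what gets loaded (compare /etc/keys/x509_ima.der in the question).
make_ima_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example IMA signing key" \
    -keyout "$WORK/ima.key" -out "$WORK/ima.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/ima.csr" \
    -CA "$WORK/ima-ca.pem" -CAkey "$WORK/ima-ca.key" -CAcreateserial \
    -out "$WORK/ima.pem" 2>/dev/null
  openssl x509 -in "$WORK/ima.pem" -outform DER -out "$WORK/x509_ima.der"
}

# 3. Userspace approximation of the kernel's acceptance rule: the IMA cert
#    must chain to the trusted CA. Returns 0 when it does.
chain_ok() {
  openssl verify -CAfile "$WORK/ima-ca.pem" "$WORK/ima.pem" >/dev/null 2>&1
}

# 4. Failure mode from the question: a self-signed IMA cert is not accepted
#    by a trusted keyring. Returns 0 when verification correctly fails.
self_signed_rejected() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Self-signed IMA key" \
    -keyout "$WORK/bad.key" -out "$WORK/bad.pem" 2>/dev/null
  ! openssl verify -CAfile "$WORK/ima-ca.pem" "$WORK/bad.pem" >/dev/null 2>&1
}

# 5. On the target, as root, on a kernel built with ima-ca.pem: load the
#    CA-signed DER cert onto the trusted .ima keyring. Defined only, not run.
load_into_ima_keyring() {
  keyctl padd asymmetric "" %keyring:.ima < "$WORK/x509_ima.der"
}
```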