From: Kiviluoto, J. J <jaa...@in...> - 2016-11-11 16:49:20
> > What is the correct way to get a key loaded into the trusted ".ima"
> > keyring?
> >
> > If I try the CONFIG_IMA_LOAD_X509 way, this change removes the
> > "KEY_ALLOC_TRUSTED" attribute required by a trusted keyring:
> > https://sourceforge.net/p/linux-ima/mailman/message/34449223/
>
> The key being loaded onto the .ima keyring needs to be signed by a key on
> the .builtin_trusted_keys keyring. On older kernels, the key needed to be
> signed by a key on the system keyring.

When I look at key_create_or_update() at
http://lxr.free-electrons.com/source/security/keys/key.c?v=4.4#L773
it's always going to fail if the supplied "flags" doesn't have KEY_ALLOC_TRUSTED:
http://lxr.free-electrons.com/source/security/keys/key.c?v=4.4#L833
and integrity_load_x509() never sets it:
http://lxr.free-electrons.com/source/security/integrity/digsig.c?v=4.4#L101

The result is failure with -EPERM:

[ 4.181234] integrity: Problem loading X.509 certificate (-1): /etc/keys/x509_ima.der

I cannot see any key signature verification taking place at this point yet.

> The README in the ima-evm-util package has a good explanation, with
> examples.

I have created my key with the instructions in ima-evm-utils README.

Jaakko

---------------------------------------------------------------------
Intel Finland Oy
Registered Address: PL 281, 00181 Helsinki
Business Identity Code: 0357606 - 4
Domiciled in Helsinki

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
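The requirement stated in the reply above (a certificate destined for the .ima keyring must be signed by a key already on .builtin_trusted_keys) can be checked in user space before the kernel ever sees the file, which separates a trust-chain problem from the keyring-flag problem Jaakko describes. The script below is an added example, not code from the linux-ima thread or from ima-evm-utils: it builds a throwaway CA plus one CA-signed and one self-signed leaf certificate with openssl, verifies each leaf against the CA the way the kernel's trust check would, and extracts the numeric error code from an "integrity: Problem loading X.509 certificate" log line. The directory layout, subject names and the assumption that the CA certificate corresponds to the key compiled into the kernel are demo assumptions.

```shell
#!/bin/sh
# Added example (not from the linux-ima thread): pre-flight checks for an IMA
# certificate. Assumption: ca.pem is the CA whose public key was compiled into
# the kernel's .builtin_trusted_keys keyring (path and names are demo values).
set -e

# Return 0 when the DER certificate in $2 chains to the CA certificate in $1,
# 1 otherwise. openssl verify performs the same signature check the kernel
# applies when deciding whether the key may join a trusted keyring.
ima_cert_chains_to_ca() {
    ca_pem="$1"; leaf_der="$2"
    openssl x509 -inform DER -in "$leaf_der" -out "${leaf_der}.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$ca_pem" "${leaf_der}.pem" >/dev/null 2>&1
}

# Extract the negative errno printed by integrity_load_x509() from one kernel
# log line, e.g. "(-1)" -> "-1". Prints nothing for unrelated lines.
ima_load_error_code() {
    printf '%s\n' "$1" | sed -n 's/.*Problem loading X\.509 certificate (\(-[0-9][0-9]*\)).*/\1/p'
}

# Build a demo CA, a leaf signed by that CA, and a self-signed leaf in $1.
make_demo_certs() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Demo IMA CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo IMA signing key" -keyout "$dir/ima.key" -out "$dir/ima.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ima.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -outform DER -out "$dir/x509_ima.der" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Self-signed IMA key" -keyout "$dir/selfsigned.key" \
        -outform DER -out "$dir/selfsigned.der" >/dev/null 2>&1
}

# Stand-alone demo: the CA-signed leaf passes, the self-signed one does not.
run_demo() {
    dir=$(mktemp -d)
    make_demo_certs "$dir"
    if ima_cert_chains_to_ca "$dir/ca.pem" "$dir/x509_ima.der"; then
        echo "x509_ima.der: chains to CA (eligible for a trusted keyring)"
    fi
    if ! ima_cert_chains_to_ca "$dir/ca.pem" "$dir/selfsigned.der"; then
        echo "selfsigned.der: does NOT chain to CA (kernel would reject it)"
    fi
    # Constructed log line, copied from the failure quoted in the mail.
    line='[    4.181234] integrity: Problem loading X.509 certificate (-1): /etc/keys/x509_ima.der'
    echo "errno from log: $(ima_load_error_code "$line")"
    rm -rf "$dir"
}

run_demo
```

Run it as `sh check_ima_cert.sh`; a certificate that fails `ima_cert_chains_to_ca` against the kernel's CA would be rejected for trust-chain reasons, whereas one that passes but still produces the "(-1)" log line points at the KEY_ALLOC_TRUSTED flag issue raised in the mail rather than at the certificate itself.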