From: Yan K. <sam...@gm...> - 2017-03-23 10:50:33
I did it in initramfs.

    ima_id=`keyctl newring _ima @u`
    evmctl import /etc/keys/pubkey_evm.pem $ima_id

Is it essential to generate a new one on every reboot?

Thanks,
sam

> On 23 Mar 2017, at 18:14, Nayna <na...@li...> wrote:
>
> On 03/23/2017 12:40 PM, Yan Kun wrote:
>> Hi, ALL
>>
>> I am trying to enable IMA-appraisal so that a file cannot be modified by
>> an invalid user.
>>
>> with ima_appraise=fix
>> $ evmctl ima_sign test.txt
>>
>> reboot with ima_appraise=enforce and with my policy:
>> measure fowner=1000
>> appraise fowner=1000
>>
>> But it will report "Request for unknow key 'id:66a39168'"
>> and by "keyctl show"
>> 25950863 keyring:_ima
>>
>> The value, like 25950863, will change every reboot, so where did I make
>> a mistake?
>
> Looks like the key is not added to the _ima keyring.
> You need to import the public part of the key used for signing into _ima.
>
> Thanks & Regards,
> - Nayna
>
>> Thanks
>>
>> Regards,
>>
>> Sam
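The initramfs step from the message above, written as an added example (not code from the thread or from ima-evm-utils) so that it never depends on a particular keyring serial: the serial the kernel assigns to _ima changes on every boot, so the script looks it up and reuses the ring if it already exists. It assumes keyctl and evmctl are installed and the public key sits at /etc/keys/pubkey_evm.pem, the path used in the thread; the helper name ima_keyring_serial is my own.

```shell
#!/bin/sh
# Added example, not code from the thread: load the IMA signing public key
# into the _ima keyring during early boot (for example from initramfs).
# Keyring serials (the 25950863 seen in "keyctl show") are assigned by the
# kernel when the ring is created, so they differ on every boot; the serial
# must be looked up at run time, never hard-coded. The key path is the one
# used in the thread (an assumption); the ring is kept in the user keyring (@u).
set -eu

PUBKEY=${PUBKEY:-/etc/keys/pubkey_evm.pem}   # assumed path, as in the thread

# Read "keyctl show" output on stdin and print the serial of the keyring
# named _ima. Accepts both "keyring: _ima" and "keyring:_ima" spellings and
# the "\_" tree prefix keyctl prints for nested rings. Exits 1 if absent.
ima_keyring_serial() {
    awk '/keyring: *_ima$/ { print $1; found = 1 }
         END { exit !found }'
}

# Reuse an existing _ima ring if @u already has one, otherwise create it,
# then import the public key and show the ring so the loaded key is visible.
load_ima_pubkey() {
    serial=$(keyctl show @u | ima_keyring_serial) \
        || serial=$(keyctl newring _ima @u)
    evmctl import "$PUBKEY" "$serial"
    keyctl show "$serial"
    # A file signed with the matching private key should now appraise, e.g.
    #   evmctl ima_verify /path/to/signed-file
}

# Only touch the kernel keyrings when invoked explicitly: ./ima-keys.sh --run
case "${1:-}" in
    --run) load_ima_pubkey ;;
esac
```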