From: HC T. <fp...@gm...> - 2017-09-21 05:33:40
Hi everyone,

In Ubuntu 16.04 I do the following steps to digitally sign files.

@Enable EVM
echo "1" > /sys/kernel/security/evm

@Create keys folder
$ su -c 'mkdir -p /etc/keys'

@To create and save the kernel master key (user type):
$ su -c 'modprobe trusted encrypted'
$ su -c 'keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u'
$ su -c 'keyctl pipe `keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob'

@Create the EVM encrypted key
$ su -c 'keyctl add encrypted evm-key "new user:kmk-user 32" @u'
$ su -c 'keyctl pipe `keyctl search @u encrypted evm-key` > /etc/keys/evm-user.blob'

@Generate unencrypted private key
openssl genrsa -out privkey_evm.pem 1024

@Image labeling: whole file system
sudo find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
sudo find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl ima_sign --imahash '{}' \; -print

@Check security.ima content
evmctl ima_sign --hashalgo sha256 --rsa --key /etc/keys/privkey_evm.pem -t f /home/my/test.sh
getfattr -e hex -m security -d /home/my/test.sh

In the last step, I can see the signature for the test.sh file. However, I have no idea how to enable the system verification function to prevent files without a signature from being executed. Can anyone help with it? THX
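An added check for the last step, not from the original post or from ima-evm-utils: it decodes the security.ima values that `getfattr -e hex -m security -d` prints, so files that carry only a hash (or nothing at all) stand out from files that carry a signature. The sample getfattr output is constructed; the xattr layouts are the ones in the kernel's security/integrity/integrity.h and evmctl's v1 header.

```python
import struct

# enum hash_algo from include/uapi/linux/hash_info.h (v2 signatures, DIGEST_NG)
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "ripemd160",
             4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
V1_HASH = {0: "sha1", 1: "sha256"}   # evmctl's own enum for --rsa (v1) signatures

def classify_ima(blob: bytes) -> dict:
    """Tell a hash-only security.ima apart from a signed one and decode its header."""
    if not blob:
        return {"kind": "none"}
    xtype = blob[0]
    if xtype == 1:                       # IMA_XATTR_DIGEST: type byte + raw sha1
        return {"kind": "hash", "algo": "sha1", "digest": blob[1:].hex()}
    if xtype == 4:                       # IMA_XATTR_DIGEST_NG: type, algo byte, digest
        return {"kind": "hash", "algo": HASH_ALGO.get(blob[1], "?"),
                "digest": blob[2:].hex()}
    if xtype == 3 and len(blob) >= 2:    # EVM_IMA_XATTR_DIGSIG
        version = blob[1]
        if version == 2 and len(blob) >= 9:
            # struct signature_v2_hdr: type, version, hash_algo, be32 keyid, be16 sig_size
            _, _, algo, keyid, sig_size = struct.unpack_from(">BBBIH", blob, 0)
            sig = blob[9:9 + sig_size]
            return {"kind": "signature", "version": 2, "algo": HASH_ALGO.get(algo, "?"),
                    "keyid": f"{keyid:08x}", "sig_len": len(sig),
                    "complete": len(sig) == sig_size}
        if version == 1 and len(blob) >= 17:
            # v1 header: version, be32 timestamp, pubkey algo, hash, 8-byte keyid, nmpi
            _, _, ts, _, hsh, keyid, nmpi = struct.unpack_from(">BBIBB8sB", blob, 0)
            return {"kind": "signature", "version": 1, "algo": V1_HASH.get(hsh, "?"),
                    "keyid": keyid.hex(), "timestamp": ts, "nmpi": nmpi}
    return {"kind": "unknown", "type": xtype}

def parse_getfattr(text: str) -> dict:
    """Map each '# file:' path in getfattr -e hex output to its security.ima class."""
    result, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            result[path] = {"kind": "none"}        # updated if security.ima follows
        elif line.startswith("security.ima=0x") and path:
            result[path] = classify_ima(bytes.fromhex(line.split("=0x", 1)[1]))
    return result

# Constructed sample: one v2-signed file, one hash-only file, one with no security.ima.
SAMPLE = ("# file: home/my/test.sh\nsecurity.ima=0x0302040a1b2c3d0004deadbeef\n"
          "security.evm=0x02aa\n\n# file: home/my/unsigned.sh\n"
          "security.ima=0x0404" + "ab" * 32 + "\n\n# file: home/my/plain.sh\n"
          "security.evm=0x02bb\n")
```

Running `parse_getfattr(SAMPLE)` reports test.sh as a v2 sha256 signature with keyid 0a1b2c3d, unsigned.sh as a sha256 hash only, and plain.sh as having no security.ima at all.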