From: Martin T. <mto...@gm...> - 2017-10-13 16:38:28
Hi,

On Wed, Oct 11, 2017 at 6:23 PM, Mimi Zohar <zo...@li...> wrote:
> On Wed, 2017-10-11 at 18:12 +0100, Martin Townsend wrote:
>> Hi,
>>
>> I want to sign a root filesystem offline using the same private key
>> for both IMA and EVM, i.e. using evmctl sign --imasig
>>
>> This image is read-only and is on an embedded product. The kernel
>> automatically loads the public key as I have
>> CONFIG_IMA_TRUSTED_KEYRING=y
>> CONFIG_IMA_LOAD_X509=y
>> CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"
>>
>> set in the kernel configuration.
>>
>> I can't see how to enable this key for verifying EVM as soon as the
>> kernel passes control to the init process. Is this possible? Do I
>> have to write my own init process, which could be a script to load
>> the /etc/keys/ima_x509.der into the EVM keyring, enable EVM and then
>> pass control to systemd?
>
> There is a separate CONFIG_EVM_X509_PATH option for EVM. You can
> specify the same x509 certificate pathname.
>
> Mimi
>

I upgraded to the 4.9 kernel and tried using the same key pathname, and get the following errors:

integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
integrity: Request for unknown key 'id:399171f9' err -11
Starting init: /sbin/init exists but couldn't execute it (error -13)

I've checked and the key is there and is used by IMA. After debugging, it fails in restrict_link_by_signature when it calls find_asymmetric_key. If I use the same key with 4.1 it works fine. Is there something special that I need to do with the 4.9 kernel?
Here's some of the kernel configuration in case it helps:

#
# Security options
#
CONFIG_KEYS=y
# CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_BIG_KEYS is not set
# CONFIG_TRUSTED_KEYS is not set
CONFIG_ENCRYPTED_KEYS=y
# CONFIG_KEY_DH_OPERATIONS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_SECURITY_PATH is not set
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY is not set
# CONFIG_SECURITY_SELINUX is not set
CONFIG_SECURITY_SMACK=y
# CONFIG_SECURITY_SMACK_BRINGUP is not set
# CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_LOADPIN is not set
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY_AUDIT=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
# CONFIG_IMA_TEMPLATE is not set
CONFIG_IMA_NG_TEMPLATE=y
# CONFIG_IMA_SIG_TEMPLATE is not set
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH_SHA1=y
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
# CONFIG_IMA_DEFAULT_HASH_WP512 is not set
CONFIG_IMA_DEFAULT_HASH="sha1"
# CONFIG_IMA_WRITE_POLICY is not set
# CONFIG_IMA_READ_POLICY is not set
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_BLACKLIST_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/ima-x509.der"
CONFIG_IMA_APPRAISE_SIGNED_INIT=y
CONFIG_EVM=y
# CONFIG_EVM_ATTR_FSUUID is not set
CONFIG_EVM_EXTRA_SMACK_XATTRS=y
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="/etc/keys/ima-x509.der"
# CONFIG_DEFAULT_SECURITY_SMACK is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_CRYPTO=y

Many Thanks,
Martin.
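The boot messages and the .config fragment quoted in the message above are the raw material for triaging this kind of IMA/EVM key-loading failure. The following is an added example, not code from the thread or from the ima-evm-utils project: a small checker that decodes the negative return codes the kernel prints (-126 is ENOKEY, -11 is EAGAIN, -13 is EACCES), pairs each with the path the kernel named, and cross-checks those paths against the CONFIG_IMA_X509_PATH / CONFIG_EVM_X509_PATH values in the .config. The sample dmesg lines and config lines are taken from the message; the function names are the example's own.

```python
import errno
import re

# Sample input, copied from the boot messages quoted in the message above.
DMESG_SAMPLE = """\
integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
integrity: Request for unknown key 'id:399171f9' err -11
Starting init: /sbin/init exists but couldn't execute it (error -13)
"""

# Sample input, copied from the integrity-related part of the .config quoted above.
CONFIG_SAMPLE = """\
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/ima-x509.der"
CONFIG_IMA_APPRAISE_SIGNED_INIT=y
CONFIG_EVM=y
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="/etc/keys/ima-x509.der"
"""

# The kernel prints negative return codes in three spellings: "(-126)", "err -11", "(error -13)".
ERR_RE = re.compile(r"\((?:error )?(-\d+)\)|\berr (-\d+)\b")
PATH_RE = re.compile(r"(/[^\s:'\"]+)")
CONFIG_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")

# Linux errno values for the three codes in the message, pinned so the output reads
# the same on a non-Linux host; errno.errorcode covers everything else on Linux.
KERNEL_CODES = {126: "ENOKEY", 11: "EAGAIN", 13: "EACCES"}


def errno_name(code):
    """Translate a negative kernel return code into its errno symbol (-126 -> ENOKEY)."""
    n = abs(int(code))
    return KERNEL_CODES.get(n) or errno.errorcode.get(n, "UNKNOWN")


def parse_dmesg(text):
    """Return (line, errno symbol, path or None) for every line carrying a return code."""
    results = []
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        code = m.group(1) or m.group(2)
        p = PATH_RE.search(line)
        results.append((line, errno_name(code), p.group(1) if p else None))
    return results


def parse_config(text):
    """Read CONFIG_FOO=value lines into a dict; '# ... is not set' lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg


def check_integrity_boot(config_text, dmesg_text):
    """Cross-check the configured certificate paths against what the kernel reported.

    Findings raised:
      * a *_X509_PATH without its matching *_LOAD_X509=y (the path is never used);
      * an ENOKEY certificate-load failure naming a path that is not in the .config,
        i.e. the running kernel was not built from the .config being inspected;
      * EACCES on init with CONFIG_IMA_APPRAISE_SIGNED_INIT=y, which is IMA appraisal
        of init failing, the expected knock-on once the IMA key did not load.
    """
    cfg = parse_config(config_text)
    paths = {k: v for k, v in cfg.items() if k.endswith("_X509_PATH")}
    findings = []
    for key, path in paths.items():
        loader = key.replace("_X509_PATH", "_LOAD_X509")
        if cfg.get(loader) != "y":
            findings.append(f"{key}={path} is set but {loader} is not enabled")
    for line, name, path in parse_dmesg(dmesg_text):
        if name == "ENOKEY" and path and path not in paths.values():
            findings.append(
                f"kernel tried to load {path} ({name}) but .config names "
                f"{sorted(set(paths.values()))}: kernel and .config do not match"
            )
        elif name == "EACCES" and "init" in line and cfg.get("CONFIG_IMA_APPRAISE_SIGNED_INIT") == "y":
            findings.append(f"init refused with {name}: IMA appraisal of init failed (signed init is required)")
    return findings


if __name__ == "__main__":
    for line, name, _ in parse_dmesg(DMESG_SAMPLE):
        print(f"{name:>8}  {line}")
    for finding in check_integrity_boot(CONFIG_SAMPLE, DMESG_SAMPLE):
        print("finding:", finding)
```

Run against the two samples it reports the path the kernel tried (ima_x509.der) against the path the quoted .config names (ima-x509.der), which is worth ruling out before going deeper. Separately, on 4.9 the IMA keyring carries a link restriction: restrict_link_by_signature returns -ENOKEY when the certificate's signer cannot be found on the kernel's trusted keyring, so an ENOKEY with the correct path points at the certificate's chain of trust rather than at the file.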