From: Martin T. <mto...@gm...> - 2017-10-13 20:48:40
On Fri, Oct 13, 2017 at 5:38 PM, Martin Townsend
<mto...@gm...> wrote:
> Hi,
>
> On Wed, Oct 11, 2017 at 6:23 PM, Mimi Zohar <zo...@li...> wrote:
>> On Wed, 2017-10-11 at 18:12 +0100, Martin Townsend wrote:
>>> Hi,
>>>
> >>> I want to sign a root filesystem offline using the same private key
> >>> for both IMA and EVM, i.e. using evmctl sign --imasig
>>>
>>> This image is read-only and is on an embedded product. The kernel
>>> automatically loads the public key as I have
>>> CONFIG_IMA_TRUSTED_KEYRING=y
>>> CONFIG_IMA_LOAD_X509=y
>>> CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"
>>>
>>> set in the kernel configuration
>>>
> >>> I can't see how to enable this key for verifying EVM as soon as the
> >>> kernel passes control to the init process. Is this possible? Do I
> >>> have to write my own init process, which could be a script to load
> >>> the /etc/keys/ima_x509.der into the EVM keyring, enable EVM and then
> >>> pass control to systemd?
>>
>> There is a separate CONFIG_EVM_X509_PATH option for EVM. You can
>> specify the same x509 certificate pathname.
>>
>> Mimi
>>
> I upgraded to a 4.9 kernel and tried using the same key pathname, and
> I get the following errors:
>
> integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
> integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
> integrity: Request for unknown key 'id:399171f9' err -11
> Starting init: /sbin/init exists but couldn't execute it (error -13)
>
> I've checked, and the key is there and is used by IMA. After debugging,
> it fails in restrict_link_by_signature when it calls find_asymmetric_key.
>
> If I use the same key with 4.1 it works fine. Is there something
> special that I need to do with the 4.9 kernel?
>
> Here's some of the kernel configuration in case it helps
>
> #
> # Security options
> #
> CONFIG_KEYS=y
> # CONFIG_PERSISTENT_KEYRINGS is not set
> # CONFIG_BIG_KEYS is not set
> # CONFIG_TRUSTED_KEYS is not set
> CONFIG_ENCRYPTED_KEYS=y
> # CONFIG_KEY_DH_OPERATIONS is not set
> # CONFIG_SECURITY_DMESG_RESTRICT is not set
> CONFIG_SECURITY=y
> CONFIG_SECURITYFS=y
> CONFIG_SECURITY_NETWORK=y
> # CONFIG_SECURITY_NETWORK_XFRM is not set
> # CONFIG_SECURITY_PATH is not set
> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
> CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
> # CONFIG_HARDENED_USERCOPY is not set
> # CONFIG_SECURITY_SELINUX is not set
> CONFIG_SECURITY_SMACK=y
> # CONFIG_SECURITY_SMACK_BRINGUP is not set
> # CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> # CONFIG_SECURITY_LOADPIN is not set
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_INTEGRITY=y
> CONFIG_INTEGRITY_SIGNATURE=y
> CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
> CONFIG_INTEGRITY_TRUSTED_KEYRING=y
> CONFIG_INTEGRITY_AUDIT=y
> CONFIG_IMA=y
> CONFIG_IMA_MEASURE_PCR_IDX=10
> CONFIG_IMA_LSM_RULES=y
> # CONFIG_IMA_TEMPLATE is not set
> CONFIG_IMA_NG_TEMPLATE=y
> # CONFIG_IMA_SIG_TEMPLATE is not set
> CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> CONFIG_IMA_DEFAULT_HASH_SHA1=y
> # CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
> # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
> # CONFIG_IMA_DEFAULT_HASH_WP512 is not set
> CONFIG_IMA_DEFAULT_HASH="sha1"
> # CONFIG_IMA_WRITE_POLICY is not set
> # CONFIG_IMA_READ_POLICY is not set
> CONFIG_IMA_APPRAISE=y
> CONFIG_IMA_TRUSTED_KEYRING=y
> CONFIG_IMA_BLACKLIST_KEYRING=y
> CONFIG_IMA_LOAD_X509=y
> CONFIG_IMA_X509_PATH="/etc/keys/ima-x509.der"
> CONFIG_IMA_APPRAISE_SIGNED_INIT=y
> CONFIG_EVM=y
> # CONFIG_EVM_ATTR_FSUUID is not set
> CONFIG_EVM_EXTRA_SMACK_XATTRS=y
> CONFIG_EVM_LOAD_X509=y
> CONFIG_EVM_X509_PATH="/etc/keys/ima-x509.der"
> # CONFIG_DEFAULT_SECURITY_SMACK is not set
> CONFIG_DEFAULT_SECURITY_DAC=y
> CONFIG_DEFAULT_SECURITY=""
> CONFIG_CRYPTO=y
>
> Many Thanks,
> Martin.
After reading through the code I could see that I needed to build the
kernel with the root CA certificate using CONFIG_SYSTEM_TRUSTED_KEYS,
which is great, as now we have a trusted root certificate in the kernel
and the kernel is signed and secured via Freescale HAB.

The intermediate keys are now successfully loaded, but sadly it hangs.
I know there are two firmware files it has to load, sdma and brcmfmac, so
maybe the problem is there. I see SDMA fails. Here's the trace in case
it helps.
UBIFS (ubi0:0): reserved for root: 0 bytes (0 KiB)
UBIFS (ubi0:0): media format: w4/r0 (latest is w4/r0), UUID 724DF819-1381-41CE-A1C6-5597F29F1067, small LPT model
VFS: Mounted root (ubifs filesystem) readonly on device 0:14.
devtmpfs: mounted
integrity: Loaded X.509 cert 'IMA Certificate Authority: f1ca9f5d8e7302b74a277d1d09a6ce0c399171f9': /etc/keys/ima-x509.der
integrity: Loaded X.509 cert 'IMA Certificate Authority: f1ca9f5d8e7302b74a277d1d09a6ce0c399171f9': /etc/keys/ima-x509.der
Freeing unused kernel memory: 1024K
imx-sdma 20ec000.sdma: external firmware not found, using ROM firmware
INFO: task kworker/u2:1:126 blocked for more than 120 seconds.
Not tainted 4.9.44-fslc+g8f876e1 #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/u2:1 D 0 126 105 0x00000000
[<808425a4>] (__schedule) from [<80842a34>] (schedule+0x4c/0xac)
[<80842a34>] (schedule) from [<808451c8>] (rwsem_down_write_failed+0xf8/0x27c)
[<808451c8>] (rwsem_down_write_failed) from [<803c4c40>] (process_measurement+0xe0/0x420)
[<803c4c40>] (process_measurement) from [<803c4fa8>] (ima_file_check+0x28/0x30)
[<803c4fa8>] (ima_file_check) from [<802365f4>] (path_openat+0x2a8/0x11c4)
[<802365f4>] (path_openat) from [<802387b0>] (do_filp_open+0x5c/0xc0)
[<802387b0>] (do_filp_open) from [<8022dad8>] (do_open_execat+0x60/0x160)
[<8022dad8>] (do_open_execat) from [<8022fb34>] (do_execveat_common+0x188/0x71c)
[<8022fb34>] (do_execveat_common) from [<802300ec>] (do_execve+0x24/0x2c)
[<802300ec>] (do_execve) from [<80131478>] (call_usermodehelper_exec_async+0x124/0x1b0)
[<80131478>] (call_usermodehelper_exec_async) from [<80107718>] (ret_from_fork+0x14/0x3c)
Kernel panic - not syncing: hung_task: blocked tasks
CPU: 0 PID: 14 Comm: khungtaskd Not tainted 4.9.44-fslc+g8f876e1 #2
Hardware name: Freescale i.MX6 Ultralite (Device Tree)
[<8010db5c>] (unwind_backtrace) from [<8010b718>] (show_stack+0x10/0x14)
[<8010b718>] (show_stack) from [<801d8028>] (panic+0xd0/0x244)
[<801d8028>] (panic) from [<801a1298>] (watchdog+0x320/0x3c4)
[<801a1298>] (watchdog) from [<8013a640>] (kthread+0xf4/0x10c)
[<8013a640>] (kthread) from [<80107718>] (ret_from_fork+0x14/0x3c)
I'll try and debug some more at the weekend.
-Martin.
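The key hierarchy that the CONFIG_SYSTEM_TRUSTED_KEYS fix above amounts to, as an added example that is not from this thread, from Martin, or from the ima-evm-utils project: a root CA whose PEM would be compiled into the kernel through CONFIG_SYSTEM_TRUSTED_KEYS, an IMA/EVM signing certificate issued by that CA and exported as the DER file that CONFIG_IMA_X509_PATH / CONFIG_EVM_X509_PATH point at, and, for contrast, a self-signed "IMA Certificate Authority" certificate of the kind the 4.9 kernel refused with -126 because nothing in the trusted keyring vouches for it. The script also shows where the two identifiers in the log come from: the hex after the subject in "integrity: Loaded X.509 cert '...: f1ca...399171f9'" is the certificate's Subject Key Identifier, and the 'id:399171f9' that the integrity subsystem asked for just before /sbin/init failed to execute is the 4-byte key id carried in the IMA signature, i.e. the last four bytes of that SKID, which for an OpenSSL "hash" SKID is the tail of SHA-1 over the DER public key. File names, subject names and the extension profile are assumptions for the demo; only openssl is required.

```shell
#!/bin/sh
# Added example, not from the thread: build the key hierarchy a 4.9 kernel
# with CONFIG_IMA_LOAD_X509 / CONFIG_EVM_LOAD_X509 needs.  The certificate
# in CONFIG_IMA_X509_PATH is only accepted if it is signed by a key already
# in the system trusted keyring, so a root CA is compiled in through
# CONFIG_SYSTEM_TRUSTED_KEYS (PEM) and the IMA signing certificate is issued
# by that CA (DER).  File and subject names are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# OpenSSL extension profiles (assumed).  'hash' SKIDs are SHA-1 over the
# public key, which is also what the 4-byte IMA key id derives from.
write_config() {
    cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ima ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Root CA: ca.pem is the file to name in CONFIG_SYSTEM_TRUSTED_KEYS.
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ext.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        2>/dev/null
}

# IMA/EVM signing cert issued by the CA.  ima-x509.der is what
# CONFIG_IMA_X509_PATH points at; ima.key is the key handed to evmctl.
make_ima_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ext.cnf" \
        -subj "/CN=Demo IMA signing key" \
        -keyout "$WORK/ima.key" -out "$WORK/ima.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ima.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 3650 -sha256 \
        -extfile "$WORK/ext.cnf" -extensions v3_ima -out "$WORK/ima.pem" \
        2>/dev/null
    openssl x509 -in "$WORK/ima.pem" -outform DER -out "$WORK/ima-x509.der"
}

# The failure mode from the thread: a self-signed "IMA CA" that no key in
# the trusted keyring vouches for.
make_selfsigned() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ext.cnf" -subj "/CN=IMA Certificate Authority" \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# Userspace stand-in for the kernel's keyring restriction: does the cert
# chain to the CA that would be compiled in?
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# SKID / AKID as lowercase hex, the form the kernel prints in
# "integrity: Loaded X.509 cert '<subject>: <skid>'".
skid_hex() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' \
        | tail -n1 | sed 's/^ *//' | tr -d ':' | tr 'A-F' 'a-f'
}
akid_hex() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Authority Key Identifier' \
        | tail -n1 | sed 's/^ *//; s/^keyid://' | tr -d ':' | tr 'A-F' 'a-f'
}

# The 4-byte key id in an IMA/EVM signature (the 'id:399171f9' the kernel
# looked up) is the last 4 bytes of the signing cert's SKID ...
ima_keyid() {
    skid_hex "$1" | tail -c 9 | head -c 8
}
# ... which for a 'hash' SKID is the tail of SHA-1 over the DER public key.
pubkey_sha1_tail() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl rsa -pubin -RSAPublicKey_out -outform DER 2>/dev/null \
        | openssl dgst -sha1 | awk '{print $NF}' | tail -c 9 | head -c 8
}

build_all() {
    write_config && make_ca && make_ima_cert && make_selfsigned
}

main() {
    build_all
    printf 'CA  SKID : %s\n' "$(skid_hex "$WORK/ca.pem")"
    printf 'IMA AKID : %s\n' "$(akid_hex "$WORK/ima.pem")"
    printf 'IMA keyid: id:%s\n' "$(ima_keyid "$WORK/ima.pem")"
    verify_chain "$WORK/ima.pem"  && echo "ima.pem chains to ca.pem"
    verify_chain "$WORK/self.pem" || echo "self.pem rejected: no trusted signer"
}

main "$@"
```

ca.pem is the file to name in CONFIG_SYSTEM_TRUSTED_KEYS, ima-x509.der is installed in the root filesystem at the CONFIG_IMA_X509_PATH / CONFIG_EVM_X509_PATH location, and ima.key is the private key for evmctl sign --imasig. Keep ca.key off the device and off the build host's image entirely: once the root certificate is baked into a HAB-signed kernel, that private key is the one thing an attacker needs to mint certificates the .ima and .evm keyrings will accept.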