Re: [Linux-ima-user] EVM: Using a presigned image

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On Fri, Oct 13, 2017 at 9:48 PM, Martin Townsend
<mto...@gm...> wrote:
> On Fri, Oct 13, 2017 at 5:38 PM, Martin Townsend
> <mto...@gm...> wrote:
>> Hi,
>>
>> On Wed, Oct 11, 2017 at 6:23 PM, Mimi Zohar <zo...@li...> wrote:
>>> On Wed, 2017-10-11 at 18:12 +0100, Martin Townsend wrote:
>>>> Hi,
>>>>
>>>> I want to sign an root filesystem off line using the same private key
>>>> for both IMA and EVM, ie using evmctl sign --imasig
>>>>
>>>> This image is read-only and is on an embedded product.  The kernel
>>>> automatically loads the public key as I have
>>>> CONFIG_IMA_TRUSTED_KEYRING=y
>>>> CONFIG_IMA_LOAD_X509=y
>>>> CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"
>>>>
>>>> set in the kernel configuration
>>>>
>>>> I can't see how to enable this key for verifying EVM as soon as the
>>>> kernel passes control to the init process.  Is this possible? Do I
>>>> have to write my own init processes which could be a script to load
>>>> the /etc/keys/ima_x509.der into the evm keyring, enable evm and then
>>>> pass control to systemd?
>>>
>>> There is a separate CONFIG_EVM_X509_PATH option for EVM.  You can
>>> specify the same x509 certificate pathname.
>>>
>>> Mimi
>>>
>> I upgraded to 4.9 kernel and I tried using the same key pathname and
>> get the following errors
>>
>> integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
>> integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
>> integrity: Request for unknown key 'id:399171f9' err -11
>> Starting init: /sbin/init exists but couldn't execute it (error -13)
>>
>> I've checked and the key is there and is used by IMA.  After debugging
>> it fails in
>> restrict_link_by_signature when it calls find_asymmetric_key.
>>
>> If I use the same key with 4.1 it works fine.  Is there something
>> special that I need to do with the 4.9 kernel?
>>
>> Here's some of the kernel configuration in case it helps
>>
>> #
>> # Security options
>> #
>> CONFIG_KEYS=y
>> # CONFIG_PERSISTENT_KEYRINGS is not set
>> # CONFIG_BIG_KEYS is not set
>> # CONFIG_TRUSTED_KEYS is not set
>> CONFIG_ENCRYPTED_KEYS=y
>> # CONFIG_KEY_DH_OPERATIONS is not set
>> # CONFIG_SECURITY_DMESG_RESTRICT is not set
>> CONFIG_SECURITY=y
>> CONFIG_SECURITYFS=y
>> CONFIG_SECURITY_NETWORK=y
>> # CONFIG_SECURITY_NETWORK_XFRM is not set
>> # CONFIG_SECURITY_PATH is not set
>> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
>> CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
>> # CONFIG_HARDENED_USERCOPY is not set
>> # CONFIG_SECURITY_SELINUX is not set
>> CONFIG_SECURITY_SMACK=y
>> # CONFIG_SECURITY_SMACK_BRINGUP is not set
>> # CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
>> # CONFIG_SECURITY_TOMOYO is not set
>> # CONFIG_SECURITY_APPARMOR is not set
>> # CONFIG_SECURITY_LOADPIN is not set
>> # CONFIG_SECURITY_YAMA is not set
>> CONFIG_INTEGRITY=y
>> CONFIG_INTEGRITY_SIGNATURE=y
>> CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
>> CONFIG_INTEGRITY_TRUSTED_KEYRING=y
>> CONFIG_INTEGRITY_AUDIT=y
>> CONFIG_IMA=y
>> CONFIG_IMA_MEASURE_PCR_IDX=10
>> CONFIG_IMA_LSM_RULES=y
>> # CONFIG_IMA_TEMPLATE is not set
>> CONFIG_IMA_NG_TEMPLATE=y
>> # CONFIG_IMA_SIG_TEMPLATE is not set
>> CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
>> CONFIG_IMA_DEFAULT_HASH_SHA1=y
>> # CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
>> # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
>> # CONFIG_IMA_DEFAULT_HASH_WP512 is not set
>> CONFIG_IMA_DEFAULT_HASH="sha1"
>> # CONFIG_IMA_WRITE_POLICY is not set
>> # CONFIG_IMA_READ_POLICY is not set
>> CONFIG_IMA_APPRAISE=y
>> CONFIG_IMA_TRUSTED_KEYRING=y
>> CONFIG_IMA_BLACKLIST_KEYRING=y
>> CONFIG_IMA_LOAD_X509=y
>> CONFIG_IMA_X509_PATH="/etc/keys/ima-x509.der"
>> CONFIG_IMA_APPRAISE_SIGNED_INIT=y
>> CONFIG_EVM=y
>> # CONFIG_EVM_ATTR_FSUUID is not set
>> CONFIG_EVM_EXTRA_SMACK_XATTRS=y
>> CONFIG_EVM_LOAD_X509=y
>> CONFIG_EVM_X509_PATH="/etc/keys/ima-x509.der"
>> # CONFIG_DEFAULT_SECURITY_SMACK is not set
>> CONFIG_DEFAULT_SECURITY_DAC=y
>> CONFIG_DEFAULT_SECURITY=""
>> CONFIG_CRYPTO=y
>>
>> Many Thanks,
>> Martin.
>
> After reading through the code I could see that I needed to build the
> kernel with the root CA certificate using CONFIG_SYSTEM_TRUSTED_KEYS
> which is great as now we have a trusted root certificate in the kernel
> and the kernel is signed and secured via freescale HAB.
>
> The intermediate keys are now successfully loaded but sadly it hangs.
> I know there are 2 firmware files it has to load sdma and brcmfmac so
> maybe the problem is there. I see SDMA fails, Here's the trace in case
> it helps.
>
> UBIFS (ubi0:0): reserved for root: 0 bytes (0 KiB)
> UBIFS (ubi0:0): media format: w4/r0 (latest is w4/r0), UUID
> 724DF819-1381-41CE-A1C6-5597F29F1067, small LPT model
> VFS: Mounted root (ubifs filesystem) readonly on device 0:14.
> devtmpfs: mounted
> integrity: Loaded X.509 cert 'IMA Certificate Authority:
> f1ca9f5d8e7302b74a277d1d09a6ce0c399171f9': /etc/keys/ima-x509.der
> integrity: Loaded X.509 cert 'IMA Certificate Authority:
> f1ca9f5d8e7302b74a277d1d09a6ce0c399171f9': /etc/keys/ima-x509.der
> Freeing unused kernel memory: 1024K
> imx-sdma 20ec000.sdma: external firmware not found, using ROM firmware
>
> INFO: task kworker/u2:1:126 blocked for more than 120 seconds.
>       Not tainted 4.9.44-fslc+g8f876e1 #2
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> kworker/u2:1    D    0   126    105 0x00000000
> [<808425a4>] (__schedule) from [<80842a34>] (schedule+0x4c/0xac)
> [<80842a34>] (schedule) from [<808451c8>] (rwsem_down_write_failed+0xf8/0x27c)
> [<808451c8>] (rwsem_down_write_failed) from [<803c4c40>]
> (process_measurement+0xe0/0x420)
> [<803c4c40>] (process_measurement) from [<803c4fa8>] (ima_file_check+0x28/0x30)
> [<803c4fa8>] (ima_file_check) from [<802365f4>] (path_openat+0x2a8/0x11c4)
> [<802365f4>] (path_openat) from [<802387b0>] (do_filp_open+0x5c/0xc0)
> [<802387b0>] (do_filp_open) from [<8022dad8>] (do_open_execat+0x60/0x160)
> [<8022dad8>] (do_open_execat) from [<8022fb34>] (do_execveat_common+0x188/0x71c)
> [<8022fb34>] (do_execveat_common) from [<802300ec>] (do_execve+0x24/0x2c)
> [<802300ec>] (do_execve) from [<80131478>]
> (call_usermodehelper_exec_async+0x124/0x1b0)
> [<80131478>] (call_usermodehelper_exec_async) from [<80107718>]
> (ret_from_fork+0x14/0x3c)
> Kernel panic - not syncing: hung_task: blocked tasks
> CPU: 0 PID: 14 Comm: khungtaskd Not tainted 4.9.44-fslc+g8f876e1 #2
> Hardware name: Freescale i.MX6 Ultralite (Device Tree)
> [<8010db5c>] (unwind_backtrace) from [<8010b718>] (show_stack+0x10/0x14)
> [<8010b718>] (show_stack) from [<801d8028>] (panic+0xd0/0x244)
> [<801d8028>] (panic) from [<801a1298>] (watchdog+0x320/0x3c4)
> [<801a1298>] (watchdog) from [<8013a640>] (kthread+0xf4/0x10c)
> [<8013a640>] (kthread) from [<80107718>] (ret_from_fork+0x14/0x3c)
>
> I'll try and debug some more at the weekend.
>
> -Martin.

After putting some printk's in process_measurement the problem seems
to be the inode for /bin/kmod is locked and then sometime before
calling ima_appraise_measurement and inode_unlock process_measurement
gets called again with the /bin/kmod inode and it hangs.

integrity_inode_get
ima_rdwr_violation_check  /lib/systemd/systemd
ima_collect_measurement
ima_appraise_measurement
process_measurement /bin/kmod
inode_locked
integrity_inode_get
ima_rdwr_violation_check  /bin/kmod
ima_collect_measurement
ima_appraise_measurement
process_measurement /bin/kmod

hangs until hung_task_detector kicks in and resets.  My guess is that
on my board systemd is loading a kernel module which in turn loads
another dependent kernel module which is causing the problem.  I'll
see if I can get the name of the 2 modules being loaded

-Martin.