From: Martin T. <mto...@gm...> - 2017-10-14 07:43:03
On Fri, Oct 13, 2017 at 9:48 PM, Martin Townsend <mto...@gm...> wrote:
> On Fri, Oct 13, 2017 at 5:38 PM, Martin Townsend
> <mto...@gm...> wrote:
>> Hi,
>>
>> On Wed, Oct 11, 2017 at 6:23 PM, Mimi Zohar <zo...@li...> wrote:
>>> On Wed, 2017-10-11 at 18:12 +0100, Martin Townsend wrote:
>>>> Hi,
>>>>
>>>> I want to sign a root filesystem offline using the same private key
>>>> for both IMA and EVM, ie using evmctl sign --imasig
>>>>
>>>> This image is read-only and is on an embedded product. The kernel
>>>> automatically loads the public key as I have
>>>> CONFIG_IMA_TRUSTED_KEYRING=y
>>>> CONFIG_IMA_LOAD_X509=y
>>>> CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"
>>>>
>>>> set in the kernel configuration
>>>>
>>>> I can't see how to enable this key for verifying EVM as soon as the
>>>> kernel passes control to the init process. Is this possible? Do I
>>>> have to write my own init processes which could be a script to load
>>>> the /etc/keys/ima_x509.der into the evm keyring, enable evm and then
>>>> pass control to systemd?
>>>
>>> There is a separate CONFIG_EVM_X509_PATH option for EVM. You can
>>> specify the same x509 certificate pathname.
>>>
>>> Mimi
>>>
>> I upgraded to 4.9 kernel and I tried using the same key pathname and
>> get the following errors
>>
>> integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
>> integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
>> integrity: Request for unknown key 'id:399171f9' err -11
>> Starting init: /sbin/init exists but couldn't execute it (error -13)
>>
>> I've checked and the key is there and is used by IMA. After debugging
>> it fails in
>> restrict_link_by_signature when it calls find_asymmetric_key.
>>
>> If I use the same key with 4.1 it works fine. Is there something
>> special that I need to do with the 4.9 kernel?
>>
>> Here's some of the kernel configuration in case it helps
>>
>> #
>> # Security options
>> #
>> CONFIG_KEYS=y
>> # CONFIG_PERSISTENT_KEYRINGS is not set
>> # CONFIG_BIG_KEYS is not set
>> # CONFIG_TRUSTED_KEYS is not set
>> CONFIG_ENCRYPTED_KEYS=y
>> # CONFIG_KEY_DH_OPERATIONS is not set
>> # CONFIG_SECURITY_DMESG_RESTRICT is not set
>> CONFIG_SECURITY=y
>> CONFIG_SECURITYFS=y
>> CONFIG_SECURITY_NETWORK=y
>> # CONFIG_SECURITY_NETWORK_XFRM is not set
>> # CONFIG_SECURITY_PATH is not set
>> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
>> CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
>> # CONFIG_HARDENED_USERCOPY is not set
>> # CONFIG_SECURITY_SELINUX is not set
>> CONFIG_SECURITY_SMACK=y
>> # CONFIG_SECURITY_SMACK_BRINGUP is not set
>> # CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
>> # CONFIG_SECURITY_TOMOYO is not set
>> # CONFIG_SECURITY_APPARMOR is not set
>> # CONFIG_SECURITY_LOADPIN is not set
>> # CONFIG_SECURITY_YAMA is not set
>> CONFIG_INTEGRITY=y
>> CONFIG_INTEGRITY_SIGNATURE=y
>> CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
>> CONFIG_INTEGRITY_TRUSTED_KEYRING=y
>> CONFIG_INTEGRITY_AUDIT=y
>> CONFIG_IMA=y
>> CONFIG_IMA_MEASURE_PCR_IDX=10
>> CONFIG_IMA_LSM_RULES=y
>> # CONFIG_IMA_TEMPLATE is not set
>> CONFIG_IMA_NG_TEMPLATE=y
>> # CONFIG_IMA_SIG_TEMPLATE is not set
>> CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
>> CONFIG_IMA_DEFAULT_HASH_SHA1=y
>> # CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
>> # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
>> # CONFIG_IMA_DEFAULT_HASH_WP512 is not set
>> CONFIG_IMA_DEFAULT_HASH="sha1"
>> # CONFIG_IMA_WRITE_POLICY is not set
>> # CONFIG_IMA_READ_POLICY is not set
>> CONFIG_IMA_APPRAISE=y
>> CONFIG_IMA_TRUSTED_KEYRING=y
>> CONFIG_IMA_BLACKLIST_KEYRING=y
>> CONFIG_IMA_LOAD_X509=y
>> CONFIG_IMA_X509_PATH="/etc/keys/ima-x509.der"
>> CONFIG_IMA_APPRAISE_SIGNED_INIT=y
>> CONFIG_EVM=y
>> # CONFIG_EVM_ATTR_FSUUID is not set
>> CONFIG_EVM_EXTRA_SMACK_XATTRS=y
>> CONFIG_EVM_LOAD_X509=y
>> CONFIG_EVM_X509_PATH="/etc/keys/ima-x509.der"
>> # CONFIG_DEFAULT_SECURITY_SMACK is not set
>> CONFIG_DEFAULT_SECURITY_DAC=y
>> CONFIG_DEFAULT_SECURITY=""
>> CONFIG_CRYPTO=y
>>
>> Many Thanks,
>> Martin.
>
> After reading through the code I could see that I needed to build the
> kernel with the root CA certificate using CONFIG_SYSTEM_TRUSTED_KEYS
> which is great as now we have a trusted root certificate in the kernel
> and the kernel is signed and secured via freescale HAB.
>
> The intermediate keys are now successfully loaded but sadly it hangs.
> I know there are 2 firmware files it has to load sdma and brcmfmac so
> maybe the problem is there. I see SDMA fails. Here's the trace in case
> it helps.
>
> UBIFS (ubi0:0): reserved for root: 0 bytes (0 KiB)
> UBIFS (ubi0:0): media format: w4/r0 (latest is w4/r0), UUID 724DF819-1381-41CE-A1C6-5597F29F1067, small LPT model
> VFS: Mounted root (ubifs filesystem) readonly on device 0:14.
> devtmpfs: mounted
> integrity: Loaded X.509 cert 'IMA Certificate Authority: f1ca9f5d8e7302b74a277d1d09a6ce0c399171f9': /etc/keys/ima-x509.der
> integrity: Loaded X.509 cert 'IMA Certificate Authority: f1ca9f5d8e7302b74a277d1d09a6ce0c399171f9': /etc/keys/ima-x509.der
> Freeing unused kernel memory: 1024K
> imx-sdma 20ec000.sdma: external firmware not found, using ROM firmware
>
> INFO: task kworker/u2:1:126 blocked for more than 120 seconds.
>       Not tainted 4.9.44-fslc+g8f876e1 #2
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> kworker/u2:1 D 0 126 105 0x00000000
> [<808425a4>] (__schedule) from [<80842a34>] (schedule+0x4c/0xac)
> [<80842a34>] (schedule) from [<808451c8>] (rwsem_down_write_failed+0xf8/0x27c)
> [<808451c8>] (rwsem_down_write_failed) from [<803c4c40>] (process_measurement+0xe0/0x420)
> [<803c4c40>] (process_measurement) from [<803c4fa8>] (ima_file_check+0x28/0x30)
> [<803c4fa8>] (ima_file_check) from [<802365f4>] (path_openat+0x2a8/0x11c4)
> [<802365f4>] (path_openat) from [<802387b0>] (do_filp_open+0x5c/0xc0)
> [<802387b0>] (do_filp_open) from [<8022dad8>] (do_open_execat+0x60/0x160)
> [<8022dad8>] (do_open_execat) from [<8022fb34>] (do_execveat_common+0x188/0x71c)
> [<8022fb34>] (do_execveat_common) from [<802300ec>] (do_execve+0x24/0x2c)
> [<802300ec>] (do_execve) from [<80131478>] (call_usermodehelper_exec_async+0x124/0x1b0)
> [<80131478>] (call_usermodehelper_exec_async) from [<80107718>] (ret_from_fork+0x14/0x3c)
> Kernel panic - not syncing: hung_task: blocked tasks
> CPU: 0 PID: 14 Comm: khungtaskd Not tainted 4.9.44-fslc+g8f876e1 #2
> Hardware name: Freescale i.MX6 Ultralite (Device Tree)
> [<8010db5c>] (unwind_backtrace) from [<8010b718>] (show_stack+0x10/0x14)
> [<8010b718>] (show_stack) from [<801d8028>] (panic+0xd0/0x244)
> [<801d8028>] (panic) from [<801a1298>] (watchdog+0x320/0x3c4)
> [<801a1298>] (watchdog) from [<8013a640>] (kthread+0xf4/0x10c)
> [<8013a640>] (kthread) from [<80107718>] (ret_from_fork+0x14/0x3c)
>
> I'll try and debug some more at the weekend.
>
> -Martin.

After putting some printk's in process_measurement the problem seems
to be the inode for /bin/kmod is locked and then sometime before
calling ima_appraise_measurement and inode_unlock process_measurement
gets called again with the /bin/kmod inode and it hangs.

integrity_inode_get
ima_rdwr_violation_check /lib/systemd/systemd
ima_collect_measurement
ima_appraise_measurement
process_measurement /bin/kmod
inode_locked
integrity_inode_get
ima_rdwr_violation_check /bin/kmod
ima_collect_measurement
ima_appraise_measurement
process_measurement /bin/kmod

hangs until hung_task_detector kicks in and resets.

My guess is that on my board systemd is loading a kernel module which
in turn loads another dependent kernel module which is causing the
problem. I'll see if I can get the name of the 2 modules being loaded

-Martin.
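
An added example, not part of the original message or of the kernel sources: a checker for the condition the poster reports finding (with CONFIG_INTEGRITY_TRUSTED_KEYRING=y the boot-time X.509 load needed a CA built in via CONFIG_SYSTEM_TRUSTED_KEYS), plus a decoder for the return codes in the quoted boot messages. The function names and sample strings are constructed for illustration; the errno names are the Linux values.

```python
import re

# Constructed sample input: a few options in the shape of the posted .config,
# and three of the boot messages quoted in the thread.
SAMPLE_CONFIG = """\
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/ima-x509.der"
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="/etc/keys/ima-x509.der"
# CONFIG_TRUSTED_KEYS is not set
"""
SAMPLE_LOG = """\
integrity: Problem loading X.509 certificate (-126): /etc/keys/ima_x509.der
integrity: Request for unknown key 'id:399171f9' err -11
Starting init: /sbin/init exists but couldn't execute it (error -13)
"""
# Linux errno values for the three codes that appear in the thread.
LINUX_ERRNO = {126: "ENOKEY", 11: "EAGAIN", 13: "EACCES"}

def parse_config(text):
    """Return {option: value}; '# CONFIG_X is not set' lines map to None."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'(CONFIG_\w+)=(.*)$', line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r'#\s*(CONFIG_\w+) is not set$', line)
        if m:
            opts[m.group(1)] = None
    return opts

def check_x509_loading(opts):
    """Flag settings that leave the boot-time certificate load without a trust anchor."""
    findings = []
    trusted = opts.get("CONFIG_INTEGRITY_TRUSTED_KEYRING") == "y"
    for subsys in ("IMA", "EVM"):
        if opts.get(f"CONFIG_{subsys}_LOAD_X509") != "y":
            continue
        if not opts.get(f"CONFIG_{subsys}_X509_PATH"):
            findings.append(f"{subsys}: LOAD_X509 set but X509_PATH empty")
        if trusted and not opts.get("CONFIG_SYSTEM_TRUSTED_KEYS"):
            findings.append(f"{subsys}: trusted keyring without CONFIG_SYSTEM_TRUSTED_KEYS")
    return findings

def decode_errors(log):
    """Map the negative return codes in kernel log lines to errno names."""
    codes = re.findall(r'(?:\(|err |error )-(\d+)', log)
    return [LINUX_ERRNO.get(int(c), "unknown") for c in codes]

if __name__ == "__main__":
    print(check_x509_loading(parse_config(SAMPLE_CONFIG)))
    print(decode_errors(SAMPLE_LOG))
```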