lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1456185807.4448.91.camel@linux.vnet.ibm.com>
Date:	Mon, 22 Feb 2016 19:03:27 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	David Howells <dhowells@...hat.com>
Cc:	keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, tadeusz.struk@...el.com
Subject: Re: [PATCH 0/8] X.509: Software public key subtype changes

On Mon, 2016-02-22 at 22:29 +0000, David Howells wrote:
> Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
> 
> > >  (1) - (3) These are Tadeusz's RSA akcipher conversion.
> > 
> > Up to here, IMA-appraisal works properly.
> 
> I don't have IMA set up anywhere.

I know.  With the "vfs: support for a common kernel file loader" patch
set, setting up a simple test becomes a lot simpler.  With this patch
set you can measure and appraise just the kexec image and initramfs,
firmware and/or kernel modules.

Create two key pairs.  Add one to the system keyring.*   The other key
load on the IMA keyring.  (Remember it needs to be signed with the
private key of a key on the system keyring.**)

To measure and appraise just the kexec initramfs, define a policy
containing:
measure func=INITRAMFS_CHECK
appraise func=INITRAMFS_CHECK appraise_type=imasig

To load the IMA policy, write the policy to the securityfs IMA policy
file:
cat <IMA policy> > /sys/kernel/securityfs/ima/policy.

Sign the kexec initramfs using evmctl:
evmctl ima_sign -k <privkey.pem> -a sha256 /boot/<initramfs>.img

Execute:  kexec -s -l /boot/<image> --initrd=/boot/<initramfs>.img
--reuse-cmdline
Failures to appraise the initramfs are audit logged.  The IMA
measurement list will contain the initramfs file hash.

*There are two or three methods for loading the key onto the system
keyring depending on the distro.
- builtin
- enroll in MoK db (on some distros)
- Mehmet's patch  (needs to be upstreamed)

** Refer to the ima-evm-utils package README for further details on
creating and signing a certificate to be loaded on the IMA keyring.

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ