[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1456185807.4448.91.camel@linux.vnet.ibm.com>
Date: Mon, 22 Feb 2016 19:03:27 -0500
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: David Howells <dhowells@...hat.com>
Cc: keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, tadeusz.struk@...el.com
Subject: Re: [PATCH 0/8] X.509: Software public key subtype changes
On Mon, 2016-02-22 at 22:29 +0000, David Howells wrote:
> Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
>
> > > (1) - (3) These are Tadeusz's RSA akcipher conversion.
> >
> > Up to here, IMA-appraisal works properly.
>
> I don't have IMA set up anywhere.
I know. With the "vfs: support for a common kernel file loader" patch
set, setting up a simple test becomes a lot simpler. With this patch
set you can measure and appraise just the kexec image and initramfs,
firmware and/or kernel modules.
Create two key pairs. Add one to the system keyring.* The other key
load on the IMA keyring. (Remember it needs to be signed with the
private key of a key on the system keyring.**)
To measure and appraise just the kexec initramfs, define a policy
containing:
measure func=INITRAMFS_CHECK
appraise func=INITRAMFS_CHECK appraise_type=imasig
To load the IMA policy, write the policy to the securityfs IMA policy
file:
cat <IMA policy> > /sys/kernel/securityfs/ima/policy.
Sign the kexec initramfs using evmctl:
evmctl ima_sign -k <privkey.pem> -a sha256 /boot/<initramfs>.img
Execute: kexec -s -l /boot/<image> --initrd=/boot/<initramfs>.img
--reuse-cmdline
Failures to appraise the initramfs are audit logged. The IMA
measurement list will contain the initramfs file hash.
*There are two or three methods for loading the key onto the system
keyring depending on the distro.
- builtin
- enroll in MoK db (on some distros)
- Mehmet's patch (needs to be upstreamed)
** Refer to the ima-evm-utils package README for further details on
creating and signing a certificate to be loaded on the IMA keyring.
Mimi
Powered by blists - more mailing lists