Re: [PATCH 0/8] X.509: Software public key subtype changes

[Mimi Zohar]

On Mon, 2016-02-22 at 22:29 +0000, David Howells wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> 
> > >  (1) - (3) These are Tadeusz's RSA akcipher conversion.
> > 
> > Up to here, IMA-appraisal works properly.
> 
> I don't have IMA set up anywhere.

I know.  With the "vfs: support for a common kernel file loader" patch
set, setting up a simple test becomes a lot simpler.  With this patch
set you can measure and appraise just the kexec image and initramfs,
firmware and/or kernel modules.

Create two key pairs.  Add one to the system keyring.*   The other key
load on the IMA keyring.  (Remember it needs to be signed with the
private key of a key on the system keyring.**)

To measure and appraise just the kexec initramfs, define a policy
containing:
measure func=INITRAMFS_CHECK
appraise func=INITRAMFS_CHECK appraise_type=imasig

To load the IMA policy, write the policy to the securityfs IMA policy
file:
cat <IMA policy> > /sys/kernel/securityfs/ima/policy.

Sign the kexec initramfs using evmctl:
evmctl ima_sign -k <privkey.pem> -a sha256 /boot/<initramfs>.img

Execute:  kexec -s -l /boot/<image> --initrd=/boot/<initramfs>.img
--reuse-cmdline
Failures to appraise the initramfs are audit logged.  The IMA
measurement list will contain the initramfs file hash.

*There are two or three methods for loading the key onto the system
keyring depending on the distro.
- builtin
- enroll in MoK db (on some distros)
- Mehmet's patch  (needs to be upstreamed)

** Refer to the ima-evm-utils package README for further details on
creating and signing a certificate to be loaded on the IMA keyring.

Mimi