Re: [PATCH 0/8] X.509: Software public key subtype changes

From: Mimi Zohar
Date: Mon Feb 22 2016 - 19:03:41 EST


On Mon, 2016-02-22 at 22:29 +0000, David Howells wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>
> > > (1) - (3) These are Tadeusz's RSA akcipher conversion.
> >
> > Up to here, IMA-appraisal works properly.
>
> I don't have IMA set up anywhere.

I know. With the "vfs: support for a common kernel file loader" patch
set, setting up a simple test becomes a lot simpler. With this patch
set you can measure and appraise just the kexec image and initramfs,
firmware and/or kernel modules.

Create two key pairs. Add one to the system keyring.* The other key
load on the IMA keyring. (Remember it needs to be signed with the
private key of a key on the system keyring.**)

To measure and appraise just the kexec initramfs, define a policy
containing:
measure func=INITRAMFS_CHECK
appraise func=INITRAMFS_CHECK appraise_type=imasig

To load the IMA policy, write the policy to the securityfs IMA policy
file:
cat <IMA policy> > /sys/kernel/securityfs/ima/policy.

Sign the kexec initramfs using evmctl:
evmctl ima_sign -k <privkey.pem> -a sha256 /boot/<initramfs>.img

Execute: kexec -s -l /boot/<image> --initrd=/boot/<initramfs>.img
--reuse-cmdline
Failures to appraise the initramfs are audit logged. The IMA
measurement list will contain the initramfs file hash.

*There are two or three methods for loading the key onto the system
keyring depending on the distro.
- builtin
- enroll in MoK db (on some distros)
- Mehmet's patch (needs to be upstreamed)

** Refer to the ima-evm-utils package README for further details on
creating and signing a certificate to be loaded on the IMA keyring.

Mimi