Re: [PATCH v9 6/6] IMA: Read keyrings= option from the IMA policy

From: Lakshmi Ramasubramanian
Date: Wed Nov 27 2019 - 17:06:04 EST


On 11/27/19 11:32 AM, Mimi Zohar wrote:


The example is really too colloquial/verbose. Please truncate it,
leaving just a sample "key" policy rule, with directions for verifying
the template data against the digest included in the measurement list.

I'll truncate the example and keep it to the point.

The following command verifies if the SHA256 hash generated from
the payload in the IMA log entry (listed above) for the .ima key
matches the SHA256 hash in the IMA log entry. The output of this
command should match the SHA256 hash given in the IMA log entry
(In this case, it should be
27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b)

Previously you didn't use the hash value, but ".ima" to locate the
"key" measurement in the measurement list. In each of the commands
above, it might be clearer.

If the IMA measurement list has only one IMA key then locating it with ".ima" would work - hash won't be needed for locating the entry.

But for describing key verification we can have just one IMA key. I'll change the description to locate the entry using ".ima".

# cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | \
    grep 27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b | \
    cut -d' ' -f 6 | xxd -r -p | tee ima-cert.der | sha256sum | cut -d' ' -f 1

The above command also creates a binary file namely ima-cert.der
using the payload in the IMA log entry. This file should be a valid
x509 certificate which can be verified using openssl as given below:

root@nramas:/home/nramas

ditto


# openssl x509 -in ima-cert.der -inform DER -text

The above command should display the contents of the file ima-cert.der
as an x509 certificate.

Either the comments should be above or below the commands, not both.

I'll update the comment.



The IMA policy used here allows measurement of keys added to
".ima" and ".evm" keyrings only. Add a key to any other keyring and
verify that the key is not measured.

This comment would be included, if desired, when defining the policy
rule, not here.

Will remove the above from this patch description.

thanks,
-lakshmi
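As an added illustration, not part of the patch or of this thread, the following Python script performs the same check the shell pipeline in the patch description does, but it locates the entry by keyring name (".ima") as Mimi suggests rather than by digest: it parses ima-buf lines from ascii_runtime_measurements, decodes the hex payload (the `xxd -r -p` step), recomputes the digest with the algorithm named in the d-ng field and compares it with the digest the kernel recorded. The field layout assumed is `<pcr> <template-hash> ima-buf <algo>:<digest> <keyring> <hex-payload>`, which is also what `cut -d' ' -f 6` in the original command relies on. The measurement-list lines are constructed for the example and the key payloads are stand-in byte strings, not real X.509 certificates.

```python
# Added example (not part of the patch or this thread): verify an IMA
# "ima-buf" key measurement the way the shell pipeline does, but in Python,
# locating the entry by keyring name (".ima") instead of by its hash.
#
# Assumed line layout of ascii_runtime_measurements for the ima-buf template:
#   <pcr> <template-hash> ima-buf <algo>:<digest> <keyring-name> <hex-payload>
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, Iterator, Optional

IMA_MEASUREMENTS = Path("/sys/kernel/security/integrity/ima/ascii_runtime_measurements")


@dataclass
class ImaBufEntry:
    pcr: int
    template_hash: str   # hash of the whole template record (not re-checked here)
    algo: str            # e.g. "sha256", taken from the d-ng field
    digest: str          # hex digest the kernel recorded for the buffer
    name: str            # n-ng field: the keyring the key was added to
    payload: bytes       # buf field decoded from hex (the key's DER blob)


def parse_ima_buf_line(line: str) -> Optional[ImaBufEntry]:
    """Return the parsed entry, or None if the line is not an ima-buf record."""
    fields = line.split()
    if len(fields) != 6 or fields[2] != "ima-buf":
        return None
    algo, sep, digest = fields[3].partition(":")
    if not sep:
        return None
    try:
        payload = bytes.fromhex(fields[5])   # equivalent of `xxd -r -p`
    except ValueError:
        return None
    return ImaBufEntry(int(fields[0]), fields[1], algo, digest, fields[4], payload)


def verify_entry(entry: ImaBufEntry) -> bool:
    """True if hashing the payload with the recorded algorithm reproduces the digest."""
    try:
        computed = hashlib.new(entry.algo, entry.payload).hexdigest()
    except ValueError:          # algorithm name the local hashlib does not know
        return False
    return computed == entry.digest.lower()


def find_key_entries(lines: Iterable[str], keyring: str = ".ima") -> Iterator[ImaBufEntry]:
    """Yield ima-buf entries whose name field is the requested keyring."""
    for line in lines:
        entry = parse_ima_buf_line(line)
        if entry is not None and entry.name == keyring:
            yield entry


def dump_payload(entry: ImaBufEntry, out_path: Path) -> int:
    """Write the decoded payload to disk (the `tee ima-cert.der` step); returns bytes written."""
    return out_path.write_bytes(entry.payload)


# Constructed sample data: payloads are stand-in byte strings, not real
# certificates; digests are computed from them so the genuine lines verify.
SAMPLE_IMA_KEY_PAYLOAD = b"constructed stand-in for the .ima key DER blob"
SAMPLE_EVM_KEY_PAYLOAD = b"constructed stand-in for the .evm key DER blob"


def _line(name: str, payload: bytes, digest: Optional[str] = None) -> str:
    digest = digest or hashlib.sha256(payload).hexdigest()
    template_hash = hashlib.sha1(payload).hexdigest()   # placeholder for the PCR-extended value
    return f"10 {template_hash} ima-buf sha256:{digest} {name} {payload.hex()}"


SAMPLE_MEASUREMENT_LIST = "\n".join([
    "10 " + "0" * 40 + " ima-ng sha256:" + "1" * 64 + " boot_aggregate",
    _line(".evm", SAMPLE_EVM_KEY_PAYLOAD),
    _line(".ima", SAMPLE_IMA_KEY_PAYLOAD),
])

# Same digest as the genuine .ima line, but the payload bytes were altered.
TAMPERED_LINE = _line(".ima", SAMPLE_IMA_KEY_PAYLOAD + b"X",
                      hashlib.sha256(SAMPLE_IMA_KEY_PAYLOAD).hexdigest())


if __name__ == "__main__":
    try:
        source = IMA_MEASUREMENTS.read_text()      # needs root on a real system
    except OSError:
        source = SAMPLE_MEASUREMENT_LIST           # fall back to the constructed list
    for entry in find_key_entries(source.splitlines(), ".ima"):
        status = "OK" if verify_entry(entry) else "MISMATCH"
        print(f"{entry.name}: {entry.algo}:{entry.digest} {status} ({len(entry.payload)} bytes)")
```

Run as root on a machine whose IMA policy measures keys and it prints one line per key measured into ".ima"; without access to securityfs it falls back to the constructed list. `dump_payload` reproduces the `tee ima-cert.der` step so the decoded blob can be fed to `openssl x509 -inform DER` as in the patch description.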