[Dev] IMA/EVM

Patrick Ohly patrick.ohly at intel.com
Wed May 6 13:17:07 GMT 2015


Hello!

I am working on a Yocto layer which enables IMA/EVM in an image built
with Yocto. This may be of use for "Tizen on Yocto", but also other
distributions.

I am following the instructions in the Tizen Wiki, but I have some
questions. As this is relevant also for using IMA/EVM in Tizen, let me
copy the Tizen dev mailing list.

First, a general question: who is currently working on the kernel
patches, and where? There are:
      * git://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git and the ima-control-experimental branch
      * Tizen's profile/common/kernel-common with
        sandbox/jkozerski/ima-evm
      * upstream Linux kernel

Is the code in the Linux kernel as merged for 3.19 considered ready for
production or are there additional fixes needed from the work done in
the Tizen repo?

What is the plan for getting the enhancements which are currently in the
Tizen repo also accepted upstream? For example, "ima: make IMA policy
replaceable at runtime" and "evm: add interface to read and write EVM
state (ENABLE/DISABLE/FIX)." are only in the Tizen sandbox branch.

Now, regarding the instructions in the Tizen Wiki:
https://wiki.tizen.org/wiki/Security:IntegrityMeasurement/Preparing_Tizen_image_protected_by_IMA/EVM describes the steps necessary to enable IMA/EVM before booting the image. The Yocto layer will need to do something similar, so I am trying to understand these instructions.

The instructions at the bottom of the page say that one should boot with
"evm=fix" if there are problems. My guess is that this will update
incorrect EVM checksums on-the-fly. However, doesn't the kernel need the
private key for that, which is normally not contained in the image?

According to the Wiki, one creates privkey_ima.pem but does not copy it
to the image (at least in that use case - there's another one about
converting a live image where the key gets copied temporarily).

http://sourceforge.net/p/linux-ima/wiki/Home/ talks about "Creating
trusted and EVM encrypted keys". Is that what's missing in the Tizen
Wiki for "evm=fix" to work? If so, will signing files with evmctl use
privkey_ima.pem for EVM while "evm=fix" uses some other key?

The problem in my pre-created image is that various systemd services
touching files in /etc (like /etc/resolv.conf) fail, even when booting
with "i_version ima_tcb ima_appraise=fix ima_appraise_tcb
ima_template_fmt=d-ng|n-ng|status evm=fix".

Essentially my file system became read-only:

# echo foo >/etc/resolv.conf
evm: init_desc failed
-sh: /etc/resolv.conf: Required key not available

The first line is a kernel message that gets printed to the console. It
comes from evm_init_hmac() in security/integrity/evm/evm_crypto.c.

That problem aside, should IMA/EVM do any checking on /etc at all
according to the policy in the Wiki? The instructions only mention the
creation of checksums for /usr /bin /sbin and /lib, but not /etc. Is the
policy in /etc/ima/ima_policy perhaps extending the policies activated
by "ima_appraise_tcb ima_tcb" instead of replacing it?

Anyway, my image obviously isn't ready yet. So how do I boot it without
IMA and EVM active? "ima_appraise=off" was not enough, I still get the
same errors during booting. /sys/kernel/security/evm contains 1
and /sys/kernel/security/ima/ima_state contains 0. evm_main.c only
allows enabling the fix mode, but does not check for something like
"off". So I can only turn off IMA, but not EVM?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.





More information about the Dev mailing list