EVMCTL(1)
=========

NAME
----

evmctl - IMA/EVM signing utility


SYNOPSIS
--------

evmctl [options] <command> [OPTIONS]


DESCRIPTION
-----------

The evmctl utility produces and verifies the digital signatures used by the
Linux kernel integrity subsystem (IMA/EVM). It can also be used to import keys
into the kernel keyring.


COMMANDS
--------

 --version
 help <command>
 import [--rsa] pubkey keyring
 sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
 verify file
 ima_sign [--sigfile] [--key key] [--pass password] file
 ima_verify file
 ima_hash file
 ima_measurement [--key "key1, key2, ..."] [--list] file
 ima_fix [-t fdsxm] path
 sign_hash [--key key] [--pass password]
 hmac [--imahash | --imasig ] file


OPTIONS
-------

  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512
  -s, --imasig       make IMA signature
  -d, --imahash      make IMA hash
  -f, --sigfile      store IMA signature in .sig file instead of xattr
      --rsa          use RSA key type and signing scheme v1
  -k, --key          path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
  -o, --portable     generate portable EVM signatures
  -p, --pass         password for encrypted signing key
  -r, --recursive    recurse into directories (sign)
  -t, --type         file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)
                     x - skip fixing if both ima and evm xattrs exist (use with caution)
                     m - stay on the same filesystem (like 'find -xdev')
  -n                 print result to stdout instead of setting xattr
  -u, --uuid         use custom FS UUID for EVM (unspecified: from FS, empty: do not use)
      --smack        use extra SMACK xattrs for EVM
      --m32          force EVM hmac/signature for 32 bit target system
      --m64          force EVM hmac/signature for 64 bit target system
  -v                 increase verbosity level
  -h, --help         display this help and exit


INTRODUCTION
------------

The Linux kernel integrity subsystem is comprised of a number of different
components, including the Integrity Measurement Architecture (IMA), the Extended
Verification Module (EVM), the IMA-appraisal extension, the digital signature
verification extension and audit measurement log support.

The evmctl utility is used for producing and verifying digital signatures, which
are used by the Linux kernel integrity subsystem. It is also used for importing
keys into the kernel keyring.

The Linux integrity subsystem supports IMA and EVM signatures. An EVM signature
protects file metadata, such as file attributes and extended attributes. An IMA
signature protects file content. EVM also covers the security.ima attribute
itself. This matters most for plain IMA hashes: anyone able to write a file and
its xattrs can recompute such a hash, so it is only trustworthy when EVM, whose
HMAC key or signing key the attacker does not have, protects it.

For more detailed information about the integrity subsystem, follow the
resources listed in the RESOURCES section.


EVM HMAC and signature metadata
-------------------------------

EVM protects file metadata by including the following attributes in the HMAC and
signature calculation: inode number, inode generation, UID, GID, file mode,
security.selinux, security.SMACK64, security.ima, security.capability.

The EVM HMAC and signature may also include additional file and file system
attributes. The currently supported additional attributes are the filesystem UUID
and the extra SMACK extended attributes.

The kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether the
filesystem UUID is included in the HMAC; it is enabled by default, so evmctl also
includes the fsuuid by default. Providing the '--uuid' option without a parameter
disables use of the fs uuid. Providing '--uuid=UUID' uses a custom UUID.
Providing the '--portable' option disables use of the fs uuid and also of the
inode number and generation.

Because the inode number, generation and fs UUID are bound into a non-portable
EVM signature, such a signature is only valid on the filesystem instance it was
created on: copying the file, restoring it from a backup or recreating the
filesystem invalidates it. Use '--portable' for files that are signed on a build
host and installed elsewhere. The EVM HMAC is always bound to the inode, and in
any case the HMAC key (see below) exists only on the target system.

The kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls whether
the additional SMACK extended attributes security.SMACK64EXEC,
security.SMACK64TRANSMUTE and security.SMACK64MMAP are included in the HMAC.
The evmctl '--smack' option enables that. The evmctl options must match the
kernel configuration of the target system; otherwise the kernel computes a
different HMAC or signed digest and appraisal fails.


Key and signature formats
-------------------------

The Linux integrity subsystem supports two types of signature and, respectively,
two key formats.

The first key format (v1) is a plain RSA key encoded in PEM format, and it uses
its own signature format. It is no longer the default and requires the evmctl
'--rsa' option for signing and for importing the key.

The second format (v2) uses X509 DER-encoded public key certificates and the
asymmetric key support in the kernel (since kernel 3.9).
CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (the default). The v2 signature
header stored in the xattr records the hash algorithm and a key identifier, which
the kernel uses to pick the verification key from the keyring.


Integrity keyrings
------------------

The integrity subsystem uses dedicated IMA/EVM keyrings to search for signature
verification keys: '_ima' and '_evm' respectively.

Since 3.13 IMA allows the IMA keyring to be declared trusted. Only keys signed by
a key from the system keyring ('.system'; called '.builtin_trusted_keys' on newer
kernels) can then be loaded into it, so self-signed keys are not accepted. This
is the default behaviour when CONFIG_IMA_TRUSTED_KEYRING is enabled. The trusted
IMA keyring has a different name, '.ima'. A trusted keyring requires X509 public
key certificates; old-style RSA public keys are not compatible with it.


Generate EVM encrypted keys
---------------------------

The EVM encrypted key is used for the EVM HMAC calculation:

    # create and save the kernel master key (KMK, user type);
    # the KMK is used to encrypt the encrypted keys.
    # The random payload goes in through stdin (keyctl padd): a shell
    # command substitution drops NUL bytes and would silently shorten
    # a key passed as a command-line argument
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | keyctl padd user kmk @u
    keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk

    # create the EVM encrypted key
    keyctl add encrypted evm-key "new user:kmk 64" @u
    keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key

Note that a user-type KMK is stored in clear in /etc/keys/kmk: whoever can read
that file can compute valid EVM HMACs for any metadata. Restrict it to root and
keep it on a filesystem that is itself appraised or encrypted, or use the
TPM-based variant below, where only a TPM-sealed blob is written to disk.


Generate EVM trusted keys (TPM based)
-------------------------------------

Trusted EVM keys are keys which are generated with the help of the TPM. They are
not related to integrity trusted keys (the '.ima' keyring above). A trusted key is
generated inside the kernel and only leaves it sealed by the TPM, so the blob
saved to disk is useless without that TPM.

    # create and save the kernel master key (KMK, trusted type)
    keyctl add trusted kmk "new 32" @u
    keyctl pipe `keyctl search @u trusted kmk` >/etc/keys/kmk

    # create the EVM encrypted key, encrypted with the trusted KMK
    keyctl add encrypted evm-key "new trusted:kmk 32" @u
    keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key


Generate signing and verification keys
--------------------------------------

Use at least 2048-bit RSA keys and SHA-256 for certificate signatures; 1024-bit
RSA and SHA-1 are obsolete.

Generate a private key in plain text format:

    openssl genrsa -out privkey_evm.pem 2048

Generate an encrypted private key:

    openssl genrsa -aes256 -out privkey_evm.pem 2048

Make an encrypted private key from an unencrypted one:

    openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -aes256

Generate a self-signed X509 public key certificate and private key for use with
the kernel asymmetric key support:

    openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \
                -x509 -config x509_evm.genkey \
                -outform DER -out x509_evm.der -keyout privkey_evm.pem

Configuration file x509_evm.genkey:

	# Beginning of the file
	[ req ]
	default_bits = 2048
	distinguished_name = req_distinguished_name
	prompt = no
	string_mask = utf8only
	x509_extensions = myexts

	[ req_distinguished_name ]
	O = Magrathea
	CN = Glacier signing key
	emailAddress = slartibartfast@magrathea.h2g2

	[ myexts ]
	basicConstraints=critical,CA:FALSE
	keyUsage=digitalSignature
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid
	# EOF


Generate the public key for use with the RSA key format:

    openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem


Copy keys to /etc/keys:

    cp pubkey_evm.pem /etc/keys
    scp pubkey_evm.pem target:/etc/keys
 or
    cp x509_evm.der /etc/keys
    scp x509_evm.der target:/etc/keys

Only the public key or certificate is needed for verification; copy the private
key only to hosts that sign files.


Generate trusted keys
---------------------

Generation of trusted keys is a somewhat more involved process and consists of
the following steps:

* Creation of a local IMA certification authority (CA).
  It consists of a private key and a public key certificate, which are used
  to sign and verify other keys.
* Build the Linux kernel with the local IMA CA X509 certificate embedded.
  It is used to verify other keys added to the '.ima' trusted keyring.
* Generate the IMA private signing key and verification public key certificate,
  which is signed using the local IMA CA private key.

In the commands below, GENKEY names the configuration file of the respective
step. SHA-256 and 2048-bit keys are used; SHA-1 and 1024-bit RSA are obsolete.

Configuration file ima-local-ca.genkey:

	# Beginning of the file
	[ req ]
	default_bits = 2048
	distinguished_name = req_distinguished_name
	prompt = no
	string_mask = utf8only
	x509_extensions = v3_ca

	[ req_distinguished_name ]
	O = IMA-CA
	CN = IMA/EVM certificate signing key
	emailAddress = ca@ima-ca

	[ v3_ca ]
	basicConstraints=CA:TRUE
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid:always,issuer
	# keyUsage = cRLSign, keyCertSign
	# EOF

Generate the CA private key and self-signed X509 public key certificate
(GENKEY=ima-local-ca.genkey). Without '-nodes' openssl asks for a passphrase and
stores the CA key encrypted, which is what you want for a CA key:

 openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
             -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv

Convert the DER certificate to PEM. The PEM copy is needed by the signing step
below and is the form CONFIG_SYSTEM_TRUSTED_KEYS takes when the CA certificate
is embedded in the kernel (older kernels instead picked up the DER file when it
was placed in the kernel source tree as *.x509):

 openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem

Configuration file ima.genkey (the backtick expressions are expanded by the
generating shell script, see FILES; openssl does not expand them, so replace
them with literal values when writing the file by hand):

	# Beginning of the file
	[ req ]
	default_bits = 2048
	distinguished_name = req_distinguished_name
	prompt = no
	string_mask = utf8only
	x509_extensions = v3_usr

	[ req_distinguished_name ]
	O = `hostname`
	CN = `whoami` signing key
	emailAddress = `whoami`@`hostname`

	[ v3_usr ]
	basicConstraints=critical,CA:FALSE
	#basicConstraints=CA:FALSE
	keyUsage=digitalSignature
	#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid
	#authorityKeyIdentifier=keyid,issuer
	# EOF


Generate the IMA private key and X509 certificate signing request
(GENKEY=ima.genkey):

 openssl req -new -nodes -utf8 -sha256 -batch -config $GENKEY \
             -out csr_ima.pem -keyout privkey_ima.pem

Sign the certificate signing request with the local IMA CA private key; the
result is the DER certificate that is imported into the '.ima' keyring at boot:

 openssl x509 -req -in csr_ima.pem -sha256 -days 365 -extfile $GENKEY -extensions v3_usr \
              -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
              -outform DER -out x509_ima.der
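The three steps above run end to end as one script, with a chain check at the end. This is an added example written for this page, not a script shipped with ima-evm-utils; the subject names, the scratch directory, the keyUsage line on the CA and the use of '-nodes' on the CA key (so the script runs unattended; encrypt the CA key for real use) are this example's own choices:

```shell
#!/bin/sh
# Local IMA CA, IMA signing key and CA-signed leaf certificate in DER, as the
# three steps above describe, plus a verification of the result.
# Example for this page, not part of ima-evm-utils. Uses SHA-256 and 2048-bit
# keys; subject names are made up.
set -eu

# gen_ima_pki DIR: writes ima-local-ca.{priv,x509,pem}, csr_ima.pem,
# privkey_ima.pem and x509_ima.der into DIR
gen_ima_pki() {
    dir=$1
    cat > "$dir/ima-local-ca.genkey" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_ca

[ req_distinguished_name ]
O = IMA-CA
CN = IMA/EVM certificate signing key
emailAddress = ca@ima-ca

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
    cat > "$dir/ima.genkey" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_usr

[ req_distinguished_name ]
O = build.example
CN = ima signing key
emailAddress = ima@build.example

[ v3_usr ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # local CA: private key and self-signed certificate (DER); drop -nodes in
    # production so the CA key is stored encrypted
    openssl req -new -x509 -nodes -utf8 -sha256 -days 3650 -batch \
        -config "$dir/ima-local-ca.genkey" \
        -outform DER -out "$dir/ima-local-ca.x509" -keyout "$dir/ima-local-ca.priv"
    # PEM copy of the CA certificate, used by -CA below and by the kernel build
    openssl x509 -inform DER -in "$dir/ima-local-ca.x509" -out "$dir/ima-local-ca.pem"
    # IMA signing key and CSR (-days means nothing on a CSR and is omitted)
    openssl req -new -nodes -utf8 -sha256 -batch -config "$dir/ima.genkey" \
        -out "$dir/csr_ima.pem" -keyout "$dir/privkey_ima.pem"
    # CA-signed IMA certificate in DER, the file 'evmctl import' takes
    openssl x509 -req -in "$dir/csr_ima.pem" -sha256 -days 365 \
        -extfile "$dir/ima.genkey" -extensions v3_usr \
        -CA "$dir/ima-local-ca.pem" -CAkey "$dir/ima-local-ca.priv" -CAcreateserial \
        -outform DER -out "$dir/x509_ima.der"
}

# verify_ima_cert DIR: prints OK when x509_ima.der chains to the local CA and
# carries the CA:FALSE and digitalSignature extensions the config asked for;
# prints FAIL and returns 1 otherwise
verify_ima_cert() {
    dir=$1
    openssl x509 -inform DER -in "$dir/x509_ima.der" -out "$dir/x509_ima.pem"
    if ! openssl verify -CAfile "$dir/ima-local-ca.pem" "$dir/x509_ima.pem" >/dev/null 2>&1; then
        echo FAIL; return 1
    fi
    text=$(openssl x509 -in "$dir/x509_ima.pem" -noout -text)
    case $text in *"CA:FALSE"*) ;; *) echo FAIL; return 1 ;; esac
    case $text in *"Digital Signature"*) ;; *) echo FAIL; return 1 ;; esac
    echo OK
}

# stand-alone run: build everything in a scratch directory and check it
if command -v openssl >/dev/null 2>&1; then
    scratch=$(mktemp -d)
    gen_ima_pki "$scratch"
    verify_ima_cert "$scratch"
    echo "keys and certificates written to $scratch"
fi
```

The check is the part worth keeping around: 'openssl verify' against ima-local-ca.pem is exactly the relationship the '.ima' keyring enforces at import time, so a certificate that fails here will be rejected by the kernel as well.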


Sign file data and metadata
---------------------------

Default key locations:

 Private RSA key: /etc/keys/privkey_evm.pem
 Public RSA key: /etc/keys/pubkey_evm.pem
 X509 certificate: /etc/keys/x509_evm.der

Options to remember: '-k', '-r', '--rsa', '--uuid', '--smack', '-a'. The default
hash algorithm is sha1; use '-a sha256' for new deployments, with the kernel's
IMA policy and ima_hash= setting chosen to match. '--pass' places the key
password on the command line, where it is visible to other users in process
listings; treat a key used that way on a shared host as exposed.

Sign a file with an EVM signature and calculate the hash value for IMA:

    evmctl sign --imahash test.txt

Sign a file with both IMA and EVM signatures:

    evmctl sign --imasig test.txt

Sign a file with an IMA signature only:

    evmctl ima_sign test.txt

Sign the whole filesystem recursively:

    evmctl -r sign --imahash /

Fix the whole filesystem recursively (recompute the hashes and HMACs of files
whose xattrs are missing or stale):

    evmctl -r ima_fix /

Sign the filesystem selectively using the 'find' command:

    find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;

Fix the filesystem selectively using the 'find' command. With the kernel booted
in fix mode (ima_appraise=fix), merely opening a file for reading makes the kernel
write the correct security.ima (and security.evm, if EVM is enabled), so the
command only has to open each file:

    find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
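To check what the sign commands above actually wrote, and to tell v1 from v2 material as described under "Key and signature formats", it helps to read the xattr values back: `getfattr -n security.ima -e hex FILE` prints them in hex. The decoder below is an added example written for this page, not part of ima-evm-utils; the sample blobs are constructed (the keyid 4a6d7c1e is made up and the repeated 'ab' bytes are not a real signature). The layouts follow the kernel's integrity headers and ima-evm-utils' imaevm.h:

```shell
#!/bin/sh
# Decoder for the security.ima / security.evm values evmctl writes, taking the
# hex form printed by:  getfattr -n security.ima -e hex FILE
# Example for this page, not part of ima-evm-utils.
# Layouts (kernel integrity headers, ima-evm-utils imaevm.h):
#   byte 0       xattr type
#   type 1       security.ima: bare legacy digest; security.evm: HMAC-SHA1
#   type 3, 5    signature v2 header: version(1) hash_algo(1) keyid(4, BE)
#                sig_size(2, BE), then sig_size signature bytes; type 5 is the
#                portable EVM signature (no inode/generation/fs UUID bound in)
#   type 4       hash_algo(1), then the digest

hash_algo_name() {
    # numbering from the kernel's include/uapi/linux/hash_info.h
    case "$1" in
        0) echo md4 ;;    1) echo md5 ;;    2) echo sha1 ;;   3) echo rmd160 ;;
        4) echo sha256 ;; 5) echo sha384 ;; 6) echo sha512 ;; 7) echo sha224 ;;
        *) echo "unknown($1)" ;;
    esac
}

# hexbyte HEX OFFSET: decimal value of the byte at 0-based OFFSET
hexbyte() {
    _b=$(printf '%s' "$1" | cut -c"$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))")
    echo $(( 0x$_b ))
}

# ima_xattr_decode {ima|evm} VALUE
# VALUE is the hex blob, with or without the "0x" and "security.xxx=" that
# getfattr prints. Prints one descriptive line; returns 1 if malformed.
ima_xattr_decode() {
    name=$1
    hex=${2#*=}; hex=${hex#0x}
    len=$(( ${#hex} / 2 ))
    [ "$len" -ge 1 ] || { echo "$name: empty xattr"; return 1; }
    xtype=$(hexbyte "$hex" 0)
    case "$xtype" in
    1)
        if [ "$name" = evm ]; then
            [ "$len" -eq 21 ] || { echo "evm: hmac is $(( len - 1 )) bytes, want 20"; return 1; }
            echo "evm: hmac-sha1, 20 bytes"
        else
            echo "ima: legacy digest, $(( len - 1 )) bytes, no algorithm byte"
        fi
        ;;
    4)
        [ "$len" -ge 2 ] || { echo "ima: digest-ng header truncated"; return 1; }
        echo "ima: digest $(hash_algo_name "$(hexbyte "$hex" 1)"), $(( len - 2 )) bytes"
        ;;
    3|5)
        [ "$len" -ge 9 ] || { echo "$name: signature header truncated"; return 1; }
        version=$(hexbyte "$hex" 1)
        [ "$version" -eq 2 ] || { echo "$name: signature version $version not decoded here"; return 1; }
        algo=$(hash_algo_name "$(hexbyte "$hex" 2)")
        keyid=$(printf '%s' "$hex" | cut -c7-14)
        sig_size=$(( $(hexbyte "$hex" 7) * 256 + $(hexbyte "$hex" 8) ))
        have=$(( len - 9 ))
        # a header that promises more bytes than the xattr holds is the usual
        # truncated or corrupted xattr; the kernel rejects such a value too
        [ "$have" -eq "$sig_size" ] || { echo "$name: sig_size $sig_size but $have signature bytes present"; return 1; }
        kind=signature
        if [ "$xtype" -eq 5 ]; then kind="portable signature"; fi
        echo "$name: $kind v2, $algo, keyid $keyid, $sig_size-byte signature"
        ;;
    *)
        echo "$name: unknown xattr type $xtype"; return 1 ;;
    esac
}

# constructed samples (not real signatures): a sha256 digest, a v2 RSA-2048
# signature with keyid 4a6d7c1e, its portable EVM twin, a blob whose header
# promises 256 signature bytes but carries 4, and a 20-byte EVM HMAC
digest_ng="0x0404$(awk 'BEGIN { for (i = 0; i < 32; i++) printf "%02x", i }')"
sig_v2="0x0302044a6d7c1e0100$(awk 'BEGIN { for (i = 0; i < 256; i++) printf "ab" }')"
portable="0x05${sig_v2#0x03}"
truncated="0x0302044a6d7c1e0100deadbeef"
evm_hmac="0x01$(awk 'BEGIN { for (i = 0; i < 20; i++) printf "cd" }')"

ima_xattr_decode ima "$digest_ng"
ima_xattr_decode ima "$sig_v2"
ima_xattr_decode evm "$portable"
ima_xattr_decode evm "$evm_hmac"
ima_xattr_decode ima "$truncated" || echo "(rejected, as it should be)"
```

The sig_size check is the one to keep in mind when a file unexpectedly fails appraisal: a tool that rewrote the xattr with a different key or algorithm leaves a value whose header and length still agree, whereas an interrupted write or a filesystem that silently capped the xattr size leaves one that does not.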


Initialize IMA/EVM at early boot
--------------------------------

IMA/EVM initialization should normally be done from the initial RAM file system,
before the root filesystem is mounted, so that the keys are in place before any
file on the root filesystem is appraised.

Here is an Ubuntu initramfs example script (/etc/initramfs-tools/scripts/local-top/ima.sh):

    # mount securityfs if not mounted
    SECFS=/sys/kernel/security
    grep -q  $SECFS /proc/mounts || mount -n -t securityfs securityfs $SECFS

    # search for the IMA trusted keyring ('.ima', present only with
    # CONFIG_IMA_TRUSTED_KEYRING), then for the untrusted '_ima'.
    # /proc/keys lists serials in hex; match the keyring by its exact name
    ima_id=`awk '$8 == "keyring" && $9 == ".ima:" { print $1 }' /proc/keys`
    if [ -n "$ima_id" ]; then
        ima_id=$((0x$ima_id))
    else
        ima_id=`keyctl search @u keyring _ima 2>/dev/null`
        if [ -z "$ima_id" ]; then
            ima_id=`keyctl newring _ima @u`
        fi
    fi
    # import IMA X509 certificate
    evmctl import /etc/keys/x509_ima.der $ima_id

    # search for EVM keyring
    evm_id=`keyctl search @u keyring _evm 2>/dev/null`
    if [ -z "$evm_id" ]; then
        evm_id=`keyctl newring _evm @u`
    fi
    # import EVM X509 certificate
    evmctl import /etc/keys/x509_evm.der $evm_id

    # a) import EVM encrypted key (user-type KMK, see above)
    keyctl padd user kmk @u < /etc/keys/kmk
    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
    # OR
    # b) import EVM trusted key (TPM-sealed KMK); use instead of a)
    #keyctl add trusted kmk "load `cat /etc/keys/kmk`" @u
    #keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u

    # enable EVM
    echo "1" > /sys/kernel/security/evm

On newer kernels the value written to /sys/kernel/security/evm is a bit mask
(1: initialize EVM with the HMAC key, 2: initialize with X509 keys only, so no
HMAC key is needed). Once EVM is enabled it cannot be disabled again from
userspace.

Optionally it is also possible to forbid adding and removing public keys and
certificates in the keyrings, and revoking keys, using the 'keyctl setperm'
command. The mask 0x0b0b0000 leaves the possessor and the owner with view, read
and search only; write (needed to add, remove or revoke keys), link and setattr
(needed to change the permissions again) are withdrawn from everyone, including
root, so the restriction holds until reboot:

    # protect EVM keyring
    keyctl setperm $evm_id 0x0b0b0000
    # protect IMA keyring
    keyctl setperm $ima_id 0x0b0b0000
    # protecting IMA key from revoking (against DoS)
    ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id`
    keyctl setperm $ima_key 0x0b0b0000


When using plain RSA public keys in PEM format, use 'evmctl import --rsa' to
import them:

    evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id

Recent versions of keyctl can import X509 public key certificates directly:

    cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id


FILES
-----

Example scripts to generate X509 public key certificates:

 /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
 /usr/share/doc/ima-evm-utils/ima-genkey.sh
 /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh


AUTHOR
------

Written by Dmitry Kasatkin, <dmitry.kasatkin at gmail.com> and others.


RESOURCES
---------

 http://sourceforge.net/p/linux-ima/wiki/Home
 http://sourceforge.net/p/linux-ima/ima-evm-utils


COPYING
-------

Copyright \(C) 2012 - 2014 Linux Integrity Project. Free use of this software is granted under
the terms of the GNU General Public License (GPL).