|
Packit Service |
42482e |
EVMCTL(1)
|
|
Packit Service |
42482e |
=========
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
NAME
|
|
Packit Service |
42482e |
----
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
evmctl - IMA/EVM signing utility
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
SYNOPSIS
|
|
Packit Service |
42482e |
--------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
evmctl [options] <command> [OPTIONS]
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
DESCRIPTION
|
|
Packit Service |
42482e |
-----------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
The evmctl utility can be used for producing and verifying digital signatures,
|
|
Packit Service |
42482e |
which are used by Linux kernel integrity subsystem (IMA/EVM). It can be also
|
|
Packit Service |
42482e |
used to import keys into the kernel keyring.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
COMMANDS
|
|
Packit Service |
42482e |
--------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
--version
|
|
Packit Service |
42482e |
help <command>
|
|
Packit Service |
42482e |
import [--rsa] pubkey keyring
|
|
Packit Service |
42482e |
sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
|
|
Packit Service |
42482e |
verify file
|
|
Packit Service |
42482e |
ima_sign [--sigfile] [--key key] [--pass password] file
|
|
Packit Service |
42482e |
ima_verify file
|
|
Packit Service |
42482e |
ima_hash file
|
|
Packit Service |
42482e |
ima_measurement [--key "key1, key2, ..."] [--list] file
|
|
Packit Service |
42482e |
ima_fix [-t fdsxm] path
|
|
Packit Service |
42482e |
sign_hash [--key key] [--pass password]
|
|
Packit Service |
42482e |
hmac [--imahash | --imasig ] file
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
OPTIONS
|
|
Packit Service |
42482e |
-------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
-a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512
|
|
Packit Service |
42482e |
-s, --imasig make IMA signature
|
|
Packit Service |
42482e |
-d, --imahash make IMA hash
|
|
Packit Service |
42482e |
-f, --sigfile store IMA signature in .sig file instead of xattr
|
|
Packit Service |
42482e |
--rsa use RSA key type and signing scheme v1
|
|
Packit Service |
42482e |
-k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
|
|
Packit Service |
42482e |
-o, --portable generate portable EVM signatures
|
|
Packit Service |
42482e |
-p, --pass password for encrypted signing key
|
|
Packit Service |
42482e |
-r, --recursive recurse into directories (sign)
|
|
Packit Service |
42482e |
-t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)
|
|
Packit Service |
42482e |
x - skip fixing if both ima and evm xattrs exist (use with caution)
|
|
Packit Service |
42482e |
m - stay on the same filesystem (like 'find -xdev')
|
|
Packit Service |
42482e |
-n print result to stdout instead of setting xattr
|
|
Packit Service |
42482e |
-u, --uuid use custom FS UUID for EVM (unspecified: from FS, empty: do not use)
|
|
Packit Service |
42482e |
--smack use extra SMACK xattrs for EVM
|
|
Packit Service |
42482e |
--m32 force EVM hmac/signature for 32 bit target system
|
|
Packit Service |
42482e |
--m64 force EVM hmac/signature for 64 bit target system
|
|
Packit Service |
42482e |
-v increase verbosity level
|
|
Packit Service |
42482e |
-h, --help display this help and exit
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
INTRODUCTION
|
|
Packit Service |
42482e |
------------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Linux kernel integrity subsystem is comprised of a number of different components
|
|
Packit Service |
42482e |
including the Integrity Measurement Architecture (IMA), Extended Verification Module
|
|
Packit Service |
42482e |
(EVM), IMA-appraisal extension, digital signature verification extension and audit
|
|
Packit Service |
42482e |
measurement log support.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
The evmctl utility is used for producing and verifying digital signatures, which
|
|
Packit Service |
42482e |
are used by the Linux kernel integrity subsystem. It is also used for importing keys
|
|
Packit Service |
42482e |
into the kernel keyring.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Linux integrity subsystem allows to use IMA and EVM signatures. EVM signature
|
|
Packit Service |
42482e |
protects file metadata, such as file attributes and extended attributes. IMA
|
|
Packit Service |
42482e |
signature protects file content.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
For more detailed information about integrity subsystem it is recommended to follow
|
|
Packit Service |
42482e |
resources in RESOURCES section.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
EVM HMAC and signature metadata
|
|
Packit Service |
42482e |
-------------------------------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
EVM protects file metadata by including following attributes into HMAC and signature
|
|
Packit Service |
42482e |
calculation: inode number, inode generation, UID, GID, file mode, security.selinux,
|
|
Packit Service |
42482e |
security.SMACK64, security.ima, security.capability.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
EVM HMAC and signature in may also include additional file and file system attributes.
|
|
Packit Service |
42482e |
Currently supported additional attributes are filesystem UUID and extra SMACK
|
|
Packit Service |
42482e |
extended attributes.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether to include
|
|
Packit Service |
42482e |
filesystem UUID into HMAC and enabled by default. Therefore evmctl also includes
|
|
Packit Service |
42482e |
fsuuid by default. Providing '--uuid' option without parameter allows to disable
|
|
Packit Service |
42482e |
usage of fs uuid. Providing '--uuid=UUID' option with parameter allows to use
|
|
Packit Service |
42482e |
custom UUID. Providing the '--portable' option will disable usage of the fs uuid
|
|
Packit Service |
42482e |
and also the inode number and generation.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls whether to
|
|
Packit Service |
42482e |
include additional SMACK extended attributes into HMAC. They are following:
|
|
Packit Service |
42482e |
security.SMACK64EXEC, security.SMACK64TRANSMUTE and security.SMACK64MMAP.
|
|
Packit Service |
42482e |
evmctl '--smack' options enables that.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Key and signature formats
|
|
Packit Service |
42482e |
-------------------------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Linux integrity subsystem supports two type of signature and respectively two
|
|
Packit Service |
42482e |
key formats.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
First key format (v1) is pure RSA key encoded in PEM a format and uses own signature
|
|
Packit Service |
42482e |
format. It is now non-default format and requires to provide evmctl '--rsa' option
|
|
Packit Service |
42482e |
for signing and importing the key.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
|
|
Packit Service |
42482e |
in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Integrity keyrings
|
|
Packit Service |
42482e |
----------------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Integrity subsystem uses dedicated IMA/EVM keyrings to search for signature verification
|
|
Packit Service |
42482e |
keys - '_ima' and '_evm' respectively.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Since 3.13 IMA allows to declare IMA keyring as trusted. It allows only to load keys,
|
|
Packit Service |
42482e |
signed by a key from the system keyring (.system). It means self-signed keys are not
|
|
Packit Service |
42482e |
allowed. This is a default behavior unless CONFIG_IMA_TRUSTED_KEYRING is undefined.
|
|
Packit Service |
42482e |
IMA trusted keyring is has different name '.ima'. Trusted keyring requires X509
|
|
Packit Service |
42482e |
public key certificates. Old version RSA public keys are not compatible with trusted
|
|
Packit Service |
42482e |
keyring.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Generate EVM encrypted keys
|
|
Packit Service |
42482e |
---------------------------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
EVM encrypted key is used for EVM HMAC calculation:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# create and save the key kernel master key (user type)
|
|
Packit Service |
42482e |
# LMK is used to encrypt encrypted keys
|
|
Packit Service |
42482e |
keyctl add user kmk "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
|
|
Packit Service |
42482e |
keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# create the EVM encrypted key
|
|
Packit Service |
42482e |
keyctl add encrypted evm-key "new user:kmk 64" @u
|
|
Packit Service |
42482e |
keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Generate EVM trusted keys (TPM based)
|
|
Packit Service |
42482e |
-------------------------------------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Trusted EVM keys are keys which a generate with the help of TPM.
|
|
Packit Service |
42482e |
They are not related to integrity trusted keys.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# create and save the key kernel master key (user type)
|
|
Packit Service |
42482e |
keyctl add trusted kmk "new 32" @u
|
|
Packit Service |
42482e |
keyctl pipe `keyctl search @u trusted kmk` >kmk
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# create the EVM trusted key
|
|
Packit Service |
42482e |
keyctl add encrypted evm-key "new trusted:kmk 32" @u
|
|
Packit Service |
42482e |
keyctl pipe `keyctl search @u encrypted evm-key` >evm-key
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Generate signing and verification keys
|
|
Packit Service |
42482e |
--------------------------------------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Generate private key in plain text format:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
openssl genrsa -out privkey_evm.pem 1024
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Generate encrypted private key:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
openssl genrsa -des3 -out privkey_evm.pem 1024
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Make encrypted private key from unencrypted:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Generate self-signed X509 public key certificate and private key for using kernel
|
|
Packit Service |
42482e |
asymmetric keys support:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
|
|
Packit Service |
42482e |
-x509 -config x509_evm.genkey \
|
|
Packit Service |
42482e |
-outform DER -out x509_evm.der -keyout privkey_evm.pem
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Configuration file x509_evm.genkey:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# Begining of the file
|
|
Packit Service |
42482e |
[ req ]
|
|
Packit Service |
42482e |
default_bits = 1024
|
|
Packit Service |
42482e |
distinguished_name = req_distinguished_name
|
|
Packit Service |
42482e |
prompt = no
|
|
Packit Service |
42482e |
string_mask = utf8only
|
|
Packit Service |
42482e |
x509_extensions = myexts
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
[ req_distinguished_name ]
|
|
Packit Service |
42482e |
O = Magrathea
|
|
Packit Service |
42482e |
CN = Glacier signing key
|
|
Packit Service |
42482e |
emailAddress = slartibartfast@magrathea.h2g2
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
[ myexts ]
|
|
Packit Service |
42482e |
basicConstraints=critical,CA:FALSE
|
|
Packit Service |
42482e |
keyUsage=digitalSignature
|
|
Packit Service |
42482e |
subjectKeyIdentifier=hash
|
|
Packit Service |
42482e |
authorityKeyIdentifier=keyid
|
|
Packit Service |
42482e |
# EOF
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Generate public key for using RSA key format:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Copy keys to /etc/keys:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
cp pubkey_evm.pem /etc/keys
|
|
Packit Service |
42482e |
scp pubkey_evm.pem target:/etc/keys
|
|
Packit Service |
42482e |
or
|
|
Packit Service |
42482e |
cp x509_evm.pem /etc/keys
|
|
Packit Service |
42482e |
scp x509_evm.pem target:/etc/keys
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Generate trusted keys
|
|
Packit Service |
42482e |
---------------------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Generation of trusted keys is a bit more complicated process and involves
|
|
Packit Service |
42482e |
following steps:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
* Creation of local IMA certification authority (CA).
|
|
Packit Service |
42482e |
It consist of private and public key certificate which are used
|
|
Packit Service |
42482e |
to sign and verify other keys.
|
|
Packit Service |
42482e |
* Build Linux kernel with embedded local IMA CA X509 certificate.
|
|
Packit Service |
42482e |
It is used to verify other keys added to the '.ima' trusted keyring
|
|
Packit Service |
42482e |
* Generate IMA private signing key and verification public key certificate,
|
|
Packit Service |
42482e |
which is signed using local IMA CA private key.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Configuration file ima-local-ca.genkey:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# Begining of the file
|
|
Packit Service |
42482e |
[ req ]
|
|
Packit Service |
42482e |
default_bits = 2048
|
|
Packit Service |
42482e |
distinguished_name = req_distinguished_name
|
|
Packit Service |
42482e |
prompt = no
|
|
Packit Service |
42482e |
string_mask = utf8only
|
|
Packit Service |
42482e |
x509_extensions = v3_ca
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
[ req_distinguished_name ]
|
|
Packit Service |
42482e |
O = IMA-CA
|
|
Packit Service |
42482e |
CN = IMA/EVM certificate signing key
|
|
Packit Service |
42482e |
emailAddress = ca@ima-ca
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
[ v3_ca ]
|
|
Packit Service |
42482e |
basicConstraints=CA:TRUE
|
|
Packit Service |
42482e |
subjectKeyIdentifier=hash
|
|
Packit Service |
42482e |
authorityKeyIdentifier=keyid:always,issuer
|
|
Packit Service |
42482e |
# keyUsage = cRLSign, keyCertSign
|
|
Packit Service |
42482e |
# EOF
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Generate private key and X509 public key certificate:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
|
|
Packit Service |
42482e |
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Produce X509 in DER format for using while building the kernel:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Configuration file ima.genkey:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# Begining of the file
|
|
Packit Service |
42482e |
[ req ]
|
|
Packit Service |
42482e |
default_bits = 1024
|
|
Packit Service |
42482e |
distinguished_name = req_distinguished_name
|
|
Packit Service |
42482e |
prompt = no
|
|
Packit Service |
42482e |
string_mask = utf8only
|
|
Packit Service |
42482e |
x509_extensions = v3_usr
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
[ req_distinguished_name ]
|
|
Packit Service |
42482e |
O = `hostname`
|
|
Packit Service |
42482e |
CN = `whoami` signing key
|
|
Packit Service |
42482e |
emailAddress = `whoami`@`hostname`
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
[ v3_usr ]
|
|
Packit Service |
42482e |
basicConstraints=critical,CA:FALSE
|
|
Packit Service |
42482e |
#basicConstraints=CA:FALSE
|
|
Packit Service |
42482e |
keyUsage=digitalSignature
|
|
Packit Service |
42482e |
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
Packit Service |
42482e |
subjectKeyIdentifier=hash
|
|
Packit Service |
42482e |
authorityKeyIdentifier=keyid
|
|
Packit Service |
42482e |
#authorityKeyIdentifier=keyid,issuer
|
|
Packit Service |
42482e |
# EOF
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Generate private key and X509 public key certificate signing request:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
|
|
Packit Service |
42482e |
-out csr_ima.pem -keyout privkey_ima.pem
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Sign X509 public key certificate signing request with local IMA CA private key:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
|
|
Packit Service |
42482e |
-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
|
|
Packit Service |
42482e |
-outform DER -out x509_ima.der
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Sign file data and metadata
|
|
Packit Service |
42482e |
---------------------------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Default key locations:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Private RSA key: /etc/keys/privkey_evm.pem
|
|
Packit Service |
42482e |
Public RSA key: /etc/keys/pubkey_evm.pem
|
|
Packit Service |
42482e |
X509 certificate: /etc/keys/x509_evm.der
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Options to remember: '-k', '-r', '--rsa', '--uuid', '--smack'.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Sign file with EVM signature and calculate hash value for IMA:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
evmctl sign --imahash test.txt
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Sign file with both IMA and EVM signatures:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
evmctl sign --imasig test.txt:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Sign file with IMA signature:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
evmctl ima_sign test.txt
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Sign recursively whole filesystem:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
evmctl -r sign --imahash /
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Fix recursively whole filesystem:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
evmctl -r ima_fix /
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Sign filesystem selectively using 'find' command:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Fix filesystem selectively using 'find' command:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Initialize IMA/EVM at early boot
|
|
Packit Service |
42482e |
--------------------------------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
IMA/EVM initialization should be normally done from initial RAM file system
|
|
Packit Service |
42482e |
before mounting root filesystem.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Here is Ubuntu initramfs example script (/etc/initramfs-tools/scripts/local-top/ima.sh)
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# mount securityfs if not mounted
|
|
Packit Service |
42482e |
SECFS=/sys/kernel/security
|
|
Packit Service |
42482e |
grep -q $SECFS /proc/mounts || mount -n -t securityfs securityfs $SECFS
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# search for IMA trusted keyring, then for untrusted
|
|
Packit Service |
42482e |
ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
|
|
Packit Service |
42482e |
if [ -z "$ima_id" ]; then
|
|
Packit Service |
42482e |
ima_id=`keyctl search @u keyring _ima 2>/dev/null`
|
|
Packit Service |
42482e |
if [ -z "$ima_id" ]; then
|
|
Packit Service |
42482e |
ima_id=`keyctl newring _ima @u`
|
|
Packit Service |
42482e |
fi
|
|
Packit Service |
42482e |
fi
|
|
Packit Service |
42482e |
# import IMA X509 certificate
|
|
Packit Service |
42482e |
evmctl import /etc/keys/x509_ima.der $ima_id
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# search for EVM keyring
|
|
Packit Service |
42482e |
evm_id=`keyctl search @u keyring _evm 2>/dev/null`
|
|
Packit Service |
42482e |
if [ -z "$evm_id" ]; then
|
|
Packit Service |
42482e |
evm_id=`keyctl newring _evm @u`
|
|
Packit Service |
42482e |
fi
|
|
Packit Service |
42482e |
# import EVM X509 certificate
|
|
Packit Service |
42482e |
evmctl import /etc/keys/x509_evm.der $evm_id
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# a) import EVM encrypted key
|
|
Packit Service |
42482e |
cat /etc/keys/kmk | keyctl padd user kmk @u
|
|
Packit Service |
42482e |
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
|
|
Packit Service |
42482e |
# OR
|
|
Packit Service |
42482e |
# b) import EVM trusted key
|
|
Packit Service |
42482e |
keyctl add trusted kmk "load `cat /etc/keys/kmk`" @u
|
|
Packit Service |
42482e |
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# enable EVM
|
|
Packit Service |
42482e |
echo "1" > /sys/kernel/security/evm
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Optionally it is possible also to forbid adding, removing of new public keys
|
|
Packit Service |
42482e |
and certificates into keyrings and revoking keys using 'keyctl setperm' command:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
# protect EVM keyring
|
|
Packit Service |
42482e |
keyctl setperm $evm_id 0x0b0b0000
|
|
Packit Service |
42482e |
# protect IMA keyring
|
|
Packit Service |
42482e |
keyctl setperm $ima_id 0x0b0b0000
|
|
Packit Service |
42482e |
# protecting IMA key from revoking (against DoS)
|
|
Packit Service |
42482e |
ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id`
|
|
Packit Service |
42482e |
keyctl setperm $ima_key 0x0b0b0000
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
When using plain RSA public keys in PEM format, use 'evmctl import --rsa' for importing keys:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Latest version of keyctl allows to import X509 public key certificates:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
FILES
|
|
Packit Service |
42482e |
-----
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Examples of scripts to generate X509 public key certificates:
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
/usr/share/doc/ima-evm-utils/ima-genkey-self.sh
|
|
Packit Service |
42482e |
/usr/share/doc/ima-evm-utils/ima-genkey.sh
|
|
Packit Service |
42482e |
/usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
AUTHOR
|
|
Packit Service |
42482e |
------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Written by Dmitry Kasatkin, <dmitry.kasatkin at gmail.com> and others.
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
RESOURCES
|
|
Packit Service |
42482e |
---------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
http://sourceforge.net/p/linux-ima/wiki/Home
|
|
Packit Service |
42482e |
http://sourceforge.net/p/linux-ima/ima-evm-utils
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
COPYING
|
|
Packit Service |
42482e |
-------
|
|
Packit Service |
42482e |
|
|
Packit Service |
42482e |
Copyright \(C) 2012 - 2014 Linux Integrity Project. Free use of this software is granted under
|
|
Packit Service |
42482e |
the terms of the GNU Public License (GPL).
|
|
Packit Service |
42482e |
|