* Yocto Kirkstone IMA Kernel Flags #kernel #kirkstone
@ 2025-04-02 12:32 miriam.rico
2025-04-03 12:12 ` [yocto] " Gyorgy Sarvari
2025-04-03 15:56 ` Bruce Ashfield
0 siblings, 2 replies; 5+ messages in thread
From: miriam.rico @ 2025-04-02 12:32 UTC (permalink / raw)
To: yocto
Hi,
I want to add IMA (Integrity Measurement Architecture) support to my Yocto build and I enabled it in my local.conf by adding:
DISTRO_FEATURES:append = " integrity ima"
IMAGE_CLASSES += "ima-evm-rootfs"
IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/ima_privkey.pem"
IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_evm.der"
Also, I added the meta-integrity layer to my bblayers.conf file.
After building the image, I noticed that the algorithm used is sha1. I would like to enable the sha256 algorithm, but I am having problems with it. I have tried to enable it using the kernel flags, but I can't get it to work. I have reviewed the configuration that applies when IMA is enabled and found it to be as follows (looking at the config file generated after compiling the kernel and grepping for IMA; I am using *Kernel version 5.15*):
# SPDX-License-Identifier: MIT
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH_SHA1=y
CONFIG_IMA_DEFAULT_HASH="sha1"
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_SIGNATURE=y
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
So I created a fragment file with the following:
CONFIG_IMA_SIG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_DEFAULT_HASH="sha256"
Then I added it to my linux-yocto_%.bbappend file:
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += "file://enable-ima.cfg "
But after recompiling the kernel, the template and the hash remain "ima-ng" and "sha1".
I have also tried to create the fragment file using menuconfig, activating "ima-sig" and "sha256", using diffconfig to create the fragment.cfg file, copying the fragment file to meta-my-layer/recipes-kernel/linux/files and adding it to my linux-yocto_%.bbappend file, but the result has been the same: the template and the algorithm have not changed.
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += "file://fragment.cfg "
I have been going through the task logs trying to see where the problem might be and found the do_kernel_configme log. In the log, I saw the following:
Final scc/cfg list: /home/.../Yocto/build/tmp/work/genericx86_64-poky-linux/linux-yocto/5.15.72+gitAUTOINC+441f5fe000_0b628306d1-r0/kernel-meta/bsp/common-pc-64/common-pc-64-standard.scc /home/
/home/.../Yocto/my_yocto_project/meta-my-layer/recipes-kernel/linux/files/enable-ima.cfg
/home/.../Yocto/my_yocto_project/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.scc features/ima/ima.scc
So I thought that maybe the kernel features are applied after the user-created fragments, so I added the following options to my enable-ima.cfg fragment to see whether that was true.
CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y
CONFIG_IMA_APPRAISE_BUILD_POLICY=y
CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
After recompiling the kernel, the result was the following:
# CONFIG_MDIO_BCM_UNIMAC is not set
CONFIG_FB_CFB_IMAGEBLIT=y
CONFIG_FB_SYS_IMAGEBLIT=y
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
# CONFIG_HID_PRIMAX is not set
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
# CONFIG_IMA_SIG_TEMPLATE is not set
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH_SHA1=y
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
CONFIG_IMA_DEFAULT_HASH="sha1"
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
CONFIG_IMA_APPRAISE_BUILD_POLICY=y
CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_IMA_APPRAISE_MODSIG=y
CONFIG_IMA_TRUSTED_KEYRING=y
# CONFIG_IMA_BLACKLIST_KEYRING is not set
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
CONFIG_IMA_APPRAISE_SIGNED_INIT=y
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
# CONFIG_IMA_DISABLE_HTABLE is not set
The newly added options appear in the configuration.
Can anyone tell me which is the order of applying Kernel configuration? I am not sure whether I am following the correct order. How can I apply my Kernel configuration?
Any answer will be appreciated.
Thank you,
Miriam
* Re: [yocto] Yocto Kirkstone IMA Kernel Flags #kernel #kirkstone
2025-04-02 12:32 Yocto Kirkstone IMA Kernel Flags #kernel #kirkstone miriam.rico
@ 2025-04-03 12:12 ` Gyorgy Sarvari
2025-04-03 15:56 ` Bruce Ashfield
1 sibling, 0 replies; 5+ messages in thread
From: Gyorgy Sarvari @ 2025-04-03 12:12 UTC (permalink / raw)
To: yocto, miriam.rico
To me it looks like the KERNEL_FEATURES are always processed last, so I
guess it always overwrites the corresponding config fragments?
I don't see a nice way out of this at first sight[1]... as a not too
nice (but most likely working) hack, you could remove
"features/ima/ima.scc" from KERNEL_FEATURES, and add the corresponding
(modified) config from ima.cfg to your own fragment.
[1]: which doesn't mean a lot, but we will see if a correction comes
* Re: [yocto] Yocto Kirkstone IMA Kernel Flags #kernel #kirkstone
2025-04-02 12:32 Yocto Kirkstone IMA Kernel Flags #kernel #kirkstone miriam.rico
2025-04-03 12:12 ` [yocto] " Gyorgy Sarvari
@ 2025-04-03 15:56 ` Bruce Ashfield
2025-04-07 8:02 ` miriam.rico
1 sibling, 1 reply; 5+ messages in thread
From: Bruce Ashfield @ 2025-04-03 15:56 UTC (permalink / raw)
To: yocto, miriam.rico
I've sent the order several times for documentation, but I admit that
I haven't really gone to check to see if it is there. I've also answered
on the list a few times over the years, but again, that only helps if
you know what to look/search for.
Fragments are applied in the order they are found. And that order
is of course governed by the standard bitbake variable processing
rules (default values, overrides, etc., etc.). A bbappend like you
tried first would work, unless the processing order of the variable
puts another fragment after it that manipulates the same variable (as
you also found).
KERNEL_FEATURES are always applied after all "in tree" (aka
kernel-cache) and user-supplied fragments (i.e. bbappends), since
KERNEL_FEATURES have more stringent checks to see that they
exist and are applied. They form a "contract": if they aren't
applied, then we have a problem. Of course the order of KERNEL_FEATURES
is also controlled by normal bitbake variable processing rules.
So yes, if you have another fragment that is modifying an option
that you want to apply, you can either :remove that feature / fragment
from the SRC_URI or create a KERNEL_FEATURE that will be applied
after the user-supplied 'standard' fragments.
Bruce
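A concrete form of the KERNEL_FEATURES route Bruce describes, as an added example rather than anything posted in the thread: a recipe-space feature (an .scc that pulls in a .cfg) listed in both SRC_URI and KERNEL_FEATURES, so that it is merged after features/ima/ima.scc and its values win. The script below writes the three files into a layer. The layer path, the feature name ima-sha256 and the linux-yocto recipe name are assumptions; the layer must already be in bblayers.conf. The .scc has to be in SRC_URI as well, because kernel-yocto.bbclass adds the directory of every SRC_URI .scc to the include path against which KERNEL_FEATURES entries are resolved; without that the feature is reported as not found.

```shell
#!/bin/sh
# Added example (not from the thread): install a recipe-space kernel feature
# that overrides the IMA template and default hash via KERNEL_FEATURES, so it
# is applied after features/ima/ima.scc from meta-integrity.
# Assumptions: layer directory given as $1, kernel recipe is linux-yocto,
# feature name "ima-sha256" (hypothetical).
set -eu

install_ima_feature() {
    layer="$1"
    dir="$layer/recipes-kernel/linux"
    mkdir -p "$dir/files"

    # Kconfig fragment: the values the thread wanted (ima-sig template, sha256).
    cat > "$dir/files/ima-sha256.cfg" <<'EOF'
CONFIG_IMA_SIG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_DEFAULT_HASH="sha256"
EOF

    # Feature description. A KERNEL_FEATURES entry must be an .scc; it pulls
    # in the .cfg. "non-hardware" tells the kernel tools to warn if any of
    # these options does not survive into the final .config.
    cat > "$dir/files/ima-sha256.scc" <<'EOF'
define KFEATURE_DESCRIPTION "IMA: ima-sig template and sha256 default hash"
define KFEATURE_COMPATIBILITY all

kconf non-hardware ima-sha256.cfg
EOF

    # Appended, not overwritten: merge by hand if a bbappend already exists.
    # SRC_URI puts the files in WORKDIR (and WORKDIR on the include path);
    # KERNEL_FEATURES is what makes the feature apply last.
    cat >> "$dir/linux-yocto_%.bbappend" <<'EOF'
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += "file://ima-sha256.scc \
            file://ima-sha256.cfg"
KERNEL_FEATURES:append = " ima-sha256.scc"
EOF
}

# Check a generated .config: succeeds only if both overrides took effect.
check_config() {
    grep -qx 'CONFIG_IMA_DEFAULT_HASH="sha256"' "$1" &&
    grep -qx 'CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"' "$1"
}

# Usage: sh add-ima-feature.sh /path/to/meta-my-layer
if [ "$#" -ge 1 ]; then
    install_ima_feature "$1"
fi
```

After rebuilding virtual/kernel, run check_config against the .config in the kernel build directory (${B}) and confirm in the do_kernel_configme log that ima-sha256.scc is listed after features/ima/ima.scc in the "Final scc/cfg list"; that ordering is the whole point of the feature.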
* Re: [yocto] Yocto Kirkstone IMA Kernel Flags #kernel #kirkstone
2025-04-03 15:56 ` Bruce Ashfield
@ 2025-04-07 8:02 ` miriam.rico
2025-04-30 15:03 ` miriam.rico
0 siblings, 1 reply; 5+ messages in thread
From: miriam.rico @ 2025-04-07 8:02 UTC (permalink / raw)
To: Bruce Ashfield, yocto
Hi,
Thank you very much for your answers. Now the configuration order is clear to me. I tried a do_configure:append that adds the options I needed to the .config file and reruns olddefconfig. This seems to have worked, as the options I wanted are now loaded into the kernel.
Thank you
Miriam
* Re: [yocto] Yocto Kirkstone IMA Kernel Flags #kernel #kirkstone
2025-04-07 8:02 ` miriam.rico
@ 2025-04-30 15:03 ` miriam.rico
0 siblings, 0 replies; 5+ messages in thread
From: miriam.rico @ 2025-04-30 15:03 UTC (permalink / raw)
To: miriam.rico, yocto
Hi again,
I have IMA working with the appraisal default policy
>
> appraise func=MODULE_CHECK appraise_type=imasig
> appraise func=FIRMWARE_CHECK appraise_type=imasig
> appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
>
And now, I want to add a custom policy with measure and appraisal rules. The purpose of the custom policy is to measure all binary files and, in case the signature does not match, prevent opening those binaries. I have created the following policy:
>
> measure func=BPRM_CHECK mask=MAY_EXEC
> appraise func=BPRM_CHECK mask=MAY_EXEC
>
I have the following kernel flags regarding IMA:
>
> CONFIG_IMA=y
> CONFIG_IMA_MEASURE_PCR_IDX=10
> # CONFIG_IMA_NG_TEMPLATE is not set
> CONFIG_IMA_SIG_TEMPLATE=y
> CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
> # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
> CONFIG_IMA_DEFAULT_HASH_SHA256=y
> # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
> CONFIG_IMA_DEFAULT_HASH="sha256"
> CONFIG_IMA_WRITE_POLICY=y
> CONFIG_IMA_READ_POLICY=y
> CONFIG_IMA_APPRAISE=y
> # CONFIG_IMA_ARCH_POLICY is not set
> CONFIG_IMA_APPRAISE_BUILD_POLICY=y
> CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS=y
> CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y
> CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y
> CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
> CONFIG_IMA_APPRAISE_BOOTPARAM=y
> CONFIG_IMA_APPRAISE_MODSIG=y
> CONFIG_IMA_TRUSTED_KEYRING=y
> # CONFIG_IMA_BLACKLIST_KEYRING is not set
> CONFIG_IMA_LOAD_X509=y
> CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
> CONFIG_IMA_APPRAISE_SIGNED_INIT=y
> CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
> # CONFIG_IMA_DISABLE_HTABLE is not set
>
And a recipe that copies the IMA policy into the rootfs of the initramfs:
>
> install -m 0644 ${WORKDIR}/ima-policy ${D}/etc/ima/ima-policy
>
But I am not able to load it. I have added the policy to the initramfs, but when booting the machine, I always get the same error:
>
> ima: signed policy file (specified as an absolute pathname) required.
> audit: type=1802 audit(1744809469.971:2): pid: 624 uid=0 auid=4294967295
> ses=4294967295 op=update_policy cause=signed policy required comm="init"
> res=0 errno=0
>
I tried to sign the policy using evmctl during the initramfs build process, but it gives me the following error:
>
> setaxttr failed: /etc/ima/ima-policy
> errno: Operation not supported (95)
>
So I tried to sign the policy using the IMA init script of the meta-integrity layer (https://git.yoctoproject.org/meta-security/tree/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima?h=kirkstone). I modified it to sign the policy, but the same error appeared. I added the following lines to the script after the mount step and before the keyctl calls:
>
> ...
> if [ ! -d /sys/kernel/security/ima ]; then
>     fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel."
> fi
>
> if [ -f /etc/ima/ima-policy ] && [ -f /etc/ima/ima_privkey.pem ]; then
>     evmctl ima_sign --hashalgo sha256 --key /etc/ima/ima_privkey.pem /etc/ima/ima-policy
> fi
>
> for kind in ima evm; do
> ...
>
I checked the kernel flags to ensure that the xattr options are enabled. I have these flags regarding xattr:
>
> CONFIG_DEVTMPFS=y
> CONFIG_DEVTMPFS_MOUNT=y
> CONFIG_TMPFS=y
> CONFIG_TMPFS_POSIX_ACL=y
> CONFIG_TMPFS_XATTR=y
> # CONFIG_TMPFS_INODE64 is not set
> CONFIG_SECURITY=y
> CONFIG_SECURITYFS=y
>
Also, I tried signing the policy on my machine, but the same error occurred.
So I decided to disable the IMA policy signing kernel flag. Now my flags are:
>
> CONFIG_IMA=y
> CONFIG_IMA_MEASURE_PCR_IDX=10
> # CONFIG_IMA_NG_TEMPLATE is not set
> CONFIG_IMA_SIG_TEMPLATE=y
> CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
> # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
> CONFIG_IMA_DEFAULT_HASH_SHA256=y
> # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
> CONFIG_IMA_DEFAULT_HASH="sha256"
> CONFIG_IMA_WRITE_POLICY=y
> CONFIG_IMA_READ_POLICY=y
> CONFIG_IMA_APPRAISE=y
> # CONFIG_IMA_ARCH_POLICY is not set
> CONFIG_IMA_APPRAISE_BUILD_POLICY=y
> CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS=y
> CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y
> CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y
> # CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS is not set
> CONFIG_IMA_APPRAISE_BOOTPARAM=y
> CONFIG_IMA_APPRAISE_MODSIG=y
> CONFIG_IMA_TRUSTED_KEYRING=y
> # CONFIG_IMA_BLACKLIST_KEYRING is not set
> CONFIG_IMA_LOAD_X509=y
> CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
> CONFIG_IMA_APPRAISE_SIGNED_INIT=y
> CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
> # CONFIG_IMA_DISABLE_HTABLE is not set
> CONFIG_SECURITY=y
> CONFIG_SECURITYFS=y
>
But when I try to load my custom policy, I receive the following error:
>
> audit: type=1807 audit(1746014631.946:2): UNKNOWN=Writing res=0
> write error: Invalid argument
> audit: type=1802 audit(1746014631.946:3): pid=640 uid=0 auid=429467295 ses=4294967295 op=update_policy cause=invalid-policy comm="init" res=0 errno=0
>
I also tried creating an ima-policy with the same policy rules as the default one. And the same error appeared.
What am I doing wrong? How can I load my custom policy? How can I sign the policy? Can the policy be signed during the compile or install process on Yocto? Or during the boot process (initramfs)?
Thank you so much,
Miriam
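The loading mechanism the last message is circling around, as an added example and not the meta-integrity init script: the kernel's IMA policy node accepts either the rules themselves or an absolute pathname. With CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS enabled, streaming the rules is refused with exactly the "signed policy file (specified as an absolute pathname) required" message quoted above; the kernel wants the path so that it can read the file itself and appraise its security.ima signature (against a key on the .ima keyring) before parsing a single rule. Writing the path also works on a kernel that does not require policy signatures, so an init script can use it unconditionally. Two caveats a practitioner should weigh: a signature applied at build time only reaches the device if the image format preserves security.* xattrs, and the cpio format used for an initramfs does not carry xattrs at all; and signing at boot, as the modified script does, means shipping the private key on the device, which defeats the purpose of requiring signed policies. The IMA_POLICY_NODE variable is a hypothetical override so the functions can be exercised against a scratch file on a build host.

```shell
#!/bin/sh
# Added example (not the meta-integrity init script). Shows the two ways the
# kernel accepts input on /sys/kernel/security/ima/policy:
#   rules streamed in    -> only allowed when policy signatures are NOT required
#   an absolute pathname -> kernel reads the file itself and appraises its
#                           security.ima signature before parsing (mandatory
#                           with CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS)
# IMA_POLICY_NODE is a hypothetical override so the logic can be run against
# a scratch file; on the target the node lives in securityfs.
set -eu

IMA_POLICY_NODE="${IMA_POLICY_NODE:-/sys/kernel/security/ima/policy}"

# Hand the kernel the path. The file must be on a filesystem that kept its
# security.ima xattr and be signed by a key on the .ima keyring. A relative
# path is rejected here because the kernel would parse it as a rule instead.
ima_load_policy_path() {
    policy="$1"
    case "$policy" in
        /*) ;;
        *)  echo "ima: policy must be an absolute pathname: $policy" >&2
            return 1 ;;
    esac
    [ -f "$policy" ] || { echo "ima: missing policy file: $policy" >&2; return 1; }
    # No trailing newline: the kernel only needs the pathname string.
    printf '%s' "$policy" > "$IMA_POLICY_NODE"
}

# Stream the rules. The kernel consumes one rule per write and returns a
# short count, so cat keeps writing the rest; a rule it cannot parse fails
# with EINVAL and an audit record carrying cause=invalid-policy.
ima_load_policy_rules() {
    policy="$1"
    [ -f "$policy" ] || { echo "ima: missing policy file: $policy" >&2; return 1; }
    cat "$policy" > "$IMA_POLICY_NODE"
}

# Build-time signing with evmctl (ima-evm-utils). The resulting security.ima
# xattr only reaches the target if the image format preserves security.*
# xattrs; a cpio initramfs does not, so a policy that must be signed belongs
# on a real filesystem (e.g. ext4) that the initramfs mounts before loading it.
ima_sign_policy() {
    policy="$1"; key="$2"
    command -v evmctl >/dev/null 2>&1 || { echo "evmctl not found" >&2; return 1; }
    evmctl ima_sign --hashalgo sha256 --key "$key" "$policy"
}
```

In an initramfs-framework module the call order would be: mount the rootfs (or the partition carrying the policy), load the IMA certificate onto the .ima keyring, then ima_load_policy_path /etc/ima/ima-policy. Use ima_load_policy_rules only on kernels built without CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS, and read the audit record on failure: cause=invalid-policy points at a rule the kernel could not accept, not at the signature.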
end of thread, other threads:[~2025-04-30 15:03 UTC | newest]