From: Mimi Zohar <zohar@linux.ibm.com>
To: Lev Olshvang <levonshe@yandex.com>,
	"linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>
Subject: Re: evmctl hmac fails in setxattr even in version 1.6.2
Date: Thu, 24 Apr 2025 16:11:34 -0400	[thread overview]
Message-ID: <fb35292f38d75d4a9f3360e17c7176cf2d1a6484.camel@linux.ibm.com> (raw)
In-Reply-To: <5ac2d162-a9f2-44db-a2be-c69602d14b17@yandex.com>

On Thu, 2025-04-24 at 20:29 +0300, Lev Olshvang wrote:
> Hi List,
> 
> I work on an ARM64 Ubuntu 22 system, with installed
> ima-evm-utils   1.1-0ubuntu2
> 
> 
> I succeeded in implementing IMA and now I want to add EVM hmac
> functionality.
> 
> I booted kernel command line   "ima=on ima_appraise=log"
> 
> Then I made _evm keyring and added kmk and evm keys:
> EVM_KR=`keyctl newring _evm @u`
> keyctl add user kmk "$(dd if=/dev/urandom bs=1 count=32 2> /dev/null)" @u
> keyctl add encrypted evm-key "new user:kmk 64" $EVM_KR
> keyctl shows
>   711205770 ----s-rv      0     0       \_ keyring: _ima
> 1066122475 --als--v      0     0       |   \_ asymmetric: mra: 
> adm_signing key: 9375cf2445606beba28208741540ad1897d59051
>   315058417 --alswrv      0     0       \_ keyring: _evm
>   685369470 --alswrv      0     0       |   \_ encrypted: evm-key
>    35009219 --alswrv      0     0       \_ user: kmk
> 
> 
> But evmctl hmac command returns error:
> evmctl hmac /etc/init.d/netconsole
> setxattr failed: /etc/init.d/netconsole
> errno: Operation not permitted (1)
> 
> 
> 
> I cloned ima-evmctl and compiled version 1.6.2 for x86_64, same Ubuntu,
> I got the same result
> sudo /usr/local/bin/evmctl -d hmac --hmackey /etc/keys/plain.txt 
> ../IMA_EVM/DEMO
> hash(sha256): 
> 0404a6cffb233ebd759555c7070d9985961bbd1d3007e7c8d9cba5e9c5c28496c51f
> Reading to /etc/keys/plain.txt
> generation: 3093355876
> no xattr: security.selinux
> no xattr: security.SMACK64
> no xattr: security.apparmor
> name: security.ima, size: 34
> no xattr: security.capability
> uuid: 069df3798ff14641a6e0f1db2b852380
> hmac: 9df5db81cf089c22c4c128070c36827d7983284f
> Setting EVM hmac xattr failed: ../IMA_EVM/DEMO  (errno: Operation not 
> permitted)
> 
> 
> It must be something trivial, please help

Correct, the EVM HMAC cannot be written directly, only the EVM portable signature
can be written directly.  EVM verifies the existing security.evm before allowing
it to be updated.  In EVM "fix" mode the existing EVM verification status is
ignored.

To label the filesystem, boot with the "evm=fix" boot command line option, after
loading the EVM HMAC key (trusted key), walk the filesystem opening each file. 
This will calculate and write out the EVM HMAC.  Refer to the ima-evm-utils
README.

Mimi
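
The labelling walk described above, as an added shell example (not code from the thread or from ima-evm-utils): it assumes the kernel was booted with evm=fix and the EVM HMAC key loaded as the reply and the README describe; the function names and the getfattr check afterwards are my additions.

```shell
#!/bin/sh
# Added example: label one filesystem with EVM HMACs by opening every regular
# file while the kernel runs in EVM "fix" mode. Nothing here writes
# security.evm itself; the kernel does that when the file is opened.

# Return 0 when the kernel command line contains evm=fix.
# $1 overrides the command line (useful for testing); default is /proc/cmdline.
evm_fix_mode_enabled() {
    cmdline="${1:-$(cat /proc/cmdline)}"
    case " $cmdline " in
        *" evm=fix "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Open every regular file below $1 (staying on that one filesystem, -xdev)
# for reading, which is enough to trigger the HMAC calculation in fix mode.
# Prints the number of files that were opened.
evm_label_tree() {
    root="$1"
    # ':' is the null command; the redirection alone opens and closes the file.
    find "$root" -xdev -type f -exec sh -c 'for f; do : < "$f"; done' _ {} +
    find "$root" -xdev -type f -print | wc -l | tr -d ' '
}

# After the walk: print files below $1 that still carry no security.evm xattr
# (needs getfattr from the attr package; reading security.* needs no root).
evm_unlabeled_files() {
    find "$1" -xdev -type f -print | while IFS= read -r f; do
        getfattr -n security.evm "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
}

# Usage (as root, on the booted evm=fix system): refuse to walk unless fix
# mode is really active, because outside fix mode the writes are rejected
# with EPERM exactly as shown in the thread.
if [ "${1:-}" = "--run" ]; then
    evm_fix_mode_enabled || { echo "kernel not booted with evm=fix" >&2; exit 1; }
    echo "opened $(evm_label_tree "${2:-/}") files"
    evm_unlabeled_files "${2:-/}"
fi
```

Run it as `sh label-evm.sh --run /` (the script name is assumed); any path the second function still lists was not labelled and needs investigating before leaving fix mode.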
