* evmctl hmac fails in setxattr even in version 1.6.2
From: Lev Olshvang @ 2025-04-24 17:29 UTC
To: linux-integrity@vger.kernel.org
Hi List,
I work on an ARM64 ubuntu 22 system, with installed
ima-evm-utils 1.1-0ubuntu2
I succeeded in implementing IMA and now I want to add EVM hmac
functionality.
I booted with the kernel command line "ima=on ima_appraise=log"
Then I made the _evm keyring and added kmk and evm keys:
EVM_KR=`keyctl newring _evm @u`
keyctl add user kmk "$(dd if=/dev/urandom bs=1 count=32 2> /dev/null)" @u
keyctl add encrypted evm-key "new user:kmk 64" $EVM_KR
keyctl shows
711205770 ----s-rv 0 0 \_ keyring: _ima
1066122475 --als--v 0 0 | \_ asymmetric: mra:
adm_signing key: 9375cf2445606beba28208741540ad1897d59051
315058417 --alswrv 0 0 \_ keyring: _evm
685369470 --alswrv 0 0 | \_ encrypted: evm-key
35009219 --alswrv 0 0 \_ user: kmk
But the evmctl hmac command returns an error:
evmctl hmac /etc/init.d/netconsole
setxattr failed: /etc/init.d/netconsole
errno: Operation not permitted (1)
I cloned ima-evm-utils and compiled version 1.6.2 for x86_64, same ubuntu,
and got the same result:
sudo /usr/local/bin/evmctl -d hmac --hmackey /etc/keys/plain.txt
../IMA_EVM/DEMO
hash(sha256):
0404a6cffb233ebd759555c7070d9985961bbd1d3007e7c8d9cba5e9c5c28496c51f
Reading to /etc/keys/plain.txt
generation: 3093355876
no xattr: security.selinux
no xattr: security.SMACK64
no xattr: security.apparmor
name: security.ima, size: 34
no xattr: security.capability
uuid: 069df3798ff14641a6e0f1db2b852380
hmac: 9df5db81cf089c22c4c128070c36827d7983284f
Setting EVM hmac xattr failed: ../IMA_EVM/DEMO (errno: Operation not
permitted)
It must be something trivial, please help
BR,
Lev
* Re: evmctl hmac fails in setxattr even in version 1.6.2
From: Mimi Zohar @ 2025-04-24 20:11 UTC
To: Lev Olshvang, linux-integrity@vger.kernel.org
On Thu, 2025-04-24 at 20:29 +0300, Lev Olshvang wrote:
> Hi List,
>
> I work on an ARM64 ubuntu 22 system, with installed
> ima-evm-utils 1.1-0ubuntu2
>
>
> I succeeded in implementing IMA and now I want to add EVM hmac
> functionality.
>
> I booted with the kernel command line "ima=on ima_appraise=log"
>
> Then I made the _evm keyring and added kmk and evm keys:
> EVM_KR=`keyctl newring _evm @u`
> keyctl add user kmk "$(dd if=/dev/urandom bs=1 count=32 2> /dev/null)" @u
> keyctl add encrypted evm-key "new user:kmk 64" $EVM_KR
> keyctl shows
> 711205770 ----s-rv 0 0 \_ keyring: _ima
> 1066122475 --als--v 0 0 | \_ asymmetric: mra:
> adm_signing key: 9375cf2445606beba28208741540ad1897d59051
> 315058417 --alswrv 0 0 \_ keyring: _evm
> 685369470 --alswrv 0 0 | \_ encrypted: evm-key
> 35009219 --alswrv 0 0 \_ user: kmk
>
>
> But the evmctl hmac command returns an error:
> evmctl hmac /etc/init.d/netconsole
> setxattr failed: /etc/init.d/netconsole
> errno: Operation not permitted (1)
>
>
>
> I cloned ima-evm-utils and compiled version 1.6.2 for x86_64, same ubuntu,
> and got the same result:
> sudo /usr/local/bin/evmctl -d hmac --hmackey /etc/keys/plain.txt
> ../IMA_EVM/DEMO
> hash(sha256):
> 0404a6cffb233ebd759555c7070d9985961bbd1d3007e7c8d9cba5e9c5c28496c51f
> Reading to /etc/keys/plain.txt
> generation: 3093355876
> no xattr: security.selinux
> no xattr: security.SMACK64
> no xattr: security.apparmor
> name: security.ima, size: 34
> no xattr: security.capability
> uuid: 069df3798ff14641a6e0f1db2b852380
> hmac: 9df5db81cf089c22c4c128070c36827d7983284f
> Setting EVM hmac xattr failed: ../IMA_EVM/DEMO (errno: Operation not
> permitted)
>
>
> It must be something trivial, please help
Correct, the EVM HMAC cannot be written directly; only the EVM portable signature
can be written directly. EVM verifies the existing security.evm before allowing
it to be updated. In EVM "fix" mode the existing EVM verification status is
ignored.
To label the filesystem, boot with the "evm=fix" boot command line option; then,
after loading the EVM HMAC key (trusted key), walk the filesystem opening each file.
This will calculate and write out the EVM HMAC. Refer to the ima-evm-utils
README.
Mimi
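The labeling procedure from the reply above, written out as a script. This is an added example, not code from the thread or from ima-evm-utils. It reuses the keyctl commands and the kmk/evm-key names from Lev's message and assumes securityfs is mounted at /sys/kernel/security. It also checks for ima_appraise=fix alongside evm=fix, following the fix-mode labeling recipe in the ima-evm-utils README that the reply points to; that IMA fix mode is needed for a plain read-only open to rewrite security.ima (and, through the EVM hook, security.evm) is my reading of that README, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from ima-evm-utils: label a
# filesystem with EVM HMACs in "fix" mode, following the steps in the reply
# above. Assumptions (mine): the kmk/evm-key names and keyctl commands from
# Lev's message, securityfs mounted at /sys/kernel/security, and that IMA is
# also in fix mode (ima_appraise=fix) so that opening a file rewrites
# security.ima and, through the EVM hook, security.evm.

# Return 0 if the kernel command line in $1 contains the boot option $2.
has_boot_option() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Return 0 if the command line in $1 allows labeling: evm=fix from the reply,
# plus ima_appraise=fix (assumption, see header). Takes a string so it can be
# checked against constructed command lines; the caller passes /proc/cmdline.
fix_mode_ready() {
    has_boot_option "$1" "evm=fix" || return 1
    has_boot_option "$1" "ima_appraise=fix" || return 1
    return 0
}

# Load the EVM HMAC key with the commands from Lev's message, then activate
# EVM. The kmk is generated fresh here as in the thread; to keep the same HMAC
# key across reboots a deployment would instead reload a saved kmk (or use a
# TPM-sealed trusted key, which the reply mentions) before this step.
load_evm_key() {
    evm_kr=$(keyctl newring _evm @u)
    keyctl add user kmk "$(dd if=/dev/urandom bs=1 count=32 2>/dev/null)" @u >/dev/null
    keyctl add encrypted evm-key "new user:kmk 64" "$evm_kr" >/dev/null
    echo 1 > /sys/kernel/security/evm   # initialise EVM with the loaded HMAC key
}

# Walk one filesystem (-xdev stays on it) and open each regular file read-only;
# in fix mode the kernel computes and writes security.evm on that open.
# Prints the number of files opened so the walk can be sanity-checked.
label_tree() {
    find "$1" -xdev -type f \
        -exec sh -c 'head -c 1 "$1" >/dev/null' _ {} \; -print \
        | wc -l | tr -d ' '
}

# Run the whole procedure only when explicitly asked (needs root and the
# fix-mode boot); "sh label.sh label /" labels the root filesystem.
if [ "${1:-}" = "label" ]; then
    fix_mode_ready "$(cat /proc/cmdline)" || {
        echo "kernel was not booted with evm=fix ima_appraise=fix" >&2
        exit 1
    }
    load_evm_key
    echo "opened $(label_tree "${2:-/}") files for EVM labeling"
fi
```

The boot-option check is the part worth keeping even if the rest is adapted: the symptom in the thread (setxattr refused because EVM verifies the existing security.evm first) is exactly what you get when the walk runs on a kernel that was not booted in fix mode, so failing early on /proc/cmdline saves a full filesystem walk that labels nothing.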