Message-ID: <1456185807.4448.91.camel@linux.vnet.ibm.com>
Subject: Re: [PATCH 0/8] X.509: Software public key subtype changes
From: Mimi Zohar
To: David Howells
Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, tadeusz.struk@intel.com
Date: Mon, 22 Feb 2016 19:03:27 -0500
In-Reply-To: <1634.1456180145@warthog.procyon.org.uk>

On Mon, 2016-02-22 at 22:29 +0000, David Howells wrote:
> Mimi Zohar wrote:
>
> > > (1) - (3) These are Tadeusz's RSA akcipher conversion.
> >
> > Up to here, IMA-appraisal works properly.
>
> I don't have IMA set up anywhere.

I know.  With the "vfs: support for a common kernel file loader" patch set, setting up a simple test becomes a lot simpler.  With this patch set you can measure and appraise just the kexec image and initramfs, firmware and/or kernel modules.

Create two key pairs.  Add one to the system keyring.*  Load the other key on the IMA keyring.  (Remember it needs to be signed with the private key of a key on the system keyring.**)

To measure and appraise just the kexec initramfs, define a policy containing:

measure func=INITRAMFS_CHECK
appraise func=INITRAMFS_CHECK appraise_type=imasig

To load the IMA policy, write the policy to the securityfs IMA policy file:

cat > /sys/kernel/securityfs/ima/policy

Sign the kexec initramfs using evmctl:

evmctl ima_sign -k -a sha256 /boot/.img

Execute:

kexec -s -l /boot/ --initrd=/boot/.img --reuse-cmdline

Failures to appraise the initramfs are audit logged.  The IMA measurement list will contain the initramfs file hash.

* There are two or three methods for loading the key onto the system keyring, depending on the distro:
- builtin
- enroll in MoK db (on some distros)
- Mehmet's patch (needs to be upstreamed)

** Refer to the ima-evm-utils package README for further details on creating and signing a certificate to be loaded on the IMA keyring.

Mimi
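The last step of the procedure above is checking that the IMA measurement list really carries the hash of the initramfs you signed and passed to kexec.  The following is an added example, not code from the e-mail, from ima-evm-utils or from the kernel: it parses the ascii_runtime_measurements format (PCR, template hash, template name, then "algo:hexdigest path", with ima-sig appending the hex signature as a trailing field) and compares the recorded sha256 against the file contents.  The initramfs bytes, the template hashes and the paths in it are constructed stand-ins; the template-hash column is carried through, not recomputed.

```python
import hashlib
import re

# Constructed stand-in for the kexec initramfs bytes (assumption: the real
# file is whichever /boot/<initramfs>.img you signed and handed to kexec).
SAMPLE_INITRAMFS = b"070701" + b"constructed cpio payload\n" * 16

# One ascii_runtime_measurements line: PCR, template hash, template name,
# then the template data.  For ima-ng the data is "<algo>:<hexdigest> <path>";
# ima-sig appends the hex-encoded security.ima signature as a final field.
MEASUREMENT_RE = re.compile(
    r"^(?P<pcr>\d+)\s+(?P<template_hash>[0-9a-f]+)\s+(?P<template>\S+)\s+"
    r"(?P<algo>[a-z0-9_]+):(?P<digest>[0-9a-f]+)\s+(?P<rest>.+)$"
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents, the digest evmctl -a sha256 signs."""
    return hashlib.sha256(data).hexdigest()


def parse_measurement_list(text: str) -> list:
    """Parse ima-ng and ima-sig lines; lines in other templates are skipped."""
    entries = []
    for line in text.splitlines():
        m = MEASUREMENT_RE.match(line.strip())
        if not m or m.group("template") not in ("ima-ng", "ima-sig"):
            continue
        path, sig = m.group("rest"), None
        if m.group("template") == "ima-sig":
            # The signature is the last whitespace-separated field; it is
            # empty for unsigned files.  Paths containing spaces would need
            # the binary list instead of the ascii one.
            head, sep, tail = path.rpartition(" ")
            if sep:
                path, sig = head, tail
        entries.append({
            "pcr": int(m.group("pcr")),
            "template_hash": m.group("template_hash"),
            "template": m.group("template"),
            "algo": m.group("algo"),
            "digest": m.group("digest"),
            "path": path,
            "sig": sig,
        })
    return entries


def find_measurement(entries: list, path: str):
    """First entry measured under this path, or None if it was never measured."""
    for entry in entries:
        if entry["path"] == path:
            return entry
    return None


def initramfs_measured_as_expected(text: str, path: str, data: bytes) -> bool:
    """True only if the list has a sha256 entry for path equal to sha256(data)."""
    entry = find_measurement(parse_measurement_list(text), path)
    return (entry is not None
            and entry["algo"] == "sha256"
            and entry["digest"] == sha256_hex(data))


def build_sample_measurement_list(initramfs_digest: str) -> str:
    """Constructed list: boot_aggregate, the initramfs, and a signed module.
    Template hashes are placeholders, not recomputed from the template data."""
    return "\n".join([
        "10 " + "0" * 40 + " ima-ng sha1:" + "0" * 40 + " boot_aggregate",
        "10 " + "1" * 40 + " ima-ng sha256:" + initramfs_digest
        + " /boot/initramfs.img",
        "10 " + "2" * 40 + " ima-sig sha256:" + "ab" * 32
        + " /lib/modules/example.ko " + "0302" + "cd" * 6,
    ]) + "\n"


if __name__ == "__main__":
    digest = sha256_hex(SAMPLE_INITRAMFS)
    listing = build_sample_measurement_list(digest)
    print("initramfs measured with expected hash:",
          initramfs_measured_as_expected(listing, "/boot/initramfs.img",
                                         SAMPLE_INITRAMFS))
```

On a real system, read /sys/kernel/security/ima/ascii_runtime_measurements after the kexec load and pass the bytes of the same initramfs file you signed; a missing entry means the INITRAMFS_CHECK measure rule did not fire, and a digest mismatch means a different file was loaded than the one you signed.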