On Mon, 2018-04-09 at 09:41 +0100, Martin Townsend wrote:
> Hi,
>
> I'm trying to get to the bottom of an issue I'm seeing when enabling
> the CAAM in the kernel with IMA/EVM enabled. I'm using the official
> NXP (imx_4.9.11_1.0.0_ga) vendor Kernel.
>
> Here's the error message I'm getting.
>
> caam_jr 2142000.jr1: 40000789: DECO: desc idx 7: Protocol Size Error -
> A protocol has seen an error in size. When running RSA, pdb size N <
> (size of F) when no formatting is used; or pdb size N < (F + 11) when
> formatting is used.
> integrity: Problem loading X.509 certificate (-129): /etc/keys/ima-x509.der
This error message indicates that the kernel is trying to load a key
onto the IMA keyring, but any key added to the trusted IMA keyring
(.ima) must be signed by a key on the builtin (or secondary) keyring.
Please verify that the public key used to sign the ima-x509.der is on
the builtin keyring (eg. "keyctl show %keyring:.builtin_trusted_keys)
or the secondary keyring. Depending on how the kernel was configured,
loading the public CA onto the builtin (or secondary) keyring might be
possible.
Some distros are carrying patches which load the UEFI keys onto the
secondary keyring. The other (preferred) method would be to insert
the CA certificate into the kernel and resign the kernel. This
requires reserving memory for the key when the kernel is built.
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
Mimi
> I put a dump_stack in the error handling routine in CAAM and in the
> caam_jr_enqueue to get (I removed some of the caam_jr_enqueue
> dump_stacks during initialisation to highlight the one of interest)
>
> caam 2140000.caam: ERA source: CCBVID.
> caam 2140000.caam: Entropy delay = 3200
> caam 2140000.caam: Instantiated RNG4 SH0
> caam 2140000.caam: Instantiated RNG4 SH1
> caam 2140000.caam: device ID = 0x0a16030000000000 (Era 8)
> caam 2140000.caam: job rings = 3, qi = 0
> caam algorithms registered in /proc/crypto
> caam_jr_enqueue
> CPU: 0 PID: 1 Comm: swapper Not tainted 4.9.11-1.0.0+gc27010d #4
> Hardware name: Freescale i.MX6 UltraLite (Device Tree)
> caam_jr_enqueue
> CPU: 0 PID: 1 Comm: swapper Not tainted 4.9.11-1.0.0+gc27010d #4
> Hardware name: Freescale i.MX6 UltraLite (Device Tree)
> caam_jr 2141000.jr0: registering rng-caam
> caam 2140000.caam: caam pkc algorithms registered in /proc/crypto
> caam_jr_enqueue
> CPU: 0 PID: 1 Comm: swapper Not tainted 4.9.11-1.0.0+gc27010d #4
> Hardware name: Freescale i.MX6 UltraLite (Device Tree)
> caam_rsa_set_pub_key
> caam_rsa_max_size
> caam_rsa_enc
> caam_jr_enqueue
> CPU: 0 PID: 1 Comm: swapper Not tainted 4.9.11-1.0.0+gc27010d #4
> Hardware name: Freescale i.MX6 UltraLite (Device Tree)
> [<8010dd8c>] (unwind_backtrace) from [<8010b8cc>] (show_stack+0x10/0x14)
> [<8010b8cc>] (show_stack) from [<80608f74>] (caam_jr_enqueue+0x3c/0x2bc)
> [<80608f74>] (caam_jr_enqueue) from [<8061fb84>] (caam_rsa_enc+0x210/0x3ac)
> [<8061fb84>] (caam_rsa_enc) from [<803ed910>] (pkcs1pad_verify+0xa8/0xe4)
> [<803ed910>] (pkcs1pad_verify) from [<804134e4>]
> (public_key_verify_signature+0x17c/0x248)
> [<804134e4>] (public_key_verify_signature) from [<804132a0>]
> (restrict_link_by_signature+0xa8/0xd4)
> [<804132a0>] (restrict_link_by_signature) from [<803cadd4>]
> (key_create_or_update+0x12c/0x370)
> [<803cadd4>] (key_create_or_update) from [<80c253a0>]
> (integrity_load_x509+0x70/0xc4)
> [<80c253a0>] (integrity_load_x509) from [<80c256bc>] (ima_load_x509+0x28/0x3c)
> [<80c256bc>] (ima_load_x509) from [<80c2510c>] (integrity_load_keys+0x8/0x10)
> [<80c2510c>] (integrity_load_keys) from [<80c00de0>]
> (kernel_init_freeable+0x1bc/0x1cc)
> [<80c00de0>] (kernel_init_freeable) from [<80844ccc>] (kernel_init+0x8/0x114)
> [<80844ccc>] (kernel_init) from [<801078d8>] (ret_from_fork+0x14/0x3c)
> CPU: 0 PID: 112 Comm: irq/214-2142000 Not tainted 4.9.11-1.0.0+gc27010d #4
> Hardware name: Freescale i.MX6 UltraLite (Device Tree)
> [<8010dd8c>] (unwind_backtrace) from [<8010b8cc>] (show_stack+0x10/0x14)
> [<8010b8cc>] (show_stack) from [<8060a0e8>] (report_deco_status+0x30/0xf8)
> [<8060a0e8>] (report_deco_status) from [<8061f3c8>] (rsa_pub_done+0x20/0x60)
> [<8061f3c8>] (rsa_pub_done) from [<80608d94>] (caam_jr_threadirq+0x1dc/0x29c)
> [<80608d94>] (caam_jr_threadirq) from [<80165dcc>] (irq_thread_fn+0x1c/0x54)
> [<80165dcc>] (irq_thread_fn) from [<80166024>] (irq_thread+0x114/0x1d4)
> [<80166024>] (irq_thread) from [<801415b4>] (kthread+0xe4/0xec)
> [<801415b4>] (kthread) from [<801078d8>] (ret_from_fork+0x14/0x3c)
> caam_jr 2142000.jr1: 40000789: DECO: desc idx 7: Protocol Size Error -
> A protocol has seen an error in size. When running RSA, pdb size N <
> (size of F) when no formatting is used; or pdb size N < (F + 11) when
> formatting is used.
> integrity: Problem loading X.509 certificate (-129): /etc/keys/ima-x509.der
> [<8010dd8c>] (unwind_backtrace) from [<8010b8cc>] (show_stack+0x10/0x14)
> [<8010b8cc>] (show_stack) from [<8060a0d0>] (report_deco_status+0x30/0xf8)
> [<8060a0d0>] (report_deco_status) from [<8061db94>] (rsa_pub_done+0x20/0x60)
> [<8061db94>] (rsa_pub_done) from [<80608d94>] (caam_jr_threadirq+0x1dc/0x29c)
> [<80608d94>] (caam_jr_threadirq) from [<80165dcc>] (irq_thread_fn+0x1c/0x54)
> [<80165dcc>] (irq_thread_fn) from [<80166024>] (irq_thread+0x114/0x1d4)
> [<80166024>] (irq_thread) from [<801415b4>] (kthread+0xe4/0xec)
> [<801415b4>] (kthread) from [<801078d8>] (ret_from_fork+0x14/0x3c)
>
> So it's failing to verify the signature on my x509 certificate because
> pdb size M < (size of F) ...
>
> On the NXP mailing lists there is someone with a similar issue and the
> response was
> “The error appears to be saying that the public RSA modulus is shorter
> than the signature being verified.
>
> RSA uses modular arithmetic, and all valid values are smaller than the
> public RSA modulus. However, the signature (F in the error message
> below), is too large.
>
> The customer should try to determine why their public RSA Modulus (N)
> is shorter than the signature (F).”
>
> I have to admit I'm not really sure what this means, I've created my
> certificate using openssl and a configuration file (shown below) that
> set the keysize to 2048 bits so I'm not sure how the signature in the
> x509 is greater than the RSA modulus which in my limited understanding
> is the key size in bits.
>
> I added the following to public_key_verify_signature()
>
> printk("%s: Public Key: Keylen: %u\n", __func__, pkey->keylen);
> printk("%s: Signature: %u\n", __func__, sig->s_size);
>
> and get
>
> public_key_verify_signature: Public Key: Keylen: 270
> public_key_verify_signature: Signature: 257
>
> I'm assuming they are both in bytes which kind of suggests the key
> length is larger than the signature but then again this keylen may
> include other information. I'm a bit suspicious of the signature
> length of 257 maybe this is causing the problem which could point to
> creating the certificate incorrectly?? Here's the configuration I'm
> using for the root cert:
> [ ca ]
> default_ca = CA_default
>
> [ CA_default ]
> dir = ./ca
>
> certs = $dir/certsdb #
> Where the issued certs are kept
> new_certs_dir = $certs #
> default place for new certs.
> database = $dir/certdbindex.txt #
> database index file.
> certificate = $dir/certs/ima-local-ca.x509 # The
> CA certificate
> private_key = $dir/private/ca-privkey.pem # The
> private key
> default_days = 3650
> default_md = sha256
> preserve = no
> email_in_dn = no
> nameopt = default_ca
> certopt = default_ca
> policy = policy_ima_ca
>
> [ policy_ima_ca ]
> countryName = match # Must be
> the same as the CA
> stateOrProvinceName = match # Must be
> the same as the CA
> organizationName = supplied
> organizationalUnitName = optional
> commonName = supplied # Must be there
> emailAddress = optional
>
> [ req ]
> default_bits = 2048 # Size of keys
> default_keyfile = privkey.pem # name of
> generated keys
> string_mask = utf8only # permitted characters
> distinguished_name = req_distinguished_name # where to
> get DN for reqs
> prompt = no # No prompting
> x509_extensions = v3_ca # The
> extentions to add to self signed certs
> req_extensions = v3_req # The
> extensions to add to req's
>
> [ req_distinguished_name ]
> O = xxx
> OU = IMA
> CN = xxx IMA-EVM Root CA
> emailAddress = ca-ima-evm@xxxxxxx
> L = xxx
> ST = Dorset
> C = xxx
>
> [ v3_ca ]
> basicConstraints = CA:TRUE
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer:always
> subjectAltName = email:move
>
> [ v3_req ]
> subjectAltName=email:move
>
>
> Then the openssl (1.0.2n 7 Dec 2017) command to create the self
> signed root CA certificate.
>
> openssl req -new -x509 -utf8 -sha256 \
> -days $((365 * $duration)) \
> -passout file:$rootcadir/private/key_pass.txt \
> -keyout $rootca_privkey \
> -outform DER \
> -out $rootca_pubcert_der \
> -config $rootcadir/$ima_root_openssl_cnf
>
> I'm not sure what I can do further to debug this so any help or
> suggestions would be really appreciated. If there is any further
> debug that would help let me know and I'll try it out.
>
> Many Thanks,
> Martin.
>
