Hey Mimi,

Thanks again for the quick response!

> Both dracut and systemd have examples for loading keys on the IMA keyring.
>
> - https://git.kernel.org/pub/scm/boot/dracut/dracut.git/tree/modules.d/98integrity/ima-keys-load.sh
>
> - https://github.com/systemd/systemd/blob/master/src/core/ima-setup.c

Yeah, I read those, and I don't see any of them doing anything I'm not already doing.

The basics of how I'm loading the key are:

```
IMA_KEYRING_NAME="_ima"
IMA_KEY_PERMS="0x0b0b0b0b"
IMA_KEYRING_ID=$(keyctl newring ${IMA_KEYRING_NAME} @us)
IMA_KEY_ID=$(keyctl padd asymmetric 'Local IMA Key' ${IMA_KEYRING_ID} < ${IMA_DIR}/cert_evm.der)
keyctl link ${IMA_KEYRING_ID} @u
keyctl setperm ${IMA_KEY_ID} ${IMA_KEY_PERMS}
keyctl setperm ${IMA_KEYRING_ID} ${IMA_KEY_PERMS}
```

Can you see what's going wrong here? I also can't seem to read the DER from the asymmetric key, maybe that's related? I understand evmctl can do some of this, but I need to understand the internals here. Is it because I'm linking the keyring in after I build it?

> Also, you might be interested in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850339

Yeah, that's interesting. I'd be interested in sponsoring (after I generate a new OpenPGP key :) ) such work if you have a Debian source package prepared.

> Mimi
>

Paul

--
:wq