On Fri, 2018-03-16 at 09:32 +0000, Martin Townsend wrote: > [Resending to new integrity mailing list] > > Hi, > > I have a system with a pre-signed UBI root filesystem image with both > IMA/EVM signatures on all files. The Root CA Cert is compiled into > the kernel and the public keys is in the rootfs. All SMACK labels > have also been applied although at this early stage there aren't many > (just a few application specific ones) so it's mainly the defaults. > This image is then flashed to the on board NAND. > > The kernel bootargs for IMA are > > "ima_audit=1 ima_template=ima-ng ima_hash=sha1 ima_tcb > ima_appraise_tcb rootflags=i_version" > > and I'm enabling SMACK by using the kernel bootarg > > "security=smack" > > now if I boot without the "security=smack" it boots fine and I can > check the IMA/EVM signatures and can see that measurements are being > taken, but if I enable SMACK using the above kernel bootarg it fails > to boot and it looks like some problem early in systemd where it > mounts the required filesystems in mount-setup.c (log provided below). > Now if I flash an image that hasn't been signed and enable SMACK it > boots fine and I can use SMACK to enforce access control. So there > seems to some interaction between the two when mounting the early > filesystems. > > Before I delve into this I would appreciate any pointers to where to > start looking, any printk's to put in SMACK/IMA/mount code to help > diagnose this would be really appreciated. > > The Kernel is 4.9 LTSI, systemd is v229 > > Apologies if I have the wrong mailing list for SMACK, I couldn't find > one on vger.kernel.org. > > > Boot log. > ... > Security Framework initialized > Smack: Initializing. > Smack: IPv6 port labeling enabled. > Mount-cache hash table entries: 1024 (order: 0, 4096 bytes) > Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes) > CPU: Testing write buffer coherency: ok > Setting up static identity map for 0x80100000 - 0x80100058 > devtmpfs: initialized > evm: security.SMACK64 > evm: security.SMACK64EXEC > evm: security.SMACK64TRANSMUTE > evm: security.SMACK64MMAP > evm: security.ima > evm: security.capability > ... > Loading compiled-in X.509 certificates > Loaded X.509 cert 'IMA-EVM Root CA: cc972d25acf7c1efaa5329a48104efa303f0833a' > ... > UBIFS (ubi0:0): FS size: 201764864 bytes (192 MiB, 1589 LEBs), journal > size 9023488 bytes (8 MiB, 72 LEBs) > UBIFS (ubi0:0): reserved for root: 0 bytes (0 KiB) > UBIFS (ubi0:0): media format: w4/r0 (latest is w4/r0), UUID > F6EA70A5-1931-4049-89CB-93B82F37F6A4, small LPT model > VFS: Mounted root (ubifs filesystem) readonly on device 0:16. > devtmpfs: mounted > integrity: Loaded X.509 cert 'IMA Certificate Authority: > e2c191a6e31fd02d6beba0c7c7847720a35fd9c6': /etc/keys/ima-x509.der > Freeing unused kernel memory: 1024K > systemd[1]: Successfully loaded Smack policies. > systemd[1]: Successfully loaded Smack/CIPSO policies. > systemd[1]: System time before build time, advancing clock. > systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory > systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory > systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/systemd: No such > file or directory > [!!!!!!] Failed to mount API filesystems, freezing. > systemd[1]: Freezing execution. [Cc'ing Sascha] Are there any additional messages in /var/log/audit/audit.log? Mimi
