On Fri, 2018-03-16 at 14:34 +0000, Martin Townsend wrote: > Hi Mimi, > > On Fri, Mar 16, 2018 at 1:25 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote: > > On Fri, 2018-03-16 at 09:32 +0000, Martin Townsend wrote: > >> [Resending to new integrity mailing list] > >> > >> Hi, > >> > >> I have a system with a pre-signed UBI root filesystem image with both > >> IMA/EVM signatures on all files. The Root CA Cert is compiled into > >> the kernel and the public keys is in the rootfs. All SMACK labels > >> have also been applied although at this early stage there aren't many > >> (just a few application specific ones) so it's mainly the defaults. > >> This image is then flashed to the on board NAND. > >> > >> The kernel bootargs for IMA are > >> > >> "ima_audit=1 ima_template=ima-ng ima_hash=sha1 ima_tcb > >> ima_appraise_tcb rootflags=i_version" > >> > >> and I'm enabling SMACK by using the kernel bootarg > >> > >> "security=smack" > >> > >> now if I boot without the "security=smack" it boots fine and I can > >> check the IMA/EVM signatures and can see that measurements are being > >> taken, but if I enable SMACK using the above kernel bootarg it fails > >> to boot and it looks like some problem early in systemd where it > >> mounts the required filesystems in mount-setup.c (log provided below). > >> Now if I flash an image that hasn't been signed and enable SMACK it > >> boots fine and I can use SMACK to enforce access control. So there > >> seems to some interaction between the two when mounting the early > >> filesystems. > >> > >> Before I delve into this I would appreciate any pointers to where to > >> start looking, any printk's to put in SMACK/IMA/mount code to help > >> diagnose this would be really appreciated. > >> > >> The Kernel is 4.9 LTSI, systemd is v229 > >> > >> Apologies if I have the wrong mailing list for SMACK, I couldn't find > >> one on vger.kernel.org. > >> > >> > >> Boot log. > >> ... > >> Security Framework initialized > >> Smack: Initializing. > >> Smack: IPv6 port labeling enabled. > >> Mount-cache hash table entries: 1024 (order: 0, 4096 bytes) > >> Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes) > >> CPU: Testing write buffer coherency: ok > >> Setting up static identity map for 0x80100000 - 0x80100058 > >> devtmpfs: initialized > >> evm: security.SMACK64 > >> evm: security.SMACK64EXEC > >> evm: security.SMACK64TRANSMUTE > >> evm: security.SMACK64MMAP > >> evm: security.ima > >> evm: security.capability > >> ... > >> Loading compiled-in X.509 certificates > >> Loaded X.509 cert 'IMA-EVM Root CA: cc972d25acf7c1efaa5329a48104efa303f0833a' > >> ... > >> UBIFS (ubi0:0): FS size: 201764864 bytes (192 MiB, 1589 LEBs), journal > >> size 9023488 bytes (8 MiB, 72 LEBs) > >> UBIFS (ubi0:0): reserved for root: 0 bytes (0 KiB) > >> UBIFS (ubi0:0): media format: w4/r0 (latest is w4/r0), UUID > >> F6EA70A5-1931-4049-89CB-93B82F37F6A4, small LPT model > >> VFS: Mounted root (ubifs filesystem) readonly on device 0:16. > >> devtmpfs: mounted > >> integrity: Loaded X.509 cert 'IMA Certificate Authority: > >> e2c191a6e31fd02d6beba0c7c7847720a35fd9c6': /etc/keys/ima-x509.der > >> Freeing unused kernel memory: 1024K > >> systemd[1]: Successfully loaded Smack policies. > >> systemd[1]: Successfully loaded Smack/CIPSO policies. > >> systemd[1]: System time before build time, advancing clock. > >> systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory > >> systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory > >> systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/systemd: No such > >> file or directory > >> [!!!!!!] Failed to mount API filesystems, freezing. > >> systemd[1]: Freezing execution. > > > > [Cc'ing Sascha] > > > > Are there any additional messages in /var/log/audit/audit.log? > > > > Mimi > > > > Sadly I can't see this file, I don't even think the relevant > filesystems have been mounted as this point. I tried the emergency > shell but no joy. Is there a way of patching the kernel to show audit > messages to the console? If you point me at the relevant code I'll > hack something in. I'm currently putting printk's everywhere I can > think of to see what's going on. If you can think of anywhere in the > IMA that would be good to see a debug print let me know, currently I > have something in process_measurements and a few other places in > ima_main.c. I would think the audit messages would go to the console. With dracut, I use a couple of boot command line options for debugging (eg. rd.debug rd.break=pre-mount, rd.shell). Mimi
