On 5/21/19 5:30 PM, Mimi Zohar wrote:
I did some more investigation on this one and see different behavior
when the IMA signing key is self-signed and signed by a another key.
Perhaps it's something with the key. If you haven't already used the
scripts for generating the keys in the ima-evm-utils examples/
directory, you might try that.
When the IMA signer key is self-signed x509v3 Subject Key ID and
Authority Key ID are the same - please see below.
In this case, the ima-evm-utils sets the 4 byte key ID correctly in the
IMA Signature set in security.ima.
ima_verify successfully verifies the IMA signature.
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
36:41:D8:3B:59:04:BB:D3:4B:23:DE:45:70:43:D6:1C:15:F3:74:10
X509v3 Authority Key Identifier:
keyid:36:41:D8:3B:59:04:BB:D3:4B:23:DE:45:70:43:D6:1C:15:F3:74:10
root@Lakshmi-ThinkStation-P520:/etc/keys# getfattr -d -e hex -m security
/home/lakshmi/msftsrc/myfiles/myfile.txt
getfattr: Removing leading '/' from absolute path names
# file: home/lakshmi/msftsrc/myfiles/myfile.txt
security.ima=0x03020415f374100080c11a06d7fc7626467d6abb08a8a573f27412fd2dcf726f40f238f226792b1787cddee1aac094e695795f6b7e07fc8749902623e78b69566b1d0c22c311f6e5b4b76a2af981eaa2cb69c326cc9566e29d5ff8ea37188bb262fa3bef991deacd58ee6350299c0f4beaf49f20ae1ac1ceac58ff593a544f14603c2e600cf116a6e5
But if the IMA signer key is signed by another key (For instance, a key
in the "BuiltIn Trusted Keys"), x509v3 SKI and AKI are different. Please
see below:
In this case, the ima-evm-utils sets a 4 byte key ID that does not match
the last 4 bytes of SKI.
ima_verify fails in this case.
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
85:51:2D:09:FC:12:C7:F3:8B:96:79:35:26:51:DC:B3:65:90:33:36
X509v3 Authority Key Identifier:
keyid:87:DC:69:C9:EC:ED:27:10:0C:8C:CA:1B:A9:DE:51:1C:6D:00:5D:E5
root@Lakshmi-ThinkStation-P520:/etc/keys# getfattr -d -e hex -m security
/home/lakshmi/msftsrc/myfiles/myfile.txt
getfattr: Removing leading '/' from absolute path names
# file: home/lakshmi/msftsrc/myfiles/myfile.txt
security.ima=0x030204b8847de90080a3e5d6e72fd7fa2f247f68ae675fa56f5b81f9274cb42c597b4c5507da3bfeba5c8636ea23857bcf1730a37fa871c7f592c254e0dd701b8b062f12cbc0db78f21495d5a7728c218b741c675053e998528cc0c8d12bef0e0671a28e64a7d933d36d76c1ec2633a07334b3480c7c0c4031d9c037a77085852f15a3669f2fdc3c7e
Is this expected?
In my setup, IMA signing key will be signed by a key in the "BuiltIn
Trusted Keys".
Thanks,
-lakshmi