Re: IMA signature generated by evmctl has unexpected key identifier

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 5/21/19 5:30 PM, Mimi Zohar wrote:
I did some more investigation on this one and see different behavior when the IMA signing key is self-signed and signed by a another key. 


Perhaps it's something with the key.  If you haven't already used the
scripts for generating the keys in the ima-evm-utils examples/
directory, you might try that.
When the IMA signer key is self-signed x509v3 Subject Key ID and Authority Key ID are the same - please see below.
In this case, the ima-evm-utils sets the 4 byte key ID correctly in the IMA Signature set in security.ima. 
ima_verify successfully verifies the IMA signature.

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature
            X509v3 Subject Key Identifier:
36:41:D8:3B:59:04:BB:D3:4B:23:DE:45:70:43:D6:1C:15:F3:74:10

            X509v3 Authority Key Identifier:
keyid:36:41:D8:3B:59:04:BB:D3:4B:23:DE:45:70:43:D6:1C:15:F3:74:10
root@Lakshmi-ThinkStation-P520:/etc/keys# getfattr -d -e hex -m security /home/lakshmi/msftsrc/myfiles/myfile.txt 
getfattr: Removing leading '/' from absolute path names
# file: home/lakshmi/msftsrc/myfiles/myfile.txt
security.ima=0x03020415f374100080c11a06d7fc7626467d6abb08a8a573f27412fd2dcf726f40f238f226792b1787cddee1aac094e695795f6b7e07fc8749902623e78b69566b1d0c22c311f6e5b4b76a2af981eaa2cb69c326cc9566e29d5ff8ea37188bb262fa3bef991deacd58ee6350299c0f4beaf49f20ae1ac1ceac58ff593a544f14603c2e600cf116a6e5
But if the IMA signer key is signed by another key (For instance, a key in the "BuiltIn Trusted Keys"), x509v3 SKI and AKI are different. Please see below:
In this case, the ima-evm-utils sets a 4 byte key ID that does not match the last 4 bytes of SKI. 
ima_verify fails in this case.

	X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature
            X509v3 Subject Key Identifier:
85:51:2D:09:FC:12:C7:F3:8B:96:79:35:26:51:DC:B3:65:90:33:36

            X509v3 Authority Key Identifier:
keyid:87:DC:69:C9:EC:ED:27:10:0C:8C:CA:1B:A9:DE:51:1C:6D:00:5D:E5
root@Lakshmi-ThinkStation-P520:/etc/keys# getfattr -d -e hex -m security /home/lakshmi/msftsrc/myfiles/myfile.txt 
getfattr: Removing leading '/' from absolute path names
# file: home/lakshmi/msftsrc/myfiles/myfile.txt
security.ima=0x030204b8847de90080a3e5d6e72fd7fa2f247f68ae675fa56f5b81f9274cb42c597b4c5507da3bfeba5c8636ea23857bcf1730a37fa871c7f592c254e0dd701b8b062f12cbc0db78f21495d5a7728c218b741c675053e998528cc0c8d12bef0e0671a28e64a7d933d36d76c1ec2633a07334b3480c7c0c4031d9c037a77085852f15a3669f2fdc3c7e

Is this expected?
In my setup, IMA signing key will be signed by a key in the "BuiltIn Trusted Keys". 

Thanks,
 -lakshmi
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux