Re: evmctl import -EPERM in initrd (dracut), but works after system boot

13.01.2021 17:09, Mikhail Novosyolov wrote:
> It is -EACCES, not -EPERM
>
> From strace inside initrd:
>
> 575   write(2, "Importing public key 5ac982c4 fr"..., 98) = 98
> 575   add_key("asymmetric", NULL, "0\202\2\2040\202\1\356\240\3\2\1\2\2\t\0\242\5\2726G\242\331\3220\f\6\10*\205\3\7"..., 648, 131199347) = -1 EACCES (Permission denied)
> 575   write(2, "add_key failed\n", 15)  = 15
> 575   write(2, "errno: Permission denied (13)\n", 30) = 30
>
> 13.01.2021 15:18, Mikhail Novosyolov wrote:
>> Hello
>>
>> I am trying to make IMA work properly and have faced a strange issue which I cannot explain.
>>
>> What I want to do is load IMA policy from /etc/sysconfig/ima-policy in initrd (it is loaded OK) and then load a self-created public key. I created a pair of keys (using LibreSSL, patch for ima-evm-utils is ready, but I need to make everything work), and I configured the kernel to make it possible to load my own key which does not have to be signed with an in-kernel key. EVM is not configured, only IMA.
>>
>> dracut's integrity module [1] tries to load the public key inside initrd, but receives -EPERM:

I have found a workaround:

add "KeyringMode=shared" to /usr/lib/dracut/modules.d/98dracut-systemd/dracut-pre-pivot.service

https://github.com/systemd/systemd/issues/5522 is what made me come to this workaround.

But for now I do not fully understand why this helped and how to solve this problem properly.

Seems that nobody uses dracut+integrity module+_ima keyring (not .ima)...

I've created a bug report in dracut to track this problem: https://github.com/dracutdevs/dracut/issues/1007

>>
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: /lib/dracut-lib.sh@431(source_all): . //lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@3(source): SECURITYFSDIR=/sys/kernel/security
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@4(source): IMASECDIR=/sys/kernel/security/ima
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@5(source): IMACONFIG=/sysroot/etc/sysconfig/ima
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@43(source): '[' '!' -e /sys/kernel/security/ima ']'
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[565]: ////lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@51(source): keyctl describe %keyring:.ima
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[565]: Can't find 'keyring:.ima'
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@51(source): line=
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@52(source): '[' 1 -eq 0 ']'
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[566]: ////lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@55(source): keyctl search @u keyring _ima
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[566]: keyctl_search: Required key not available
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@55(source): _ima_id=
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@56(source): '[' -z '' ']'
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[567]: ////lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@57(source): keyctl newring _ima @u
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@57(source): _ima_id=541363765
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@62(source): load_x509_keys 541363765
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@9(load_x509_keys): KEYRING_ID=541363765
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@12(load_x509_keys): '[' -f /sysroot/etc/sysconfig/ima ']'
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@16(load_x509_keys): '[' -z '' ']'
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@17(load_x509_keys): IMAKEYSDIR=/etc/keys/ima
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[568]: ////lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@20(load_x509_keys): ls /sysroot/etc/keys/ima/x509_evm.der
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@20(load_x509_keys): PUBKEY_LIST=/sysroot/etc/keys/ima/x509_evm.der
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@21(load_x509_keys): for PUBKEY in ${PUBKEY_LIST}
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[554]: ///lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@23(load_x509_keys): '[' '!' -f /sysroot/etc/keys/ima/x509_evm.der ']'
>>> янв 13 14:06:36 rosa2019.1 dracut-pre-pivot[569]: ////lib/dracut/hooks/pre-pivot/61-ima-keys-load.sh@30(load_x509_keys): evmctl import /sysroot/etc/keys/ima/x509_evm.der 541363765
>>> янв 13 14:06:38 rosa2019.1 kernel: random: crng init done
>>> янв 13 14:06:38 rosa2019.1 kernel: random: 7 urandom warning(s) missed due to ratelimiting
>>> янв 13 14:06:38 rosa2019.1 dracut-pre-pivot[569]: Reading to /sysroot/etc/keys/ima/x509_evm.der
>>> янв 13 14:06:38 rosa2019.1 dracut-pre-pivot[569]: Importing public key 5ac982c4 from file /sysroot/etc/keys/ima/x509_evm.der into keyring 541363765
>>> янв 13 14:06:38 rosa2019.1 dracut-pre-pivot[569]: add_key failed
>>> янв 13 14:06:38 rosa2019.1 dracut-pre-pivot[569]: errno: Permission denied (13)
>> So, evmctl import /sysroot/etc/keys/ima/x509_evm.der 541363765 got -EPERM from the kernel.
>>
>> Now I do exactly the same in already booted system... and it works, no -EPERM!
>>
>> [root@rosa2019 ima-certs]# evmctl import /etc/keys/ima/x509_evm.der 541363765
>> Reading to /etc/keys/ima/x509_evm.der
>> Importing public key 5ac982c4 from file /etc/keys/ima/x509_evm.der into keyring 541363765
>> keyid: 483258747
>> 483258747
>>
>> [root@rosa2019 ima-certs]# cat /proc/keys | grep ima
>> 20448e35 I--Q---     2 perm 3f010000     0     0 keyring   _ima: 1
>>
>> Here are related kernel config parts:
>>
>>> [root@rosa2019 ima-certs]# cat /boot/config-5.10.4-generic-5rosa2019.1-x86_64 | grep -E '_IMA|INTEGRITY'
>>> CONFIG_BLK_DEV_INTEGRITY=y
>>> CONFIG_BLK_DEV_INTEGRITY_T10=y
>>> CONFIG_DM_INTEGRITY=m
>>> CONFIG_FB_CFB_IMAGEBLIT=y
>>> CONFIG_FB_SYS_IMAGEBLIT=m
>>> # CONFIG_BTRFS_FS_CHECK_INTEGRITY is not set
>>> CONFIG_INTEGRITY=y
>>> CONFIG_INTEGRITY_SIGNATURE=y
>>> CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
>>> # CONFIG_INTEGRITY_TRUSTED_KEYRING is not set
>>> CONFIG_INTEGRITY_PLATFORM_KEYRING=y
>>> CONFIG_INTEGRITY_AUDIT=y
>>> CONFIG_IMA=y
>>> CONFIG_IMA_MEASURE_PCR_IDX=10
>>> CONFIG_IMA_LSM_RULES=y
>>> # CONFIG_IMA_TEMPLATE is not set
>>> CONFIG_IMA_NG_TEMPLATE=y
>>> # CONFIG_IMA_SIG_TEMPLATE is not set
>>> CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
>>> CONFIG_IMA_DEFAULT_HASH_SHA1=y
>>> # CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
>>> # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
>>> CONFIG_IMA_DEFAULT_HASH="sha1"
>>> # CONFIG_IMA_WRITE_POLICY is not set
>>> CONFIG_IMA_READ_POLICY=y
>>> CONFIG_IMA_APPRAISE=y
>>> # CONFIG_IMA_ARCH_POLICY is not set
>>> # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
>>> CONFIG_IMA_APPRAISE_BOOTPARAM=y
>>> CONFIG_IMA_APPRAISE_MODSIG=y
>>> # CONFIG_IMA_TRUSTED_KEYRING is not set
>>> # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
>>> CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
>>> CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
>>> # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
>>> [root@rosa2019 ima-certs]# cat /proc/cmdline
>>> BOOT_IMAGE=/@rosa201910/boot/vmlinuz-5.10.4-generic-5rosa2019.1-x86_64 root=UUID=745b0c43-6a82-4bce-9821-7f5dd88a9246 ro rootflags=subvol=@rosa201910 ima_appraise=log rd.shell rd.debug resume=UUID=59b4ab95-b679-4c7c-8272-253715edc865
>>> [root@rosa2019 ima-certs]# 
>> I have no idea how this may happen. Kernel keyring _ima was created by dracut, then evmctl from initrd got -EPERM, but then evmctl worked OK with exactly the same keyring from the booted system. Could someone please help track the issue?
>>
>> # evmctl --version
>> evmctl 1.3.2
>>
>> Thanks!
>>
>> [1] https://github.com/dracutdevs/dracut/tree/master/modules.d/98integrity
>>
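Added example, not code from the thread, dracut or ima-evm-utils: a small POSIX shell decoder for the perm column of /proc/keys (the 3f010000 shown for the _ima keyring above) together with a check that mirrors how the kernel combines the permission bytes. The kernel takes the user byte when the caller's UID matches the key owner (otherwise the other byte) and ORs in the possessor byte only when the key is reachable from the caller's thread, process or session keyrings. For 3f010000 the user byte grants view only, so a root process that does not possess the keyring gets EACCES from add_key, while a root process that does possess it can add keys. systemd's KeyringMode=private gives a service a fresh session keyring with no user keyring linked into it, and KeyringMode=shared links the user keyring in; that possessed/not-possessed difference is what the check below exercises. The function names and the yes/no arguments are this example's own; the sample /proc/keys line is copied from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread, dracut or ima-evm-utils): decode the
# "perm" column of /proc/keys and reproduce the kernel's permission combination.
# Each byte of the perm word covers one subject class, most significant first:
# possessor, user, group, other. Bit meanings (keyrings(7)):
#   0x01 view  0x02 read  0x04 write  0x08 search  0x10 link  0x20 setattr

# perm_bits_names <byte as decimal>: comma-separated bit names, or "none".
perm_bits_names() {
    bits=$1
    out=""
    [ $((bits & 1))  -ne 0 ] && out="${out}view,"
    [ $((bits & 2))  -ne 0 ] && out="${out}read,"
    [ $((bits & 4))  -ne 0 ] && out="${out}write,"
    [ $((bits & 8))  -ne 0 ] && out="${out}search,"
    [ $((bits & 16)) -ne 0 ] && out="${out}link,"
    [ $((bits & 32)) -ne 0 ] && out="${out}setattr,"
    if [ -n "$out" ]; then printf '%s\n' "${out%,}"; else printf 'none\n'; fi
}

# perm_class <perm hex word> <possessor|user|group|other>: bit names for that class.
perm_class() {
    word=$((0x$1))
    case $2 in
        possessor) off=24 ;;
        user)      off=16 ;;
        group)     off=8 ;;
        other)     off=0 ;;
        *) printf 'unknown class: %s\n' "$2" >&2; return 1 ;;
    esac
    perm_bits_names $(( (word >> off) & 255 ))
}

# decode_key_perm <perm hex word>: one "class: names" line per subject class.
decode_key_perm() {
    for c in possessor user group other; do
        printf '%s: %s\n' "$c" "$(perm_class "$1" "$c")"
    done
}

# proc_keys_perm <one line of /proc/keys>: the hex word that follows "perm".
proc_keys_perm() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "perm") { print $(i + 1); exit } }'
}

# can_write <perm hex word> <possessed yes|no> <same uid yes|no>: prints "yes" if
# a caller in that position holds the write bit that add_key(2) needs. The user
# byte applies when the UIDs match, otherwise the other byte; the possessor byte
# is added only when the key is reachable from the caller's thread, process or
# session keyrings. Group membership is ignored in this example.
can_write() {
    word=$((0x$1))
    if [ "$3" = yes ]; then eff=$(( (word >> 16) & 255 )); else eff=$(( word & 255 )); fi
    if [ "$2" = yes ]; then eff=$(( eff | ((word >> 24) & 255) )); fi
    if [ $((eff & 4)) -ne 0 ]; then echo yes; else echo no; fi
}

# Sample input copied from the thread: the _ima keyring as listed in /proc/keys
# on the booted system.
SAMPLE_LINE='20448e35 I--Q---     2 perm 3f010000     0     0 keyring   _ima: 1'

perm=$(proc_keys_perm "$SAMPLE_LINE")
decode_key_perm "$perm"
printf 'root, keyring not possessed (session keyring without @u linked): write=%s\n' "$(can_write "$perm" no yes)"
printf 'root, keyring possessed (user keyring linked into session keyring): write=%s\n' "$(can_write "$perm" yes yes)"
```

To apply this to a live system, feed `grep _ima /proc/keys` into `proc_keys_perm` from inside the service context (for example with a temporary `ExecStart=` that dumps /proc/keys) and compare with the same line from a login shell; the perm word will be identical in both, and only the possession relationship differs, which is why `keyctl setperm` on the keyring or linking the user keyring into the service's session keyring both remove the EACCES.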
