Hi, everyone
Now I'm testing the ima-evm security module to see if it can be applied to my embedded system board (not using a TPM).
The kernel version is 5.4.91 (based on the BeagleBone Black board).
But unfortunately, I cannot verify the functions of ima-evm correctly.
When I apply "appraise", a kernel panic happens.
This is what happened:
(1) I set the ima-evm keys as follows:
# dd if=/dev/urandom bs=1 count=32 status=none | keyctl padd user kmk-user @u
# keyctl link @u @s
# keyctl pipe `keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob
# keyctl add encrypted evm-key "new user:kmk-user 32" @u
#keyctl pipe `keyctl search @u encrypted evm-key` > /etc/keys/evm-user.blob
# openssl genrsa -out /etc/keys/rsa_private.pem 1024
# openssl rsa -pubout -in /etc/keys/rsa_private.pem -out /etc/keys/rsa_public.pem
(2) I set kernel parameters with "ima_policy=appraise_tcb ima_appraise=fix evm=fix"
(3) After boot, I loaded the keys like this:
# keyctl padd user kmk-user @u < /etc/keys/kmk-user.blob   # padd reads the raw blob from stdin; "`cat ...`" would drop any NUL bytes in the random key
# keyctl link @u @s
# keyctl add encrypted evm-key "load `cat /etc/keys/evm-user.blob`" @u
# evmctl import --rsa /etc/keys/rsa_public.pem $(keyctl newring _ima @u)   # _ima/_evm user keyrings are only consulted when CONFIG_INTEGRITY_TRUSTED_KEYRING is not set; with it set, the kernel uses .ima/.evm instead
# evmctl import --rsa /etc/keys/rsa_public.pem $(keyctl newring _evm @u)
# echo 1 > /sys/kernel/security/evm
(4) I created the ima-evm digital signatures:
# find / -type f -exec evmctl ima_sign --key /etc/keys/rsa_private.pem '{}' \;
(5) I changed the kernel parameters to this: "ima_policy=appraise_tcb ima_appraise=enforce"
(6) When the board reboots, it stops because of a kernel panic:
[ 3.546536] audit: type=1800 audit(946688023.636:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=appraise_data cause=unknown comm="swapper" name="/lib/systemd/systemd" dev="mmcblk0p1" ino=5684 res=0
When the kernel parameters are "ima_policy=tcb ima_appraise=enforce", the kernel panic does not happen, but after boot, no executable file is blocked even though its contents have been changed.
Please give me some advice.
Thanks in advance,
J.Hwan Kim
_______________________________________________ Kernelnewbies mailing list Kernelnewbies@xxxxxxxxxxxxxxxxx https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
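An added example for diagnosing a report like the one above (not code from the poster, the kernel or ima-evm-utils): it parses the type=1800 integrity audit records to list which files failed appraisal and why, and decodes the raw security.ima xattr value (as printed by getfattr -n security.ima -e hex) so you can see whether a file carries a signature written by evmctl ima_sign, with which hash algorithm and key id, or a hash written by ima_appraise=fix. The byte layouts are taken from include/uapi/linux/hash_info.h and ima-evm-utils' struct signature_v2_hdr; the first audit line is the one quoted in the mail, the second audit line and both xattr blobs are constructed sample input.

```python
"""Decode the two things worth inspecting when IMA appraisal fails:
the type=1800 audit record and the security.ima xattr on the file it names.

Added example for this thread; not code from the poster, the kernel or
ima-evm-utils. Byte layouts follow include/uapi/linux/hash_info.h (hash
algorithm ids) and ima-evm-utils' struct signature_v2_hdr; the second audit
line and both xattr blobs below are constructed sample input.
"""
import re
import struct

# First byte of security.ima / security.evm (enum evm_ima_xattr_type).
XATTR_TYPES = {
    0x01: "IMA_XATTR_DIGEST",          # legacy: raw sha1 digest, no algo byte
    0x02: "EVM_XATTR_HMAC",
    0x03: "EVM_IMA_XATTR_DIGSIG",      # what evmctl ima_sign writes
    0x04: "IMA_XATTR_DIGEST_NG",       # what ima_appraise=fix writes
    0x05: "EVM_XATTR_PORTABLE_DIGSIG",
}
# Hash algorithm ids from include/uapi/linux/hash_info.h (first eight entries).
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
              4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one audit line into a dict; quotes and the stray '=' of
    'subj==unconfined' (printed when no LSM labels the task) are removed."""
    return {k: v.strip('"').lstrip("=") for k, v in FIELD_RE.findall(line)}


def appraisal_failures(lines):
    """Return (name, cause) for every integrity (type=1800) appraise_data record
    with res=0, i.e. every file IMA refused, or would refuse in enforce mode."""
    out = []
    for line in lines:
        f = parse_audit_record(line)
        if f.get("type") == "1800" and f.get("op") == "appraise_data" and f.get("res") == "0":
            out.append((f.get("name"), f.get("cause")))
    return out


def xattr_from_getfattr(text):
    """Turn 'security.ima=0x0302...' (getfattr -n security.ima -e hex) into bytes."""
    value = text.strip().split("=", 1)[-1]
    if not value.startswith("0x"):
        raise ValueError("expected hex output from getfattr -e hex")
    return bytes.fromhex(value[2:])


def decode_security_ima(blob):
    """Describe a security.ima value the way IMA will interpret it."""
    if not blob:
        raise ValueError("empty xattr")
    xtype = blob[0]
    info = {"type": XATTR_TYPES.get(xtype, "unknown(0x%02x)" % xtype)}
    if xtype == 0x01:
        info.update(algo="sha1", digest=blob[1:].hex())
    elif xtype == 0x04:
        info.update(algo=HASH_ALGOS.get(blob[1], "unknown"), digest=blob[2:].hex())
    elif xtype in (0x03, 0x05):
        # struct signature_v2_hdr: u8 type, u8 version, u8 hash_algo,
        # __be32 keyid, __be16 sig_size, u8 sig[]
        version, hash_algo, keyid, sig_size = struct.unpack(">BBIH", blob[1:9])
        sig = blob[9:]
        info.update(version=version, algo=HASH_ALGOS.get(hash_algo, "unknown"),
                    keyid="%08x" % keyid, sig_size=sig_size,
                    complete=(len(sig) == sig_size))
    return info


# Sample input: the first line is the record quoted in the report, the second is constructed.
AUDIT_LINES = [
    '[    3.546536] audit: type=1800 audit(946688023.636:2): pid=1 uid=0 auid=4294967295 '
    'ses=4294967295 subj==unconfined op=appraise_data cause=unknown comm="swapper" '
    'name="/lib/systemd/systemd" dev="mmcblk0p1" ino=5684 res=0',
    '[    9.100000] audit: type=1800 audit(946688029.000:3): pid=211 uid=0 auid=4294967295 '
    'ses=4294967295 subj==unconfined op=appraise_data cause=invalid-hash comm="sh" '
    'name="/usr/bin/foo" dev="mmcblk0p1" ino=9999 res=0',
]
# Constructed xattrs: a v2 signature with a 128-byte sig (what a 1024-bit RSA key
# produces), hash_algo sha256 and a made-up keyid 0xdeadbeef; and a sha256 digest-ng hash.
SIG_BLOB = struct.pack(">BBBIH", 0x03, 0x02, 0x04, 0xDEADBEEF, 128) + b"\x11" * 128
HASH_BLOB = bytes([0x04, 0x04]) + b"\x22" * 32

if __name__ == "__main__":
    for name, cause in appraisal_failures(AUDIT_LINES):
        print("appraisal failed: %s (%s)" % (name, cause))
    print(decode_security_ima(SIG_BLOB))
    print(decode_security_ima(xattr_from_getfattr("security.ima=0x" + HASH_BLOB.hex())))
```

On a real board, feed `decode_security_ima` the output of `getfattr -n security.ima -e hex /lib/systemd/systemd` (run from a rescue environment or with appraisal off): a type of IMA_XATTR_DIGEST_NG means the file only carries a fix-mode hash, while EVM_IMA_XATTR_DIGSIG shows the hash algorithm and key id the kernel will look for on its IMA keyring.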