Hello,
I have some questions regarding system freezing at boot after activating EVM. I receive this error message:
systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/system: No such file of device.
[!!!!!] Failed to mount API filesystems, freezing.
I am using Linux kernel 4.19.78 and system v2.34. My aim is to activate IMA/EVM with EVM in mode 0x80000006, as per https://www.kernel.org/doc/Documentation/ABI/testing/evm. I have a script running from an initramFS, which does the IMA/EVM setup like the following:
mount -n -t securityfs securityfs /sys/kernel/security
(set -e; while read i; do echo $i >&2; echo $i; done) </etc/keys/policy >/sys/kernel/security/ima/policy
ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
evmctl import /etc/keys/x509_ima_1.der $ima_id
evm_id="`awk '/\.evm/ { printf "%d", "0x"$1; }' /proc/keys`"
evmctl import /etc/keys/x509_ima_1.der $evm_id
cat /etc/keys/kmk | keyctl padd user kmk @u
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
echo -2147483642 > /sys/kernel/security/evm
, where the policy is:
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x42494e4d
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
This would be a dummy policy, with which I could still reproduce the issue.
Kernel command line parameters are:
bootargs = "console=ttyS0,921600n1 \
debugshell=1 printk.disable_uart=0 rootwait mem=1024m \
loglevel=8 earlycon=uart8250,mmio32,0x11002000 rootfstype=ext4 ima_appraise=log evm=fix cgroup_no_v1=all quiet ";
, where ima_appraise=log evm=fix should ensure that boot freeze does not occur cause of missing signatures and cgroup_no_v1=all is one of my attempts at solving the issue(not needed).
The problem occurs specifically only when running this instruction "echo -2147483642 > /sys/kernel/security/evm", of activating EVM. The same setup goes through boot fine when leaving that out. Moreover, when doing the instruction in user-space, that also works(though I get some EVM-related kernel messages which, at this point, I'm not sure whether are normal or not).
I would much appreciate any lead to what I could be doing wrong, as it is difficult for me to trace the problem both for my lack of expertise and the way the image is formed.
Thank you,
Vlad
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
[User question]Systemd cgroups freezes after activating EVM
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: [User question]Systemd cgroups freezes after activating EVM
- From: "Vranceanu, Vladut" <Vladut.Vranceanu@xxxxxxxxxx>
- Date: Thu, 13 Aug 2020 11:15:45 +0000
- Accept-language: en-US
- Follow-Ups:
- Re: [User question]Systemd cgroups freezes after activating EVM
- From: Lennart Poettering
- Re: [User question]Systemd cgroups freezes after activating EVM
- Prev by Date: Re: No signal sent to stop service
- Next by Date: Re: Shutdown order in systemd
- Previous by thread: protecting sshd against forkbombs, excessive memory usage by other processes
- Next by thread: Re: [User question]Systemd cgroups freezes after activating EVM
- Index(es):
 |