> Hello!

Hello,

> First, a general question: who is currently working on the kernel patches,
> and where? There are:
>
> * git://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git
>   and the ima-control-experimental branch

This is Dmitry's (one of the integrity sub-system maintainers)
private/development branch, which is now rebased on 4.0rc-1 and which is
used by us (me and my colleague Janusz) for development. From here we want
to push patches to mainline.

> * Tizen's profile/common/kernel-common with sandbox/jkozerski/ima-evm

This one is the Tizen Common kernel 3.14.* with the needed IMA/EVM patches
ported from the mainline kernel.

> * upstream Linux kernel
>
> Is the code in the Linux kernel as merged for 3.19 considered ready for
> production or are there additional fixes needed from the work done in the
> Tizen repo?
>
> What is the plan for getting the enhancements which are currently in the
> Tizen repo also accepted upstream? For example, "ima: make IMA policy
> replaceable at runtime" and "evm: add interface to read and write EVM state
> (ENABLE/DISABLE/FIX)." are only in the Tizen sandbox branch.

Let me clarify a few things. The basic idea was to produce a Tizen Common
image with a working IMA/EVM integrity sub-system, and this was done.
Additionally we prepared a few patches, which one can describe as
'ima-control-experimental', which helped us in the development process.
These patches are not essential at all to fully use the IMA/EVM integrity
subsystem, but they are helpful. Basically, one is able to change the
IMA/EVM state and manipulate IMA's policy inside the running system without
the need to constantly reboot the device to change kernel parameters. I will
push these patches to the IMA/EVM mailing list for review because we want
them in the mainline kernel. Of course it's not our decision to make it
happen. The patches need to be updated to the latest IMA/EVM changes and
I will push them.

> The instructions at the bottom of the page say that one should boot with
> "evm=fix" if there are problems. My guess is that this will update
> incorrect EVM checksums on-the-fly. However, doesn't the kernel need the
> private key for that, which is normally not contained in the image?

Yes, evm=fix permits the 'security.evm' xattr to be updated regardless of
the current integrity status, but you need the private key for that.

> According to the Wiki, one creates privkey_ima.pem but does not copy it to
> the image (at least in that use case - there's another one about
> converting a live image where the key gets copied temporarily).
>
> http://sourceforge.net/p/linux-ima/wiki/Home/ talks about "Creating
> trusted and EVM encrypted keys". Is that what's missing in the Tizen Wiki
> for "evm=fix" to work? If so, will signing files with evmctl use
> privkey_ima.pem for EVM while "evm=fix" uses some other key?

You're right. It's missing from Tizen's Wiki. I will make changes.

> That problem aside, should IMA/EVM do any checking on /etc at all
> according to the policy in the Wiki? The instructions only mention the
> creation of checksums for /usr /bin /sbin and /lib, but not /etc. Is the
> policy in /etc/ima/ima_policy perhaps extending the policies activated by
> "ima_appraise_tcb ima_tcb" instead of replacing it?

Are you sure that this example policy is loaded? You can check it by
cat'ing the policy file. If it is not loaded, I assume that the default
policy is loaded (ima_tcb and ima_appraise_tcb). You can omit these
parameters in the kernel arguments.

> Anyway, my image obviously isn't ready yet. So how do I boot it without
> IMA and EVM active? "ima_appraise=off" was not enough, I still get the
> same errors during booting. /sys/kernel/security/evm contains 1 and
> /sys/kernel/security/ima/ima_state contains 0. evm_main.c only allows
> enabling the fix mode, but does not check for something like "off". So I
> can only turn off IMA, but not EVM?

My advice is: try starting with something small, like an IMA policy for a
directory. The IMA policy allows specifying only a directory for integrity
checking:

  measure path=vda:/sbin
  appraise path=vda:/sbin

At least this won't lock your entire system.

If you have any questions, please don't hesitate to contact me.

Regards
Zbigniew Jasinski

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
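The reply above suggests checking which policy the kernel actually has by cat'ing the policy file, and the thread's confusion about what the rules in /etc/ima/ima_policy cover is easier to resolve when the rules are parsed rather than eyeballed. The following linter is an added example, not code from this thread, from Tizen, or from the linux-ima project. Its keyword tables follow the upstream IMA policy text format as I know it (actions measure, dont_measure, appraise, dont_appraise and audit; conditions such as func=, mask=, fsmagic=, uid=, fowner=, appraise_type=), and the sample policy is constructed for the demo, with its first rules modelled loosely on the shape of the built-in ima_tcb rules. The path= keyword from the reply is not in the upstream set this linter knows, so it is reported as unrecognized rather than rejected; whether a given kernel accepts it depends on the patches that kernel carries.

```python
"""Lint an IMA policy in the upstream text format.

Added example, not code from the mailing-list thread, Tizen, or linux-ima.
The keyword tables reflect the upstream IMA policy format as the author of
this example knows it; SAMPLE_POLICY is constructed for the demo.
"""
import re
import sys
from typing import Dict, List, Tuple

ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit"}
CONDITIONS = {
    "func", "mask", "fsmagic", "fsuuid", "uid", "fowner", "appraise_type",
    "obj_user", "obj_role", "obj_type", "subj_user", "subj_role", "subj_type",
}
FUNCS = {"FILE_CHECK", "MMAP_CHECK", "BPRM_CHECK", "MODULE_CHECK", "FIRMWARE_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_EXEC", "MAY_APPEND"}

Rule = Dict[str, str]


def parse_rule(line: str) -> Rule:
    """Split one rule line into {'action': ..., condition: value, ...}.

    Raises ValueError for an unknown action or a token that is not key=value.
    """
    tokens = line.split()
    action, conds = tokens[0], tokens[1:]
    if action not in ACTIONS:
        raise ValueError(f"unknown action '{action}'")
    rule: Rule = {"action": action}
    for tok in conds:
        key, sep, value = tok.partition("=")
        if not sep or not value:
            raise ValueError(f"condition '{tok}' is not key=value")
        if key in rule:
            raise ValueError(f"condition '{key}' given twice")
        rule[key] = value
    return rule


def check_conditions(rule: Rule) -> List[str]:
    """Return the problems found in a parsed rule's conditions (empty if clean)."""
    problems: List[str] = []
    for key, value in rule.items():
        if key == "action":
            continue
        if key not in CONDITIONS:
            problems.append(f"condition '{key}' is not in the upstream keyword set")
        elif key == "func" and value not in FUNCS:
            problems.append(f"unknown func '{value}'")
        elif key == "mask" and value not in MASKS:
            problems.append(f"unknown mask '{value}'")
        elif key == "fsmagic" and not re.fullmatch(r"0x[0-9a-fA-F]+", value):
            problems.append(f"fsmagic '{value}' is not a hex constant")
        elif key in ("uid", "fowner") and not value.isdigit():
            problems.append(f"{key} '{value}' is not a numeric id")
    return problems


def lint_policy(text: str) -> Tuple[List[Rule], List[str]]:
    """Parse every rule line; return (rules, problems) with 'line N: ...' messages."""
    rules: List[Rule] = []
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no rule
        try:
            rule = parse_rule(line)
        except ValueError as err:
            problems.append(f"line {lineno}: {err}")
            continue
        problems.extend(f"line {lineno}: {p}" for p in check_conditions(rule))
        rules.append(rule)
    return rules, problems


def summarize(rules: List[Rule]) -> Dict[str, int]:
    """Count rules per action, so measure/appraise coverage is visible at a glance."""
    counts: Dict[str, int] = {}
    for rule in rules:
        counts[rule["action"]] = counts.get(rule["action"], 0) + 1
    return counts


# Constructed sample policy (not from the thread or any real Tizen image).
SAMPLE_POLICY = """\
# constructed sample; the first block mirrors the shape of the built-in
# ima_tcb rules (skip pseudo-filesystems, measure executed and root-read files)
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x01021994
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
appraise fowner=0
# directory-scoped rules as suggested in the reply; 'path=' is not an
# upstream keyword, so the linter reports it rather than silently accepting it
measure path=vda:/sbin
appraise path=vda:/sbin
# deliberately malformed
measure func=BOGUS_CHECK
"""

if __name__ == "__main__":
    # Pass a file such as /sys/kernel/security/ima/policy to lint what the
    # kernel has actually loaded; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    parsed, found = lint_policy(text)
    print("rules per action:", summarize(parsed))
    for item in found:
        print("problem:", item)
```

Run against the sample, the linter counts two measure rules and one appraise rule that reach ordinary files, and flags the two path= rules and the bogus func value. Pointing it at the securityfs policy file answers the question raised in the thread directly: if the output shows only the built-in style rules, the custom policy was never loaded.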
