Hello,

I have some questions regarding the system freezing at boot after activating EVM. I 
receive this error message:

      systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/system: No such file 
of device.
      [!!!!!] Failed to mount API filesystems, freezing.

I am using Linux kernel 4.19.78 and systemd v2.34. My aim is to activate IMA/EVM 
with EVM in mode 0x80000006, as per 
https://www.kernel.org/doc/Documentation/ABI/testing/evm. I have a script 
running from an initramfs, which does the IMA/EVM setup like the following:

       mount -n -t securityfs securityfs /sys/kernel/security

       (set -e; while read i; do echo $i >&2; echo $i; done) </etc/keys/policy 
>/sys/kernel/security/ima/policy

       ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
       evmctl import /etc/keys/x509_ima_1.der $ima_id

       evm_id="`awk '/\.evm/ { printf "%d", "0x"$1; }' /proc/keys`"
       evmctl import /etc/keys/x509_ima_1.der $evm_id

       cat /etc/keys/kmk | keyctl padd user kmk @u
       keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u

       echo -2147483642 > /sys/kernel/security/evm

where the policy is: 

     dont_appraise fsmagic=0x9fa0
     dont_appraise fsmagic=0x62656572
     dont_appraise fsmagic=0x64626720
     dont_appraise fsmagic=0x01021994
     dont_appraise fsmagic=0x858458f6
     dont_appraise fsmagic=0x1cd1       
     dont_appraise fsmagic=0x42494e4d
     dont_appraise fsmagic=0x73636673
     dont_appraise fsmagic=0xf97cff8c

This is a dummy policy, with which I could still reproduce the issue.

Kernel command line parameters are:

          bootargs = "console=ttyS0,921600n1 \
                debugshell=1 printk.disable_uart=0 rootwait mem=1024m \
                loglevel=8 earlycon=uart8250,mmio32,0x11002000 rootfstype=ext4 
ima_appraise=log evm=fix cgroup_no_v1=all quiet ";

where ima_appraise=log evm=fix should ensure that the boot freeze does not occur 
because of missing signatures, and cgroup_no_v1=all is one of my attempts at 
solving the issue (not needed).

The problem occurs only when running this instruction, "echo 
-2147483642 > /sys/kernel/security/evm", which activates EVM. The same setup 
boots fine when leaving that out. Moreover, when running the instruction 
from user space, it also works (though I get some EVM-related kernel messages 
which, at this point, I am not sure are normal or not).

I would much appreciate any lead as to what I could be doing wrong, as it is 
difficult for me to trace the problem, both because of my lack of expertise and 
because of the way the image is built.

Thank you,
Vlad
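As an added example (not code from the original post, nor from systemd or ima-evm-utils), here are a few POSIX sh helpers for checking the initramfs setup quoted above offline before it is baked into an image: an exact-match keyring lookup in /proc/keys for the two evmctl import calls, a decoder for the EVM control word that the script's final echo writes, and a lint of the policy against the pseudo-filesystem magics from include/uapi/linux/magic.h. The /proc/keys excerpt is constructed; the policy is the one quoted in the post; the flag names and bit values are those in Documentation/ABI/testing/evm. The magic list deliberately includes CGROUP_SUPER_MAGIC (0x27e0eb) and CGROUP2_SUPER_MAGIC (0x63677270), for which the quoted policy has no dont_appraise rule; since the freeze happens on a cgroup mount that is worth checking, though nothing on this page establishes it as the cause.

```shell
#!/bin/sh
# Added example, not code from the original post: offline checks for the
# initramfs IMA/EVM setup quoted above. Paths and flag names follow the post
# and Documentation/ABI/testing/evm; the /proc/keys excerpt is constructed.

# Constructed /proc/keys excerpt. Fields: id flags usage timeout perms uid gid
# type description. The last line is a decoy user key whose description
# contains ".ima", which a bare /\.ima/ regex would also match.
write_sample_proc_keys() {
    cat >"$1" <<'EOF'
0030a3f0 I------     1 perm 1f030000     0     0 keyring   .ima: 1
1d4e22b7 I------     1 perm 1f0b0000     0     0 keyring   .evm: 1
3a7c1d9e I--Q---     2 perm 3f030000     0     0 keyring   _uid.0: 1
0a0b0c0d I--Q---     1 perm 3f010000     0     0 user      backup.ima: 32
EOF
}

# keyring_id NAME [FILE]: decimal ID of the keyring whose description is NAME,
# as evmctl import expects. Type and description are matched exactly, and the
# hex ID is converted by the shell's printf, which accepts a 0x prefix on every
# POSIX sh; awk's "0x"$1 string conversion yields 0 under gawk unless
# --non-decimal-data is given. Returns 1 if the keyring is absent.
keyring_id() {
    name=$1
    file=${2:-/proc/keys}
    hex=$(awk -v n="$name:" '$8 == "keyring" && $9 == n { print $1; exit }' "$file")
    [ -n "$hex" ] || return 1
    printf '%d\n' "0x$hex"
}

# EVM control-word bits, from Documentation/ABI/testing/evm.
EVM_INIT_HMAC=1
EVM_INIT_X509=2
EVM_ALLOW_METADATA_WRITES=4
EVM_SETUP_COMPLETE=2147483648   # 0x80000000

# evm_word MASK: the mask as the signed 32-bit decimal the post echoes into
# /sys/kernel/security/evm (0x80000006 -> -2147483642), so a script can keep
# the readable hex form and derive the number it writes.
evm_word() {
    v=$(printf '%d' "$1")
    [ "$v" -ge 2147483648 ] && v=$((v - 4294967296))
    echo "$v"
}

# evm_flags VALUE: names of the bits set in VALUE (decimal, negative decimal
# or hex), space separated, for reading back what was written.
evm_flags() {
    v=$(printf '%d' "$1")
    [ "$v" -lt 0 ] && v=$((v + 4294967296))
    out=""
    [ $((v & EVM_INIT_HMAC)) -ne 0 ] && out="$out EVM_INIT_HMAC"
    [ $((v & EVM_INIT_X509)) -ne 0 ] && out="$out EVM_INIT_X509"
    [ $((v & EVM_ALLOW_METADATA_WRITES)) -ne 0 ] && out="$out EVM_ALLOW_METADATA_WRITES"
    [ $((v & EVM_SETUP_COMPLETE)) -ne 0 ] && out="$out EVM_SETUP_COMPLETE"
    echo "${out# }"
}

# The policy quoted in the post, written to a file for the check below.
write_sample_policy() {
    cat >"$1" <<'EOF'
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x42494e4d
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
EOF
}

# Pseudo-filesystem magics from include/uapi/linux/magic.h that an appraise
# policy normally exempts; the two cgroup entries are the ones the quoted
# policy lacks.
KNOWN_FSMAGIC="0x9fa0:PROC_SUPER_MAGIC 0x62656572:SYSFS_MAGIC 0x64626720:DEBUGFS_MAGIC
0x01021994:TMPFS_MAGIC 0x858458f6:RAMFS_MAGIC 0x1cd1:DEVPTS_SUPER_MAGIC
0x42494e4d:BINFMTFS_MAGIC 0x73636673:SECURITYFS_MAGIC 0xf97cff8c:SELINUX_MAGIC
0x27e0eb:CGROUP_SUPER_MAGIC 0x63677270:CGROUP2_SUPER_MAGIC"

# policy_missing_magics FILE: entries of KNOWN_FSMAGIC with no dont_appraise
# rule in FILE. Values are compared numerically, so 0x01021994 == 0x1021994.
policy_missing_magics() {
    rules=$(awk '$1 == "dont_appraise" { for (i = 2; i <= NF; i++)
        if (sub(/^fsmagic=/, "", $i)) print $i }' "$1")
    missing=""
    for entry in $KNOWN_FSMAGIC; do
        want=$(printf '%d' "${entry%%:*}")
        found=0
        for m in $rules; do
            [ "$(printf '%d' "$m")" -eq "$want" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && missing="$missing $entry"
    done
    echo "${missing# }"
}

# On a live system the lookup replaces the awk line in the post, e.g.
#   ima_id=$(keyring_id .ima) && evmctl import /etc/keys/x509_ima_1.der "$ima_id"
# and the flag decoder can be run on $(cat /sys/kernel/security/evm) afterwards.
```

The keyring lookup is stricter than the post's `awk '/\.ima/ ...'` in two ways: it matches the keyring's type and exact description, and it does the hex conversion in the shell rather than relying on awk's string-to-number rules, which differ between busybox awk, mawk and gawk. The policy lint only reports which well-known pseudo-filesystems a policy leaves unexempted; whether a missing rule matters depends on which filesystems the init sequence touches while the policy is loaded.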


_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel