From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, tadeusz.struk@intel.com
Subject: Re: [PATCH 0/8] X.509: Software public key subtype changes
Date: Mon, 22 Feb 2016 19:03:27 -0500	[thread overview]
Message-ID: <1456185807.4448.91.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1634.1456180145@warthog.procyon.org.uk>

On Mon, 2016-02-22 at 22:29 +0000, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> > >  (1) - (3) These are Tadeusz's RSA akcipher conversion.
> > 
> > Up to here, IMA-appraisal works properly.
> 
> I don't have IMA set up anywhere.

I know.  With the "vfs: support for a common kernel file loader" patch
set, setting up a simple test becomes a lot simpler.  With this patch
set you can measure and appraise just the kexec image and initramfs,
firmware and/or kernel modules.

Create two key pairs.  Add one to the system keyring.*   Load the other
key on the IMA keyring.  (Remember it needs to be signed with the
private key of a key on the system keyring.**)

To measure and appraise just the kexec initramfs, define a policy
containing:
measure func=INITRAMFS_CHECK
appraise func=INITRAMFS_CHECK appraise_type=imasig

To load the IMA policy, write the policy to the securityfs IMA policy
file:
cat <IMA policy> > /sys/kernel/securityfs/ima/policy.

Sign the kexec initramfs using evmctl:
evmctl ima_sign -k <privkey.pem> -a sha256 /boot/<initramfs>.img

Execute:  kexec -s -l /boot/<image> --initrd=/boot/<initramfs>.img
--reuse-cmdline
Failures to appraise the initramfs are audit logged.  The IMA
measurement list will contain the initramfs file hash.

*There are two or three methods for loading the key onto the system
keyring depending on the distro.
- builtin
- enroll in MoK db (on some distros)
- Mehmet's patch  (needs to be upstreamed)

** Refer to the ima-evm-utils package README for further details on
creating and signing a certificate to be loaded on the IMA keyring.

Mimi
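The setup described in the message above, as an added example that is not code from the message, the kernel tree or ima-evm-utils: the two key pairs, the IMA keyring load, the two-rule policy, the evmctl signature, the kexec and a check against the measurement list. It assumes securityfs is mounted at /sys/kernel/security (its conventional mount point), that the running kernel exposes a ".ima" keyring that accepts DER certificates through keyctl, that openssl, keyctl, evmctl, getfattr and kexec are installed, and that the privileged steps run as root. Getting the CA certificate onto the system keyring itself is left to the out-of-band routes the message lists.

```sh
#!/bin/sh
# Added example: the measure-and-appraise-the-kexec-initramfs procedure from
# the message above, as shell functions.  Not code from the message, the
# kernel tree or ima-evm-utils.  Assumptions: securityfs at
# /sys/kernel/security; a ".ima" keyring that accepts DER certs via keyctl;
# openssl, keyctl, evmctl, getfattr and kexec installed; privileged steps
# run as root.
set -eu

SECFS=/sys/kernel/security

# Step 1: two key pairs.  ca.pem is the one to put on the system keyring
# (built in via CONFIG_SYSTEM_TRUSTED_KEYS, or enrolled as the distro
# allows); ima.der is signed by it.  The leaf cert carries an
# authorityKeyIdentifier so the kernel can find the signer when the
# .ima keyring checks the cert against the system keyring.
gen_ima_keys() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Local IMA CA (example)
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    cat > "$dir/ima.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = IMA signing key (example)
[ ima_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -new -x509 -nodes -sha256 -days 3650 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.priv" -out "$dir/ca.pem"
    openssl req -new -nodes -sha256 -config "$dir/ima.cnf" \
        -keyout "$dir/ima.priv" -out "$dir/ima.csr"
    openssl x509 -req -sha256 -days 365 -in "$dir/ima.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.priv" -CAcreateserial \
        -extfile "$dir/ima.cnf" -extensions ima_ext \
        -outform DER -out "$dir/ima.der"
}

# Step 2: load the leaf cert on the IMA keyring.  The kernel rejects it
# unless its signer is already on the system keyring.
load_ima_cert() {
    keyctl padd asymmetric "" %keyring:.ima < "$1"
}

# Step 3: the two-rule policy from the message.
ima_kexec_policy() {
    printf '%s\n' 'measure func=INITRAMFS_CHECK' \
        'appraise func=INITRAMFS_CHECK appraise_type=imasig'
}

load_ima_policy() {
    ima_kexec_policy > "$SECFS/ima/policy"
}

# Step 4: sign the initramfs and confirm the security.ima xattr is there.
sign_initramfs() {       # $1 = ima.priv, $2 = initramfs
    evmctl ima_sign -k "$1" -a sha256 "$2"
    getfattr -n security.ima -e hex "$2"
}

# Step 5: kexec through the file-based syscall (-s) so the kernel reads
# and appraises the initramfs itself.
kexec_load() {           # $1 = kernel image, $2 = initramfs
    kexec -s -l "$1" --initrd="$2" --reuse-cmdline
}

# Check: print the file hash recorded for $2 in an ima-ng measurement
# list ($1, normally $SECFS/ima/ascii_runtime_measurements); fail if the
# initramfs was never measured.
initramfs_hash_in_list() {
    awk -v p="$2" '$3 == "ima-ng" && $5 == p { print $4; found = 1 }
                   END { exit !found }' "$1"
}

# Usage (as root): sh this.sh setup /etc/keys /boot/vmlinuz /boot/initramfs.img
if [ "${1:-}" = setup ]; then
    gen_ima_keys "$2"
    load_ima_cert "$2/ima.der"
    load_ima_policy
    sign_initramfs "$2/ima.priv" "$4"
    kexec_load "$3" "$4"
    initramfs_hash_in_list "$SECFS/ima/ascii_runtime_measurements" "$4"
fi
```

A failed appraisal shows up as an audit record and the kexec load fails; a successful one leaves an ima-ng line for the initramfs in the measurement list, which is what initramfs_hash_in_list looks for. Loading a second policy after the first needs CONFIG_IMA_WRITE_POLICY, so get the rule set right before writing it.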
