From: Lakshmi <nramas@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Subject: Re: IMA signature generated by evmctl has unexpected key identifier
Date: Thu, 23 May 2019 10:23:09 -0700 [thread overview]
Message-ID: <34aaf13b-1d99-c8b5-a75f-88449e5ffdfe@linux.microsoft.com> (raw)
In-Reply-To: <1558617961.4347.161.camel@linux.ibm.com>
On 5/23/19 6:26 AM, Mimi Zohar wrote:
> The last two steps show how to create a certificate
> signing request (CSR) and sign the certificate with a CA key. The CA
> public key should be loaded onto the builtin keyring.
Yes - I followed those steps in the README to create a CSR and signed
the IMA signing cert with the CA key.
The CA public key is loaded into the builtin keyring.
IMA cert is loaded to IMA keyring.
The problem I am facing is:
When the IMA cert is signed with the CA key, the key id set by
ima-evm-utils does not match the last 4 bytes of SKI.
I also hit ima_verify error.
Please see below:
X509v3 Subject Key Identifier:
85:51:2D:09:FC:12:C7:F3:8B:96:79:35:26:51:DC:B3:65:90:33:36
X509v3 Authority Key Identifier:
keyid:87:DC:69:C9:EC:ED:27:10:0C:8C:CA:1B:A9:DE:51:1C:6D:00:5D:E5
root@Lakshmi-ThinkStation-P520:/etc/keys# getfattr -d -e hex -m security
/home/lakshmi/msftsrc/myfiles/myfile.txt
getfattr: Removing leading '/' from absolute path names
# file: home/lakshmi/msftsrc/myfiles/myfile.txt
security.ima=0x030204b8847de90080a3e5d6e72fd7fa2f247f68ae675fa56f5b81f9274cb42c597b4c5507da3bfeba5c8636ea23857bcf1730a37fa871c7f592c254e0dd701b8b062f12cbc0db78f21495d5a7728c218b741c675053e998528cc0c8d12bef0e0671a28e64a7d933d36d76c1ec2633a07334b3480c7c0c4031d9c037a77085852f15a3669f2fdc3c7e
=> But if I don't sign the IMA cert with the CA cert, everything works
as expected: Key Id matches the last 4 bytes of the SKI, ima_verify
works fine.
X509v3 Subject Key Identifier:
36:41:D8:3B:59:04:BB:D3:4B:23:DE:45:70:43:D6:1C:15:F3:74:10
X509v3 Authority Key Identifier:
keyid:36:41:D8:3B:59:04:BB:D3:4B:23:DE:45:70:43:D6:1C:15:F3:74:10
root@Lakshmi-ThinkStation-P520:/etc/keys# getfattr -d -e hex -m security
/home/lakshmi/msftsrc/myfiles/myfile.txt
getfattr: Removing leading '/' from absolute path names
# file: home/lakshmi/msftsrc/myfiles/myfile.txt
security.ima=0x03020415f374100080c11a06d7fc7626467d6abb08a8a573f27412fd2dcf726f40f238f226792b1787cddee1aac094e695795f6b7e07fc8749902623e78b69566b1d0c22c311f6e5b4b76a2af981eaa2cb69c326cc9566e29d5ff8ea37188bb262fa3bef991deacd58ee6350299c0f4beaf49f20ae1ac1ceac58ff593a544f14603c2e600cf116a6e5
Thanks,
-lakshmi
prev parent reply other threads:[~2019-05-23 17:23 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-13 0:37 IMA signature generated by evmctl has unexpected key identifier nramas
2019-05-14 17:18 ` Lakshmi
2019-05-14 17:25 ` Mimi Zohar
2019-05-14 17:57 ` Lakshmi
2019-05-14 21:38 ` Mimi Zohar
2019-05-14 22:07 ` Lakshmi
2019-05-21 17:48 ` Lakshmi
2019-05-22 0:30 ` Mimi Zohar
2019-05-22 1:39 ` Lakshmi
2019-05-22 2:16 ` Lakshmi
2019-05-23 1:10 ` Lakshmi
2019-05-23 13:26 ` Mimi Zohar
2019-05-23 17:23 ` Lakshmi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=34aaf13b-1d99-c8b5-a75f-88449e5ffdfe@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).