Subject: Re: IMA signature generated by evmctl has unexpected key identifier
From: Lakshmi
To: Mimi Zohar, linux-integrity@vger.kernel.org
Date: Thu, 23 May 2019 10:23:09 -0700
Message-ID: <34aaf13b-1d99-c8b5-a75f-88449e5ffdfe@linux.microsoft.com>
In-Reply-To: <1558617961.4347.161.camel@linux.ibm.com>
References: <90a4d769-4c32-4b2b-ceaa-6e0980d5c193@linux.microsoft.com> <1557854750.4139.65.camel@linux.ibm.com> <4b810e48-6ddc-19d0-9fc1-70cd29c7c01b@linux.microsoft.com> <1557869914.4139.73.camel@linux.ibm.com> <5d1ab46e-ea01-b7a7-4a9b-6e4bcb63c331@linux.microsoft.com> <1558485033.4039.215.camel@linux.ibm.com> <3b8e6688-3d3e-18bf-239b-a0bc47d60a58@linux.microsoft.com> <1558617961.4347.161.camel@linux.ibm.com>
On 5/23/19 6:26 AM, Mimi Zohar wrote:
> The last two steps show how to create a certificate signing request (CSR)
> and sign the certificate with a CA key.  The CA public key should be
> loaded onto the builtin keyring.

Yes - I followed those steps in the README to create a CSR and signed the
IMA signing cert with the CA key. The CA public key is loaded into the
builtin keyring. The IMA cert is loaded into the IMA keyring.

The problem I am facing is: when the IMA cert is signed with the CA key,
the key id set by ima-evm-utils does not match the last 4 bytes of the SKI.
I also hit an ima_verify error. Please see below:

X509v3 Subject Key Identifier:
    85:51:2D:09:FC:12:C7:F3:8B:96:79:35:26:51:DC:B3:65:90:33:36
X509v3 Authority Key Identifier:
    keyid:87:DC:69:C9:EC:ED:27:10:0C:8C:CA:1B:A9:DE:51:1C:6D:00:5D:E5

root@Lakshmi-ThinkStation-P520:/etc/keys# getfattr -d -e hex -m security /home/lakshmi/msftsrc/myfiles/myfile.txt
getfattr: Removing leading '/' from absolute path names
# file: home/lakshmi/msftsrc/myfiles/myfile.txt
security.ima=0x030204b8847de90080a3e5d6e72fd7fa2f247f68ae675fa56f5b81f9274cb42c597b4c5507da3bfeba5c8636ea23857bcf1730a37fa871c7f592c254e0dd701b8b062f12cbc0db78f21495d5a7728c218b741c675053e998528cc0c8d12bef0e0671a28e64a7d933d36d76c1ec2633a07334b3480c7c0c4031d9c037a77085852f15a3669f2fdc3c7e

=> But if I don't sign the IMA cert with the CA cert, everything works as
expected: the Key Id matches the last 4 bytes of the SKI, and ima_verify
works fine.

X509v3 Subject Key Identifier:
    36:41:D8:3B:59:04:BB:D3:4B:23:DE:45:70:43:D6:1C:15:F3:74:10
X509v3 Authority Key Identifier:
    keyid:36:41:D8:3B:59:04:BB:D3:4B:23:DE:45:70:43:D6:1C:15:F3:74:10

root@Lakshmi-ThinkStation-P520:/etc/keys# getfattr -d -e hex -m security /home/lakshmi/msftsrc/myfiles/myfile.txt
getfattr: Removing leading '/' from absolute path names
# file: home/lakshmi/msftsrc/myfiles/myfile.txt
security.ima=0x03020415f374100080c11a06d7fc7626467d6abb08a8a573f27412fd2dcf726f40f238f226792b1787cddee1aac094e695795f6b7e07fc8749902623e78b69566b1d0c22c311f6e5b4b76a2af981eaa2cb69c326cc9566e29d5ff8ea37188bb262fa3bef991deacd58ee6350299c0f4beaf49f20ae1ac1ceac58ff593a544f14603c2e600cf116a6e5

Thanks,
-lakshmi
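As an added example (not code from the thread or from ima-evm-utils), the following Python parses the security.ima v2 signature header shown in the two getfattr outputs above and checks whether its 4-byte key identifier equals the tail of the certificate's Subject Key Identifier, which is the mismatch the message reports. It assumes the signature_v2_hdr layout (type, version, hash_algo, 4-byte big-endian keyid, 2-byte big-endian sig_size, then the signature) and the kernel hash_algo numbering; the sample values are the xattrs and SKIs quoted in the message.

```python
import struct
from dataclasses import dataclass

# Constructed from the two security.ima values and SKIs quoted in the message above.
CA_SIGNED_XATTR = "0x030204b8847de90080a3e5d6e72fd7fa2f247f68ae675fa56f5b81f9274cb42c597b4c5507da3bfeba5c8636ea23857bcf1730a37fa871c7f592c254e0dd701b8b062f12cbc0db78f21495d5a7728c218b741c675053e998528cc0c8d12bef0e0671a28e64a7d933d36d76c1ec2633a07334b3480c7c0c4031d9c037a77085852f15a3669f2fdc3c7e"
CA_SIGNED_SKI = "85:51:2D:09:FC:12:C7:F3:8B:96:79:35:26:51:DC:B3:65:90:33:36"
SELF_SIGNED_XATTR = "0x03020415f374100080c11a06d7fc7626467d6abb08a8a573f27412fd2dcf726f40f238f226792b1787cddee1aac094e695795f6b7e07fc8749902623e78b69566b1d0c22c311f6e5b4b76a2af981eaa2cb69c326cc9566e29d5ff8ea37188bb262fa3bef991deacd58ee6350299c0f4beaf49f20ae1ac1ceac58ff593a544f14603c2e600cf116a6e5"
SELF_SIGNED_SKI = "36:41:D8:3B:59:04:BB:D3:4B:23:DE:45:70:43:D6:1C:15:F3:74:10"

EVM_IMA_XATTR_DIGSIG = 0x03  # xattr type byte: IMA digital signature
# Values of the kernel's hash_algo enum carried in the header's hash_algo byte.
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "ripemd160", 4: "sha256",
             5: "sha384", 6: "sha512", 7: "sha224"}

@dataclass
class ImaSigV2:
    hash_algo: str
    keyid: bytes       # 4-byte identifier the kernel uses to select the verification key
    signature: bytes   # raw signature, exactly sig_size bytes

def parse_security_ima(xattr_hex: str) -> ImaSigV2:
    """Parse a signature_v2_hdr: type, version, hash_algo, keyid (4, BE), sig_size (2, BE), sig."""
    raw = bytes.fromhex(xattr_hex[2:] if xattr_hex.startswith("0x") else xattr_hex)
    if len(raw) < 9:
        raise ValueError("xattr shorter than the 9-byte signature_v2_hdr")
    xtype, version, algo, keyid, sig_size = struct.unpack(">BBB4sH", raw[:9])
    if xtype != EVM_IMA_XATTR_DIGSIG or version != 2:
        raise ValueError(f"not a v2 IMA digital signature (type={xtype:#x}, version={version})")
    if algo not in HASH_ALGO:
        raise ValueError(f"unknown hash_algo value {algo}")
    sig = raw[9:]
    if len(sig) != sig_size:  # truncated or oversized xattr: refuse rather than guess
        raise ValueError(f"sig_size={sig_size} but {len(sig)} signature bytes present")
    return ImaSigV2(HASH_ALGO[algo], keyid, sig)

def ski_keyid(ski_text: str) -> bytes:
    """Last 4 bytes of a colon-separated X509v3 Subject Key Identifier as openssl prints it."""
    return bytes.fromhex(ski_text.replace(":", ""))[-4:]

def keyid_matches(xattr_hex: str, ski_text: str) -> bool:
    """True when the xattr's keyid names the certificate carrying this SKI."""
    return parse_security_ima(xattr_hex).keyid == ski_keyid(ski_text)

if __name__ == "__main__":
    for label, xattr, ski in (("CA-signed", CA_SIGNED_XATTR, CA_SIGNED_SKI),
                              ("self-signed", SELF_SIGNED_XATTR, SELF_SIGNED_SKI)):
        hdr = parse_security_ima(xattr)
        print(f"{label}: {hdr.hash_algo} keyid={hdr.keyid.hex()} "
              f"ski_tail={ski_keyid(ski).hex()} match={keyid_matches(xattr, ski)}")
```

Run against the two values from the message, the CA-signed xattr reports keyid b8847de9 against an SKI tail of 65903336 (no match), while the self-signed one reports 15f37410 on both sides.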