Subject: Re: IMA signature generated by evmctl has unexpected key identifier
From: Lakshmi
To: Mimi Zohar, linux-integrity@vger.kernel.org
Date: Wed, 22 May 2019 18:10:46 -0700
Message-ID: <3b8e6688-3d3e-18bf-239b-a0bc47d60a58@linux.microsoft.com>
In-Reply-To: <1558485033.4039.215.camel@linux.ibm.com>
On 5/21/19 5:30 PM, Mimi Zohar wrote:

I did some more investigation on this one and see different behavior when
the IMA signing key is self-signed and when it is signed by another key.

>>> Perhaps it's something with the key.  If you haven't already used the
>>> scripts for generating the keys in the ima-evm-utils examples/
>>> directory, you might try that.

When the IMA signer key is self-signed, the X509v3 Subject Key ID and
Authority Key ID are the same - please see below. In this case,
ima-evm-utils sets the 4 byte key ID correctly in the IMA signature set in
security.ima. ima_verify successfully verifies the IMA signature.

X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature
    X509v3 Subject Key Identifier:
        36:41:D8:3B:59:04:BB:D3:4B:23:DE:45:70:43:D6:1C:15:F3:74:10
    X509v3 Authority Key Identifier:
        keyid:36:41:D8:3B:59:04:BB:D3:4B:23:DE:45:70:43:D6:1C:15:F3:74:10

root@Lakshmi-ThinkStation-P520:/etc/keys# getfattr -d -e hex -m security /home/lakshmi/msftsrc/myfiles/myfile.txt
getfattr: Removing leading '/' from absolute path names
# file: home/lakshmi/msftsrc/myfiles/myfile.txt
security.ima=0x03020415f374100080c11a06d7fc7626467d6abb08a8a573f27412fd2dcf726f40f238f226792b1787cddee1aac094e695795f6b7e07fc8749902623e78b69566b1d0c22c311f6e5b4b76a2af981eaa2cb69c326cc9566e29d5ff8ea37188bb262fa3bef991deacd58ee6350299c0f4beaf49f20ae1ac1ceac58ff593a544f14603c2e600cf116a6e5

But if the IMA signer key is signed by another key (for instance, a key in
the "BuiltIn Trusted Keys"), the X509v3 SKI and AKI are different. Please
see below. In this case, ima-evm-utils sets a 4 byte key ID that does not
match the last 4 bytes of the SKI. ima_verify fails in this case.

X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature
    X509v3 Subject Key Identifier:
        85:51:2D:09:FC:12:C7:F3:8B:96:79:35:26:51:DC:B3:65:90:33:36
    X509v3 Authority Key Identifier:
        keyid:87:DC:69:C9:EC:ED:27:10:0C:8C:CA:1B:A9:DE:51:1C:6D:00:5D:E5

root@Lakshmi-ThinkStation-P520:/etc/keys# getfattr -d -e hex -m security /home/lakshmi/msftsrc/myfiles/myfile.txt
getfattr: Removing leading '/' from absolute path names
# file: home/lakshmi/msftsrc/myfiles/myfile.txt
security.ima=0x030204b8847de90080a3e5d6e72fd7fa2f247f68ae675fa56f5b81f9274cb42c597b4c5507da3bfeba5c8636ea23857bcf1730a37fa871c7f592c254e0dd701b8b062f12cbc0db78f21495d5a7728c218b741c675053e998528cc0c8d12bef0e0671a28e64a7d933d36d76c1ec2633a07334b3480c7c0c4031d9c037a77085852f15a3669f2fdc3c7e

Is this expected? In my setup, the IMA signing key will be signed by a key
in the "BuiltIn Trusted Keys".

Thanks,
 -lakshmi
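The mismatch described in the mail can be checked offline by decoding the security.ima value. The following is an added example (not code from this thread or from ima-evm-utils); it assumes the signature_v2_hdr layout of type, version, hash algorithm, 4-byte key ID, 2-byte big-endian signature length, then the signature, and compares the key ID with the last 4 bytes of the certificate's Subject Key Identifier. The two xattr values and SKIs are copied from the getfattr and openssl output above.

```python
import struct

EVM_IMA_XATTR_DIGSIG = 0x03   # xattr type byte for an IMA digital signature
DIGSIG_VERSION_2 = 0x02       # signature_v2_hdr version

# Subset of the kernel's enum hash_algo (include/uapi/linux/hash_info.h)
HASH_ALGO_NAMES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}

# Inputs copied from the two cases in the mail above (self-signed and CA-signed).
SELF_SIGNED_XATTR = "0x03020415f374100080c11a06d7fc7626467d6abb08a8a573f27412fd2dcf726f40f238f226792b1787cddee1aac094e695795f6b7e07fc8749902623e78b69566b1d0c22c311f6e5b4b76a2af981eaa2cb69c326cc9566e29d5ff8ea37188bb262fa3bef991deacd58ee6350299c0f4beaf49f20ae1ac1ceac58ff593a544f14603c2e600cf116a6e5"
SELF_SIGNED_SKI = "36:41:D8:3B:59:04:BB:D3:4B:23:DE:45:70:43:D6:1C:15:F3:74:10"
CA_SIGNED_XATTR = "0x030204b8847de90080a3e5d6e72fd7fa2f247f68ae675fa56f5b81f9274cb42c597b4c5507da3bfeba5c8636ea23857bcf1730a37fa871c7f592c254e0dd701b8b062f12cbc0db78f21495d5a7728c218b741c675053e998528cc0c8d12bef0e0671a28e64a7d933d36d76c1ec2633a07334b3480c7c0c4031d9c037a77085852f15a3669f2fdc3c7e"
CA_SIGNED_SKI = "85:51:2D:09:FC:12:C7:F3:8B:96:79:35:26:51:DC:B3:65:90:33:36"


def parse_ima_sig_v2(xattr_hex):
    """Split a security.ima value into its signature_v2_hdr fields."""
    data = bytes.fromhex(xattr_hex[2:] if xattr_hex.startswith("0x") else xattr_hex)
    if len(data) < 9:
        raise ValueError("xattr too short for signature_v2_hdr")
    # type(1) version(1) hash_algo(1) keyid(4, kept raw below) sig_size(2, big-endian)
    xtype, version, hash_algo, sig_size = struct.unpack(">BBB4xH", data[:9])
    if xtype != EVM_IMA_XATTR_DIGSIG or version != DIGSIG_VERSION_2:
        raise ValueError("not a v2 IMA signature: type=%#x version=%d" % (xtype, version))
    return {
        "hash_algo": HASH_ALGO_NAMES.get(hash_algo, "unknown(%d)" % hash_algo),
        "keyid": data[3:7],        # 4-byte key identifier the kernel looks up
        "sig_size": sig_size,      # declared signature length (0x80 = RSA-1024)
        "sig": data[9:],
    }


def keyid_from_ski(ski):
    """Last 4 bytes of an X509v3 Subject Key Identifier in OpenSSL colon form."""
    return bytes.fromhex(ski.replace(":", ""))[-4:]


def keyid_matches(xattr_hex, ski):
    """True when the xattr's key ID names the certificate with this SKI."""
    return parse_ima_sig_v2(xattr_hex)["keyid"] == keyid_from_ski(ski)


if __name__ == "__main__":
    for label, xattr, ski in (("self-signed", SELF_SIGNED_XATTR, SELF_SIGNED_SKI),
                              ("CA-signed", CA_SIGNED_XATTR, CA_SIGNED_SKI)):
        hdr = parse_ima_sig_v2(xattr)
        print("%-12s %s keyid=%s ski_tail=%s %s" % (
            label, hdr["hash_algo"], hdr["keyid"].hex(), keyid_from_ski(ski).hex(),
            "match" if keyid_matches(xattr, ski) else "MISMATCH"))
```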