From: Ignaz Forster <iforster@suse.de>
To: Petr Vorel <pvorel@suse.cz>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Fabian Vogt <FVogt@suse.com>, Marcus Meissner <meissner@suse.com>,
	linux-integrity@vger.kernel.org, ltp@lists.linux.it
Subject: Re: [PATCH v2 0/3] LTP reproducer on broken IMA on overlayfs
Date: Tue, 14 May 2019 21:19:04 +0200	[thread overview]
Message-ID: <bf41c3b5-baf4-ba7a-2136-dabbbb817473@suse.de> (raw)
In-Reply-To: <20190514121213.GA28655@dell5510>


Hi Petr,

On 14.05.19 at 14:12, Petr Vorel wrote:
> Could you, please, share your setup?

The system was installed with IMA and EVM enabled during installation, 
using the following kernel parameters:
"ima_policy=appraise_tcb ima_appraise=fix evm=fix"

The EVM key was generated in the live system before starting the actual 
installation and copied into the installed system later.

See the attached installation notes for an openSUSE system (which should 
also be usable on other distributions).

> ima_policy=appraise_tcb kernel parameter and loading IMA and EVM keys over
> dracut-ima scripts?

Exactly.

> (IMA appraisal and EVM using digital signatures? I guess
> using hashes for IMA appraisal would work as well).

I focused on hashes, as those are more relevant for the overlayfs use 
case I was thinking of.

Ignaz

[-- Attachment #2: IMA_EVM.txt --]

Manual IMA / EVM installation:
* Use a net install image (some of the necessary packages are not available in the DVD image)
* Boot install system with "ima_policy=appraise_tcb ima_appraise=fix evm=fix" (for IMA measurement, IMA appraisal and EVM protection)
* Proceed with the installation until the summary screen, but do not start the installation yet
* Remove "evm=fix" from kernel boot parameters
* Change kernel boot parameter "ima_appraise=fix" to "ima_appraise=appraise_tcb"
* Select package "dracut-ima" (required for early boot EVM support) for installation
* Change to a console window
* mkdir /etc/keys
* /bin/keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
* /bin/keyctl pipe `/bin/keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob
* /bin/keyctl add encrypted evm-key "new user:kmk-user 64" @u
* /bin/keyctl pipe `/bin/keyctl search @u encrypted evm-key` >/etc/keys/evm.blob
* cat <<END >/etc/sysconfig/masterkey
MASTERKEYTYPE="user"
MASTERKEY="/etc/keys/kmk-user.blob"
END
* cat <<END >/etc/sysconfig/evm
EVMKEY="/etc/keys/evm.blob"
END
* mount -t securityfs security /sys/kernel/security
* echo 1 >/sys/kernel/security/evm
* Go back to the installation summary screen and start the installation
* During the installation execute the following commands from the console:
* cp -r /etc/keys /mnt/etc/
* cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
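The notes above leave two things that are easy to get wrong on the installed system: the "fix" modes (ima_appraise=fix, evm=fix) must be gone from the kernel command line, otherwise appraisal and EVM keep repairing mismatches instead of enforcing, and the key blobs under /etc/keys must survive the copy with restrictive permissions. The following post-install check is an added example written for this archive page; it is not part of the original mail or of the dracut-ima/openSUSE tooling. It assumes the paths used in the notes (/etc/keys/kmk-user.blob, /etc/keys/evm.blob, securityfs at /sys/kernel/security) plus /proc/cmdline, and it treats bit 0 of the EVM status file as the "HMAC key loaded" bit, which is what writing 1 to it sets.

```sh
#!/bin/sh
# Post-install sanity check for an IMA/EVM setup done along the lines of the
# notes above. Added example, not from the original mail. Assumed paths:
# /proc/cmdline, /etc/keys/{kmk-user.blob,evm.blob}, /sys/kernel/security/evm.

# Print the "fix"-mode parameters that are still present in a kernel command
# line. Both must be absent on the installed system: fix mode writes missing
# hashes/HMACs instead of rejecting files, so nothing is enforced.
leftover_fix_modes() {
    cmdline="$1"
    found=""
    for word in $cmdline; do
        case "$word" in
            ima_appraise=fix|evm=fix) found="$found $word" ;;
        esac
    done
    printf '%s\n' "${found# }"
}

# Succeed if the EVM status file reports the HMAC key as loaded (bit 0 set).
# The file holds a decimal bitmask; the notes enable EVM by writing 1 to it.
evm_enabled() {
    statefile="$1"
    [ -r "$statefile" ] || return 1
    state=$(cat "$statefile")
    case "$state" in
        ''|*[!0-9]*) return 1 ;;   # unreadable or non-numeric content
    esac
    [ $((state & 1)) -eq 1 ]
}

# Succeed if a key blob exists, is non-empty and is not group/world readable.
# The blobs are only usable with the kernel keyring, but they still should not
# be readable by unprivileged users.
keyblob_ok() {
    blob="$1"
    [ -s "$blob" ] || return 1
    mode=$(stat -c '%a' "$blob" 2>/dev/null) || return 1
    # keep the last two octal digits (group/other) and require them to be 00
    [ "${mode#"${mode%??}"}" = "00" ]
}

# Run all checks against the live system; exit status 1 if anything is off.
audit_ima_evm() {
    rc=0
    left=$(leftover_fix_modes "$(cat /proc/cmdline)")
    if [ -n "$left" ]; then
        echo "WARN: fix mode still active on kernel command line: $left"
        rc=1
    fi
    for f in /etc/keys/kmk-user.blob /etc/keys/evm.blob; do
        if ! keyblob_ok "$f"; then
            echo "WARN: key blob $f missing, empty or too permissive"
            rc=1
        fi
    done
    if ! evm_enabled /sys/kernel/security/evm; then
        echo "WARN: EVM not initialised (is securityfs mounted and evm=1 set?)"
        rc=1
    fi
    return $rc
}

# Only touch the live system when asked to, so the functions can be sourced.
if [ "${1-}" = "--run" ]; then
    audit_ima_evm
    exit $?
fi
```

Run it as `sh ima_evm_check.sh --run` on the installed system after the first boot; the functions take explicit inputs so they can also be pointed at a copied /proc/cmdline or a mounted target tree.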

Thread overview: 19+ messages
2019-04-05 16:52 [PATCH v2 0/3] LTP reproducer on broken IMA on overlayfs Petr Vorel
2019-04-05 16:52 ` [PATCH v2 1/3] ima: Call test's cleanup inside ima_setup.sh cleanup Petr Vorel
2019-04-11  0:59   ` Mimi Zohar
2019-04-11  5:51     ` Petr Vorel
2019-04-11 12:22       ` Mimi Zohar
2019-04-11 20:21         ` Petr Vorel
2019-04-05 16:52 ` [PATCH v2 2/3] shell: Add $TST_DEVICE as default parameter to tst_umount Petr Vorel
2019-04-05 16:52 ` [PATCH v2 3/3] ima: Add overlay test Petr Vorel
2019-05-14 18:42   ` Ignaz Forster
2019-05-15 11:32     ` Petr Vorel
2019-05-14 12:12 ` [PATCH v2 0/3] LTP reproducer on broken IMA on overlayfs Petr Vorel
2019-05-14 19:19   ` Ignaz Forster [this message]
2019-05-15 11:34     ` Petr Vorel
2019-05-15  3:01   ` Mimi Zohar
2019-05-15 12:08     ` Petr Vorel
2019-05-16 22:10       ` Mimi Zohar
2019-05-17  7:50         ` Petr Vorel
2019-05-17 11:00           ` Mimi Zohar
2019-05-17 15:41             ` Petr Vorel
