linux-kernel.vger.kernel.org archive mirror
* [linux-ima-user]Systemd cgroups freezes after activating EVM
@ 2020-08-14  8:13 Vranceanu, Vladut
  0 siblings, 0 replies; only message in thread
From: Vranceanu, Vladut @ 2020-08-14  8:13 UTC (permalink / raw)
  To: linux-integrity; +Cc: linux-kernel

Hello,

I have some questions regarding system freezing at boot after activating EVM. I receive this error message:

      systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/system: No such file of device.
      [!!!!!] Failed to mount API filesystems, freezing.

I am using Linux kernel 4.19.78 and system v2.34. My aim is to activate IMA/EVM with EVM in mode 0x80000006, as per https://www.kernel.org/doc/Documentation/ABI/testing/evm. I have a script running from an initramfs, which does the IMA/EVM setup like the following:

       # expose the IMA/EVM interfaces under /sys/kernel/security
       mount -n -t securityfs securityfs /sys/kernel/security

       # load the IMA policy line by line, echoing each rule to stderr for the console log
       (set -e; while read i; do echo $i >&2; echo $i; done) </etc/keys/policy >/sys/kernel/security/ima/policy

       # look up the .ima keyring id in /proc/keys and import the signing certificate into it
       ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
       evmctl import /etc/keys/x509_ima_1.der $ima_id

       # same for the .evm keyring
       evm_id="`awk '/\.evm/ { printf "%d", "0x"$1; }' /proc/keys`"
       evmctl import /etc/keys/x509_ima_1.der $evm_id

       # load the kernel master key (kmk) and the encrypted EVM key into the user keyring
       cat /etc/keys/kmk | keyctl padd user kmk @u
       keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u

       # enable EVM: -2147483642 is 0x80000006 written as a signed 32-bit decimal
       echo -2147483642 > /sys/kernel/security/evm

where the policy is:

     dont_appraise fsmagic=0x9fa0
     dont_appraise fsmagic=0x62656572
     dont_appraise fsmagic=0x64626720
     dont_appraise fsmagic=0x01021994
     dont_appraise fsmagic=0x858458f6
     dont_appraise fsmagic=0x1cd1
     dont_appraise fsmagic=0x42494e4d
     dont_appraise fsmagic=0x73636673
     dont_appraise fsmagic=0xf97cff8c

This would be a dummy policy, with which I could still reproduce the issue.

Kernel command line parameters are:

                  bootargs = "console=ttyS0,921600n1 \
                debugshell=1 printk.disable_uart=0 rootwait mem=1024m \
                loglevel=8 earlycon=uart8250,mmio32,0x11002000 rootfstype=ext4 ima_appraise=log evm=fix cgroup_no_v1=all quiet ";

where ima_appraise=log evm=fix should ensure that the boot freeze does not occur because of missing signatures, and cgroup_no_v1=all is one of my attempts at solving the issue (not needed).

The problem occurs specifically only when running this instruction "echo -2147483642 > /sys/kernel/security/evm", of activating EVM. The same setup goes through boot fine when leaving that out. Moreover, when doing the instruction in user-space, that also works (though I get some EVM-related kernel messages which, at this point, I'm not sure whether they are normal or not).

I would much appreciate any lead to what I could be doing wrong, as it is difficult for me to trace the problem both for my lack of expertise and the way the image is formed. I am not subscribed to this mailing list, as advised by the FAQ, so please reply to my email individually as well, if you do.

Thank you,
Vlad

P.S.: I already messaged the systemd community and the answer was:

systemd is just the messenger here. It tries to mount cgroupfs and that's denied due to some permission problem. We don't know IMA/EVM here. Please contact the IMA community instead, they might be able to tell you why the kernel would refuse cgroupfs mounts.

cgroupfs is required to be mountable for systemd to work. There's no way around that.
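Two things a reader debugging a report like this usually wants to check are easy to script: which pseudo-filesystems the posted dont_appraise rules actually exempt from appraisal, and what the value written to /sys/kernel/security/evm means. The script below is an added example by the editor, not code from the poster; it parses the dummy policy quoted in the mail (embedded here as sample input), names each fsmagic value using the constants from include/uapi/linux/magic.h, and decodes the EVM status bits as documented in Documentation/ABI/testing/evm (bit 0 HMAC, bit 1 X509, bit 2 allow metadata writes, bit 31 setup complete). Treating the cgroup and cgroup2 magic numbers as the ones worth checking is the editor's assumption, since the failure is a cgroupfs mount; the mail itself does not diagnose the cause.

```python
import struct

# Filesystem magic numbers from include/uapi/linux/magic.h (kernel names).
FS_MAGIC_NAMES = {
    0x9fa0: "PROC_SUPER_MAGIC",
    0x62656572: "SYSFS_MAGIC",
    0x64626720: "DEBUGFS_MAGIC",
    0x01021994: "TMPFS_MAGIC",
    0x858458f6: "RAMFS_MAGIC",
    0x1cd1: "DEVPTS_SUPER_MAGIC",
    0x42494e4d: "BINFMTFS_MAGIC",
    0x73636673: "SECURITYFS_MAGIC",
    0xf97cff8c: "SELINUX_MAGIC",
    0x27e0eb: "CGROUP_SUPER_MAGIC",
    0x63677270: "CGROUP2_SUPER_MAGIC",
}

# Bits of /sys/kernel/security/evm, per Documentation/ABI/testing/evm.
EVM_FLAG_BITS = {
    0: "EVM_INIT_HMAC",
    1: "EVM_INIT_X509",
    2: "EVM_ALLOW_METADATA_WRITES",
    31: "EVM_SETUP_COMPLETE",
}

# Sample input: the dummy policy quoted in the mail, copied verbatim.
SAMPLE_POLICY = """\
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x42494e4d
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
"""


def parse_policy(text):
    """Parse IMA policy lines into (action, {condition: value}) tuples.

    Blank lines and '#' comments are skipped; each 'key=value' token becomes
    one condition, and a bare token (e.g. a flag) maps to an empty string.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, *tokens = line.split()
        conds = {}
        for tok in tokens:
            key, sep, value = tok.partition("=")
            conds[key] = value if sep else ""
        rules.append((action, conds))
    return rules


def exempt_fsmagic(rules):
    """Magic numbers that a dont_appraise rule excludes from appraisal."""
    return {int(c["fsmagic"], 0)
            for a, c in rules if a == "dont_appraise" and "fsmagic" in c}


def unexempted(rules, magics):
    """Names of the given magic numbers that no dont_appraise rule covers."""
    have = exempt_fsmagic(rules)
    return [FS_MAGIC_NAMES.get(m, hex(m)) for m in magics if m not in have]


def evm_sysfs_value(mask):
    """Reinterpret a 32-bit flag mask as the signed decimal a %d parser accepts."""
    return struct.unpack("<i", struct.pack("<I", mask & 0xffffffff))[0]


def decode_evm_flags(value):
    """Names of the flag bits set in an EVM status value (signed or unsigned)."""
    mask = value & 0xffffffff
    return [name for bit, name in sorted(EVM_FLAG_BITS.items()) if mask & (1 << bit)]


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    print("exempt:", [FS_MAGIC_NAMES.get(m, hex(m)) for m in sorted(exempt_fsmagic(rules))])
    # Editor's assumption: cgroupfs is the filesystem whose mount fails, so check it.
    print("not exempt:", unexempted(rules, [0x27e0eb, 0x63677270]))
    print("0x80000006 as signed decimal:", evm_sysfs_value(0x80000006))
    print("flags in -2147483642:", decode_evm_flags(-2147483642))
```

Run it as-is and it reports the exempted filesystems by name, lists which of the two cgroup magic numbers the dummy policy leaves out, confirms that -2147483642 is the signed-decimal spelling of 0x80000006, and shows that value sets EVM_INIT_X509, EVM_ALLOW_METADATA_WRITES and EVM_SETUP_COMPLETE. The same parser can be pointed at a real policy file to compare against the filesystems a given init system mounts.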


