On Thu, 2025-04-24 at 20:29 +0300, Lev Olshvang wrote:
> Hi List,
> 
> I work on a ARM64 ubuntu 22 system, with installed
> ima-evm-utils   1.1-0ubuntu2
> 
> 
> I succeeded in implementing IMA and now I want to add EVM HMAC
> functionality.
> 
> I booted kernel command line   "ima=on ima_appraise=log"
> 
> Then I made the _evm keyring and added the kmk and evm keys:
> EVM_KR=`keyctl newring _evm @u`
> keyctl add user kmk "$(dd if=/dev/urandom bs=1 count=32 2> /dev/null)" @u
> keyctl add encrypted evm-key "new user:kmk 64" $EVM_KR
> keyctl shows
>   711205770 ----s-rv      0     0       \_ keyring: _ima
> 1066122475 --als--v      0     0       |   \_ asymmetric: mra: 
> adm_signing key: 9375cf2445606beba28208741540ad1897d59051
>   315058417 --alswrv      0     0       \_ keyring: _evm
>   685369470 --alswrv      0     0       |   \_ encrypted: evm-key
>    35009219 --alswrv      0     0       \_ user: kmk
> 
> 
> But evmctl hmac command returns error:
> evmctl hmac /etc/init.d/netconsole
> setxattr failed: /etc/init.d/netconsole
> errno: Operation not permitted (1)
> 
> 
> 
> I cloned ima-evmctl and compiled version 1.6.2 for x86_64, same Ubuntu,
> and got the same result:
> sudo /usr/local/bin/evmctl -d hmac --hmackey /etc/keys/plain.txt 
> ../IMA_EVM/DEMO
> hash(sha256): 
> 0404a6cffb233ebd759555c7070d9985961bbd1d3007e7c8d9cba5e9c5c28496c51f
> Reading to /etc/keys/plain.txt
> generation: 3093355876
> no xattr: security.selinux
> no xattr: security.SMACK64
> no xattr: security.apparmor
> name: security.ima, size: 34
> no xattr: security.capability
> uuid: 069df3798ff14641a6e0f1db2b852380
> hmac: 9df5db81cf089c22c4c128070c36827d7983284f
> Setting EVM hmac xattr failed: ../IMA_EVM/DEMO  (errno: Operation not 
> permitted)
> 
> 
> It must be something trivial, please help

Correct, the EVM HMAC cannot be written directly; only the EVM portable signature
can be written directly.  EVM verifies the existing security.evm before allowing
it to be updated.  In EVM "fix" mode the existing EVM verification status is
ignored.

To label the filesystem, boot with the "evm=fix" boot command line option and,
after loading the EVM HMAC key (trusted key), walk the filesystem, opening each
file.  This will calculate and write out the EVM HMAC.  Refer to the ima-evm-utils
README.

Mimi

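The labelling procedure Mimi describes, as an added example that is not part of the thread and not code from ima-evm-utils: a POSIX shell script that checks the two preconditions (evm=fix on the kernel command line, and the HMAC key loaded as reported by /sys/kernel/security/evm), then walks a tree reading the first byte of every regular file so the kernel itself computes and writes security.evm, and finally counts files that still lack the xattr. The function names are mine; getfattr from the attr package is assumed for the post-check, and the IMA appraise policy is assumed to cover the files being walked.

```shell
#!/bin/sh
# Added example, not code from the thread or from ima-evm-utils: label a
# directory tree with EVM HMACs by walking it in "evm=fix" mode, so the kernel
# computes and writes security.evm itself (evmctl hmac cannot write it directly).
# Assumptions: the encrypted "evm-key" is already loaded on the _evm keyring,
# the kernel was booted with "evm=fix", an IMA appraise policy covers the files,
# and getfattr (attr package) is installed for the post-check.

# $1: the kernel command line (e.g. "$(cat /proc/cmdline)"). Succeeds if it
# carries evm=fix, the mode in which a missing or failing security.evm is
# rewritten instead of rejected.
evm_fix_enabled() {
    case " $1 " in
        *" evm=fix "*) return 0 ;;
        *)             return 1 ;;
    esac
}

# $1: the value read from /sys/kernel/security/evm. Bit 0 (EVM_INIT_HMAC) is
# set once the HMAC key has been loaded; without it fix mode has no key to
# compute an HMAC with.
evm_hmac_key_loaded() {
    [ $(( $1 & 1 )) -ne 0 ]
}

# $1: directory to label. Reads the first byte of every regular file on that
# filesystem (-xdev), which opens it for read and lets the kernel write
# security.evm in fix mode. Prints the number of files visited.
open_all_files() {
    find "$1" -xdev -type f -exec sh -c '
        for f in "$@"; do
            head -c 1 "$f" >/dev/null 2>&1 || echo "open failed: $f" >&2
        done' _ {} +
    find "$1" -xdev -type f | wc -l | tr -d ' '
}

# $1: directory to audit after labelling. Prints how many regular files still
# lack security.evm; 0 means the walk labelled everything it visited.
count_unlabeled() {
    find "$1" -xdev -type f -exec sh -c '
        for f in "$@"; do
            getfattr -n security.evm --absolute-names "$f" >/dev/null 2>&1 || echo "$f"
        done' _ {} + | wc -l | tr -d ' '
}

# Usage from a root shell on the system being labelled (kept as comments so the
# functions above can be sourced on any machine):
#   evm_fix_enabled "$(cat /proc/cmdline)" || { echo "boot with evm=fix" >&2; exit 1; }
#   evm_hmac_key_loaded "$(cat /sys/kernel/security/evm)" || { echo "load evm-key first" >&2; exit 1; }
#   open_all_files /etc
#   count_unlabeled /etc
```

The two precondition checks exist because both failure modes look identical from user space: an EPERM on security.evm. Without evm=fix the kernel refuses to replace an xattr it cannot verify, and without the HMAC key loaded there is nothing to compute one with, so the walk would visit every file and label none. Checking count_unlabeled after the walk confirms the kernel actually wrote the xattrs rather than silently skipping files outside the appraise policy.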