On Mon, 2016-02-22 at 22:29 +0000, David Howells wrote: > Mimi Zohar <zo...@linux.vnet.ibm.com> wrote: > > > > (1) - (3) These are Tadeusz's RSA akcipher conversion. > > > > Up to here, IMA-appraisal works properly. > > I don't have IMA set up anywhere.
I know. With the "vfs: support for a common kernel file loader" patch set, setting up a simple test becomes a lot simpler. With this patch set you can measure and appraise just the kexec image and initramfs, firmware and/or kernel modules. Create two key pairs. Add one to the system keyring.* The other key load on the IMA keyring. (Remember it needs to be signed with the private key of a key on the system keyring.**) To measure and appraise just the kexec initramfs, define a policy containing: measure func=INITRAMFS_CHECK appraise func=INITRAMFS_CHECK appraise_type=imasig To load the IMA policy, write the policy to the securityfs IMA policy file: cat <IMA policy> > /sys/kernel/securityfs/ima/policy. Sign the kexec initramfs using evmctl: evmctl ima_sign -k <privkey.pem> -a sha256 /boot/<initramfs>.img Execute: kexec -s -l /boot/<image> --initrd=/boot/<initramfs>.img --reuse-cmdline Failures to appraise the initramfs are audit logged. The IMA measurement list will contain the initramfs file hash. *There are two or three methods for loading the key onto the system keyring depending on the distro. - builtin - enroll in MoK db (on some distros) - Mehmet's patch (needs to be upstreamed) ** Refer to the ima-evm-utils package README for further details on creating and signing a certificate to be loaded on the IMA keyring. Mimi
