When IMA and EVM are used for file appraisal then EVM verifies the
signature stored in security.evm. This signature covers file metadata
(uid, gid, mode bits, etc.) as well as the security.ima xattr.
Therefore, it is sufficient that only files' hashes are stored in
security.ima. This also leads to slight performance improvements
since IMA appraisal will then only verify that a file's hash matches
the expected hash stored in security.ima. EVM will ensure that the
signature over all the file metadata and security.ima xattr is
correct. Therefore, give the user control over whether to store file
signatures (--imasig) in ima.security or hashes (--imahash) by
setting the option in IMA_EVM_IMA_XATTR_OPT.
Only test-verify an IMA signature if --imasig is used as the option.
Signed-off-by: Stefan Berger <stef...@linux.ibm.com>
---
meta-integrity/README.md | 1 +
meta-integrity/classes/ima-evm-rootfs.bbclass | 10 ++++++++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 6845c21..79635a0 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -97,6 +97,7 @@ the image, enable image signing in the local.conf like this:
IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
IMA_EVM_EVMCTL_KEY_PASSWORD = "<optional private key password>"
IMA_EVM_PRIVKEY_KEYID_OPT = "<options to use while signing>"
+ IMA_EVM_IMA_XATTR_OPT = "<whether to sign or hash for IMA>"
IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass
b/meta-integrity/classes/ima-evm-rootfs.bbclass
index d50a025..14639cf 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -15,6 +15,10 @@ IMA_EVM_PRIVKEY_KEYID_OPT ?= ""
# Password for the private key
IMA_EVM_EVMCTL_KEY_PASSWORD ?= ""
+# Whether to create IMA signatures (--imasig) or hashes (--imahash).
+# Hashes are sufficient for IMA when EVM uses signatures.
+IMA_EVM_IMA_XATTR_OPT ?= "--imasig"
+
# Public part of certificates (used for both IMA and EVM).
# The default is okay when using the example key directory.
IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
@@ -78,11 +82,13 @@ ima_evm_sign_rootfs () {
export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD}
bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key
${IMA_EVM_PRIVKEY}"
- evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
+ evmctl sign ${IMA_EVM_IMA_XATTR_OPT} ${evmctl_param} --portable -a sha256 \
--key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r
"${IMAGE_ROOTFS}"
# check signing key and signature verification key
- evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}"
"${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+ if [ "${IMA_EVM_IMA_XATTR_OPT}" = "--imasig" ]; then
+ evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}"
"${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+ fi
evmctl verify ${evmctl_param} --key "${IMA_EVM_X509}"
"${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
# Optionally install custom policy for loading by systemd.
--
2.34.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#64734): https://lists.yoctoproject.org/g/yocto/message/64734
Mute This Topic: https://lists.yoctoproject.org/mt/111040602/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
