security - Integrity Measurement Architecture (IMA) & Linux Extended Verification Module (EVM)


I am trying to activate the IMA appraisal and EVM modules.

After compiling Linux kernel 3.10.2 on BT5R3, I set the kernel boot option the first time to this:

GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=fix ima_appraise_tcb evm=fix"

and after running this command to generate the security.ima and security.evm xattrs:

find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -c 1 '{}' \; 

I then set the boot option like this:

GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=enforce ima_appraise_tcb evm=enforce"

I tried to create a digital signature of the xattrs, as recommended in the IMA & EVM tutorial.

Every step has been followed: creating RSA keys, loading them at boot in the initramfs with keyctl.

session keyring
        -3 --alswrv      0 65534  keyring: _uid_ses.0
 977514165 --alswrv      0 65534   \_ keyring: _uid.0
 572301790 --alswrv      0     0       \_ user: kmk-user
 126316032 --alswrv      0     0       \_ encrypted: evm-key
 570886575 --alswrv      0     0       \_ keyring: _ima
 304346597 --alswrv      0     0       \_ keyring: _evm

However, after rebooting the OS, when I try to read a signed/hashed file I get a "permission denied" error, and running dmesg tells me:

[ 5461.175996] type=1800 audit(1375262160.913:57): pid=1756 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="**invalid-hmac**" comm="sh" name="/root/desktop/new.sh" dev="sda1" ino=546526 res=0 

Does anyone have an idea why the HMAC is invalid? The keys are loaded as the tutorial says...

#!/bin/sh -e

prereq=""

# output pre-requisites
prereqs() {
        echo "$prereq"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

grep -q "ima=off" /proc/cmdline && exit 1

mount -n -t securityfs securityfs /sys/kernel/security

ima_policy=/sys/kernel/security/ima/policy
lsm_policy=/etc/ima_policy

grep -v "^#" $lsm_policy >$ima_policy

# import evm hmac key
keyctl show |grep -q kmk || keyctl add user kmk "testing123" @u
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
#keyctl revoke kmk

# import module public key
mod_id=`keyctl newring _module @u`
evmctl import /etc/keys/pubkey_evm.pem $mod_id

# import ima public key
ima_id=`keyctl newring _ima @u`
evmctl import /etc/keys/pubkey_evm.pem $ima_id

# import evm public key
evm_id=`keyctl newring _evm @u`
evmctl import /etc/keys/pubkey_evm.pem $evm_id

# enable evm
echo "1" > /sys/kernel/security/evm

# enable module checking
#echo "1" > /sys/kernel/security/module_check

Thanks for the help.

Solved. The new kernel uses HMAC v2; you have to activate the asymmetric key type when compiling the kernel.

`cat .config` should have these entries:

CONFIG_EVM_HMAC_VERSION=2
CONFIG_ASYMMETRIC_KEY_TYPE=y

Then, when hashing or signing a file, use

evmctl -u - -x --imasig/--imahash $file 

as you should have created asymmetric keys and loaded them into the _evm and _ima keyrings with keyctl in the initramfs.
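Added example, not part of the original post or answer: a small preflight script that checks the two kernel config options from the answer, the i_version/ima_appraise boot parameters and the keyrings from the question, and extracts the cause= field from an IMA appraisal audit record, so the move from fix to enforce mode can be checked before a reboot locks you out. File paths, sample values and function names are assumptions constructed for this example.

```shell
# Added example, not from the original post: preflight checks to run before
# switching ima_appraise / evm from "fix" to "enforce". Inputs are file paths
# (a kernel .config, a copy of /proc/cmdline, a "keyctl show" dump) so the
# checks can be tried on the constructed samples below, off a live system.

# 0 when the kernel .config has both options named in the answer.
check_kernel_config() {
    grep -q '^CONFIG_EVM_HMAC_VERSION=2$' "$1" &&
    grep -q '^CONFIG_ASYMMETRIC_KEY_TYPE=y$' "$1"
}

# 0 when root is mounted with i_version and appraisal is in mode $2 (fix|enforce).
check_cmdline() {
    grep -q 'rootflags=[^ ]*i_version' "$1" &&
    grep -q "ima_appraise=$2" "$1"
}

# 0 when a "keyctl show" dump lists the evm-key and the _ima and _evm keyrings.
check_keyrings() {
    grep -q 'encrypted: evm-key' "$1" &&
    grep -q 'keyring: _ima' "$1" &&
    grep -q 'keyring: _evm' "$1"
}

# Prints the cause= field of an IMA appraisal audit record (type=1800) in dmesg.
audit_cause() {
    sed -n 's/.*type=1800 .*cause="\([^"]*\)".*/\1/p' "$1"
}

# 0 only when every check passes; args: config cmdline keyctl-dump mode
preflight() {
    check_kernel_config "$1" && check_cmdline "$2" "$4" && check_keyrings "$3"
}

# --- constructed samples (hypothetical values modelled on the post) ---
SAMPLES=$(mktemp -d)
printf '%s\n' CONFIG_EVM_HMAC_VERSION=2 CONFIG_ASYMMETRIC_KEY_TYPE=y > "$SAMPLES/config.ok"
printf '%s\n' CONFIG_EVM_HMAC_VERSION=1 > "$SAMPLES/config.old"
echo 'rootflags=i_version ima_tcb ima_appraise=fix ima_appraise_tcb evm=fix' > "$SAMPLES/cmdline"
printf '%s\n' ' 572301790 --alswrv 0 0 \_ user: kmk-user' \
    ' 126316032 --alswrv 0 0 \_ encrypted: evm-key' \
    ' 570886575 --alswrv 0 0 \_ keyring: _ima' \
    ' 304346597 --alswrv 0 0 \_ keyring: _evm' > "$SAMPLES/keyctl.show"
echo '[ 5461.175996] type=1800 audit(1375262160.913:57): pid=1756 uid=0 op="appraise_data" cause="invalid-hmac" comm="sh" name="/root/desktop/new.sh" res=0' > "$SAMPLES/dmesg"

if preflight "$SAMPLES/config.ok" "$SAMPLES/cmdline" "$SAMPLES/keyctl.show" fix; then
    echo "fix-mode preflight passed"
fi
echo "last appraisal failure cause: $(audit_cause "$SAMPLES/dmesg")"
```

On a real system, point the functions at /proc/config.gz (decompressed), /proc/cmdline and the output of `keyctl show` instead of the constructed samples.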

