On Wed, 2015-05-06 at 17:36 +0200, Zbigniew Jasiński wrote:
> > According to the Wiki, one creates privkey_ima.pem but does not copy it to
> > the image (at least in that use case - there's another one about converting
> > a
> > live image where the key gets copied temporarily).
> >
> > http://sourceforge.net/p/linux-ima/wiki/Home/ talks about "Creating
> > trusted and EVM encrypted keys". Is that what's missing in the Tizen Wiki
> > for
> > "evm=fix" to work? If so, will signing files with evmctl use privkey_ima.pem
> > for EVM while "evm=fix" uses some other key?
>
> You're right. It's missing from Tizen's Wiki. I will make changes.
Good to hear that I understood something right ;-} Please ping me when
you are done.
> > That problem aside, should IMA/EVM do any checking on /etc at all according
> > to the policy in the Wiki? The instructions only mention the creation of
> > checksums for /usr /bin /sbin and /lib, but not /etc. Is the policy in
> > /etc/ima/ima_policy perhaps extending the policies activated by
> > "ima_appraise_tcb ima_tcb" instead of replacing it?
> >
>
> Are you sure that this example policy is loaded? You can check it by cat'ing
> policy file.
Good point. It turns out that /sys/kernel/security/ima/policy is empty
unless I boot with ima_tcb or ima_appraise_tcb. So my /etc/ima/policy
does not get loaded - need to check whether it's set up correctly.
But my question still stands: if I get policy loading to work, will that
append or replace the existing policy? If yes, then the Wiki
instructions are a bit misleading, because the "prepare Tizen image" use
case describes how to set up a custom policy and in addition, mentions
"ima_tcb" and "ima_appraise_tcb" as boot parameters although they are
redundant in that case (right?).
Here's another source of confusion for me: how does the ima policy
affect evm? Does it perhaps control ima/evm together for a certain file,
despite the name ("IMA policy")?
Let's ignore the policy loading problem for a second. When I boot with
"i_version ima_appraise=log ima_tcb ima_template_fmt=d-ng|n-ng|status",
I still have the problem that files like /etc/resolv.conf cannot be
created.
In that case I have:
root@qemux86:~# cat /sys/kernel/security/ima/policy
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x1021994
dont_measure fsmagic=0x1cd1
dont_measure fsmagic=0x42494e4d
dont_measure fsmagic=0x73636673
dont_measure fsmagic=0xf97cff8c
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=MODULE_CHECK
measure func=5
measure func=6
root@qemux86:~# cat /sys/kernel/security/ima/ima_state
4
root@qemux86:~# cat /sys/kernel/security/evm
1
root@qemux86:~#
In that state, what is preventing the creation of files in /etc by
root?
Example:
# touch /etc/ld.so.cache~
evm: init_desc failed
touch: /etc/ld.so.cache~: Required key not available
> If it is not loaded I assume that default policy is loaded (ima_tcb
> and ima_appraise_tcb). You can omit this parameters in kernel
> arguments.
I get the same result when booting without ima_tcb and without
ima_appraise_tcb. The policy is completely empty in that case, and still
I get the same error for "touch /etc/ld.so.cache~".
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
