ima-evm-utils - IMA/EVM signing utility
=========================================

Contents:


   1. Key and signature formats
   2. Key generation
   3. Initialization
   4. Signing


Key and signature formats
-------------------------

EVM support (v2) in latest version of the kernel adds the file system UUID to
the HMAC calculation. It is controlled by the CONFIG_EVM_HMAC_VERSION and
version 2 is enabled by default. To include the UUID to the signature calculation,
it is necessary to provide '--uuid -' or '-u -' parameter to the 'sign' command.

Key generation
--------------

Generate private key in plain text format

    $ openssl genrsa -out privkey_evm.pem 1024

Generate encrypted private key

    $ openssl genrsa -des3 -out privkey_evm.pem 1024

Make encrypted private key from unencrypted

    $ openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3

Get public key

    $ openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem

Copy keys to /etc/keys

    $ cp pubkey_evm.pem /etc/keys
    $ scp pubkey_evm.pem target:/etc/keys


Initialization
--------------

IMA/EVM initialization should be normally done from initial RAM file system
before mounting root filesystem.

Here is an example script /etc/initramfs-tools/scripts/local-top/ima.sh

    # import EVM HMAC key
    keyctl clear @u
    keyctl add user kmk "testing123" @u
    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u

    # import IMA public key
    ima_id=`keyctl newring _ima @u`
    evmctl import /etc/keys/pubkey_evm.pem $ima_id

    # import EVM public key
    evm_id=`keyctl newring _evm @u`
    evmctl import /etc/keys/pubkey_evm.pem $evm_id

    # enable EVM
    echo "1" > /sys/kernel/security/evm


Signing
-------

Signing for using new the EVM HMAC format is done using '-u -' or '--uuid -' parameter.

Sign file with EVM signature and use hash value for IMA - common case

    $ evmctl sign [-u -] --imahash test.txt

Sign file with both IMA and EVM signatures - for immutable files

    $ evmctl sign [-u -] --imasig test.txt

Label whole filesystem with EVM signatures

    $ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u -] --imahash '{}' \;

Label filesystem in fix mode - kernel sets correct values to IMA and EVM xattrs

    $ find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;