Update README

README updated.
Module signing info has been removed. Module signing is now done in the kernel
source tree and uses appended signatures. There is no need to create sig files or
set extended attributes. Information about test scripts has been removed.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Dmitry Kasatkin 2012-09-10 13:29:39 +03:00
parent a58cd9f4af
commit 5be54eaca4

README

@ -1,52 +1,79 @@
ima-evm-utils - IMA/EVM signing utility
=========================================
1. Generate private key Contents:
# plain key 1. Key generation
openssl genrsa -out privkey_evm.pem 1024 2. Initialization
3. Signing
# encrypted key
openssl genrsa -des3 -out privkey_evm.pem 1024
# set password for the key Key generation
openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3 --------------
or
openssl pkcs8 -topk8 -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem
2. Generate public key Generate private key in plain text format
openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem $ openssl genrsa -out privkey_evm.pem 1024
3. Copy public (+private if to sign on device) key to the device/qemu /etc/keys Generate encrypted private key
scp pubkey_evm.pem mad:/etc/keys $ openssl genrsa -des3 -out privkey_evm.pem 1024
4. Load keys and enable EVM Make encrypted private key from unencrypted
evm_enable.sh $ openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
This should be done at early phase, before mounting root filesystem. Get public key
5. Sign EVM and use hash value for IMA - common case $ openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
evmctl sign --imahash test.txt Copy keys to /etc/keys
6. Sign IMA and EVM - for immutable files and modules $ cp pubkey_evm.pem /etc/keys
$ scp pubkey_evm.pem target:/etc/keys
evmctl sign --imasig test.txt
7. Sign whole filesystem Initialization
--------------
evm_sign_all.sh IMA/EVM initialization should be normally done from initial RAM file system
or before mounting root filesystem.
find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
find /lib/modules ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
# security.ima needs to have signature for modules
find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \;
# generate signatures in .sig files Here is an example script /etc/initramfs-tools/scripts/local-top/ima.sh
find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl -n --sigfile ima_sign '{}' \;
8. Label filesystem in fix mode... # import EVM HMAC key
keyctl clear @u
keyctl add user kmk "testing123" @u
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
ima_fix_dir.sh <dir> # import IMA public key
ima_id=`keyctl newring _ima @u`
evmctl import /etc/keys/pubkey_evm.pem $ima_id
# import EVM public key
evm_id=`keyctl newring _evm @u`
evmctl import /etc/keys/pubkey_evm.pem $evm_id
# enable EVM
echo "1" > /sys/kernel/security/evm
Signing
-------
Sign file with EVM signature and use hash value for IMA - common case
$ evmctl sign --imahash test.txt
Sign file with both IMA and EVM signatures - for immutable files
$ evmctl sign --imasig test.txt
Label whole filesystem with EVM signatures
$ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;
Label filesystem in fix mode - kernel sets correct values to IMA and EVM xattrs
$ find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
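Review bot: The whole-filesystem commands on the new side drop the `-type f -uid 0` filters (and the `ext3` fstype) that the old README's `find` lines carried, so `$ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;` and the fix-mode `$ find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;` will now be invoked on directories, symlinks and device nodes as well as regular files; please restore `-type f` (and, if dropping `-uid 0` is intentional, say so in the text). The initramfs example also seeds the EVM HMAC master key with `keyctl add user kmk "testing123" @u`; one sentence marking that literal as a test-only placeholder that must be replaced by a properly provisioned key would keep it from being copied verbatim into production images.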