
New IMA kernel patches support appraisal of special files, such as links, device nodes and fifos. This patch adds support for calculating the hash of special files to be set in the security.ima extended attribute.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
1. Generate the private key

   # plain key
   openssl genrsa -out privkey_evm.pem 1024

   # encrypted key
   openssl genrsa -des3 -out privkey_evm.pem 1024

   # set a password on an existing key
   openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
   or
   openssl pkcs8 -topk8 -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem

2. Generate the public key

   openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem

3. Copy the public key (and the private key, if signing on the device) to /etc/keys on the device/qemu

   scp pubkey_evm.pem mad:/etc/keys

4. Load the keys and enable EVM

   evm_enable.sh

   This should be done at an early boot stage, before the root filesystem is mounted.

5. Sign EVM and use the hash value for IMA (common case)

   evmctl sign --imahash test.txt

6. Sign IMA and EVM (for immutable files and modules)

   evmctl sign --imasig test.txt

7. Sign the whole filesystem

   evm_sign_all.sh

   or

   find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
   find /lib/modules ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash '{}' \;

   # security.ima needs to carry a signature for modules
   find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \;

   # generate signatures in .sig files
   find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl -n --sigfile ima_sign '{}' \;

8. Label the filesystem in fix mode

   ima_fix_dir.sh <dir>
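As an added illustration (not code from ima-evm-utils) of what step 5 stores and what appraisal later checks, the following Python models the security.ima value written by `evmctl sign --imahash` and the compare-on-access decision. It assumes the legacy IMA_XATTR_DIGEST layout (type byte 0x01 followed by the SHA-1 digest, SHA-1 being evmctl's default at the time of this README) and covers regular files only, not the special files the commit message concerns.

```python
"""Model of the security.ima hash label and its appraisal (added example).

Assumption: legacy IMA_XATTR_DIGEST layout, i.e. one type byte 0x01 followed
by the raw SHA-1 digest of the file content. Regular files only.
"""
import hashlib
import hmac
import os
import tempfile

IMA_XATTR_DIGEST = 0x01          # kernel enum evm_ima_xattr_type: plain hash
SHA1_LEN = hashlib.sha1().digest_size


def ima_hash_xattr(data: bytes) -> bytes:
    """Return the bytes 'evmctl sign --imahash' stores in security.ima."""
    return bytes([IMA_XATTR_DIGEST]) + hashlib.sha1(data).digest()


def ima_appraise(data: bytes, xattr: bytes) -> str:
    """Recompute the hash and compare it with the stored label.

    Returns 'ok', 'missing', 'malformed' or 'mismatch' so the caller can see
    why a file would be refused instead of only getting a boolean.
    """
    if not xattr:
        return "missing"          # unlabeled: fix mode (ima_fix_dir.sh) would label it
    if xattr[0] != IMA_XATTR_DIGEST or len(xattr) != 1 + SHA1_LEN:
        return "malformed"
    expected = ima_hash_xattr(data)
    # constant-time compare is cheap hygiene even for a non-secret digest
    return "ok" if hmac.compare_digest(expected, xattr) else "mismatch"


def demo() -> dict:
    """Label a constructed file, then tamper with it and appraise again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "test.txt")
        with open(path, "wb") as f:
            f.write(b"hello\n")              # constructed sample content
        with open(path, "rb") as f:
            label = ima_hash_xattr(f.read())  # step 5: evmctl sign --imahash test.txt
        with open(path, "rb") as f:
            before = ima_appraise(f.read(), label)
        with open(path, "ab") as f:
            f.write(b"tampered\n")           # modification after labeling
        with open(path, "rb") as f:
            after = ima_appraise(f.read(), label)
        return {"before": before, "after": after, "label": label.hex()}
```

In the real system the label lives in the security.ima xattr and the kernel performs the comparison on open or exec; here both sides are kept in memory so the logic runs without root or xattr support.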
Description
Integrity Measurement Architecture to know EXACTLY what has been run on your machine. Fork of https://git.code.sf.net/p/linux-ima/ima-evm-utils