Dmitry Kasatkin 1d24a94bb5 added uuid support for EVM
The latest version of EVM uses the file system UUID as part of the HMAC
calculation to prevent pasting of inode metadata from other file
systems. This patch adds support for adding the file system UUID
to the HMAC calculation. It is necessary to specify '-u -' or '--uuid -'
on the evmctl command line.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2013-02-11 16:07:30 +02:00

ima-evm-utils - IMA/EVM signing utility
=========================================

Contents:

   1. Key and signature formats
   2. Key generation
   3. Initialization
   4. Signing

Key and signature formats
-------------------------

EVM support (v2) in the latest version of the kernel adds the file system UUID to
the HMAC calculation. This is controlled by CONFIG_EVM_HMAC_VERSION, and
version 2 is enabled by default. To include the UUID in the signature calculation,
it is necessary to pass the '--uuid -' or '-u -' parameter to the 'sign' command.
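The following is an added illustration, not code from ima-evm-utils or the kernel: a simplified model of why mixing the filesystem UUID into the HMAC defeats the "paste inode metadata from another filesystem" case that the v2 format is meant to stop. The key, xattr values, UUIDs, and the packed metadata layout are all constructed for the demo.

```python
import hmac
import hashlib
import struct
import uuid

# Simplified model (added example, not evmctl's or the kernel's code) of an
# HMAC that covers an inode's protected xattrs and metadata, with the
# filesystem UUID mixed in for HMAC version 2.  The field layout is an
# assumption for the demo, not the kernel's real struct.
def evm_hmac(key, xattrs, ino, generation, uid, gid, mode, fs_uuid=None, version=2):
    """Return hex HMAC-SHA1 over protected xattrs + inode metadata (+ UUID in v2)."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in sorted(xattrs):            # protected xattrs in a fixed order
        mac.update(xattrs[name])
    # inode metadata the xattrs are bound to (constructed layout)
    mac.update(struct.pack("<QIIII", ino, generation, uid, gid, mode))
    if version >= 2:
        if fs_uuid is None:
            raise ValueError("HMAC version 2 requires the filesystem UUID ('-u -')")
        mac.update(fs_uuid.bytes)          # what '-u -' / '--uuid -' adds
    return mac.hexdigest()

# Constructed scenario: a file and its xattrs are copied from filesystem A to
# filesystem B such that inode number, generation, owner and mode all match.
KEY = b"evm-key-constructed-for-demo"
XATTRS = {
    "security.ima": b"\x01" + bytes.fromhex("da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    "security.selinux": b"system_u:object_r:bin_t:s0\x00",
}
META = dict(ino=1234, generation=7, uid=0, gid=0, mode=0o100755)
FS_A = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed
FS_B = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")  # constructed

def pasted_metadata_verifies(version):
    """True if a security.evm value computed on FS_A still verifies on FS_B."""
    on_a = evm_hmac(KEY, XATTRS, fs_uuid=FS_A, version=version, **META)
    on_b = evm_hmac(KEY, XATTRS, fs_uuid=FS_B, version=version, **META)
    return hmac.compare_digest(on_a, on_b)

if __name__ == "__main__":
    print("v1 accepts pasted metadata:", pasted_metadata_verifies(1))  # True
    print("v2 accepts pasted metadata:", pasted_metadata_verifies(2))  # False
```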

Key generation
--------------

Generate a private key in plain text (unencrypted PEM) format

    $ openssl genrsa -out privkey_evm.pem 1024

Generate an encrypted private key

    $ openssl genrsa -des3 -out privkey_evm.pem 1024

Make an encrypted private key from an unencrypted one

    $ openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3

Extract the public key

    $ openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem

Copy the public key to /etc/keys (locally and on the target)

    $ cp pubkey_evm.pem /etc/keys
    $ scp pubkey_evm.pem target:/etc/keys


Initialization
--------------

IMA/EVM initialization should normally be done from the initial RAM file system,
before the root filesystem is mounted.

Here is an example script, /etc/initramfs-tools/scripts/local-top/ima.sh:

    # import EVM HMAC key
    keyctl clear @u
    keyctl add user kmk "testing123" @u
    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u

    # import IMA public key
    ima_id=`keyctl newring _ima @u`
    evmctl import /etc/keys/pubkey_evm.pem $ima_id

    # import EVM public key
    evm_id=`keyctl newring _evm @u`
    evmctl import /etc/keys/pubkey_evm.pem $evm_id

    # enable EVM
    echo "1" > /sys/kernel/security/evm


Signing
-------

Signing with the new EVM HMAC format (UUID included) is done by passing the '-u -' or '--uuid -' parameter.

Sign a file with an EVM signature and use a hash value for IMA (the common case)

    $ evmctl sign [-u -] --imahash test.txt

Sign a file with both IMA and EVM signatures (for immutable files)

    $ evmctl sign [-u -] --imasig test.txt

Label the whole filesystem with EVM signatures

    $ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u -] --imahash '{}' \;

Label the filesystem in fix mode: the kernel sets the correct values in the IMA and EVM xattrs

    $ find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;

Description
Integrity Measurement Architecture to know EXACTLY what has been run on your machine. Fork of https://git.code.sf.net/p/linux-ima/ima-evm-utils