179664d7e9
To enable module signature verification to work on file systems without extended attributes, or to be able to copy modules by methods which do not support extended attribute copying, it is necessary to store the signature in a file. This patch provides a command line parameter for storing the signature in a .sig file.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
53 lines
1.4 KiB
Plaintext
1. Generate private key

# plain key
openssl genrsa -out privkey_evm.pem 1024

# encrypted key
openssl genrsa -des3 -out privkey_evm.pem 1024

# set password for the key
openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
or
openssl pkcs8 -topk8 -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem

2. Generate public key

openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem

3. Copy the public key (and the private key too, if signing on the device) to /etc/keys on the device/qemu

scp pubkey_evm.pem mad:/etc/keys

4. Load keys and enable EVM

evm_enable.sh

This should be done at an early phase, before mounting the root filesystem.

5. Sign EVM and use hash value for IMA - common case

evmctl sign --imahash test.txt

6. Sign IMA and EVM - for immutable files and modules

evmctl sign --imasig test.txt

7. Sign whole filesystem

evm_sign_all.sh
or
find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
find /lib/modules ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
# security.ima needs to have signature for modules
find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \;

# generate signatures in .sig files
find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl -n --sigfile ima_sign '{}' \;

8. Label filesystem in fix mode...

ima_fix_dir.sh <dir>
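The steps above generate an RSA key pair with openssl and, in step 7, write module signatures into .sig files next to the modules instead of into the security.ima extended attribute. The script below is an added example that is not part of ima-evm-utils or of this commit: it walks the same key-generation steps with plain openssl, produces a detached signature in a .sig file for a constructed file, verifies it with the public key only, and confirms that verification fails once the file is modified. It assumes only the openssl command line tool; the file names, the working directory, the 2048-bit key size and the SHA-256 digest are this example's own choices, and the signature format is openssl's raw RSA signature, not the evmctl signature format.

```shell
#!/bin/sh
# Added example (not ima-evm-utils code): detached .sig signing and
# verification with plain openssl. File names and key size are
# hypothetical choices made for this demo.
set -eu

# Scratch directory for keys and the signed file (constructed, removed at the end).
WORK="${TMPDIR:-/tmp}/sigfile-demo.$$"

# Generate the private key and derive the public key (README steps 1 and 2).
gen_keys() {
    mkdir -p "$WORK"
    openssl genrsa -out "$WORK/privkey_evm.pem" 2048 2>/dev/null
    openssl rsa -pubout -in "$WORK/privkey_evm.pem" -out "$WORK/pubkey_evm.pem" 2>/dev/null
}

# Write a detached SHA-256/RSA signature of file $1 into "$1.sig",
# the "signature beside the file" layout the commit message describes.
sign_to_sigfile() {
    openssl dgst -sha256 -sign "$WORK/privkey_evm.pem" -out "$1.sig" "$1"
}

# Verify file $1 against "$1.sig" using only the public key.
# Returns 0 when the signature matches, non-zero otherwise.
verify_sigfile() {
    openssl dgst -sha256 -verify "$WORK/pubkey_evm.pem" \
        -signature "$1.sig" "$1" >/dev/null 2>&1
}

# End-to-end check: sign a constructed "module", verify it, then modify the
# file and confirm the stored signature no longer verifies.
demo() {
    gen_keys
    printf 'constructed module contents\n' > "$WORK/test.ko"
    sign_to_sigfile "$WORK/test.ko"
    verify_sigfile "$WORK/test.ko" || return 1       # untouched file must verify
    printf 'x' >> "$WORK/test.ko"                     # simulated modification
    if verify_sigfile "$WORK/test.ko"; then return 1; fi  # modified file must not
    rm -rf "$WORK"
    return 0
}

demo && echo "detached .sig signature verified; modification detected"
```

The verification step mirrors what a kernel with the commit's .sig support has to do on a file system without xattrs: read the signature from the side file rather than from security.ima, and reject the module when the file contents no longer match it.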