File: README

package info (click to toggle)
ima-evm-utils 1.3.2-2.1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 620 kB
  • sloc: ansic: 3,425; sh: 1,096; makefile: 66
file content (446 lines) | stat: -rw-r--r-- 14,204 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
EVMCTL(1)
=========

NAME
----

evmctl - IMA/EVM signing utility


SYNOPSIS
--------

evmctl [options] <command> [OPTIONS]


DESCRIPTION
-----------

The evmctl utility can be used for producing and verifying digital signatures,
which are used by Linux kernel integrity subsystem (IMA/EVM). It can be also
used to import keys into the kernel keyring.

COMMANDS
--------

 --version
 help <command>
 import [--rsa] pubkey keyring
 sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
 verify file
 ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
 ima_sign [--sigfile] [--key key] [--pass password] file
 ima_verify file
 ima_hash file
 ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
 ima_fix [-t fdsxm] path
 sign_hash [--key key] [--pass password]
 hmac [--imahash | --imasig ] file


OPTIONS
-------

  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512
  -s, --imasig       make IMA signature
  -d, --imahash      make IMA hash
  -f, --sigfile      store IMA signature in .sig file instead of xattr
      --xattr-user   store xattrs in user namespace (for testing purposes)
      --rsa          use RSA key type and signing scheme v1
  -k, --key          path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
  -o, --portable     generate portable EVM signatures
  -p, --pass         password for encrypted signing key
  -r, --recursive    recurse into directories (sign)
  -t, --type         file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)
                     x - skip fixing if both ima and evm xattrs exist (use with caution)
                     m - stay on the same filesystem (like 'find -xdev')
  -n                 print result to stdout instead of setting xattr
  -u, --uuid         use custom FS UUID for EVM (unspecified: from FS, empty: do not use)
      --smack        use extra SMACK xattrs for EVM
      --m32          force EVM hmac/signature for 32 bit target system
      --m64          force EVM hmac/signature for 64 bit target system
      --engine e     preload OpenSSL engine e (such as: gost)
      --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
      --ignore-violations ignore ToMToU measurement violations
      --verify-sig   verify the file signature based on the file hash, both
                     stored in the template data.
  -v                 increase verbosity level
  -h, --help         display this help and exit


INTRODUCTION
------------

Linux kernel integrity subsystem is comprised of a number of different components
including the Integrity Measurement Architecture (IMA), Extended Verification Module
(EVM), IMA-appraisal extension, digital signature verification extension and audit
measurement log support.

The evmctl utility is used for producing and verifying digital signatures, which
are used by the Linux kernel integrity subsystem. It is also used for importing keys
into the kernel keyring.

Linux integrity subsystem allows one to use IMA and EVM signatures. EVM signature
protects file metadata, such as file attributes and extended attributes. IMA
signature protects file content.

For more detailed information about integrity subsystem it is recommended to follow
resources in RESOURCES section.


EVM HMAC and signature metadata
-------------------------------

EVM protects file metadata by including following attributes into HMAC and signature
calculation: inode number, inode generation, UID, GID, file mode, security.selinux,
security.SMACK64, security.ima, security.capability.

EVM HMAC and signature in may also include additional file and file system attributes.
Currently supported additional attributes are filesystem UUID and extra SMACK
extended attributes.

Kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether to include
filesystem UUID into HMAC and enabled by default. Therefore evmctl also includes
fsuuid by default. Providing '--uuid' option without parameter allows one to disable
usage of fs uuid. Providing '--uuid=UUID' option with parameter allows one to use
custom UUID. Providing the '--portable' option will disable usage of the fs uuid
and also the inode number and generation.

Kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls whether to
include additional SMACK extended attributes into HMAC. They are following:
security.SMACK64EXEC, security.SMACK64TRANSMUTE and security.SMACK64MMAP.
evmctl '--smack' options enables that.


Key and signature formats
-------------------------

Linux integrity subsystem supports two type of signature and respectively two
key formats.

First key format (v1) is pure RSA key encoded in PEM a format and uses own signature
format. It is now non-default format and requires to provide evmctl '--rsa' option
for signing and importing the key.

Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).


Integrity keyrings
----------------

Integrity subsystem uses dedicated IMA/EVM keyrings to search for signature verification
keys - '_ima' and '_evm' respectively.

Since 3.13 IMA allows one to declare IMA keyring as trusted. It allows only to load keys,
signed by a key from the system keyring (.system). It means self-signed keys are not
allowed. This is a default behavior unless CONFIG_IMA_TRUSTED_KEYRING is undefined.
IMA trusted keyring is has different name '.ima'. Trusted keyring requires X509
public key certificates. Old version RSA public keys are not compatible with trusted
keyring.


Generate EVM encrypted keys
---------------------------

EVM encrypted key is used for EVM HMAC calculation:

    # create and save the key kernel master key (user type)
    # LMK is used to encrypt encrypted keys
    keyctl add user kmk "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
    keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk

    # create the EVM encrypted key
    keyctl add encrypted evm-key "new user:kmk 64" @u
    keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key


Generate EVM trusted keys (TPM based)
-------------------------------------

Trusted EVM keys are keys which a generate with the help of TPM.
They are not related to integrity trusted keys.

    # create and save the key kernel master key (user type)
    keyctl add trusted kmk "new 32" @u
    keyctl pipe `keyctl search @u trusted kmk` >kmk

    # create the EVM trusted key
    keyctl add encrypted evm-key "new trusted:kmk 32" @u
    keyctl pipe `keyctl search @u encrypted evm-key` >evm-key


Generate signing and verification keys
--------------------------------------

Generate private key in plain text format:

    openssl genrsa -out privkey_evm.pem 1024

Generate encrypted private key:

    openssl genrsa -des3 -out privkey_evm.pem 1024

Make encrypted private key from unencrypted:

    openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3

Generate self-signed X509 public key certificate and private key for using kernel
asymmetric keys support:

    openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
    	        -x509 -config x509_evm.genkey \
	        -outform DER -out x509_evm.der -keyout privkey_evm.pem

Configuration file x509_evm.genkey:

	# Beginning of the file
	[ req ]
	default_bits = 1024
	distinguished_name = req_distinguished_name
	prompt = no
	string_mask = utf8only
	x509_extensions = myexts

	[ req_distinguished_name ]
	O = Magrathea
	CN = Glacier signing key
	emailAddress = slartibartfast@magrathea.h2g2

	[ myexts ]
	basicConstraints=critical,CA:FALSE
	keyUsage=digitalSignature
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid
	# EOF


Generate public key for using RSA key format:

    openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem


Copy keys to /etc/keys:

    cp pubkey_evm.pem /etc/keys
    scp pubkey_evm.pem target:/etc/keys
 or
    cp x509_evm.pem /etc/keys
    scp x509_evm.pem target:/etc/keys


Generate trusted keys
---------------------

Generation of trusted keys is a bit more complicated process and involves
following steps:

* Creation of local IMA certification authority (CA).
  It consist of private and public key certificate which are used
  to sign and verify other keys.
* Build Linux kernel with embedded local IMA CA X509 certificate.
  It is used to verify other keys added to the '.ima' trusted keyring
* Generate IMA private signing key and verification public key certificate,
  which is signed using local IMA CA private key.

Configuration file ima-local-ca.genkey:

	# Beginning of the file
	[ req ]
	default_bits = 2048
	distinguished_name = req_distinguished_name
	prompt = no
	string_mask = utf8only
	x509_extensions = v3_ca

	[ req_distinguished_name ]
	O = IMA-CA
	CN = IMA/EVM certificate signing key
	emailAddress = ca@ima-ca

	[ v3_ca ]
	basicConstraints=CA:TRUE
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid:always,issuer
	# keyUsage = cRLSign, keyCertSign
	# EOF

Generate private key and X509 public key certificate:

 openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
             -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv

Produce X509 in DER format for using while building the kernel:

 openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem

Configuration file ima.genkey:

	# Beginning of the file
	[ req ]
	default_bits = 1024
	distinguished_name = req_distinguished_name
	prompt = no
	string_mask = utf8only
	x509_extensions = v3_usr

	[ req_distinguished_name ]
	O = `hostname`
	CN = `whoami` signing key
	emailAddress = `whoami`@`hostname`

	[ v3_usr ]
	basicConstraints=critical,CA:FALSE
	#basicConstraints=CA:FALSE
	keyUsage=digitalSignature
	#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	subjectKeyIdentifier=hash
	authorityKeyIdentifier=keyid
	#authorityKeyIdentifier=keyid,issuer
	# EOF


Generate private key and X509 public key certificate signing request:

 openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
             -out csr_ima.pem -keyout privkey_ima.pem

Sign X509 public key certificate signing request with local IMA CA private key:

 openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
              -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
              -outform DER -out x509_ima.der


Sign file data and metadata
---------------------------

Default key locations:

 Private RSA key: /etc/keys/privkey_evm.pem
 Public RSA key: /etc/keys/pubkey_evm.pem
 X509 certificate: /etc/keys/x509_evm.der

Options to remember: '-k', '-r', '--rsa', '--uuid', '--smack'.

Sign file with EVM signature and calculate hash value for IMA:

    evmctl sign --imahash test.txt

Sign file with both IMA and EVM signatures:

    evmctl sign --imasig test.txt:

Sign file with IMA signature:

    evmctl ima_sign test.txt

Sign recursively whole filesystem:

    evmctl -r sign --imahash /

Fix recursively whole filesystem:

    evmctl -r ima_fix /

Sign filesystem selectively using 'find' command:

    find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;

Fix filesystem selectively using 'find' command:

    find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;


Initialize IMA/EVM at early boot
--------------------------------

IMA/EVM initialization should be normally done from initial RAM file system
before mounting root filesystem.

Here is Ubuntu initramfs example script (/etc/initramfs-tools/scripts/local-top/ima.sh)

    # mount securityfs if not mounted
    SECFS=/sys/kernel/security
    grep -q  $SECFS /proc/mounts || mount -n -t securityfs securityfs $SECFS

    # search for IMA trusted keyring, then for untrusted
    ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
    if [ -z "$ima_id" ]; then
        ima_id=`keyctl search @u keyring _ima 2>/dev/null`
        if [ -z "$ima_id" ]; then
	    ima_id=`keyctl newring _ima @u`
        fi
    fi
    # import IMA X509 certificate
    evmctl import /etc/keys/x509_ima.der $ima_id

    # search for EVM keyring
    evm_id=`keyctl search @u keyring _evm 2>/dev/null`
    if [ -z "$evm_id" ]; then
        evm_id=`keyctl newring _evm @u`
    fi
    # import EVM X509 certificate
    evmctl import /etc/keys/x509_evm.der $evm_id

    # a) import EVM encrypted key
    cat /etc/keys/kmk | keyctl padd user kmk @u
    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
    # OR
    # b) import EVM trusted key
    keyctl add trusted kmk "load `cat /etc/keys/kmk`" @u
    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u

    # enable EVM
    echo "1" > /sys/kernel/security/evm

Optionally it is possible also to forbid adding, removing of new public keys
and certificates into keyrings and revoking keys using 'keyctl setperm' command:

    # protect EVM keyring
    keyctl setperm $evm_id 0x0b0b0000
    # protect IMA keyring
    keyctl setperm $ima_id 0x0b0b0000
    # protecting IMA key from revoking (against DoS)
    ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id`
    keyctl setperm $ima_key 0x0b0b0000


When using plain RSA public keys in PEM format, use 'evmctl import --rsa' for importing keys:

    evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id

Latest version of keyctl allows one to import X509 public key certificates:

    cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id


FILES
-----

Examples of scripts to generate X509 public key certificates:

 /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
 /usr/share/doc/ima-evm-utils/ima-genkey.sh
 /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh


AUTHOR
------

Written by Dmitry Kasatkin, <dmitry.kasatkin at gmail.com> and others.


RESOURCES
---------

 http://sourceforge.net/p/linux-ima/wiki/Home
 http://sourceforge.net/p/linux-ima/ima-evm-utils


COPYING
-------

Copyright \(C) 2012 - 2014 Linux Integrity Project. Free use of this software is granted under
the terms of the GNU General Public License (GPL).