[IMA-EVM] When "appraise" applied, kernel cannot start init process.

Kim, Jeong-Hwan frog007.kernel.kr at gmail.com
Sat Dec 18 23:04:10 EST 2021

Hi, everyone

Now I'm testing ima-evm security module to see if it can be applied my 
embedded system board. (not using TPM)

The kernel version is 5.4.91 (based on beaglebone black board).

But, unfortunately I cannot verify the functions of ima-evm correctly.

When I apply "appraise", kernel panic happens.

This is what happened:

(1) I set ima-evm keys as follows :

     # dd if=/dev/urandom bs=1 count=32 status=none | keyctl padd user 
kmk-user @u

     # keyctl link @u @s

     #keyctl pipe `key search @u user kmk-user` > /etc/keys/kmk-user.blob

     #keycl add encrypted evm-key "new user:kmk-user 32" @u

     #keyctl pipe `keyctl search @u encrypted evm-key` > 

     # openssl genrsa -out /etc/keys/rsa_private.pem 1024

     # openssl rsa -pubout -in /etc/keys/rsa_private.pem -out 

(2) I set kernel parameters with *"ima_policy=appraise_tcb 
ima_appraise=fix evm=fix"*

(3) After boot, I loaded the keys lik this:

     # keyctl add user kmk-user "`cat /etc/keys/kmk-user.blob`" @u
     # keyctl link @u @s
     # keyctl add encrypted evm-key "load `cat /etc/keys/evm-user.blob`" @u
     # evmctl import --rsa /etc/keys/rsa_public.pem $(keyctl newring 
_ima @u)
     # evmctl import --rsa /etc/keys/rsa_public.pem $(keyctl newring 
_evm @u)
     # echo 1 > /sys/kernel/security/evm

(4) I created the ima-evm digital signatures :

     # find / -type f -exec evmctl ima_sign --key 
/etc/keys/rsa_private.pem '{}' \;

(5) I changed the kernel parameter as this : *"ima_policy=appraise_tcb 

(6) When the board reboot, it stop because of kernel panic :

*[    3.546536] audit: type=1800 audit(946688023.636:2): pid=1 uid=0 
auid=4294967295 ses=4294967295 subj==unconfined op=appraise_data 
cause=unknown comm="swapper" name="/lib/systemd/systemd" dev="mmcblk0p1" 
ino=5684 res=0*

When the kernel parameter is "ima_policy=tcb ima_appraise=enforce", 
kernel panic does not happen, but after boot, any executable file is not 
blocked although its contents is changed.

Please give me an advice.

Thanks in advance,

J.Hwan Kim

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20211219/cdb2ee82/attachment.html>

More information about the Kernelnewbies mailing list