ima-evm-utils - IMA/EVM signing utility
=========================================
1. Key and signature formats

Key and signature formats
-------------------------
EVM support (v2) in the latest kernel versions adds the file system UUID to the
HMAC calculation. It is controlled by CONFIG_EVM_HMAC_VERSION, and version 2 is
enabled by default. To include the UUID in the signature calculation, pass the
'--uuid -' or '-u -' parameter to the 'sign' command.
Recent kernels have IMA/EVM support for X509 certificates and the asymmetric key
subsystem for verifying digital signatures. The new command line parameter
'-x' or '--x509' was added to evmctl to enable the use of X509 certificates
and the new signature format.
Generate private key in plain text format

$ openssl genrsa -out privkey_evm.pem 1024

Generate encrypted private key

$ openssl genrsa -des3 -out privkey_evm.pem 1024

Make encrypted private key from unencrypted

$ openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3

Generate self-signed X509 certificate and private key for using kernel asymmetric

$ openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
      -x509 -config x509_evm.genkey \
      -outform DER -out x509_evm.der -keyout privkey_evm.pem

Configuration file x509_evm.genkey:
# Beginning of the file
[ req ]
distinguished_name = req_distinguished_name
# prompt = no: take the DN values below as-is (required for '-batch')
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Glacier signing key
emailAddress = slartibartfast@magrathea.h2g2

# extensions referenced by x509_extensions above
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
# End of the file
$ openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem

Copy keys to /etc/keys

$ cp pubkey_evm.pem /etc/keys
$ scp pubkey_evm.pem target:/etc/keys

$ cp x509_evm.pem /etc/keys
$ scp x509_evm.pem target:/etc/keys
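The key generation steps above, put together as one script. This is an added example and not code from ima-evm-utils: it writes a copy of the x509_evm.genkey configuration (with the '[ req ]' and '[ myexts ]' section headers and 'prompt = no'), generates the private key and self-signed DER certificate into a directory of the caller's choice such as /etc/keys, derives the PEM public key that 'evmctl import' loads, and then checks that the certificate really carries that public key. It assumes openssl is on PATH and uses sha256 and 2048-bit keys in place of the sha1/1024 values shown above; the function names (gen_evm_keys, cert_subject, cert_key_matches) are the example's own.

```shell
#!/bin/sh
# Added example, not part of ima-evm-utils: generate the EVM signing key pair and
# a self-signed DER certificate from the x509_evm.genkey configuration, then confirm
# that the certificate embeds the public key that will be imported into the kernel.
# Assumptions: openssl on PATH; README file names (privkey_evm.pem, pubkey_evm.pem,
# x509_evm.der); sha256 and 2048-bit keys instead of the README's sha1/1024.
set -eu

# write_genkey_config FILE: constructed copy of the genkey configuration,
# including the [ req ] / [ myexts ] section headers and prompt = no.
write_genkey_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
CN = Glacier signing key
emailAddress = slartibartfast@magrathea.h2g2

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
}

# gen_evm_keys DIR: create privkey_evm.pem, pubkey_evm.pem and x509_evm.der in DIR.
gen_evm_keys() {
    dir=$1
    mkdir -p "$dir"
    write_genkey_config "$dir/x509_evm.genkey"
    # -nodes: the private key is stored unencrypted so signing needs no passphrase
    openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \
        -x509 -config "$dir/x509_evm.genkey" \
        -outform DER -out "$dir/x509_evm.der" -keyout "$dir/privkey_evm.pem" 2>/dev/null
    # the PEM public key is what 'evmctl import' loads into the _ima and _evm keyrings
    openssl rsa -pubout -in "$dir/privkey_evm.pem" -out "$dir/pubkey_evm.pem" 2>/dev/null
    # only root may read the private key: whoever holds it can sign arbitrary files
    chmod 0600 "$dir/privkey_evm.pem"
}

# cert_subject DIR: print the certificate subject (the DN from the genkey file).
cert_subject() {
    openssl x509 -inform DER -in "$1/x509_evm.der" -noout -subject
}

# cert_key_matches DIR: succeed only if the public key embedded in x509_evm.der
# is byte-for-byte the pubkey_evm.pem that the initramfs script will import.
cert_key_matches() {
    openssl x509 -inform DER -in "$1/x509_evm.der" -noout -pubkey \
        | cmp -s - "$1/pubkey_evm.pem"
}

# Usage: sh gen_evm_keys.sh /etc/keys   (as root; without an argument nothing runs)
if [ -n "${1:-}" ]; then
    gen_evm_keys "$1"
    cert_subject "$1"
fi
```

The check in cert_key_matches matters when keys are regenerated: a stale pubkey_evm.pem copied to the target alongside a fresh x509_evm.der leaves the kernel verifying against a key that signed nothing.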
IMA/EVM initialization should normally be done from the initial RAM file system,
before mounting the root filesystem.

Here is an example script /etc/initramfs-tools/scripts/local-top/ima.sh
#!/bin/sh

# load the EVM key: 'kmk' is the kernel master key that unwraps the encrypted
# EVM key stored in /etc/keys/evm-key ("testing123" is the example value)
keyctl add user kmk "testing123" @u
keyctl add encrypted evm-key "load $(cat /etc/keys/evm-key)" @u

# import IMA public key
ima_id=$(keyctl newring _ima @u)
evmctl import /etc/keys/pubkey_evm.pem "$ima_id"

# import EVM public key
evm_id=$(keyctl newring _evm @u)
evmctl import /etc/keys/pubkey_evm.pem "$evm_id"

# enable EVM (securityfs must be mounted at /sys/kernel/security)
echo "1" > /sys/kernel/security/evm
Import X509 certificate into the kernel keyring (since kernel 3.9?)

$ evmctl -x import /etc/keys/x509_evm.der `keyctl search @u keyring _ima`
$ evmctl -x import /etc/keys/x509_evm.der `keyctl search @u keyring _evm`
Default public key: /etc/keys/pubkey_evm.pem
Default private key: /etc/keys/privkey_evm.pem
Default X509 certificate: /etc/keys/x509_evm.der

Signing with X509 certificates is done using the '-x' or '--x509' parameter.
Signing with the new EVM HMAC format is done using the '-u -' or '--uuid -' parameter.

Sign file with EVM signature and use hash value for IMA - common case

$ evmctl sign [-u -] [-x] --imahash test.txt

Sign file with both IMA and EVM signatures - for immutable files

$ evmctl sign [-u -] [-x] --imasig test.txt

Sign file with IMA signature - for immutable files

$ evmctl ima_sign [-x] test.txt

Label whole filesystem with EVM signatures

$ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u -] [-x] --imahash '{}' \;

Label filesystem in fix mode - kernel sets correct values to IMA and EVM xattrs

$ find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
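The two labelling loops above, wrapped into a small script. This is an added example and not code from ima-evm-utils: label_tree walks one filesystem tree without crossing mount points, signs only regular files, uses '--imasig' for files the caller lists as immutable and '--imahash' for everything else, and with DRY_RUN=1 prints the evmctl commands instead of running them so the selection can be reviewed before any xattr is written; fix_tree is the fix-mode pass, which only has to open each file for reading. It assumes evmctl is on PATH when DRY_RUN is unset, that EVM_OPTS (default '-u - -x') matches the kernel's HMAC version and key type, and that file names contain no newlines; the function names and the immutable-list file are the example's own.

```shell
#!/bin/sh
# Added example, not part of ima-evm-utils: wrapper for the 'find ... -exec evmctl sign'
# labelling loop. Assumptions: evmctl on PATH unless DRY_RUN=1; EVM_OPTS matches the
# kernel (HMAC v2 with UUID, X509 signatures); file names contain no newlines.
set -eu

EVM_OPTS=${EVM_OPTS:-"-u - -x"}   # '-u -': HMAC v2 with fs UUID, '-x': X509 signature format
DRY_RUN=${DRY_RUN:-0}

# is_immutable FILE LISTFILE: succeed if FILE is listed (one path per line) in LISTFILE.
is_immutable() {
    [ -n "$2" ] && grep -qxF -- "$1" "$2"
}

# sign_one FILE LISTFILE: print (dry run) or execute the evmctl command for one file.
sign_one() {
    if is_immutable "$1" "$2"; then
        mode=--imasig     # content signed: any later change to the file is detected
    else
        mode=--imahash    # content hashed: file may be updated, metadata still EVM-protected
    fi
    if [ "$DRY_RUN" = 1 ]; then
        printf 'evmctl sign %s %s %s\n' "$EVM_OPTS" "$mode" "$1"
    else
        # EVM_OPTS is deliberately unquoted so it splits into separate options
        evmctl sign $EVM_OPTS "$mode" "$1"
    fi
}

# label_tree ROOT [LISTFILE]: sign every regular file below ROOT on the same filesystem.
# Symlinks and device nodes are skipped: they carry no content to hash or sign.
label_tree() {
    find "$1" -xdev -type f -print | while IFS= read -r f; do
        sign_one "$f" "${2:-}"
    done
}

# fix_tree ROOT: fix-mode pass. With IMA/EVM in fix mode the kernel writes the
# correct xattrs on access, so opening each file for reading is all that is needed.
fix_tree() {
    find "$1" -xdev -type f -exec sh -c '< "$1"' sh '{}' \;
}
```

Running with DRY_RUN=1 first and diffing the printed command list against the expected set of immutable files catches a wrong or stale list before a mutable file is locked down with '--imasig'.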