# IMA + EVM testing

## IMA tests

Mandatory kernel configuration for IMA:
```
CONFIG_INTEGRITY=y
CONFIG_IMA=y
```

### IMA measurement tests
`ima_measurements.sh` requires the builtin IMA tcb policy to be loaded
(`ima_policy=tcb` kernel parameter).
Although a custom policy, loaded via dracut, systemd or manually from user
space, may contain equivalent tcb measurement rules, detecting them would
require `CONFIG_IMA_READ_POLICY=y`, so this option is ignored.

### IMA key test
The measuring keys test (first test) in `ima_keys.sh` requires a readable IMA
policy, as well as a loaded measure policy with `func=KEY_CHECK keyrings=...`.

The certificate import test (second test) requires a measure policy with
`func=KEY_CHECK keyrings=key_import_test`.

For an example of a valid policy for both tests on all supported kernels see `keycheck.policy`.

If the IMA key tests are executed on kernel v5.6 through v5.10, the
`ima-buf` template must be specified in the IMA policy rule for
key measurement, e.g.:
```
measure func=KEY_CHECK keyrings=key_import_test template=ima-buf
```

When executing on kernel v5.11 or later, `template=ima-buf` is optional in the IMA
policy rule for key measurement, e.g.:
```
measure func=KEY_CHECK keyrings=key_import_test
```

In addition to what is required for the IMA tests, the key tests require that
reading the IMA policy is allowed in the kernel configuration:
```
CONFIG_IMA_READ_POLICY=y
```
45
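As an added example (not part of the test suite), the following POSIX shell script checks the prerequisites described above for the measurement and key tests: that `ima_policy=` on the kernel command line selects the needed builtin policy, and that the loaded policy carries a `measure func=KEY_CHECK` rule covering the test keyring, with `template=ima-buf` where the running kernel version requires it. It assumes `/proc/cmdline` and `/sys/kernel/security/ima/policy` have been copied to files; the function names are my own.

```shell
# Added example, not the test suite's own code: preflight checks for the IMA tests.
# CMDLINE_FILE is a copy of /proc/cmdline and POLICY_FILE a copy of the loaded
# policy (/sys/kernel/security/ima/policy); both are read from files so the
# demo at the end can run on constructed data.

# ima_policy_has CMDLINE_FILE NAME -> 0 if NAME is one of the builtin policies
# selected by ima_policy= (several may be joined with '|', e.g. tcb|appraise_tcb).
ima_policy_has() {
    value=$(tr ' ' '\n' < "$1" | sed -n 's/^ima_policy=//p' | head -n 1)
    [ -n "$value" ] && echo "$value" | tr '|' '\n' | grep -qxF -- "$2"
}

# field RULE NAME -> prints the value of "NAME=..." within one policy rule, if any.
field() {
    echo "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# keycheck_rule_ok POLICY_FILE KEYRING KERNEL_VERSION -> 0 if the policy has a
# "measure func=KEY_CHECK" rule covering KEYRING and, on v5.6 through v5.10,
# that rule also carries template=ima-buf (optional from v5.11 on).
keycheck_rule_ok() {
    policy=$1 keyring=$2 version=$3
    major=${version%%.*} rest=${version#*.}
    minor=${rest%%.*} need_buf=0
    [ "$major" -eq 5 ] && [ "$minor" -ge 6 ] && [ "$minor" -le 10 ] && need_buf=1
    while IFS= read -r rule; do
        case "$rule" in "measure "*) ;; *) continue ;; esac
        [ "$(field "$rule" func)" = KEY_CHECK ] || continue
        # keyrings= is '|'-separated too; a rule without it applies to all keyrings
        rings=$(field "$rule" keyrings)
        if [ -n "$rings" ]; then
            echo "$rings" | tr '|' '\n' | grep -qxF -- "$keyring" || continue
        fi
        [ "$need_buf" -eq 0 ] || [ "$(field "$rule" template)" = ima-buf ] || continue
        return 0
    done < "$policy"
    return 1
}

# demo: run both checks over constructed inputs (not taken from a real system).
demo() {
    dir=$(mktemp -d)
    printf 'BOOT_IMAGE=/vmlinuz ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix\n' > "$dir/cmdline"
    printf 'measure func=KEY_CHECK keyrings=.ima|key_import_test\n' > "$dir/policy"
    ima_policy_has "$dir/cmdline" tcb && echo "ima_policy=tcb selected"
    keycheck_rule_ok "$dir/policy" key_import_test 5.8.0 || echo "v5.8: template=ima-buf missing"
    keycheck_rule_ok "$dir/policy" key_import_test 5.11.0 && echo "v5.11: KEY_CHECK rule ok"
    rm -rf "$dir"
}
demo
```

On a live system, call `keycheck_rule_ok /sys/kernel/security/ima/policy key_import_test "$(uname -r)"` as root (reading the policy needs `CONFIG_IMA_READ_POLICY=y`).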
### IMA kexec test

`ima_kexec.sh` requires a loaded policy which contains `measure func=KEXEC_CMDLINE`;
see the example in `kexec.policy`.

The test attempts to kexec the currently running kernel image.
To kexec a different kernel image, export `IMA_KEXEC_IMAGE=<pathname>`.

### IMA SELinux test

To enable IMA to measure the SELinux state and policy, `ima_selinux.sh`
requires a readable IMA policy, as well as a loaded measure policy with
`measure func=CRITICAL_DATA label=selinux`;
see the example in `selinux.policy`.

In addition to what is required for the IMA tests, the SELinux tests require SELinux enabled
and reading the IMA policy allowed in the kernel configuration:
```
CONFIG_SECURITY_SELINUX=y
CONFIG_IMA_READ_POLICY=y
```

## EVM tests

`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. the `ima_policy=appraise_tcb`
kernel parameter), which appraises the integrity of all files owned by root, and an EVM setup.
Again, for simplicity, the possibility of loading the required rules via a custom policy is ignored.

Mandatory kernel configuration for EVM tests:
```
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_IMA=y
CONFIG_IMA_APPRAISE=y
CONFIG_EVM=y
CONFIG_KEYS=y
CONFIG_TRUSTED_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
```

Example of preparing the environment for EVM on openSUSE:

* Boot the installation system with the `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters
  (for IMA measurement, IMA appraisal and EVM protection)
* Proceed with the installation until the summary screen, but do not start the installation yet
* Select the package `dracut-ima` (required for early boot EVM support) for installation
  (Debian based distros already contain IMA + EVM support in the `dracut` package)
* Change to a console window and run the following commands to generate the keys required by EVM:
```
# mkdir /etc/keys
# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
# keyctl pipe "$evm_key" >/etc/keys/evm.blob
# cat <<END >/etc/sysconfig/masterkey
MASTERKEYTYPE="user"
MASTERKEY="/etc/keys/kmk-user.blob"
END
# cat <<END >/etc/sysconfig/evm
EVMKEY="/etc/keys/evm.blob"
END
# mount -t securityfs security /sys/kernel/security
# echo 1 >/sys/kernel/security/evm
```

* Go back to the installation summary screen and start the installation
* During the installation execute the following commands from the console:
```
# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
```

This should work on any distribution using dracut.
Loading EVM keys is also possible with initramfs-tools (Debian based distributions).

Of course, it is also possible to install the OS the usual way, add the keys later and fix the missing xattrs with:
```
evmctl -r ima_fix /
```

or with `find` if evmctl is not available:
```
find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
```
Again, fixing requires the `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
