IMA + EVM testing
=================

IMA tests
---------

`ima_measurements.sh` requires the builtin IMA tcb policy to be loaded
(`ima_policy=tcb` kernel parameter).
Although a custom policy, loaded via dracut, systemd or manually from user
space, may contain equivalent tcb measurement rules, detecting them would
require `CONFIG_IMA_READ_POLICY=y`, so that option is deliberately ignored here.

Mandatory kernel configuration for IMA:
```
CONFIG_INTEGRITY=y
CONFIG_IMA=y
```

EVM tests
---------

`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. the `ima_policy=appraise_tcb`
kernel parameter), which appraises the integrity of all files owned by root, plus a working EVM setup.
Again, for simplicity, the possibility of loading the required rules via a custom policy is ignored.

Mandatory kernel configuration for IMA & EVM:
```
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_IMA=y
CONFIG_IMA_APPRAISE=y
CONFIG_EVM=y
CONFIG_KEYS=y
CONFIG_TRUSTED_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
```

Example of installing IMA + EVM on openSUSE:

* Boot the install system with the `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters
  (for IMA measurement, IMA appraisal and EVM protection; `fix` mode makes the kernel write
  missing or stale `security.ima`/`security.evm` xattrs instead of denying access)
* Proceed with the installation until the summary screen, but do not start the installation yet
* Select the package `dracut-ima` (required for early boot EVM support) for installation
  (Debian based distributions already contain IMA + EVM support in the `dracut` package)
* Change to a console window and run the following commands to generate the keys required by EVM
  (the `kmk-user` user key is the master key that wraps the `encrypted` EVM key; the blobs and
  the two `/etc/sysconfig` files are what the dracut integrity module reads at early boot):
```
# mkdir /etc/keys
# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
# keyctl pipe "$evm_key" >/etc/keys/evm.blob
# cat <<END >/etc/sysconfig/masterkey
MASTERKEYTYPE="user"
MASTERKEY="/etc/keys/kmk-user.blob"
END
# cat <<END >/etc/sysconfig/evm
EVMKEY="/etc/keys/evm.blob"
END
# mount -t securityfs security /sys/kernel/security
# echo 1 >/sys/kernel/security/evm
```
  Note that shell command substitution drops NUL bytes and trailing newlines, so the raw
  `/dev/urandom` payload above may end up shorter than 32 bytes; if that matters, feed the
  master key as hex or base64 text instead of raw bytes.

* Go back to the installation summary screen and start the installation
* During the installation execute the following commands from the console so that the keys
  end up on the installed system:
```
# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
```

This should work on any distribution using dracut.
Loading EVM keys is also possible with initramfs-tools (Debian based distributions).

Of course it is also possible to install the OS the usual way, add the keys later and fix the
missing xattrs with:
```
evmctl -r ima_fix /
```

or with `find` if evmctl is not available (opening each file for reading is enough to trigger
the fix-up in `fix` mode; the `-fstype` filter keeps it to real filesystems and away from
`/proc`, `/sys` and the like):
```
find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
```
Again, fixing requires the `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
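Before running either test script or the xattr fix-up, it is worth checking that the running kernel actually satisfies the prerequisites above. The following POSIX sh script is an added example, not part of ima-evm-utils: it reads a kernel `.config` (or `/proc/config.gz`) and a kernel command line (`/proc/cmdline`), reports every mandatory option from the lists above that is not `=y`, and checks the `ima_policy=` values (both the repeated `ima_policy=a ima_policy=b` form and the `a|b` form the kernel splits on) and the `ima_appraise=fix evm=fix` pair. The function names and the "`=y` only, `=m` does not count" rule are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not part of ima-evm-utils): verify kernel config and command
# line against the IMA/EVM test prerequisites listed in this README.
# Usage: sh check_ima_evm_prereqs.sh /proc/config.gz /proc/cmdline
# Assumption: IMA/EVM must be builtin, so only "=y" counts, never "=m".

IMA_OPTS="CONFIG_INTEGRITY CONFIG_IMA"
EVM_OPTS="CONFIG_INTEGRITY CONFIG_INTEGRITY_SIGNATURE CONFIG_IMA \
CONFIG_IMA_APPRAISE CONFIG_EVM CONFIG_KEYS CONFIG_TRUSTED_KEYS CONFIG_ENCRYPTED_KEYS"

# read_config FILE: print the config, transparently decompressing /proc/config.gz
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# missing_opts FILE "OPT ...": print every option that is not set to =y in FILE
# ("# CONFIG_X is not set" and "CONFIG_X=m" both count as missing)
missing_opts() {
    for opt in $2; do
        read_config "$1" | grep -q "^${opt}=y$" || echo "$opt"
    done
}

# ima_policies CMDLINE: print the builtin policies requested on the kernel
# command line, one per line; the kernel accepts repeated ima_policy= and
# also splits a single value on '|', so handle both forms
ima_policies() {
    tr ' ' '\n' < "$1" | sed -n 's/^ima_policy=//p' | tr '|' '\n'
}

# has_param CMDLINE NAME VALUE: true if NAME=VALUE appears on the command line
has_param() {
    tr ' ' '\n' < "$1" | grep -q "^$2=$3$"
}

# check_ima CONFIG CMDLINE: 0 when ima_measurements.sh can run
check_ima() {
    [ -z "$(missing_opts "$1" "$IMA_OPTS")" ] || return 1
    ima_policies "$2" | grep -qx tcb
}

# check_evm CONFIG CMDLINE: 0 when evm_overlay.sh can run (EVM key setup
# is not checked here; it needs a booted system with the keys loaded)
check_evm() {
    [ -z "$(missing_opts "$1" "$EVM_OPTS")" ] || return 1
    ima_policies "$2" | grep -qx appraise_tcb
}

# check_fix_mode CMDLINE: 0 when the kernel was booted for xattr fixing
# (ima_appraise=fix and evm=fix, as in the install procedure above)
check_fix_mode() {
    has_param "$1" ima_appraise fix && has_param "$1" evm fix
}

# report CONFIG CMDLINE: print a summary; returns 1 if a test prerequisite is missing
report() {
    rc=0
    for opt in $(missing_opts "$1" "$EVM_OPTS"); do
        echo "missing: ${opt}=y"; rc=1
    done
    check_ima "$1" "$2" && echo "IMA tests: ok" || { echo "IMA tests: need ima_policy=tcb"; rc=1; }
    check_evm "$1" "$2" && echo "EVM tests: ok" || { echo "EVM tests: need ima_policy=appraise_tcb"; rc=1; }
    check_fix_mode "$2" && echo "fix mode: on" || echo "fix mode: off (ima_appraise=fix evm=fix not set)"
    return $rc
}

if [ $# -ge 2 ]; then
    report "$1" "$2"
fi
```

Run it as `sh check_ima_evm_prereqs.sh /proc/config.gz /proc/cmdline` on the machine that will execute the tests; a kernel that reports `fix mode: on` is the one to use for the `evmctl -r ima_fix /` or `find` pass, and should then be rebooted without the `fix` parameters so that appraisal actually enforces.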