I'm trying to activate IMA and EVM to protect a filesystem with digital signatures. On a Raspberry Pi with kernel 4.1.20 this worked perfectly. Keys were loaded into the _ima and _evm keyrings (using evmctl import) and I could sign files and verify signatures. Now on another device with kernel 4.7.6 I cannot load the keys.

If I disable CONFIG_INTEGRITY_TRUSTED_KEYRING and compile my kernel then IMA just doesn't work:
Cannot evmctl sign, not even with --imahash.

If I enable that option and recompile, keys are loaded into the _ima and _evm keyrings, but the kernel doesn't look for them there:
cat /proc/keys shows that .ima, _ima, .evm and _evm are distinct keyrings. My keys have been loaded into _ima and _evm, while .ima and .evm are empty. This happens after I've followed the instructions in https://sourceforge.net/p/linux-ima/...ivate-keypairs

The evmctl manpage uses the .ima and .evm keyring ids from /proc/keys instead. If I try to do that:
or
But the key has been loaded into _ima. What if I try to link it in .ima?
The permission sets I have into the .evm and .ima keyrings are: -lswrv--swrv------------. Since I have write permission as root user, I should be able to create or link the keys there.

I don't know if this is caused by IMA/EVM requiring the keys to be trusted. I have loaded the kmk and evm-user keys as encrypted keys instead, which worked fine on a raspberry pi, but doesn't seem to work now on my new device (produces the errors above). I cannot create trusted keys because I get "no such device" errors. (The TPM is enabled in the EFI setup and in the kernel config, but still get that error).

Hoping someone has more experience than me with kernel keyrings. I've googled a lot but none of the results are specific to this problem.