10-19-2016, 03:46 PM   #1
accrig
Cannot load keys into the .ima keyring: Operation not supported (95)


I'm trying to activate IMA and EVM to protect a filesystem with digital signatures. On a Raspberry Pi with kernel 4.1.20 this worked perfectly. Keys were loaded into the _ima and _evm keyrings (using evmctl import) and I could sign files and verify signatures. Now on another device with kernel 4.7.6 I cannot load the keys.

If I disable CONFIG_INTEGRITY_TRUSTED_KEYRING and compile my kernel then IMA just doesn't work:
Code:
	integrity: no _ima keyring: -126
Cannot evmctl sign, not even with --imahash.

If I enable that option and recompile, keys are loaded into the _ima and _evm keyrings, but the kernel doesn't look for them there:
Code:
	integrity: Request for unknown key 'id:86f9a53f' err -11
cat /proc/keys shows that .ima, _ima, .evm and _evm are distinct keyrings. My keys have been loaded into _ima and _evm, while .ima and .evm are empty. This happens after I've followed the instructions in https://sourceforge.net/p/linux-ima/...ivate-keypairs

The evmctl manpage uses the .ima and .evm keyring ids from /proc/keys instead. If I try to do that:
Code:
	# evmctl import /etc/keys/x509_ima.der <.ima keyring id>
	add_key failed
	errno: Required key not available (126)
or
Code:
	# evmctl import --rsa /etc/keys/pubkey_ima.pem <.ima keyring id>
	add_key failed
	errno: Operation not supported (95)
But the key has been loaded into _ima. What if I try to link it in .ima?
Code:
	# keyctl list <_ima keyring id>
	1 key in keyring:
	<id>: --alswrv     0     0 user: <blah>
	# keyctl link <key id> <.ima keyring id>
	keyctl_link: Operation not supported
The permission sets I have on the .evm and .ima keyrings are: -lswrv--swrv------------. Since I have write permission as root user, I should be able to create or link the keys there.

I don't know if this is caused by IMA/EVM requiring the keys to be trusted. I have loaded the kmk and evm-user keys as encrypted keys instead, which worked fine on a Raspberry Pi, but doesn't seem to work now on my new device (produces the errors above). I cannot create trusted keys because I get "no such device" errors. (The TPM is enabled in the EFI setup and in the kernel config, but I still get that error.)

Hoping someone has more experience than me with kernel keyrings. I've googled a lot but none of the results are specific to this problem.

Last edited by accrig; 10-20-2016 at 01:49 AM.
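An added diagnostic script (not from the post or from ima-evm-utils) that parses a /proc/keys dump to show where IMA/EVM keys actually landed and reads a kernel config file for CONFIG_INTEGRITY_TRUSTED_KEYRING; this matters because the kernel verifies signatures only against the keyring it created itself (.ima/.evm when that option is set, _ima/_evm otherwise), so keys that only reach _ima are never consulted. The /proc/keys lines and serials below are a constructed sample shaped like the post's situation; pass a real file such as /proc/keys as the first argument to inspect a live system.

```shell
#!/bin/sh
# Added diagnostic, not from the post: where did IMA/EVM keys land?
# Keyring lines in /proc/keys have the shape
#   <serial> <flags> <usage> <timeout> <perms> <uid> <gid> keyring   <name>: <empty|N>
# so for single-word keyring names the name is field 9 (with a trailing
# colon) and the key count is the last field.

# Constructed sample (serials invented) mirroring the situation in the post.
SAMPLE_PROC_KEYS='0a1b2c3d I--Q---     1 perm 1f3f0000     0     0 keyring   .ima: empty
0b2c3d4e I--Q---     1 perm 1f3f0000     0     0 keyring   .evm: empty
1c3d4e5f I--Q---     2 perm 3f3f0000     0     0 keyring   _ima: 1
2d4e5f60 I--Q---     2 perm 3f3f0000     0     0 keyring   _evm: 1
3e5f6071 I--Q---     1 perm 1f3f0000     0     0 keyring   .builtin_trusted_keys: 1'

# Print "<name> <serial> <perms> <key count>" for every .ima/.evm/_ima/_evm
# keyring in the given /proc/keys text.
integrity_keyrings() {
    printf '%s\n' "$1" | awk '$8 == "keyring" {
        name = $9; sub(/:$/, "", name)
        if (name ~ /^[._](ima|evm)$/)
            print name, $1, $5, ($NF == "empty" ? 0 : $NF)
    }'
}

# Return 0 when every loaded key sits in a keyring the kernel reads, 1 (with
# a message) when keys are in _ima/_evm while .ima/.evm is absent or empty.
check_ima_keyrings() {
    integrity_keyrings "$1" | awk '
        { count[$1] = $4 }
        END {
            bad = 0
            if (count["_ima"] > 0 && count[".ima"] == 0) {
                print "_ima holds keys but .ima is empty or absent"; bad = 1 }
            if (count["_evm"] > 0 && count[".evm"] == 0) {
                print "_evm holds keys but .evm is empty or absent"; bad = 1 }
            exit bad
        }'
}

# Whether CONFIG_INTEGRITY_TRUSTED_KEYRING=y appears in a kernel config file
# (e.g. /boot/config-$(uname -r), or a decompressed copy of /proc/config.gz).
trusted_keyring_enabled() {
    grep -qx 'CONFIG_INTEGRITY_TRUSTED_KEYRING=y' "$1"
}

# Demo: pass a path (e.g. /proc/keys) as $1 to inspect a live system instead.
INPUT=$(if [ -n "${1:-}" ]; then cat "$1"; else printf '%s' "$SAMPLE_PROC_KEYS"; fi)
integrity_keyrings "$INPUT"
if check_ima_keyrings "$INPUT"; then echo "keys are where the kernel looks"; fi
```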