Consultation on the invalidation of OpenBMC IMA/EVM function
Vantler Fan (范益)
fanyi at ieisystem.com
Thu Dec 19 18:52:55 AEDT 2024
Dear OpenBMC developer(s):
I have a problem with the IMA/EVM function of OpenBMC. I enabled the IMA
function, but it doesn't seem to work.
I changed the IMA policy to (appraise func=MMAP_CHECK mask=MAY_EXEC
appraise_type=imasig && appraise func=BPRM_CHECK mask=MAY_EXEC
appraise_type=imasig) and uploaded a program (via SSH, without a signature). It can
run without any blocking. The expectation is that it should be rejected.
I checked /sys/kernel/security/ima/ascii_runtime_measurements; it has
an entry like "10 XXXXXXXXXXXX ima-sig sha256:YYYYYYYYYYYYYYY
/root/home/root/program".
After that I used "echo TEST >> program" to change the program file. It can
still run as usual, and a new entry like "10 AAAAAAAAAA ima-sig
sha256:BBBBBBBBBBBBBB /root/run/media/rwfs-alt/cow/home/root/program" shows up
in /sys/kernel/security/ima/ascii_runtime_measurements. Every time I change
the file and run it, a new entry is added to ascii_runtime_measurements. I
don't know why, or how to fix it.
(XXXX/YYYY/AAAA/BBBB represent hash values or other hexadecimal strings)
Env: QEMU with AST2600
local.conf of the project (what I modified):
DISTRO_FEATURES:append = " integrity ima"
IMAGE_CLASSES += "ima-evm-rootfs"
IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" (replaced by my keys)
IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
Boot log: Log file in email attachment
System Env:
root at NULL:~# cat /sys/kernel/security/ima/policy
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x1021994
dont_measure fsmagic=0x1cd1
dont_measure fsmagic=0x42494e4d
dont_measure fsmagic=0x73636673
dont_measure fsmagic=0xf97cff8c
dont_measure fsmagic=0x43415d53
dont_measure fsmagic=0x27e0eb
dont_measure fsmagic=0x63677270
dont_measure fsmagic=0x6e736673
dont_measure fsmagic=0xde5e81e4
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=^MAY_READ euid=0
measure func=FILE_CHECK mask=^MAY_READ uid=0
measure func=MODULE_CHECK
measure func=FIRMWARE_CHECK
measure func=POLICY_CHECK
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x1021994
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x42494e4d
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
dont_appraise fsmagic=0x43415d53
dont_appraise fsmagic=0x6e736673
dont_appraise fsmagic=0xde5e81e4
dont_appraise fsmagic=0x27e0eb
dont_appraise fsmagic=0x63677270
appraise func=POLICY_CHECK appraise_type=imasig
appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
appraise func=BPRM_CHECK mask=MAY_EXEC appraise_type=imasig
(I rewrote the default appraise policy in ima_policy.c in the kernel, so I can
appraise programs with signatures by default)
root at NULL:~# fw_printenv
baudrate=115200
bootargs=console=ttyS4,115200n8 root=/dev/ram rw ima_policy=tcb ima_policy=appraise_tcb
bootcmd=run bootspi
bootdelay=2
bootfile=all.bin
bootspi=fdt addr 20100000 && fdt header get fitsize totalsize && cp.b 20100000 ${loadaddr} ${fitsize} && bootm; echo Error loading kernel FIT image
currentpartition=0
fdtcontroladdr=bcf8a6e8
gatewayip=192.168.0.1
ipaddr=192.168.0.45
loadaddr=0x83000000
netmask=255.255.255.0
rollback-reason=no_rollback
serverip=192.168.0.81
stderr=serial at 1e784000
stdin=serial at 1e784000
stdout=serial at 1e784000
verify=yes
nextpartition=0
Thank you very much for your help.
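An added example, not part of the post above: a small Python checker over lines in the ascii_runtime_measurements format the post quotes (ima-sig template). It flags executables that were measured without a signature field (which an enforcing imasig appraise rule should have refused) and files that reappear with a different hash after modification, which is the symptom described. The sample lines and all hex values are constructed placeholders, and the field layout is an assumption about the ima-sig template.

```python
"""Added example: check an IMA 'ima-sig' measurement list for unsigned and re-measured files.

Assumed line format (ascii_runtime_measurements with the ima-sig template):
    PCR  template-hash  template-name  algo:filehash  path  [signature-hex]
The signature field is present only if the file carried a security.ima xattr;
paths are assumed to contain no whitespace.
"""
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "pcr template_hash template algo file_hash path sig")


def parse_line(line: str) -> Entry:
    parts = line.split()
    if len(parts) < 5:
        raise ValueError(f"malformed measurement line: {line!r}")
    algo, _, file_hash = parts[3].partition(":")
    sig = parts[5] if len(parts) > 5 else ""  # "" means no signature was recorded
    return Entry(int(parts[0]), parts[1], parts[2], algo, file_hash, parts[4], sig)


def analyze(lines):
    """Return (unsigned, changed).

    unsigned: paths measured under ima-sig with no signature. With an enforcing
              appraise rule that requires imasig, these executions should have
              been refused, so any hit shows appraisal is not being enforced.
    changed:  paths seen with more than one file hash, i.e. a file modified and
              executed again (the "new entry every time" symptom in the post).
    """
    unsigned, hashes = set(), defaultdict(set)
    for raw in lines:
        if not raw.strip():
            continue
        e = parse_line(raw)
        hashes[e.path].add(e.file_hash)
        if e.template == "ima-sig" and not e.sig:
            unsigned.add(e.path)
    changed = {p: sorted(h) for p, h in hashes.items() if len(h) > 1}
    return sorted(unsigned), changed


# Constructed sample lines in the post's format; every hex value is a placeholder.
SAMPLE_LINES = [
    "10 " + "11" * 20 + " ima-sig sha256:" + "aa" * 32 + " /home/root/program",
    "10 " + "22" * 20 + " ima-sig sha256:" + "bb" * 32 + " /home/root/program",
    "10 " + "33" * 20 + " ima-sig sha256:" + "cc" * 32 + " /usr/bin/busybox 030204" + "ff" * 8,
]

if __name__ == "__main__":
    unsigned, changed = analyze(SAMPLE_LINES)
    print("executed without a signature:", unsigned)  # ['/home/root/program']
    print("modified and re-measured:", changed)
```

On a live system, feed it `open("/sys/kernel/security/ima/ascii_runtime_measurements")` instead of the sample list.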