1EVMCTL(1) EVMCTL(1)
2
3
4
6 evmctl - IMA/EVM signing utility
7
9 evmctl [options] <command> [OPTIONS]
10
12 The evmctl utility can be used for producing and verifying digital
13 signatures, which are used by Linux kernel integrity subsystem
14 (IMA/EVM). It can be also used to import keys into the kernel keyring.
15
17 --version
18 help <command>
19 import [--rsa] pubkey keyring
20 sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
21 verify file
22 ima_sign [--sigfile] [--key key] [--pass password] file
23 ima_verify file
24 ima_hash file
25 ima_measurement [--key "key1, key2, ..."] [--list] file
26 ima_fix [-t fdsxm] path
27 sign_hash [--key key] [--pass password]
28 hmac [--imahash | --imasig ] file
29
31 -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512
32 -s, --imasig make IMA signature
33 -d, --imahash make IMA hash
34 -f, --sigfile store IMA signature in .sig file instead of xattr
35 --rsa use RSA key type and signing scheme v1
36 -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
37 -o, --portable generate portable EVM signatures
38 -p, --pass password for encrypted signing key
39 -r, --recursive recurse into directories (sign)
40 -t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)
41 x - skip fixing if both ima and evm xattrs exist (use with caution)
42 m - stay on the same filesystem (like 'find -xdev')
43 -n print result to stdout instead of setting xattr
44 -u, --uuid use custom FS UUID for EVM (unspecified: from FS, empty: do not use)
45 --smack use extra SMACK xattrs for EVM
46 --m32 force EVM hmac/signature for 32 bit target system
47 --m64 force EVM hmac/signature for 64 bit target system
48 -v increase verbosity level
49 -h, --help display this help and exit
50
52 Linux kernel integrity subsystem is comprised of a number of different
53 components including the Integrity Measurement Architecture (IMA),
54 Extended Verification Module (EVM), IMA-appraisal extension, digital
55 signature verification extension and audit measurement log support.
56
57 The evmctl utility is used for producing and verifying digital
58 signatures, which are used by the Linux kernel integrity subsystem. It
59 is also used for importing keys into the kernel keyring.
60
61 Linux integrity subsystem allows to use IMA and EVM signatures. EVM
62 signature protects file metadata, such as file attributes and extended
63 attributes. IMA signature protects file content.
64
65 For more detailed information about integrity subsystem it is
66 recommended to follow resources in RESOURCES section.
67
69 EVM protects file metadata by including following attributes into HMAC
70 and signature calculation: inode number, inode generation, UID, GID,
71 file mode, security.selinux, security.SMACK64, security.ima,
72 security.capability.
73
74 EVM HMAC and signature in may also include additional file and file
75 system attributes. Currently supported additional attributes are
76 filesystem UUID and extra SMACK extended attributes.
77
78 Kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether to
79 include filesystem UUID into HMAC and enabled by default. Therefore
80 evmctl also includes fsuuid by default. Providing --uuid option without
81 parameter allows to disable usage of fs uuid. Providing --uuid=UUID
82 option with parameter allows to use custom UUID. Providing the
83 --portable option will disable usage of the fs uuid and also the inode
84 number and generation.
85
86 Kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls
87 whether to include additional SMACK extended attributes into HMAC. They
88 are following: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
89 security.SMACK64MMAP. evmctl --smack options enables that.
90
92 Linux integrity subsystem supports two type of signature and
93 respectively two key formats.
94
95 First key format (v1) is pure RSA key encoded in PEM a format and uses
96 own signature format. It is now non-default format and requires to
97 provide evmctl --rsa option for signing and importing the key.
98
99 Second key format uses X509 DER encoded public key certificates and
100 uses asymmetric key support in the kernel (since kernel 3.9).
101 CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
102
104 Integrity subsystem uses dedicated IMA/EVM keyrings to search for
105 signature verification keys - _ima and _evm respectively.
106
107 Since 3.13 IMA allows to declare IMA keyring as trusted. It allows only
108 to load keys, signed by a key from the system keyring (.system). It
109 means self-signed keys are not allowed. This is a default behavior
110 unless CONFIG_IMA_TRUSTED_KEYRING is undefined. IMA trusted keyring is
111 has different name .ima. Trusted keyring requires X509 public key
112 certificates. Old version RSA public keys are not compatible with
113 trusted keyring.
114
116 EVM encrypted key is used for EVM HMAC calculation:
117
118 # create and save the key kernel master key (user type)
119 # LMK is used to encrypt encrypted keys
120 keyctl add user kmk "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
121 keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk
122
123 # create the EVM encrypted key
124 keyctl add encrypted evm-key "new user:kmk 64" @u
125 keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key
126
128 Trusted EVM keys are keys which a generate with the help of TPM. They
129 are not related to integrity trusted keys.
130
131 # create and save the key kernel master key (user type)
132 keyctl add trusted kmk "new 32" @u
133 keyctl pipe `keyctl search @u trusted kmk` >kmk
134
135 # create the EVM trusted key
136 keyctl add encrypted evm-key "new trusted:kmk 32" @u
137 keyctl pipe `keyctl search @u encrypted evm-key` >evm-key
138
140 Generate private key in plain text format:
141
142 openssl genrsa -out privkey_evm.pem 1024
143
144 Generate encrypted private key:
145
146 openssl genrsa -des3 -out privkey_evm.pem 1024
147
148 Make encrypted private key from unencrypted:
149
150 openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
151
152 Generate self-signed X509 public key certificate and private key for
153 using kernel asymmetric keys support:
154
155 openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
156 -x509 -config x509_evm.genkey \
157 -outform DER -out x509_evm.der -keyout privkey_evm.pem
158
159 Configuration file x509_evm.genkey:
160
161 # Begining of the file
162 [ req ]
163 default_bits = 1024
164 distinguished_name = req_distinguished_name
165 prompt = no
166 string_mask = utf8only
167 x509_extensions = myexts
168
169 [ req_distinguished_name ]
170 O = Magrathea
171 CN = Glacier signing key
172 emailAddress = slartibartfast@magrathea.h2g2
173
174 [ myexts ]
175 basicConstraints=critical,CA:FALSE
176 keyUsage=digitalSignature
177 subjectKeyIdentifier=hash
178 authorityKeyIdentifier=keyid
179 # EOF
180
181 Generate public key for using RSA key format:
182
183 openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
184
185 Copy keys to /etc/keys:
186
187 cp pubkey_evm.pem /etc/keys
188 scp pubkey_evm.pem target:/etc/keys
189 or
190 cp x509_evm.pem /etc/keys
191 scp x509_evm.pem target:/etc/keys
192
194 Generation of trusted keys is a bit more complicated process and
195 involves following steps:
196
197 · Creation of local IMA certification authority (CA). It consist of
198 private and public key certificate which are used to sign and
199 verify other keys.
200
201 · Build Linux kernel with embedded local IMA CA X509 certificate. It
202 is used to verify other keys added to the .ima trusted keyring
203
204 · Generate IMA private signing key and verification public key
205 certificate, which is signed using local IMA CA private key.
206
207 Configuration file ima-local-ca.genkey:
208
209 # Begining of the file
210 [ req ]
211 default_bits = 2048
212 distinguished_name = req_distinguished_name
213 prompt = no
214 string_mask = utf8only
215 x509_extensions = v3_ca
216
217 [ req_distinguished_name ]
218 O = IMA-CA
219 CN = IMA/EVM certificate signing key
220 emailAddress = ca@ima-ca
221
222 [ v3_ca ]
223 basicConstraints=CA:TRUE
224 subjectKeyIdentifier=hash
225 authorityKeyIdentifier=keyid:always,issuer
226 # keyUsage = cRLSign, keyCertSign
227 # EOF
228
229 Generate private key and X509 public key certificate:
230
231 openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
232 -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
233
234 Produce X509 in DER format for using while building the kernel:
235
236 openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
237
238 Configuration file ima.genkey:
239
240 # Begining of the file
241 [ req ]
242 default_bits = 1024
243 distinguished_name = req_distinguished_name
244 prompt = no
245 string_mask = utf8only
246 x509_extensions = v3_usr
247
248 [ req_distinguished_name ]
249 O = `hostname`
250 CN = `whoami` signing key
251 emailAddress = `whoami`@`hostname`
252
253 [ v3_usr ]
254 basicConstraints=critical,CA:FALSE
255 #basicConstraints=CA:FALSE
256 keyUsage=digitalSignature
257 #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
258 subjectKeyIdentifier=hash
259 authorityKeyIdentifier=keyid
260 #authorityKeyIdentifier=keyid,issuer
261 # EOF
262
263 Generate private key and X509 public key certificate signing request:
264
265 openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
266 -out csr_ima.pem -keyout privkey_ima.pem
267
268 Sign X509 public key certificate signing request with local IMA CA
269 private key:
270
271 openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
272 -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
273 -outform DER -out x509_ima.der
274
276 Default key locations:
277
278 Private RSA key: /etc/keys/privkey_evm.pem
279 Public RSA key: /etc/keys/pubkey_evm.pem
280 X509 certificate: /etc/keys/x509_evm.der
281
282 Options to remember: -k, -r, --rsa, --uuid, --smack.
283
284 Sign file with EVM signature and calculate hash value for IMA:
285
286 evmctl sign --imahash test.txt
287
288 Sign file with both IMA and EVM signatures:
289
290 evmctl sign --imasig test.txt:
291
292 Sign file with IMA signature:
293
294 evmctl ima_sign test.txt
295
296 Sign recursively whole filesystem:
297
298 evmctl -r sign --imahash /
299
300 Fix recursively whole filesystem:
301
302 evmctl -r ima_fix /
303
304 Sign filesystem selectively using find command:
305
306 find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;
307
308 Fix filesystem selectively using find command:
309
310 find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
311
313 IMA/EVM initialization should be normally done from initial RAM file
314 system before mounting root filesystem.
315
316 Here is Ubuntu initramfs example script
317 (/etc/initramfs-tools/scripts/local-top/ima.sh)
318
319 # mount securityfs if not mounted
320 SECFS=/sys/kernel/security
321 grep -q $SECFS /proc/mounts || mount -n -t securityfs securityfs $SECFS
322
323 # search for IMA trusted keyring, then for untrusted
324 ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
325 if [ -z "$ima_id" ]; then
326 ima_id=`keyctl search @u keyring _ima 2>/dev/null`
327 if [ -z "$ima_id" ]; then
328 ima_id=`keyctl newring _ima @u`
329 fi
330 fi
331 # import IMA X509 certificate
332 evmctl import /etc/keys/x509_ima.der $ima_id
333
334 # search for EVM keyring
335 evm_id=`keyctl search @u keyring _evm 2>/dev/null`
336 if [ -z "$evm_id" ]; then
337 evm_id=`keyctl newring _evm @u`
338 fi
339 # import EVM X509 certificate
340 evmctl import /etc/keys/x509_evm.der $evm_id
341
342 # a) import EVM encrypted key
343 cat /etc/keys/kmk | keyctl padd user kmk @u
344 keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
345 # OR
346 # b) import EVM trusted key
347 keyctl add trusted kmk "load `cat /etc/keys/kmk`" @u
348 keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
349
350 # enable EVM
351 echo "1" > /sys/kernel/security/evm
352
353 Optionally it is possible also to forbid adding, removing of new public
354 keys and certificates into keyrings and revoking keys using keyctl
355 setperm command:
356
357 # protect EVM keyring
358 keyctl setperm $evm_id 0x0b0b0000
359 # protect IMA keyring
360 keyctl setperm $ima_id 0x0b0b0000
361 # protecting IMA key from revoking (against DoS)
362 ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id`
363 keyctl setperm $ima_key 0x0b0b0000
364
365 When using plain RSA public keys in PEM format, use evmctl import --rsa
366 for importing keys:
367
368 evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id
369
370 Latest version of keyctl allows to import X509 public key certificates:
371
372 cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id
373
375 Examples of scripts to generate X509 public key certificates:
376
377 /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
378 /usr/share/doc/ima-evm-utils/ima-genkey.sh
379 /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
380
382 Written by Dmitry Kasatkin, <dmitry.kasatkin at gmail.com> and others.
383
385 http://sourceforge.net/p/linux-ima/wiki/Home
386 http://sourceforge.net/p/linux-ima/ima-evm-utils
387
389 Copyright (C) 2012 - 2014 Linux Integrity Project. Free use of this
390 software is granted under the terms of the GNU Public License (GPL).
391
392
393
394 07/20/2018 EVMCTL(1)