EVMCTL(1)                                                            EVMCTL(1)


NAME

       evmctl - IMA/EVM signing utility


SYNOPSIS

       evmctl [options] <command> [OPTIONS]


DESCRIPTION

       The evmctl utility can be used to produce and verify the digital
       signatures used by the Linux kernel integrity subsystem (IMA/EVM). It
       can also be used to import keys into the kernel keyring.


COMMANDS

           --version
           help <command>
           import [--rsa] pubkey keyring
           sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
           verify file
           ima_sign [--sigfile] [--key key] [--pass password] file
           ima_verify file
           ima_hash file
           ima_measurement [--key "key1, key2, ..."] [--list] file
           ima_fix [-t fdsxm] path
           sign_hash [--key key] [--pass password]
           hmac [--imahash | --imasig ] file


OPTIONS

           -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512
           -s, --imasig       make IMA signature
           -d, --imahash      make IMA hash
           -f, --sigfile      store IMA signature in .sig file instead of xattr
               --xattr-user   store xattrs in user namespace (for testing purposes)
               --rsa          use RSA key type and signing scheme v1
           -k, --key          path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
           -o, --portable     generate portable EVM signatures
           -p, --pass         password for encrypted signing key
           -r, --recursive    recurse into directories (sign)
           -t, --type         file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)
                              x - skip fixing if both ima and evm xattrs exist (use with caution)
                              m - stay on the same filesystem (like 'find -xdev')
           -n                 print result to stdout instead of setting xattr
           -u, --uuid         use custom FS UUID for EVM (unspecified: from FS, empty: do not use)
               --smack        use extra SMACK xattrs for EVM
               --m32          force EVM hmac/signature for 32 bit target system
               --m64          force EVM hmac/signature for 64 bit target system
               --engine e     preload OpenSSL engine e (such as: gost)
           -v                 increase verbosity level
           -h, --help         display this help and exit


INTRODUCTION

       The Linux kernel integrity subsystem is comprised of a number of
       different components, including the Integrity Measurement Architecture
       (IMA), the Extended Verification Module (EVM), the IMA-appraisal
       extension, the digital signature verification extension and audit
       measurement log support.

       The evmctl utility is used to produce and verify the digital signatures
       used by the Linux kernel integrity subsystem. It is also used to import
       keys into the kernel keyring.

       The Linux integrity subsystem supports IMA and EVM signatures. An EVM
       signature protects file metadata, such as file attributes and extended
       attributes. An IMA signature protects file content.

       For more detailed information about the integrity subsystem, see the
       resources listed in the RESOURCES section.


EVM HMAC AND SIGNATURE METADATA

       EVM protects file metadata by including the following attributes in the
       HMAC and signature calculation: inode number, inode generation, UID,
       GID, file mode, security.selinux, security.SMACK64, security.ima,
       security.capability.

       The EVM HMAC and signature may also include additional file and file
       system attributes. The currently supported additional attributes are
       the filesystem UUID and extra SMACK extended attributes.

       The kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether
       the filesystem UUID is included in the HMAC and is enabled by default.
       Therefore evmctl also includes the fsuuid by default. Passing the --uuid
       option without a parameter disables use of the fs uuid. Passing
       --uuid=UUID with a parameter uses the given custom UUID. Passing the
       --portable option disables use of the fs uuid and also of the inode
       number and generation.

       The kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls
       whether additional SMACK extended attributes are included in the HMAC.
       They are: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
       security.SMACK64MMAP. The evmctl --smack option enables that.


KEY AND SIGNATURE FORMATS

       The Linux integrity subsystem supports two types of signature and,
       respectively, two key formats.

       The first key format (v1) is a pure RSA key encoded in PEM format and
       uses its own signature format. It is no longer the default format and
       requires the evmctl --rsa option for signing and for importing the key.

       The second key format uses X509 DER encoded public key certificates and
       the asymmetric key support in the kernel (since kernel 3.9).
       CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).

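       The byte layout of the security.ima value that evmctl ima_hash and
       evmctl ima_sign write (a hash, or a signature with the v2 header used
       with X509 keys) is not spelled out above. The decoder below is an added
       example, not part of ima-evm-utils; it follows the kernel's struct
       signature_v2_hdr and enum hash_algo definitions, accepts the "0x..."
       text that getfattr -n security.ima -e hex prints, and the sample values
       in it are constructed.

```python
"""Decode a security.ima xattr value as written by evmctl ima_hash/ima_sign.

Added example, not part of ima-evm-utils. The byte layout is taken from the
kernel's integrity.h (xattr type byte, struct signature_v2_hdr) and
hash_info.h (enum hash_algo), which the man page does not spell out.
"""
import struct

IMA_XATTR_DIGEST = 0x01       # legacy bare digest, no algorithm byte
EVM_IMA_XATTR_DIGSIG = 0x03   # digital signature; header carries a version
IMA_XATTR_DIGEST_NG = 0x04    # hash_algo byte followed by the digest

# enum hash_algo order from include/uapi/linux/hash_info.h
HASH_ALGO = ["md4", "md5", "sha1", "ripemd160", "sha256", "sha384",
             "sha512", "sha224"]


def parse_security_ima(blob):
    """Return a dict describing the xattr; raise ValueError if malformed."""
    if isinstance(blob, str):      # accept "0x..." text from getfattr -e hex
        blob = bytes.fromhex(blob[2:] if blob.startswith("0x") else blob)
    if not blob:
        raise ValueError("empty security.ima value")
    kind = blob[0]
    if kind == IMA_XATTR_DIGEST:
        algo = "md5" if len(blob) == 17 else "sha1"   # 16- or 20-byte digest
        return {"type": "digest", "algo": algo, "digest": blob[1:].hex()}
    if kind == IMA_XATTR_DIGEST_NG:
        if len(blob) < 3 or blob[1] >= len(HASH_ALGO):
            raise ValueError("bad digest-ng header")
        return {"type": "digest-ng", "algo": HASH_ALGO[blob[1]],
                "digest": blob[2:].hex()}
    if kind == EVM_IMA_XATTR_DIGSIG:
        if len(blob) < 9 or blob[1] != 2 or blob[2] >= len(HASH_ALGO):
            raise ValueError("only well-formed v2 signature headers are decoded")
        # struct signature_v2_hdr: u8 type, u8 version, u8 hash_algo,
        # __be32 keyid, __be16 sig_size, then sig_size bytes of signature
        _, _, algo, keyid, sig_size = struct.unpack(">BBBIH", blob[:9])
        if len(blob) - 9 != sig_size:
            raise ValueError("sig_size %d but %d bytes follow the header"
                             % (sig_size, len(blob) - 9))
        return {"type": "signature", "version": 2, "algo": HASH_ALGO[algo],
                "keyid": "%08x" % keyid, "sig_bytes": sig_size}
    raise ValueError("unknown security.ima type 0x%02x" % kind)


# Constructed sample values, not captured from a real filesystem.
SAMPLE_HASH = "0x0404" + "ab" * 32                         # sha256 digest-ng
SAMPLE_SIG = (bytes([0x03, 0x02, 0x04]) + bytes.fromhex("1a2b3c4d")
              + struct.pack(">H", 128) + b"\x55" * 128)    # v2 sig, 1024-bit RSA
```

       A truncated or oversized signature blob is rejected rather than
       partially decoded, which is the behaviour you want when auditing xattrs
       on a filesystem you did not sign yourself.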

INTEGRITY KEYRINGS

       The integrity subsystem uses dedicated IMA/EVM keyrings to search for
       signature verification keys: _ima and _evm respectively.

       Since 3.13 IMA allows the IMA keyring to be declared trusted. A trusted
       keyring only allows loading keys signed by a key from the system keyring
       (.system); self-signed keys are not allowed. This is the default
       behavior unless CONFIG_IMA_TRUSTED_KEYRING is undefined. The IMA trusted
       keyring has a different name, .ima. A trusted keyring requires X509
       public key certificates; old-style RSA public keys are not compatible
       with it.


GENERATE EVM ENCRYPTED KEYS

       The EVM encrypted key is used for the EVM HMAC calculation:

           # create and save the kernel master key (user type)
           # the KMK is used to encrypt encrypted keys
           keyctl add user kmk "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
           keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk

           # create the EVM encrypted key
           keyctl add encrypted evm-key "new user:kmk 64" @u
           keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key


GENERATE EVM TRUSTED KEYS (TPM BASED)

       Trusted EVM keys are keys generated with the help of a TPM. They are not
       related to integrity trusted keys.

           # create and save the kernel master key (trusted type)
           keyctl add trusted kmk "new 32" @u
           keyctl pipe `keyctl search @u trusted kmk` >kmk

           # create the EVM trusted key
           keyctl add encrypted evm-key "new trusted:kmk 32" @u
           keyctl pipe `keyctl search @u encrypted evm-key` >evm-key


GENERATE SIGNING AND VERIFICATION KEYS

       Generate a private key in plain text format:

           openssl genrsa -out privkey_evm.pem 1024

       Generate an encrypted private key:

           openssl genrsa -des3 -out privkey_evm.pem 1024

       Make an encrypted private key from an unencrypted one:

           openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3

       Generate a self-signed X509 public key certificate and private key for
       use with the kernel asymmetric keys support:

           openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
                       -x509 -config x509_evm.genkey \
                       -outform DER -out x509_evm.der -keyout privkey_evm.pem

       Configuration file x509_evm.genkey:

           # Beginning of the file
           [ req ]
           default_bits = 1024
           distinguished_name = req_distinguished_name
           prompt = no
           string_mask = utf8only
           x509_extensions = myexts

           [ req_distinguished_name ]
           O = Magrathea
           CN = Glacier signing key
           emailAddress = slartibartfast@magrathea.h2g2

           [ myexts ]
           basicConstraints=critical,CA:FALSE
           keyUsage=digitalSignature
           subjectKeyIdentifier=hash
           authorityKeyIdentifier=keyid
           # EOF

       Generate a public key for use with the RSA key format:

           openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem

       Copy the keys to /etc/keys:

              cp pubkey_evm.pem /etc/keys
              scp pubkey_evm.pem target:/etc/keys
           or
              cp x509_evm.pem /etc/keys
              scp x509_evm.pem target:/etc/keys


GENERATE TRUSTED KEYS

       Generating trusted keys is a somewhat more complicated process and
       involves the following steps:

       ·   Creation of a local IMA certification authority (CA). It consists
           of a private key and a public key certificate, which are used to
           sign and verify other keys.

       ·   Building the Linux kernel with the local IMA CA X509 certificate
           embedded. It is used to verify other keys added to the .ima trusted
           keyring.

       ·   Generating the IMA private signing key and the verification public
           key certificate, which is signed using the local IMA CA private key.

       Configuration file ima-local-ca.genkey:

           # Beginning of the file
           [ req ]
           default_bits = 2048
           distinguished_name = req_distinguished_name
           prompt = no
           string_mask = utf8only
           x509_extensions = v3_ca

           [ req_distinguished_name ]
           O = IMA-CA
           CN = IMA/EVM certificate signing key
           emailAddress = ca@ima-ca

           [ v3_ca ]
           basicConstraints=CA:TRUE
           subjectKeyIdentifier=hash
           authorityKeyIdentifier=keyid:always,issuer
           # keyUsage = cRLSign, keyCertSign
           # EOF

       Generate the CA private key and X509 public key certificate:

           openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
                       -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv

       Convert the X509 certificate from DER to PEM format for use while
       building the kernel:

           openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem

       Configuration file ima.genkey:

           # Beginning of the file
           [ req ]
           default_bits = 1024
           distinguished_name = req_distinguished_name
           prompt = no
           string_mask = utf8only
           x509_extensions = v3_usr

           [ req_distinguished_name ]
           O = `hostname`
           CN = `whoami` signing key
           emailAddress = `whoami`@`hostname`

           [ v3_usr ]
           basicConstraints=critical,CA:FALSE
           #basicConstraints=CA:FALSE
           keyUsage=digitalSignature
           #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
           subjectKeyIdentifier=hash
           authorityKeyIdentifier=keyid
           #authorityKeyIdentifier=keyid,issuer
           # EOF

       Generate the IMA private key and an X509 public key certificate signing
       request:

           openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
                       -out csr_ima.pem -keyout privkey_ima.pem

       Sign the X509 certificate signing request with the local IMA CA private
       key:

           openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
                        -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
                        -outform DER -out x509_ima.der


SIGN FILE DATA AND METADATA

       Default key locations:

           Private RSA key: /etc/keys/privkey_evm.pem
           Public RSA key: /etc/keys/pubkey_evm.pem
           X509 certificate: /etc/keys/x509_evm.der

       Options to remember: -k, -r, --rsa, --uuid, --smack.

       Sign a file with an EVM signature and calculate the hash value for IMA:

           evmctl sign --imahash test.txt

       Sign a file with both IMA and EVM signatures:

           evmctl sign --imasig test.txt

       Sign a file with an IMA signature:

           evmctl ima_sign test.txt

       Recursively sign the whole filesystem:

           evmctl -r sign --imahash /

       Recursively fix the whole filesystem:

           evmctl -r ima_fix /

       Sign the filesystem selectively using the find command:

           find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;

       Fix the filesystem selectively using the find command:

           find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;


INITIALIZE IMA/EVM AT EARLY BOOT

       IMA/EVM initialization should normally be done from the initial RAM
       filesystem, before mounting the root filesystem.

       Here is an Ubuntu initramfs example script
       (/etc/initramfs-tools/scripts/local-top/ima.sh):

           # mount securityfs if not mounted
           SECFS=/sys/kernel/security
           grep -q $SECFS /proc/mounts || mount -n -t securityfs securityfs $SECFS

           # search for IMA trusted keyring, then for untrusted
           ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
           if [ -z "$ima_id" ]; then
               ima_id=`keyctl search @u keyring _ima 2>/dev/null`
               if [ -z "$ima_id" ]; then
                   ima_id=`keyctl newring _ima @u`
               fi
           fi
           # import IMA X509 certificate
           evmctl import /etc/keys/x509_ima.der $ima_id

           # search for EVM keyring
           evm_id=`keyctl search @u keyring _evm 2>/dev/null`
           if [ -z "$evm_id" ]; then
               evm_id=`keyctl newring _evm @u`
           fi
           # import EVM X509 certificate
           evmctl import /etc/keys/x509_evm.der $evm_id

           # a) import EVM encrypted key
           cat /etc/keys/kmk | keyctl padd user kmk @u
           keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
           # OR
           # b) import EVM trusted key
           keyctl add trusted kmk "load `cat /etc/keys/kmk`" @u
           keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u

           # enable EVM
           echo "1" > /sys/kernel/security/evm

       Optionally, the keyctl setperm command can be used to forbid adding new
       public keys and certificates to the keyrings, removing them, and
       revoking keys:

           # protect EVM keyring
           keyctl setperm $evm_id 0x0b0b0000
           # protect IMA keyring
           keyctl setperm $ima_id 0x0b0b0000
           # protecting IMA key from revoking (against DoS)
           ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id`
           keyctl setperm $ima_key 0x0b0b0000

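       To check what a permission mask such as 0x0b0b0000 actually grants
       before baking it into the initramfs, here is an added decoder that is
       not part of ima-evm-utils or keyutils; it follows the keyutils.h bit
       layout (one byte per subject, one bit per permission) and reports
       whether the keyring can still be modified by anyone.

```python
"""Decode a keyctl(1) permission mask such as the 0x0b0b0000 used above.

Added example, not part of ima-evm-utils or keyutils. The bit layout is the
one from keyutils.h: one byte per subject (possessor, user, group, other,
high byte to low byte) and one bit per permission within that byte.
"""

SUBJECTS = ["possessor", "user", "group", "other"]
PERMS = [("view", 0x01), ("read", 0x02), ("write", 0x04),
         ("search", 0x08), ("link", 0x10), ("setattr", 0x20)]


def decode_perm(mask):
    """Return {subject: set of permission names} for a 32-bit keyctl mask."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("mask must fit in 32 bits")
    result = {}
    for i, subject in enumerate(SUBJECTS):
        byte = (mask >> (8 * (3 - i))) & 0xFF
        result[subject] = {name for name, bit in PERMS if byte & bit}
    return result


def is_locked_down(mask):
    """True if no subject can change the key or keyring.

    Adding keys to or removing them from a keyring needs write, revoking a
    key needs write or setattr, linking needs link, and setperm/chown need
    setattr. View, read and search may stay so IMA/EVM can still find and
    use the keys.
    """
    blocked = {"write", "link", "setattr"}
    return all(not (perms & blocked) for perms in decode_perm(mask).values())


# The mask from the initramfs example: possessor and user keep view, read
# and search only; group and other get nothing.
EVM_KEYRING_PERM = 0x0b0b0000
```
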
       When using plain RSA public keys in PEM format, use evmctl import --rsa
       to import the keys:

           evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id

       The latest version of keyctl allows importing X509 public key
       certificates directly:

           cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id


FILES

       Example scripts for generating X509 public key certificates:

           /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
           /usr/share/doc/ima-evm-utils/ima-genkey.sh
           /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh


AUTHOR

       Written by Dmitry Kasatkin, <dmitry.kasatkin at gmail.com> and others.


RESOURCES

           http://sourceforge.net/p/linux-ima/wiki/Home
           http://sourceforge.net/p/linux-ima/ima-evm-utils


COPYING

       Copyright (C) 2012 - 2014 Linux Integrity Project. Free use of this
       software is granted under the terms of the GNU Public License (GPL).



                                 07/31/2019                         EVMCTL(1)