1EVMCTL(1) EVMCTL(1)
2
3
4
6 evmctl - IMA/EVM signing utility
7
9 evmctl [options] <command> [OPTIONS]
10
12 The evmctl utility can be used for producing and verifying digital
13 signatures, which are used by Linux kernel integrity subsystem
14 (IMA/EVM). It can be also used to import keys into the kernel keyring.
15
17 --version
18 help <command>
19 import [--rsa] pubkey keyring
20 sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
21 verify file
22 ima_sign [--sigfile] [--key key] [--pass password] file
23 ima_verify file
24 ima_hash file
25 ima_measurement [--key "key1, key2, ..."] [--list] file
26 ima_fix [-t fdsxm] path
27 sign_hash [--key key] [--pass password]
28 hmac [--imahash | --imasig ] file
29
31 -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512
32 -s, --imasig make IMA signature
33 -d, --imahash make IMA hash
34 -f, --sigfile store IMA signature in .sig file instead of xattr
35 --xattr-user store xattrs in user namespace (for testing purposes)
36 --rsa use RSA key type and signing scheme v1
37 -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
38 -o, --portable generate portable EVM signatures
39 -p, --pass password for encrypted signing key
40 -r, --recursive recurse into directories (sign)
41 -t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)
42 x - skip fixing if both ima and evm xattrs exist (use with caution)
43 m - stay on the same filesystem (like 'find -xdev')
44 -n print result to stdout instead of setting xattr
45 -u, --uuid use custom FS UUID for EVM (unspecified: from FS, empty: do not use)
46 --smack use extra SMACK xattrs for EVM
47 --m32 force EVM hmac/signature for 32 bit target system
48 --m64 force EVM hmac/signature for 64 bit target system
49 --engine e preload OpenSSL engine e (such as: gost)
50 -v increase verbosity level
51 -h, --help display this help and exit
52
54 Linux kernel integrity subsystem is comprised of a number of different
55 components including the Integrity Measurement Architecture (IMA),
56 Extended Verification Module (EVM), IMA-appraisal extension, digital
57 signature verification extension and audit measurement log support.
58
59 The evmctl utility is used for producing and verifying digital
60 signatures, which are used by the Linux kernel integrity subsystem. It
61 is also used for importing keys into the kernel keyring.
62
63 Linux integrity subsystem allows to use IMA and EVM signatures. EVM
64 signature protects file metadata, such as file attributes and extended
65 attributes. IMA signature protects file content.
66
67 For more detailed information about integrity subsystem it is
68 recommended to follow resources in RESOURCES section.
69
71 EVM protects file metadata by including following attributes into HMAC
72 and signature calculation: inode number, inode generation, UID, GID,
73 file mode, security.selinux, security.SMACK64, security.ima,
74 security.capability.
75
76 EVM HMAC and signature in may also include additional file and file
77 system attributes. Currently supported additional attributes are
78 filesystem UUID and extra SMACK extended attributes.
79
80 Kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether to
81 include filesystem UUID into HMAC and enabled by default. Therefore
82 evmctl also includes fsuuid by default. Providing --uuid option without
83 parameter allows to disable usage of fs uuid. Providing --uuid=UUID
84 option with parameter allows to use custom UUID. Providing the
85 --portable option will disable usage of the fs uuid and also the inode
86 number and generation.
87
88 Kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls
89 whether to include additional SMACK extended attributes into HMAC. They
90 are following: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
91 security.SMACK64MMAP. evmctl --smack options enables that.
92
94 Linux integrity subsystem supports two type of signature and
95 respectively two key formats.
96
97 First key format (v1) is pure RSA key encoded in PEM a format and uses
98 own signature format. It is now non-default format and requires to
99 provide evmctl --rsa option for signing and importing the key.
100
101 Second key format uses X509 DER encoded public key certificates and
102 uses asymmetric key support in the kernel (since kernel 3.9).
103 CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
104
106 Integrity subsystem uses dedicated IMA/EVM keyrings to search for
107 signature verification keys - _ima and _evm respectively.
108
109 Since 3.13 IMA allows to declare IMA keyring as trusted. It allows only
110 to load keys, signed by a key from the system keyring (.system). It
111 means self-signed keys are not allowed. This is a default behavior
112 unless CONFIG_IMA_TRUSTED_KEYRING is undefined. IMA trusted keyring is
113 has different name .ima. Trusted keyring requires X509 public key
114 certificates. Old version RSA public keys are not compatible with
115 trusted keyring.
116
118 EVM encrypted key is used for EVM HMAC calculation:
119
120 # create and save the key kernel master key (user type)
121 # LMK is used to encrypt encrypted keys
122 keyctl add user kmk "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
123 keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk
124
125 # create the EVM encrypted key
126 keyctl add encrypted evm-key "new user:kmk 64" @u
127 keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key
128
130 Trusted EVM keys are keys which a generate with the help of TPM. They
131 are not related to integrity trusted keys.
132
133 # create and save the key kernel master key (user type)
134 keyctl add trusted kmk "new 32" @u
135 keyctl pipe `keyctl search @u trusted kmk` >kmk
136
137 # create the EVM trusted key
138 keyctl add encrypted evm-key "new trusted:kmk 32" @u
139 keyctl pipe `keyctl search @u encrypted evm-key` >evm-key
140
142 Generate private key in plain text format:
143
144 openssl genrsa -out privkey_evm.pem 1024
145
146 Generate encrypted private key:
147
148 openssl genrsa -des3 -out privkey_evm.pem 1024
149
150 Make encrypted private key from unencrypted:
151
152 openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
153
154 Generate self-signed X509 public key certificate and private key for
155 using kernel asymmetric keys support:
156
157 openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
158 -x509 -config x509_evm.genkey \
159 -outform DER -out x509_evm.der -keyout privkey_evm.pem
160
161 Configuration file x509_evm.genkey:
162
163 # Begining of the file
164 [ req ]
165 default_bits = 1024
166 distinguished_name = req_distinguished_name
167 prompt = no
168 string_mask = utf8only
169 x509_extensions = myexts
170
171 [ req_distinguished_name ]
172 O = Magrathea
173 CN = Glacier signing key
174 emailAddress = slartibartfast@magrathea.h2g2
175
176 [ myexts ]
177 basicConstraints=critical,CA:FALSE
178 keyUsage=digitalSignature
179 subjectKeyIdentifier=hash
180 authorityKeyIdentifier=keyid
181 # EOF
182
183 Generate public key for using RSA key format:
184
185 openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
186
187 Copy keys to /etc/keys:
188
189 cp pubkey_evm.pem /etc/keys
190 scp pubkey_evm.pem target:/etc/keys
191 or
192 cp x509_evm.pem /etc/keys
193 scp x509_evm.pem target:/etc/keys
194
196 Generation of trusted keys is a bit more complicated process and
197 involves following steps:
198
199 · Creation of local IMA certification authority (CA). It consist of
200 private and public key certificate which are used to sign and
201 verify other keys.
202
203 · Build Linux kernel with embedded local IMA CA X509 certificate. It
204 is used to verify other keys added to the .ima trusted keyring
205
206 · Generate IMA private signing key and verification public key
207 certificate, which is signed using local IMA CA private key.
208
209 Configuration file ima-local-ca.genkey:
210
211 # Begining of the file
212 [ req ]
213 default_bits = 2048
214 distinguished_name = req_distinguished_name
215 prompt = no
216 string_mask = utf8only
217 x509_extensions = v3_ca
218
219 [ req_distinguished_name ]
220 O = IMA-CA
221 CN = IMA/EVM certificate signing key
222 emailAddress = ca@ima-ca
223
224 [ v3_ca ]
225 basicConstraints=CA:TRUE
226 subjectKeyIdentifier=hash
227 authorityKeyIdentifier=keyid:always,issuer
228 # keyUsage = cRLSign, keyCertSign
229 # EOF
230
231 Generate private key and X509 public key certificate:
232
233 openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
234 -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
235
236 Produce X509 in DER format for using while building the kernel:
237
238 openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
239
240 Configuration file ima.genkey:
241
242 # Begining of the file
243 [ req ]
244 default_bits = 1024
245 distinguished_name = req_distinguished_name
246 prompt = no
247 string_mask = utf8only
248 x509_extensions = v3_usr
249
250 [ req_distinguished_name ]
251 O = `hostname`
252 CN = `whoami` signing key
253 emailAddress = `whoami`@`hostname`
254
255 [ v3_usr ]
256 basicConstraints=critical,CA:FALSE
257 #basicConstraints=CA:FALSE
258 keyUsage=digitalSignature
259 #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
260 subjectKeyIdentifier=hash
261 authorityKeyIdentifier=keyid
262 #authorityKeyIdentifier=keyid,issuer
263 # EOF
264
265 Generate private key and X509 public key certificate signing request:
266
267 openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
268 -out csr_ima.pem -keyout privkey_ima.pem
269
270 Sign X509 public key certificate signing request with local IMA CA
271 private key:
272
273 openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
274 -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
275 -outform DER -out x509_ima.der
276
278 Default key locations:
279
280 Private RSA key: /etc/keys/privkey_evm.pem
281 Public RSA key: /etc/keys/pubkey_evm.pem
282 X509 certificate: /etc/keys/x509_evm.der
283
284 Options to remember: -k, -r, --rsa, --uuid, --smack.
285
286 Sign file with EVM signature and calculate hash value for IMA:
287
288 evmctl sign --imahash test.txt
289
290 Sign file with both IMA and EVM signatures:
291
292 evmctl sign --imasig test.txt:
293
294 Sign file with IMA signature:
295
296 evmctl ima_sign test.txt
297
298 Sign recursively whole filesystem:
299
300 evmctl -r sign --imahash /
301
302 Fix recursively whole filesystem:
303
304 evmctl -r ima_fix /
305
306 Sign filesystem selectively using find command:
307
308 find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;
309
310 Fix filesystem selectively using find command:
311
312 find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
313
315 IMA/EVM initialization should be normally done from initial RAM file
316 system before mounting root filesystem.
317
318 Here is Ubuntu initramfs example script
319 (/etc/initramfs-tools/scripts/local-top/ima.sh)
320
321 # mount securityfs if not mounted
322 SECFS=/sys/kernel/security
323 grep -q $SECFS /proc/mounts || mount -n -t securityfs securityfs $SECFS
324
325 # search for IMA trusted keyring, then for untrusted
326 ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
327 if [ -z "$ima_id" ]; then
328 ima_id=`keyctl search @u keyring _ima 2>/dev/null`
329 if [ -z "$ima_id" ]; then
330 ima_id=`keyctl newring _ima @u`
331 fi
332 fi
333 # import IMA X509 certificate
334 evmctl import /etc/keys/x509_ima.der $ima_id
335
336 # search for EVM keyring
337 evm_id=`keyctl search @u keyring _evm 2>/dev/null`
338 if [ -z "$evm_id" ]; then
339 evm_id=`keyctl newring _evm @u`
340 fi
341 # import EVM X509 certificate
342 evmctl import /etc/keys/x509_evm.der $evm_id
343
344 # a) import EVM encrypted key
345 cat /etc/keys/kmk | keyctl padd user kmk @u
346 keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
347 # OR
348 # b) import EVM trusted key
349 keyctl add trusted kmk "load `cat /etc/keys/kmk`" @u
350 keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
351
352 # enable EVM
353 echo "1" > /sys/kernel/security/evm
354
355 Optionally it is possible also to forbid adding, removing of new public
356 keys and certificates into keyrings and revoking keys using keyctl
357 setperm command:
358
359 # protect EVM keyring
360 keyctl setperm $evm_id 0x0b0b0000
361 # protect IMA keyring
362 keyctl setperm $ima_id 0x0b0b0000
363 # protecting IMA key from revoking (against DoS)
364 ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id`
365 keyctl setperm $ima_key 0x0b0b0000
366
367 When using plain RSA public keys in PEM format, use evmctl import --rsa
368 for importing keys:
369
370 evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id
371
372 Latest version of keyctl allows to import X509 public key certificates:
373
374 cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id
375
377 Examples of scripts to generate X509 public key certificates:
378
379 /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
380 /usr/share/doc/ima-evm-utils/ima-genkey.sh
381 /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
382
384 Written by Dmitry Kasatkin, <dmitry.kasatkin at gmail.com> and others.
385
387 http://sourceforge.net/p/linux-ima/wiki/Home
388 http://sourceforge.net/p/linux-ima/ima-evm-utils
389
391 Copyright (C) 2012 - 2014 Linux Integrity Project. Free use of this
392 software is granted under the terms of the GNU Public License (GPL).
393
394
395
396 01/29/2020 EVMCTL(1)