1EVMCTL(1) EVMCTL(1)
2
6 evmctl - IMA/EVM signing utility
7
9 evmctl [options] <command> [OPTIONS]
10
12 The evmctl utility can be used for producing and verifying digital
13 signatures, which are used by Linux kernel integrity subsystem
14 (IMA/EVM). It can be also used to import keys into the kernel keyring.
15
17 --version
18 help <command>
19 import [--rsa] pubkey keyring
20 sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
21 verify file
22 ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
23 ima_sign [--sigfile] [--key key] [--pass password] file
24 ima_verify file
25 ima_hash file
26 ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
27 ima_fix [-t fdsxm] path
28 sign_hash [--key key] [--pass password]
29 hmac [--imahash | --imasig ] file
30
32 -a, --hashalgo sha1, sha224, sha256, sha384, sha512
33 -s, --imasig make IMA signature
34 -d, --imahash make IMA hash
35 -f, --sigfile store IMA signature in .sig file instead of xattr
36 --xattr-user store xattrs in user namespace (for testing purposes)
37 --rsa use RSA key type and signing scheme v1
38 -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
39 or a pkcs11 URI
40 --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)
41 --keyid-from-cert file
42 read keyid value from SKID of a x509 cert file
43 -o, --portable generate portable EVM signatures
44 -p, --pass password for encrypted signing key
45 -r, --recursive recurse into directories (sign)
46 -t, --type file types to fix 'fxm' (f: file)
47 x - skip fixing if both ima and evm xattrs exist (use with caution)
48 m - stay on the same filesystem (like 'find -xdev')
49 -n print result to stdout instead of setting xattr
50 -u, --uuid use custom FS UUID for EVM (unspecified: from FS, empty: do not use)
51 --smack use extra SMACK xattrs for EVM
52 --m32 force EVM hmac/signature for 32 bit target system
53 --m64 force EVM hmac/signature for 64 bit target system
54 --engine e preload OpenSSL engine e (such as: gost)
55 --pcrs file containing TPM pcrs, one per hash-algorithm/bank
56 --ignore-violations ignore ToMToU measurement violations
57 --verify-sig verify the file signature based on the file hash, both
58 stored in the template data.
59 -v increase verbosity level
60 -h, --help display this help and exit
61 Environment variables:
63 EVMCTL_KEY_PASSWORD : Private key password to use; do not use --pass
65 option
66
68 Linux kernel integrity subsystem is comprised of a number of different
69 components including the Integrity Measurement Architecture (IMA),
70 Extended Verification Module (EVM), IMA-appraisal extension, digital
71 signature verification extension and audit measurement log support.
72 The evmctl utility is used for producing and verifying digital
74 signatures, which are used by the Linux kernel integrity subsystem. It
75 is also used for importing keys into the kernel keyring.
76 Linux integrity subsystem allows to use IMA and EVM signatures. EVM
78 signature protects file metadata, such as file attributes and extended
79 attributes. IMA signature protects file content.
80 For more detailed information about integrity subsystem it is
82 recommended to follow resources in RESOURCES section.
83
85 EVM protects file metadata by including following attributes into HMAC
86 and signature calculation: inode number, inode generation, UID, GID,
87 file mode, security.selinux, security.SMACK64, security.ima,
88 security.capability.
89 EVM HMAC and signature in may also include additional file and file
91 system attributes. Currently supported additional attributes are
92 filesystem UUID and extra SMACK extended attributes.
93 Kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether to
95 include filesystem UUID into HMAC and enabled by default. Therefore
96 evmctl also includes fsuuid by default. Providing --uuid option without
97 parameter allows to disable usage of fs uuid. Providing --uuid=UUID
98 option with parameter allows to use custom UUID. Providing the
99 --portable option will disable usage of the fs uuid and also the inode
100 number and generation.
101 Kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls
103 whether to include additional SMACK extended attributes into HMAC. They
104 are following: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
105 security.SMACK64MMAP. evmctl --smack options enables that.
106
108 Linux integrity subsystem supports two type of signature and
109 respectively two key formats.
110 First key format (v1) is pure RSA key encoded in PEM a format and uses
112 own signature format. It is now non-default format and requires to
113 provide evmctl --rsa option for signing and importing the key.
114 Second key format uses X509 DER encoded public key certificates and
116 uses asymmetric key support in the kernel (since kernel 3.9).
117 CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
118 For v2 signatures x509 certificate (containing the public key) could be
120 appended to the private key (they both are in PEM format) to
121 automatically extract keyid from its Subject Key Identifier (SKID).
122
124 Integrity subsystem uses dedicated IMA/EVM keyrings to search for
125 signature verification keys - _ima and _evm respectively.
126 Since 3.13 IMA allows to declare IMA keyring as trusted. It allows only
128 to load keys, signed by a key from the system keyring (.system). It
129 means self-signed keys are not allowed. This is a default behavior
130 unless CONFIG_IMA_TRUSTED_KEYRING is undefined. IMA trusted keyring is
131 has different name .ima. Trusted keyring requires X509 public key
132 certificates. Old version RSA public keys are not compatible with
133 trusted keyring.
134
136 EVM encrypted key is used for EVM HMAC calculation:
137 # create and save the key kernel master key (user type)
139 # LMK is used to encrypt encrypted keys
140 keyctl add user kmk "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
141 keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk
142 # create the EVM encrypted key
144 keyctl add encrypted evm-key "new user:kmk 64" @u
145 keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key
146
148 Trusted EVM keys are keys which a generate with the help of TPM. They
149 are not related to integrity trusted keys.
150 # create and save the key kernel master key (user type)
152 keyctl add trusted kmk "new 32" @u
153 keyctl pipe `keyctl search @u trusted kmk` >kmk
154 # create the EVM trusted key
156 keyctl add encrypted evm-key "new trusted:kmk 32" @u
157 keyctl pipe `keyctl search @u encrypted evm-key` >evm-key
158
160 Generate private key in plain text format:
161 openssl genrsa -out privkey_evm.pem 1024
163 Generate encrypted private key:
165 openssl genrsa -des3 -out privkey_evm.pem 1024
167 Make encrypted private key from unencrypted:
169 openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
171 Generate self-signed X509 public key certificate and private key for
173 using kernel asymmetric keys support:
174 openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
176 -x509 -config x509_evm.genkey \
177 -outform DER -out x509_evm.der -keyout privkey_evm.pem
178 Configuration file x509_evm.genkey:
180 # Begining of the file
182 [ req ]
183 default_bits = 1024
184 distinguished_name = req_distinguished_name
185 prompt = no
186 string_mask = utf8only
187 x509_extensions = myexts
188 [ req_distinguished_name ]
190 O = Magrathea
191 CN = Glacier signing key
192 emailAddress = slartibartfast@magrathea.h2g2
193 [ myexts ]
195 basicConstraints=critical,CA:FALSE
196 keyUsage=digitalSignature
197 subjectKeyIdentifier=hash
198 authorityKeyIdentifier=keyid
199 # EOF
200 Generate public key for using RSA key format:
202 openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
204 Copy keys to /etc/keys:
206 cp pubkey_evm.pem /etc/keys
208 scp pubkey_evm.pem target:/etc/keys
209 or
210 cp x509_evm.pem /etc/keys
211 scp x509_evm.pem target:/etc/keys
212
214 Generation of trusted keys is a bit more complicated process and
215 involves following steps:
216 • Creation of local IMA certification authority (CA). It consist of
218 private and public key certificate which are used to sign and
219 verify other keys.
220 • Build Linux kernel with embedded local IMA CA X509 certificate. It
222 is used to verify other keys added to the .ima trusted keyring
223 • Generate IMA private signing key and verification public key
225 certificate, which is signed using local IMA CA private key.
226 Configuration file ima-local-ca.genkey:
228 # Begining of the file
230 [ req ]
231 default_bits = 2048
232 distinguished_name = req_distinguished_name
233 prompt = no
234 string_mask = utf8only
235 x509_extensions = v3_ca
236 [ req_distinguished_name ]
238 O = IMA-CA
239 CN = IMA/EVM certificate signing key
240 emailAddress = ca@ima-ca
241 [ v3_ca ]
243 basicConstraints=CA:TRUE
244 subjectKeyIdentifier=hash
245 authorityKeyIdentifier=keyid:always,issuer
246 # keyUsage = cRLSign, keyCertSign
247 # EOF
248 Generate private key and X509 public key certificate:
250 openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
252 -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
253 Produce X509 in DER format for using while building the kernel:
255 openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
257 Configuration file ima.genkey:
259 # Begining of the file
261 [ req ]
262 default_bits = 1024
263 distinguished_name = req_distinguished_name
264 prompt = no
265 string_mask = utf8only
266 x509_extensions = v3_usr
267 [ req_distinguished_name ]
269 O = `hostname`
270 CN = `whoami` signing key
271 emailAddress = `whoami`@`hostname`
272 [ v3_usr ]
274 basicConstraints=critical,CA:FALSE
275 #basicConstraints=CA:FALSE
276 keyUsage=digitalSignature
277 #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
278 subjectKeyIdentifier=hash
279 authorityKeyIdentifier=keyid
280 #authorityKeyIdentifier=keyid,issuer
281 # EOF
282 Generate private key and X509 public key certificate signing request:
284 openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
286 -out csr_ima.pem -keyout privkey_ima.pem
287 Sign X509 public key certificate signing request with local IMA CA
289 private key:
290 openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
292 -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
293 -outform DER -out x509_ima.der
294
296 Default key locations:
297 Private RSA key: /etc/keys/privkey_evm.pem
299 Public RSA key: /etc/keys/pubkey_evm.pem
300 X509 certificate: /etc/keys/x509_evm.der
301 Options to remember: -k, -r, --rsa, --uuid, --smack.
303 Sign file with EVM signature and calculate hash value for IMA:
305 evmctl sign --imahash test.txt
307 Sign file with both IMA and EVM signatures:
309 evmctl sign --imasig test.txt:
311 Sign file with IMA signature:
313 evmctl ima_sign test.txt
315 Sign recursively whole filesystem:
317 evmctl -r sign --imahash /
319 Fix recursively whole filesystem:
321 evmctl -r ima_fix /
323 Sign filesystem selectively using find command:
325 find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;
327 Fix filesystem selectively using find command:
329 find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
331
333 IMA/EVM initialization should be normally done from initial RAM file
334 system before mounting root filesystem.
335 Here is Ubuntu initramfs example script
337 (/etc/initramfs-tools/scripts/local-top/ima.sh)
338 # mount securityfs if not mounted
340 SECFS=/sys/kernel/security
341 grep -q $SECFS /proc/mounts || mount -n -t securityfs securityfs $SECFS
342 # search for IMA trusted keyring, then for untrusted
344 ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
345 if [ -z "$ima_id" ]; then
346 ima_id=`keyctl search @u keyring _ima 2>/dev/null`
347 if [ -z "$ima_id" ]; then
348 ima_id=`keyctl newring _ima @u`
349 fi
350 fi
351 # import IMA X509 certificate
352 evmctl import /etc/keys/x509_ima.der $ima_id
353 # search for EVM keyring
355 evm_id=`keyctl search @u keyring _evm 2>/dev/null`
356 if [ -z "$evm_id" ]; then
357 evm_id=`keyctl newring _evm @u`
358 fi
359 # import EVM X509 certificate
360 evmctl import /etc/keys/x509_evm.der $evm_id
361 # a) import EVM encrypted key
363 cat /etc/keys/kmk | keyctl padd user kmk @u
364 keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
365 # OR
366 # b) import EVM trusted key
367 keyctl add trusted kmk "load `cat /etc/keys/kmk`" @u
368 keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
369 # enable EVM
371 echo "1" > /sys/kernel/security/evm
372 Optionally it is possible also to forbid adding, removing of new public
374 keys and certificates into keyrings and revoking keys using keyctl
375 setperm command:
376 # protect EVM keyring
378 keyctl setperm $evm_id 0x0b0b0000
379 # protect IMA keyring
380 keyctl setperm $ima_id 0x0b0b0000
381 # protecting IMA key from revoking (against DoS)
382 ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id`
383 keyctl setperm $ima_key 0x0b0b0000
384 When using plain RSA public keys in PEM format, use evmctl import --rsa
386 for importing keys:
387 evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id
389 Latest version of keyctl allows to import X509 public key certificates:
391 cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id
393
395 Examples of scripts to generate X509 public key certificates:
396 /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
398 /usr/share/doc/ima-evm-utils/ima-genkey.sh
399 /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
400
402 Written by Dmitry Kasatkin, <dmitry.kasatkin at gmail.com> and others.
403
405 http://sourceforge.net/p/linux-ima/wiki/Home
406 http://sourceforge.net/p/linux-ima/ima-evm-utils
407
409 Copyright (C) 2012 - 2014 Linux Integrity Project. Free use of this
410 software is granted under the terms of the GNU Public License (GPL).
411 07/21/2022 EVMCTL(1)