IMA-appraisal is unusable in Ubuntu 16.04

Bug #1558553 reported by bugproxy
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Tim Gardner
Fix Released
Tim Gardner

Bug Description

At some point, the IMA keyring changed from _ima to a trusted .ima keyring. At that point, we couldn't add keys to the IMA keyring. Other distros import UEFI keys onto the system keyring. Another method of loading keys on the system keyring is needed, which doesn't require the UEFI keys or rebuilding the kernel.

To resolve this problem, the kernel should be built so that certificate memory is reserved and randomized. Two patches are being upstreamed in this open window (linux-4.6):

8e16789 KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert
c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling

We need to include these Kconfig options to reserve the memory:


An additional patch, which will be upstreamed, is needed to fill the reserved memory with random data before it is compressed. (The patch is attached.) After compiling the kernel with the reserved memory, the following build step is required:

scripts/insert-sys-cert -b vmlinux -c /dev/null

If you want to add a cert, the following command will unpack a bzImage, install the cert (DER format) in the vmlinuz, and repack the bzImage.

scripts/insert-sys-cert -s <> -z <bzImage> -c <certfile>

Contact Information = George Wilson <email address hidden> / Mimi Zohar <email address hidden>

Revision history for this message
bugproxy (bugproxy) wrote : The patch updates scripts/insert-sys-cert.c

Default Comment by Bridge

tags: added: architecture-x8664 bugnameltc-139127 severity-high targetmilestone-inin1604
Changed in ubuntu:
assignee: nobody → Taco Screen team (taco-screen-team)
affects: ubuntu → linux (Ubuntu)
Changed in linux (Ubuntu):
assignee: Taco Screen team (taco-screen-team) → Canonical Kernel Team (canonical-kernel-team)
importance: Undecided → High
status: New → Triaged
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Xenial):
assignee: Canonical Kernel Team (canonical-kernel-team) → Tim Gardner (timg-tpi)
status: Triaged → In Progress
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (11.3 KiB)

This bug was fixed in the package linux - 4.4.0-15.31

linux (4.4.0-15.31) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1559252

  * Xilinx KU3 Capi card does not show up in Ubuntu 16.04 (LP: #1557001)
    - SAUCE: (noup) cxl: Allow initialization on timebase sync failures

  * policy namespace stacking (LP: #1379535)
    - Revert "UBUNTU: SAUCE: Move replacedby allocation into label_alloc"
    - Revert "UBUNTU: SAUCE: Fixup: __label_update() still doesn't handle some cases correctly."
    - Revert "UBUNTU: SAUCE: fix: audit "no_new_privs" case for exec failure"
    - Revert "UBUNTU: SAUCE: fixup: warning about aa_label_vec_find_or_create not being static"
    - Revert "UBUNTU: SAUCE: apparmor: fix refcount race when finding a child profile"
    - Revert "UBUNTU: SAUCE: fixup: cast poison values to remove warnings"
    - Revert "UBUNTU: SAUCE: fixup: get rid of unused var build warning"
    - Revert "UBUNTU: SAUCE: fixup: 20/23 locking issue around in __label_update"
    - Revert "UBUNTU: SAUCE: fixup: make __share_replacedby private to get rid of build warning"
    - Revert "UBUNTU: SAUCE: fix: replacedby forwarding is not being properly update when ns is destroyed"
    - Revert "UBUNTU: SAUCE: apparmor: fix log of apparmor audit message when kern_path() fails"
    - Revert "UBUNTU: SAUCE: fixup: cleanup return handling of labels"
    - Revert "UBUNTU: SAUCE: apparmor: fix: ref count leak when profile sha1 hash is read"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: query label file permission"
    - Revert "UBUNTU: SAUCE: apparmor: Don't remove label on rcu callback if the label has already been removed"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: break circular refcount for label that is directly freed."
    - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount bug when inserting label update that transitions ns"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: now that insert can force replacement use it instead of remove_and_insert"
    - Revert "UBUNTU: SAUCE: apparmor Fix: refcount bug in pivotroot mediation"
    - Revert "UBUNTU: SAUCE: apparmor: ensure that repacedby sharing is done correctly"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: update replacedby allocation to take a gfp parameter"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: convert replacedby update to be protected by the labelset lock"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: add required locking of __aa_update_replacedby on merge path"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: deadlock in aa_put_label() call chain"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: label_vec_merge insertion"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: ensure new labels resulting from merge have a replacedby"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount leak in aa_label_merge"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: refcount race between locating in labelset and get"
    - Revert "UBUNTU: SAUCE: apparmor: Fix: label merge handling of marking unconfined and stale"
    - Revert "UBUNTU: SAUCE: apparmor: add underscores to indicate aa_label_next_not_in_set() use needs locking"
    - Revert "UBUNTU: SAUCE: apparmor: debug: POISON label and replaceby ...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2016-03-23 10:29 EDT-------
Making comment from Mehmet Kayaalp external:

In the 4.4.0-15.31 kernel the reserved space is not filled with randomized bytes. The second step of the build seems to be skipped.

make vmlinux
scripts/insert-sys-cert -b vmlinux -c /dev/null
make bzImage

The 2nd step above changes the reserved memory to randomized.

This results in a larger vmlinux when the key is inserted:

ubuntu@ubuntu-xenial:~$ uname -a
Linux ubuntu-xenial 4.4.0-15-generic #31-Ubuntu SMP Fri Mar 18 19:08:31 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

ubuntu@ubuntu-xenial:~$ sudo grep SYSTEM_EXTRA /boot/config-4.4.0-15-generic

ubuntu@ubuntu-xenial:~$ sudo ./insert-sys-cert -s /boot/ -z /boot/vmlinuz-4.4.0-15-generic -c cert.x509
INFO: Inserted the contents of cert.x509 into ffffffff82075ffa.
INFO: Used 1308 bytes out of 4096 bytes reserved.
INFO: Executing: gzip -n -f -9 <vmlinux-PquuG7 >vmlinux-0ZuoLz
ERROR: Increase in compressed size is not supported.
ERROR: Old size was 6952429, new size is 6956652

Revision history for this message
Mehmet Kayaalp (mkayaalp) wrote :

This bug is not fixed yet, since the random bytes are not added to the build. The attached patch fixes it by adding the step for inserting the null key during build.

Revision history for this message
Mehmet Kayaalp (mkayaalp) wrote :

This trivial patch reduces the clutter from build output.

Revision history for this message
bugproxy (bugproxy) wrote : The patch updates scripts/insert-sys-cert.c

Default Comment by Bridge

Revision history for this message
bugproxy (bugproxy) wrote : 0001-KEYS-Insert-incompressible-bytes-to-vmlinux-to-reser.patch

Default Comment by Bridge

Revision history for this message
bugproxy (bugproxy) wrote : 0002-KEYS-Print-insert-sys-cert-information-to-stout-inst.patch

Default Comment by Bridge

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.