I'm trying to enable IMA appraisal with signatures for executable files on xenial with Linux 4.4. I took the following steps:
* Downloaded ubuntu-xenial kernel sources
* Ran fakeroot debian/rules editconfigs to set CONFIG_SYSTEM_TRUSTED_KEYS to my key
* Ran fakeroot debian/rules binary-headers binary-generic binary-perarch to build the kernel deb packages
* Installed the kernel
* Signed the filesystem with my key using 'evmctl sign'
* Enabled IMA policy so that it will include the following line
appraise fowner=0 appraise_type=imasig
* From this point, invocation of a signed binary causes a kernel BUG():
[ 1395.036910] kernel BUG at /home/rapoport/git/ubuntu-xenial/crypto/asymmetric_keys/public_key.c:80!
[ 1395.038963] invalid opcode: 0000 [#1] SMP
[ 1395.039973] Modules linked in: isofs ppdev kvm_intel kvm irqbypass joydev input_leds serio_raw parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper psmouse cryptd floppy
[ 1395.050761] CPU: 6 PID: 31586 Comm: bash Not tainted 4.4.0-101-generic #124
[ 1395.051909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1395.053510] task: ffff8800bae9c600 ti: ffff88042c52c000 task.ti: ffff88042c52c000
[ 1395.054763] RIP: 0010:[<ffffffff813bdb76>] [<ffffffff813bdb76>] public_key_verify_signature+0x46/0x50
[ 1395.056406] RSP: 0018:ffff88042c52fa98 EFLAGS: 00010246
[ 1395.057307] RAX: ffffffff813bdb80 RBX: 00000000fffffff4 RCX: 0000000000000001
[ 1395.058518] RDX: ffffffff81ea73c0 RSI: ffff88042c52fac8 RDI: ffff88042a107c10
[ 1395.059709] RBP: ffff88042c52faa0 R08: ffff88042a849100 R09: 0000000000000007
[ 1395.061109] R10: ffff88042a0f9d00 R11: ffff88042c52fb07 R12: 0000000000000080
[ 1395.062289] R13: ffff88042abd9a80 R14: 0000000000000014 R15: ffff88042a849ac4
[ 1395.063404] FS: 00007f5e21958700(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000
[ 1395.064771] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1395.065809] CR2: 00007f5e20f5c3cc CR3: 000000042cabc000 CR4: 00000000000406e0
[ 1395.067058] Stack:
[ 1395.067540] ffffffff813bdb95 ffff88042c52fab0 ffffffff813bdaec ffff88042c52fb38
[ 1395.068964] ffffffff813a759e ffff88042c52fac8 0000000000000000 0000000000000000
[ 1395.070417] ffff88042a849ac4 0000000002000114 ffff88042a849100 0000000000000000
[ 1395.071973] Call Trace:
[ 1395.072510] [<ffffffff813bdb95>] ? public_key_verify_signature_2+0x15/0x20
[ 1395.073605] [<ffffffff813bdaec>] verify_signature+0x3c/0x50
[ 1395.074526] [<ffffffff813a759e>] asymmetric_verify+0x17e/0x2a0
[ 1395.075475] [<ffffffff813a7380>] integrity_digsig_verify+0x70/0x110
[ 1395.076481] [<ffffffff813ab424>] ima_appraise_measurement+0x244/0x420
[ 1395.077518] [<ffffffff813a83fa>] process_measurement+0x3fa/0x480
[ 1395.078479] [<ffffffff813a8498>] ima_file_check+0x18/0x20
[ 1395.079381] [<ffffffff8121f0f3>] path_openat+0x1f3/0x1330
[ 1395.080274] [<ffffffff811ef49b>] ? __slab_free+0xcb/0x2c0
[ 1395.081165] [<ffffffff81221421>] do_filp_open+0x91/0x100
[ 1395.082050] [<ffffffff813933df>] ? apparmor_cred_prepare+0x2f/0x50
[ 1395.083046] [<ffffffff8134b483>] ? security_prepare_creds+0x43/0x60
[ 1395.084056] [<ffffffff81216148>] do_open_execat+0x78/0x1d0
[ 1395.084952] [<ffffffff812181b0>] do_execveat_common.isra.33+0x240/0x760
[ 1395.086016] [<ffffffff8121892a>] SyS_execve+0x3a/0x50
[ 1395.086877] [<ffffffff81844a95>] stub_execve+0x5/0x5
[ 1395.087711] [<ffffffff818447f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71
[ 1395.088746] Code: 2a 0f b6 57 0c b8 bf ff ff ff 80 fa 01 77 14 48 8b 14 d5 b0 05 a5 81 48 85 d2 74 07 55 48 89 e5 ff d2 5d f3 c3 0f 0b 0f 0b 0f 0b <0f> 0b 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 8b bf a0 00
[ 1395.093215] RIP [<ffffffff813bdb76>] public_key_verify_signature+0x46/0x50
[ 1395.094322] RSP <ffff88042c52fa98>
[ 1395.095364] ---[ end trace 7ee330317745ad36 ]---
I did some checks and it appears that upstream commit db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api") has changed the public key APIs, but the IMA usage of that API was fixed only by commit eb5798f2e28f ("integrity: convert digsig to akcipher api").
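
One way to check a kernel tree for the state described above (the API change present without the matching integrity fix), as an added example that is not part of the original report. The function name and state labels are hypothetical, and it assumes backported commits keep the upstream subject line, since hashes differ in distribution trees.

```shell
#!/bin/sh
# Added example: classify a kernel tree by the two commit subjects named in
# the report. Input on stdin is one commit subject per line, for instance:
#   git log --format=%s | akcipher_backport_state
# Assumption: a backport keeps the upstream subject, possibly with a prefix,
# so subjects are matched as fixed substrings and hashes are not compared.

API_CHANGE='crypto: KEYS: convert public key and digsig asym to the akcipher api'
IMA_FIX='integrity: convert digsig to akcipher api'

# Prints one of: mismatch | consistent-new | consistent-old | unexpected
akcipher_backport_state() {
    subjects=$(cat)
    has_api=no
    has_fix=no
    if printf '%s\n' "$subjects" | grep -qF -- "$API_CHANGE"; then
        has_api=yes
    fi
    if printf '%s\n' "$subjects" | grep -qF -- "$IMA_FIX"; then
        has_fix=yes
    fi

    case "$has_api/$has_fix" in
        yes/no)  echo mismatch ;;        # public key API converted, integrity caller not
        yes/yes) echo consistent-new ;;  # both sides converted to akcipher
        no/no)   echo consistent-old ;;  # neither commit applied
        no/yes)  echo unexpected ;;      # fix present without the change it follows
    esac
}
```

A result of `mismatch` corresponds to the situation in this report: the signature verification path reached from `integrity_digsig_verify` still uses the old calling convention.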