meta-integrity: Enable choice of creating IMA signatures or hashes

When IMA and EVM are used for file appraisal then EVM verifies the signature stored in security.evm. This signature covers file metadata (uid, gid, mode bits, etc.) as well as the security.ima xattr. Therefore, it is sufficient that only files' hashes are stored in security.ima. This also leads to slight performance improvements since IMA appraisal will then only verify that a file's hash matches the expected hash stored in security.ima. EVM will ensure that the signature over all the file metadata and security.ima xattr is correct. Therefore, give the user control over whether to store file signatures (--imasig) in ima.security or hashes (--imahash) by setting the option in IMA_EVM_IMA_XATTR_OPT. Only test-verify an IMA signature if --imasig is used as the option. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-01-11 15:00:34 +00:00 · 2025-02-06 15:54:41 -05:00
parent 7307755636
commit a76a5c5128
2 changed files with 9 additions and 2 deletions
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -97,6 +97,7 @@ the image, enable image signing in the local.conf like this:
    IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
    IMA_EVM_EVMCTL_KEY_PASSWORD = "<optional private key password>"
    IMA_EVM_PRIVKEY_KEYID_OPT = "<options to use while signing>"
+    IMA_EVM_IMA_XATTR_OPT = "<whether to sign or hash for IMA>"
    IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
    IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"

--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -15,6 +15,10 @@ IMA_EVM_PRIVKEY_KEYID_OPT ?= ""
 # Password for the private key
 IMA_EVM_EVMCTL_KEY_PASSWORD ?= ""

+# Whether to create IMA signatures (--imasig) or hashes (--imahash).
+# Hashes are sufficient for IMA when EVM uses signatures.
+IMA_EVM_IMA_XATTR_OPT ?= "--imasig"
+
 # Public part of certificates (used for both IMA and EVM).
 # The default is okay when using the example key directory.
 IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
@@ -78,11 +82,13 @@ ima_evm_sign_rootfs () {
    export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD}

    bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
-    evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
+    evmctl sign ${IMA_EVM_IMA_XATTR_OPT} ${evmctl_param} --portable -a sha256 \
        --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}"

    # check signing key and signature verification key
-    evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+    if [ "${IMA_EVM_IMA_XATTR_OPT}" = "--imasig" ]; then
+        evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+    fi
    evmctl verify     ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1

    # Optionally install custom policy for loading by systemd.