Diffstat (limited to 'meta-integrity')
-rw-r--r--meta-integrity/README.md56
-rw-r--r--meta-integrity/classes/ima-evm-rootfs.bbclass79
-rw-r--r--meta-integrity/classes/kernel-modsign.bbclass8
-rw-r--r--meta-integrity/classes/sanity-meta-integrity.bbclass10
-rw-r--r--meta-integrity/conf/layer.conf17
-rw-r--r--meta-integrity/data/debug-keys/README.md17
-rw-r--r--meta-integrity/data/debug-keys/ima-local-ca.pem15
-rw-r--r--meta-integrity/data/debug-keys/ima-local-ca.priv7
-rw-r--r--meta-integrity/data/debug-keys/privkey_ima.pem17
-rw-r--r--meta-integrity/data/debug-keys/x509_ima.derbin707 -> 620 bytes
-rw-r--r--meta-integrity/lib/oeqa/runtime/cases/ima.py10
-rw-r--r--meta-integrity/recipes-core/base-files/base-files-ima.inc2
-rw-r--r--meta-integrity/recipes-core/images/integrity-image-minimal.bb12
-rw-r--r--meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb11
-rw-r--r--meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima10
-rw-r--r--meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb2
-rw-r--r--meta-integrity/recipes-core/systemd/systemd_%.bbappend4
-rw-r--r--meta-integrity/recipes-kernel/linux/linux-%.bbappend5
-rw-r--r--meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend3
-rw-r--r--meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch51
-rw-r--r--meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch138
-rw-r--r--meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch60
-rw-r--r--meta-integrity/recipes-kernel/linux/linux/audit.cfg2
-rw-r--r--meta-integrity/recipes-kernel/linux/linux_ima.inc11
-rw-r--r--meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb17
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch39
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch68
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch50
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch47
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb30
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb37
-rw-r--r--meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all9
-rw-r--r--meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb13
-rw-r--r--meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed3
-rw-r--r--meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb13
-rw-r--r--meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb13
-rwxr-xr-xmeta-integrity/scripts/ima-gen-CA-signed.sh9
-rwxr-xr-xmeta-integrity/scripts/ima-gen-local-ca.sh6
-rwxr-xr-xmeta-integrity/scripts/ima-gen-self-signed.sh41
39 files changed, 326 insertions, 616 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 4607948..c333a9f 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -1,8 +1,24 @@
This README file contains information on the contents of the
integrity layer.
-Please see the corresponding sections below for details.
+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'integrity' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+ DISTRO_FEATURES:append = " integrity"
+
+If meta-integrity is included, but integrity is not enabled as a
+distro feature a warning is printed at parse time:
+
+ You have included the meta-integritry layer, but
+ 'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+ and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the following
+variable in your configuration:
+
+ SKIP_META_INTEGRITY_SANITY_CHECK = 1
Dependencies
============
@@ -25,7 +41,7 @@ Patches
=======
For discussion or patch submission via email, use the
-yocto@yoctoproject.org mailing list. When submitting patches that way,
+yocto-patches@yoctoproject.org mailing list. When submitting patches that way,
make sure to copy the maintainer and add a "[meta-integrity]"
prefix to the subject of the mails.
@@ -60,7 +76,7 @@ other layers needed. e.g.:
It has some dependencies on a suitable BSP; in particular the kernel
must have a recent enough IMA/EVM subsystem. The layer was tested with
-Linux 3.19 and uses some features (like loading X509 certificates
+Linux 6.1 and uses some features (like loading X509 certificates
directly from the kernel) which were added in that release. Your
mileage may vary with older kernels.
@@ -73,8 +89,17 @@ Adding the layer only enables IMA (see below regarding EVM) during
compilation of the Linux kernel. To also activate it when building
the image, enable image signing in the local.conf like this:
- INHERIT += "ima-evm-rootfs"
+ DISTRO_FEATURES:append = " integrity ima"
+
+ IMAGE_CLASSES += "ima-evm-rootfs"
+
IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
+ IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+ IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
+ IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
+
+ # The following policy enforces IMA & EVM signatures
+ IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all"
This uses the default keys provided in the "data" directory of the layer.
Because everyone has access to these private keys, such an image
@@ -95,10 +120,7 @@ for that are included in the layer. This is also how the
cd $IMA_EVM_KEY_DIR
# In that shell, create the keys. Several options exist:
- # 1. Self-signed keys.
- $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
-
- # 2. Keys signed by a new CA.
+ # 1. Keys signed by a new CA.
# When asked for a PEM passphrase, that will be for the root CA.
# Signing images then will not require entering that passphrase,
# only creating new certificates does. Most likely the default
@@ -107,13 +129,11 @@ for that are included in the layer. This is also how the
# $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
- # 3. Keys signed by an existing CA.
+ # 2. Keys signed by an existing CA.
# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
exit
-When using ``ima-self-signed.sh`` as described above, self-signed keys
-are created. Alternatively, one can also use keys signed by a CA. The
-``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
+The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then
supports adding tha CA's public key to the kernel's system keyring by
compiling it directly into the kernel. Because it is unknown whether
@@ -169,7 +189,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd
changes. To activate policy loading via systemd, place a policy file
in `/etc/ima/ima-policy`, for example with:
- IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
+ IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple"
To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
@@ -199,12 +219,16 @@ executing the file is no longer allowed:
-sh: /usr/bin/rpm: Permission denied
Enabling the audit kernel subsystem may help to debug appraisal
-issues. Enable it by adding the meta-security-framework layer and
+issues. Enable it by adding a kernel configuration fragment and
changing your local.conf:
- SRC_URI_append_pn-linux-yocto = " file://audit.cfg"
+ SRC_URI:append:pn-linux-yocto = " file://audit.cfg"
CORE_IMAGE_EXTRA_INSTALL += "auditd"
-Then boot with "ima_appraise=log ima_appraise_tcb".
+Then boot with "ima_appraise=log ima_appraise_tcb integrity_audit=1".
+For example, for QEMU by changing variable QB_KERNEL_CMDLINE_APPEND
+in your local.conf:
+ QB_KERNEL_CMDLINE_APPEND:remove:pn-integrity-image-minimal = "ima_policy=tcb ima_appraise=fix"
+ QB_KERNEL_CMDLINE_APPEND:append:pn-integrity-image-minimal = " ima_appraise=log ima_appraise_tcb integrity_audit=1"
Adding auditd is not strictly necessary but helps to capture a
more complete set of events in /var/log/audit/ and search in
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index d6ade3b..7b73373 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -17,7 +17,7 @@ IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
# with a .x509 suffix. See linux-%.bbappend for details.
#
# ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
-IMA_EVM_ROOT_CA ?= ""
+IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
# Sign all regular files by default.
IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
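Review bot: Changing the `IMA_EVM_ROOT_CA` default from empty to `${IMA_EVM_KEY_DIR}/ima-local-ca.pem` means a build that sets nothing now compiles a root CA into the kernel keyring, and when `IMA_EVM_KEY_DIR` is left at the layer's debug-keys directory (as the README example in this commit does) that CA's private key and its password are published in this same diff, so every such kernel trusts anyone holding the repository. The previous empty default made embedding a root CA an explicit decision; if the new default stays, the class should at least warn or fail when the resolved path is under `${INTEGRITY_BASE}/data/debug-keys`. The comment two lines above still says `ima-local-ca.x509 is what ima-gen-local-ca.sh creates` while the default now names a `.pem`, so one of the two needs correcting. Suggested comment above the assignment: `# Defaults to the CA written next to the signing key; with the shipped debug-keys this is a PUBLIC CA and must be overridden for any image that leaves the lab.`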
@@ -28,6 +28,12 @@ IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false"
# the iversion flags (needed by IMA when allowing writing).
IMA_EVM_ROOTFS_IVERSION ?= ""
+# Avoid re-generating fstab when ima is enabled.
+WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
+
+# Add necessary tools (e.g., keyctl) to image
+IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}"
+
ima_evm_sign_rootfs () {
cd ${IMAGE_ROOTFS}
@@ -37,15 +43,6 @@ ima_evm_sign_rootfs () {
# reasons (including a change of the signing keys) without also
# re-running do_rootfs.
- # Copy file(s) which must be on the device. Note that
- # evmctl uses x509_evm.der also for "ima_verify", which is probably
- # a bug (should default to x509_ima.der). Does not matter for us
- # because we use the same key for both.
- install -d ./${sysconfdir}/keys
- rm -f ./${sysconfdir}/keys/x509_evm.der
- install "${IMA_EVM_X509}" ./${sysconfdir}/keys/x509_evm.der
- ln -sf x509_evm.der ./${sysconfdir}/keys/x509_ima.der
-
# Fix /etc/fstab: it must include the "i_version" mount option for
# those file systems where writing files is allowed, otherwise
# these changes will not get detected at runtime.
@@ -65,28 +62,58 @@ ima_evm_sign_rootfs () {
perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab
fi
- # Sign file with private IMA key. EVM not supported at the moment.
- bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'"
- find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY}
- bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'"
- find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
+ # Detect 32bit target to pass --m32 to evmctl by looking at libc
+ tmp="$(file "${IMAGE_ROOTFS}/lib/libc.so.6" | grep -o 'ELF .*-bit')"
+ if [ "${tmp}" = "ELF 32-bit" ]; then
+ evmctl_param="--m32"
+ elif [ "${tmp}" = "ELF 64-bit" ]; then
+ evmctl_param=""
+ else
+ bberror "Unknown target architecture bitness: '${tmp}'" >&2
+ exit 1
+ fi
+
+ bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}"
+
+ # check signing key and signature verification key
+ evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+ evmctl verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
# Optionally install custom policy for loading by systemd.
- if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
+ if [ "${IMA_EVM_POLICY}" ]; then
install -d ./${sysconfdir}/ima
rm -f ./${sysconfdir}/ima/ima-policy
- install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
+ install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
+
+ bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
+ fi
+
+ # Optionally write the file names and ima and evm signatures into files
+ if [ "${IMA_FILE_SIGNATURES_FILE}" ]; then
+ getfattr -R -m security.ima --e hex --dump ./ 2>/dev/null | \
+ sed -n -e 's|# file: |/|p' -e 's|security.ima=|ima:|p' | \
+ sed '$!N;s/\n/ /' > ./${IMA_FILE_SIGNATURES_FILE}
+ fi
+ if [ "${EVM_FILE_SIGNATURES_FILE}" ]; then
+ getfattr -R -m security.evm --e hex --dump ./ 2>/dev/null | \
+ sed -n -e 's|# file: |/|p' -e 's|security.evm=|evm:|p' | \
+ sed '$!N;s/\n/ /' > ./${EVM_FILE_SIGNATURES_FILE}
fi
}
# Signing must run as late as possible in the do_rootfs task.
-# IMAGE_PREPROCESS_COMMAND runs after ROOTFS_POSTPROCESS_COMMAND, so
-# append (not prepend!) to IMAGE_PREPROCESS_COMMAND, and do it with
-# _append instead of += because _append gets evaluated later. In
-# particular, we must run after prelink_image in
-# IMAGE_PREPROCESS_COMMAND, because prelinking changes executables.
-
-IMAGE_PREPROCESS_COMMAND_append = " ima_evm_sign_rootfs ; "
+# To guarantee that, we append it to IMAGE_PREPROCESS_COMMAND in
+# RecipePreFinalise event handler, this ensures it's the last
+# function in IMAGE_PREPROCESS_COMMAND.
+python ima_evm_sign_handler () {
+ if not e.data or 'ima' not in e.data.getVar('DISTRO_FEATURES').split():
+ return
-# evmctl must have been installed first.
-do_rootfs[depends] += "ima-evm-utils-native:do_populate_sysroot"
+ e.data.appendVar('IMAGE_PREPROCESS_COMMAND', ' ima_evm_sign_rootfs; ')
+ e.data.appendVar('IMAGE_INSTALL', ' ima-evm-keys')
+ e.data.appendVarFlag('do_rootfs', 'depends', ' ima-evm-utils-native:do_populate_sysroot')
+}
+addhandler ima_evm_sign_handler
+ima_evm_sign_handler[eventmask] = "bb.event.RecipePreFinalise"
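Review bot: `IMA_EVM_ROOTFS_SIGNED` and `IMA_EVM_ROOTFS_HASHED` are still declared and documented just above this hunk, but the new `evmctl sign ... -r "${IMAGE_ROOTFS}"` walks the whole rootfs unconditionally, so both knobs are now silently ignored and there is no longer a way to hash rather than sign a subset of files. Either remove the two variables with a note in the class, or keep honouring them, e.g. `find ${IMA_EVM_ROOTFS_SIGNED} -print0 | xargs -0 --no-run-if-empty evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}"` plus the matching `evmctl ima_hash ${evmctl_param}` pipeline for `IMA_EVM_ROOTFS_HASHED`. The key path on the recursive sign line is unquoted (`--key ${IMA_EVM_PRIVKEY}`) while the later policy-signing line quotes it; quote both. The bitness probe also assumes a glibc rootfs: with musl there is no `lib/libc.so.6`, so `tmp` comes back empty and the step dies with the generic 'Unknown target architecture bitness' message instead of naming the missing file — test `-e` on the path first, or probe an executable such as `${IMAGE_ROOTFS}${base_bindir}/sh` with `file -L`.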
diff --git a/meta-integrity/classes/kernel-modsign.bbclass b/meta-integrity/classes/kernel-modsign.bbclass
index 09025ba..d3aa7fb 100644
--- a/meta-integrity/classes/kernel-modsign.bbclass
+++ b/meta-integrity/classes/kernel-modsign.bbclass
@@ -2,7 +2,7 @@
# set explicitly in a local.conf before activating kernel-modsign.
# To use the insecure (because public) example keys, use
# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
-MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
+MODSIGN_KEY_DIR ??= "MODSIGN_KEY_DIR_NOT_SET"
# Private key for modules signing. The default is okay when
# using the example key directory.
@@ -13,9 +13,11 @@ MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
# If this class is enabled, disable stripping signatures from modules
+# as well disable the debug symbols split
INHIBIT_PACKAGE_STRIP = "1"
+INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
-kernel_do_configure_prepend() {
+kernel_do_configure:prepend() {
if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
> "${B}/modsign_key.pem"
@@ -24,6 +26,6 @@ kernel_do_configure_prepend() {
fi
}
-do_shared_workdir_append() {
+do_shared_workdir:append() {
cp modsign_key.pem $kerneldir/
}
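Review bot: `cp modsign_key.pem $kerneldir/` in `do_shared_workdir:append` copies the concatenated private key and certificate from `${B}` into the shared kernel work directory, where every recipe consuming the kernel build tree (and, presumably, the sstate object for this task) can read it; that is what out-of-tree module signing needs, but it deserves a comment so nobody treats `MODSIGN_PRIVKEY` as confined to the kernel recipe, e.g. `# The signing key is exported with the kernel build dir so external module recipes can sign; a production key therefore also lands in shared sstate.` The copy relies on the task's working directory being `${B}` and leaves `$kerneldir` unquoted; `cp "${B}/modsign_key.pem" "$kerneldir/"` is the safer spelling. The `kernel_do_configure:prepend` body only acts when both key files exist; whatever follows the `else` branch, if any, is outside the hunk.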
diff --git a/meta-integrity/classes/sanity-meta-integrity.bbclass b/meta-integrity/classes/sanity-meta-integrity.bbclass
new file mode 100644
index 0000000..6ba7e3f
--- /dev/null
+++ b/meta-integrity/classes/sanity-meta-integrity.bbclass
@@ -0,0 +1,10 @@
+addhandler integrity_bbappend_distrocheck
+integrity_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
+python integrity_bbappend_distrocheck() {
+ skip_check = e.data.getVar('SKIP_META_INTEGRITY_SANITY_CHECK') == "1"
+ if 'integrity' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+ bb.warn("You have included the meta-integrity layer, but \
+'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-integrity README \
+for details on enabling integrity support.")
+}
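Review bot: `e.data.getVar('DISTRO_FEATURES').split()` raises AttributeError when DISTRO_FEATURES is unset (getVar returns None), turning a sanity warning into a parse failure for exactly the misconfigured builds the check is meant to help; guard it with `(e.data.getVar('DISTRO_FEATURES') or '').split()`. The README in this commit quotes the same warning text but with a typo (`meta-integritry`); keep the two identical so users can search for the message.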
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index bfc9c6f..aab9652 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -2,8 +2,7 @@
BBPATH =. "${LAYERDIR}:"
# We have a packages directory, add to BBFILES
-BBFILES := "${BBFILES} \
- ${LAYERDIR}/recipes-*/*/*.bb \
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
${LAYERDIR}/recipes-*/*/*.bbappend"
BBFILE_COLLECTIONS += "integrity"
@@ -21,8 +20,20 @@ INTEGRITY_BASE := '${LAYERDIR}'
# interactive shell is enough.
OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "zeus"
+LAYERSERIES_COMPAT_integrity = "nanbield scarthgap"
# ima-evm-utils depends on keyutils from meta-oe
LAYERDEPENDS_integrity = "core openembedded-layer"
BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity"
+
+# Sanity check for meta-integrity layer.
+# Setting SKIP_META_INTEGRITY_SANITY_CHECK to "1" would skip the bbappend files check.
+INHERIT += "sanity-meta-integrity"
+
+BBFILES_DYNAMIC += " \
+networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \
+"
+
+addpylib ${LAYERDIR}/lib oeqa
+
+WARN_QA:append:integrity = " patch-status missing-metadata"
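Review bot: `WARN_QA:append:integrity` uses `integrity` as an override, but OE's per-layer override is derived from the collection name as `layer-<collection>` (other layers write `WARN_QA:append:layer-<name> = " patch-status"`), so unless something else adds `integrity` to OVERRIDES this append is likely a no-op and the `patch-status`/`missing-metadata` checks never run for this layer; `WARN_QA:append:layer-integrity = " patch-status missing-metadata"` is the spelling I would expect. `BBFILES_DYNAMIC` points at `dynamic-layers/meta-networking`, which does not appear anywhere in this diffstat; if that directory does not exist yet this is harmless but misleading, so either add the bbappends or a comment naming the recipe it is meant to extend.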
diff --git a/meta-integrity/data/debug-keys/README.md b/meta-integrity/data/debug-keys/README.md
new file mode 100644
index 0000000..e613968
--- /dev/null
+++ b/meta-integrity/data/debug-keys/README.md
@@ -0,0 +1,17 @@
+# EVM & IMA keys
+
+The following IMA & EVM debug/test keys are in this directory
+
+- ima-local-ca.priv: The CA's private key (password: 1234)
+- ima-local-ca.pem: The CA's self-signed certificate
+- privkey_ima.pem: IMA & EVM private key used for signing files
+- x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures
+
+The CA's (self-signed) certificate can be used to verify the validity of
+the x509_ima.der certificate. Since the CA certificate will be built into
+the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must
+pass this test:
+
+```
+ openssl verify -CAfile ima-local-ca.pem x509_ima.der
+````
diff --git a/meta-integrity/data/debug-keys/ima-local-ca.pem b/meta-integrity/data/debug-keys/ima-local-ca.pem
new file mode 100644
index 0000000..4b48be4
--- /dev/null
+++ b/meta-integrity/data/debug-keys/ima-local-ca.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/meta-integrity/data/debug-keys/ima-local-ca.priv b/meta-integrity/data/debug-keys/ima-local-ca.priv
new file mode 100644
index 0000000..e13de23
--- /dev/null
+++ b/meta-integrity/data/debug-keys/ima-local-ca.priv
@@ -0,0 +1,7 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAhinM5KnV2x5wICCAAw
+DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI4Xbw/W1pgH0EgZCiurgCTUEIDbiK
+x5kw3/Rg1/ZLwk5TEiMoIa9CmXEyuSRUla/Ta4o/rZEzKAp6vwkcupviirtWYems
+lZNfggfzITWNEWtkU6BrhZgJ7kaeZrIbuAO7YUJy6Z2MQfgaKI9BE2EEgKJ+X5gY
+LjkobSAtEqDjuheLgaXIMQ7/qT0MGmi6LmzwMEhu8ZXlNGg8udw=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-integrity/data/debug-keys/privkey_ima.pem
index 502a0b6..8362cfe 100644
--- a/meta-integrity/data/debug-keys/privkey_ima.pem
+++ b/meta-integrity/data/debug-keys/privkey_ima.pem
@@ -1,16 +1,5 @@
-----BEGIN PRIVATE KEY-----
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU
-Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6
-IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p
-OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1
-lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW
-HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV
-aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA
-TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue
-WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb
-SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1
-xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+
-CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q
-1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ
-3vVaxg2EfqB1
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmbPxV5LYZ530IfGm
+SMpfPQFgoIkKPMRuNWLyVn+wiAOhRANCAAQ31W5ZQZdcwidgpyls2oO5rSsHLlqj
+cKYaDF2fveMN5L/wBwEi84ubzz2+MkM9q7RaOSC4TPYHnhVvYcH+SsFv
-----END PRIVATE KEY-----
diff --git a/meta-integrity/data/debug-keys/x509_ima.der b/meta-integrity/data/debug-keys/x509_ima.der
index 087ca6b..3f6f24e 100644
--- a/meta-integrity/data/debug-keys/x509_ima.der
+++ b/meta-integrity/data/debug-keys/x509_ima.der
Binary files differ
diff --git a/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-integrity/lib/oeqa/runtime/cases/ima.py
index 0c8617a..6b361ca 100644
--- a/meta-integrity/lib/oeqa/runtime/cases/ima.py
+++ b/meta-integrity/lib/oeqa/runtime/cases/ima.py
@@ -58,21 +58,19 @@ class IMACheck(OERuntimeTestCase):
@OETestDepends(['ima.IMACheck.test_ima_enabled'])
def test_ima_hash(self):
''' Test if IMA stores correct file hash '''
- filename = "/etc/filetest"
+ filename = "/etc/ld.so.cache"
ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements"
- status, output = self.target.run("echo test > %s" % filename)
- self.assertEqual(status, 0, "Cannot create file %s on target" % filename)
# wait for the IMA system to update the entry
- maximum_tries = 30
+ maximum_tries = 3
tries = 0
- status, output = self.target.run("sha1sum %s" %filename)
+ status, output = self.target.run("sha256sum %s" %filename)
sleep(2)
current_hash = output.split()[0]
ima_hash = ""
while tries < maximum_tries:
- status, output = self.target.run("cat %s | grep %s" \
+ status, output = self.target.run("cat %s | grep -e '%s'" \
% (ima_measure_file, filename))
# get last entry, 4th field
if status == 0:
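Review bot: `grep -e '%s'` with the new `/etc/ld.so.cache` filename treats the path as a regular expression, so the dots match any character and the pattern also matches longer paths (for example a backup copy of the file), making "the last entry" depend on whatever else was measured; use a fixed-string, word-bounded match such as `grep -F -w -- '%s' %s` and drop the `cat |`. Cutting `maximum_tries` from 30 to 3 shortens the wait considerably; if the loop body (outside the hunk) sleeps between tries, a slow target may now miss the entry, so the reason for 3 belongs in a comment. The previous version wrote a fresh file and checked that it was measured; with a pre-existing file the test no longer exercises measurement of a newly created or modified file, which the docstring should state. The rest of `test_ima_hash`, including the final assertion, is outside the hunk.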
diff --git a/meta-integrity/recipes-core/base-files/base-files-ima.inc b/meta-integrity/recipes-core/base-files/base-files-ima.inc
index 7e9e210..cfa65a2 100644
--- a/meta-integrity/recipes-core/base-files/base-files-ima.inc
+++ b/meta-integrity/recipes-core/base-files/base-files-ima.inc
@@ -1,5 +1,5 @@
# Append iversion option for auto types
-do_install_append() {
+do_install:append() {
sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab"
echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab"
}
diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
index 1a3a30a..856249f 100644
--- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -2,20 +2,18 @@ DESCRIPTION = "An image as an exmaple for Ima support"
IMAGE_FEATURES += "ssh-server-openssh"
+LICENSE = "MIT"
+
+inherit core-image
-IMAGE_INSTALL = "\
+IMAGE_INSTALL += "\
packagegroup-base \
packagegroup-core-boot \
packagegroup-ima-evm-utils \
os-release"
-
-LICENSE = "MIT"
-
-inherit core-image
-
export IMAGE_BASENAME = "integrity-image-minimal"
INHERIT += "ima-evm-rootfs"
-QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
+QB_KERNEL_CMDLINE_APPEND:append = " ima_policy=tcb ima_appraise=fix"
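Review bot: The example image now boots with `ima_appraise=fix` and only `ima_policy=tcb`, having dropped `ima_policy=appraise_tcb`: in fix mode the kernel does not deny access on appraisal failure and fills in missing or stale hash xattrs instead, so an image that has just been signed by `ima-evm-rootfs` does not demonstrate enforcement at all. If that is the intended development default, say so, e.g. `# Development default: 'fix' never denies access; use ima_appraise=enforce (or log) with a signed policy to test real appraisal.` `INHERIT += "ima-evm-rootfs"` inside a recipe is also questionable — as far as I know INHERIT is only honoured in configuration files, and the README in this commit tells users to add the class via `IMAGE_CLASSES`; presumably that, not this line, is what actually signs the image, so the line should become `inherit ima-evm-rootfs` or be removed.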
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index dacdc8b..58cbe6e 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -14,6 +14,9 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
# to this recipe can just point towards one of its own files.
IMA_POLICY ?= "ima-policy-hashed"
+# Force proceed IMA procedure even 'no_ima' boot parameter is available.
+IMA_FORCE ?= "false"
+
SRC_URI = " file://ima"
inherit features_check
@@ -23,9 +26,11 @@ do_install () {
install -d ${D}/${sysconfdir}/ima
install -d ${D}/init.d
install ${WORKDIR}/ima ${D}/init.d/20-ima
+
+ sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima
}
-FILES_${PN} = "/init.d ${sysconfdir}"
+FILES:${PN} = "/init.d ${sysconfdir}"
-RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"
-RDEPENDS_${PN} += "initramfs-framework-base"
+RDEPENDS:${PN} = "keyutils ima-evm-keys ${IMA_POLICY}"
+RDEPENDS:${PN} += "initramfs-framework-base"
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
index 8616f99..8971494 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
@@ -2,9 +2,15 @@
#
# Loads IMA policy into the kernel.
+force_ima=@@FORCE_IMA@@
+
ima_enabled() {
- if [ "$bootparam_no_ima" = "true" ]; then
+ if [ "$force_ima" = "true" ]; then
+ return 0
+ elif [ "$bootparam_no_ima" = "true" ]; then
return 1
+ else
+ return 0
fi
}
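Review bot: With the default `IMA_FORCE = "false"`, anyone who can edit the kernel command line can append `no_ima` and `ima_enabled` returns 1, so the whole `/etc/ima/ima-policy` is skipped and nothing the rootfs was signed for is appraised; the new `force_ima` branch closes that bypass only when a build opts in. That deserves a comment right above the function, e.g. `# 'no_ima' on the kernel command line disables policy loading unless the image was built with IMA_FORCE=true; production images should set it or rely on a kernel-builtin policy.` Since `@@FORCE_IMA@@` is substituted by `sed` at build time and compared against the literal `true`, any other value (`1`, `yes`, `True`) silently behaves like `false`, which is worth stating next to the `IMA_FORCE` default.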
@@ -46,7 +52,7 @@ ima_run() {
# ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when
# checking the write of each line. To minimize the risk of policy loading going wrong we
# also remove comments and blank lines ourselves.
- if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then
+ if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima/ima-policy >/sys/kernel/security/ima/policy; then
fatal "Could not load IMA policy."
fi
}
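Review bot: The policy-loading one-liner reads rules with `while read i` and writes them with `echo $i`, so backslashes are interpreted and the unquoted expansion is word-split and glob-expanded before it reaches `/sys/kernel/security/ima/policy`; `while read -r i` together with `echo "$i"` (or `printf '%s\n' "$i"`) forwards each rule byte-for-byte. Only the path changed in this commit, but the loop is on the new side and the fix is one token in each place. `sleep ${bootparam_ima_delay:-0}` is likewise unquoted and taken straight from the command line; harmless as a debugging aid, but a short comment saying so would stop it being mistaken for a security control.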
diff --git a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
index 8196edb..484859f 100644
--- a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
+++ b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
@@ -6,6 +6,6 @@ inherit packagegroup features_check
REQUIRED_DISTRO_FEATURES = "ima"
# Only one at the moment, but perhaps more will come in the future.
-RDEPENDS_${PN} = " \
+RDEPENDS:${PN} = " \
ima-evm-utils \
"
diff --git a/meta-integrity/recipes-core/systemd/systemd_%.bbappend b/meta-integrity/recipes-core/systemd/systemd_%.bbappend
index 3b45541..57b3684 100644
--- a/meta-integrity/recipes-core/systemd/systemd_%.bbappend
+++ b/meta-integrity/recipes-core/systemd/systemd_%.bbappend
@@ -1,11 +1,11 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += " \
file://machine-id-commit-sync.conf \
file://random-seed-sync.conf \
"
-do_install_append () {
+do_install:append () {
for i in machine-id-commit random-seed; do
install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d
install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d
diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
deleted file mode 100644
index f9a48cd..0000000
--- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ /dev/null
@@ -1,5 +0,0 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
-
-KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
-
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
new file mode 100644
index 0000000..9c599aa
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/linux:"
+
+require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)}
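Review bot: `bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', ...)` carries a trailing space in the feature list; it works only because `contains_any` splits on whitespace, and it reads like a leftover from a second feature that was removed, so `bb.utils.contains('DISTRO_FEATURES', 'integrity', 'linux_ima.inc', '', d)` states the intent. The deleted `linux-%.bbappend` keyed the kernel fragments off the `ima` and `modsign` DISTRO_FEATURES and inherited `kernel-modsign`; if `linux_ima.inc` (not in this view) does not reproduce that, builds enabling `modsign` without `integrity` lose module signing silently, and a comment here saying that `integrity` is now the single gate would spare users the search. The match also narrows from `linux-%` to `linux-yocto%`, so non-yocto kernels no longer receive the IMA configuration; the README hunk mentions this only by example.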
diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
deleted file mode 100644
index 64016dd..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Tue, 8 Mar 2016 16:43:55 -0500
-Subject: [PATCH] ima: fix ima_inode_post_setattr
-
-Changing file metadata (eg. uid, guid) could result in having to
-re-appraise a file's integrity, but does not change the "new file"
-status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
-IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
-only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
-
-With this patch, changing the file timestamp will not remove the
-file signature on new files.
-
-Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b]
-
-Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
----
- security/integrity/ima/ima_appraise.c | 2 +-
- security/integrity/integrity.h | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4df493e..a384ba1 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
- if (iint) {
- iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
- IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-- IMA_ACTION_FLAGS);
-+ IMA_ACTION_RULE_FLAGS);
- if (must_appraise)
- iint->flags |= IMA_APPRAISE;
- }
-diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
-index 0fc9519..f9decae 100644
---- a/security/integrity/integrity.h
-+++ b/security/integrity/integrity.h
-@@ -28,6 +28,7 @@
-
- /* iint cache flags */
- #define IMA_ACTION_FLAGS 0xff000000
-+#define IMA_ACTION_RULE_FLAGS 0x06000000
- #define IMA_DIGSIG 0x01000000
- #define IMA_DIGSIG_REQUIRED 0x02000000
- #define IMA_PERMIT_DIRECTIO 0x04000000
---
-2.5.0
-
diff --git a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
deleted file mode 100644
index 6ab7ce2..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Thu, 10 Mar 2016 18:19:20 +0200
-Subject: [PATCH] ima: add support for creating files using the mknodat
- syscall
-
-Commit 3034a14 "ima: pass 'opened' flag to identify newly created files"
-stopped identifying empty files as new files. However new empty files
-can be created using the mknodat syscall. On systems with IMA-appraisal
-enabled, these empty files are not labeled with security.ima extended
-attributes properly, preventing them from subsequently being opened in
-order to write the file data contents. This patch marks these empty
-files, created using mknodat, as new in order to allow the file data
-contents to be written.
-
-Files with security.ima xattrs containing a file signature are considered
-"immutable" and can not be modified. The file contents need to be
-written, before signing the file. This patch relaxes this requirement
-for new files, allowing the file signature to be written before the file
-contents.
-
-Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356]
-
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
----
- fs/namei.c | 2 ++
- include/linux/ima.h | 7 ++++++-
- security/integrity/ima/ima_appraise.c | 3 +++
- security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++-
- 4 files changed, 42 insertions(+), 2 deletions(-)
-
-diff --git a/fs/namei.c b/fs/namei.c
-index ccd7f98..19502da 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -3526,6 +3526,8 @@ retry:
- switch (mode & S_IFMT) {
- case 0: case S_IFREG:
- error = vfs_create(path.dentry->d_inode,dentry,mode,true);
-+ if (!error)
-+ ima_post_path_mknod(dentry);
- break;
- case S_IFCHR: case S_IFBLK:
- error = vfs_mknod(path.dentry->d_inode,dentry,mode,
-diff --git a/include/linux/ima.h b/include/linux/ima.h
-index 120ccc5..7f51971 100644
---- a/include/linux/ima.h
-+++ b/include/linux/ima.h
-@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file);
- extern int ima_file_mmap(struct file *file, unsigned long prot);
- extern int ima_module_check(struct file *file);
- extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
--
-+extern void ima_post_path_mknod(struct dentry *dentry);
- #else
- static inline int ima_bprm_check(struct linux_binprm *bprm)
- {
-@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
- return 0;
- }
-
-+static inline void ima_post_path_mknod(struct dentry *dentry)
-+{
-+ return;
-+}
-+
- #endif /* CONFIG_IMA */
-
- #ifdef CONFIG_IMA_APPRAISE
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4df493e..20806ea 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -274,6 +274,11 @@ out:
- xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
- if (!ima_fix_xattr(dentry, iint))
- status = INTEGRITY_PASS;
-+ } else if ((inode->i_size == 0) &&
-+ (iint->flags & IMA_NEW_FILE) &&
-+ (xattr_value &&
-+ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
-+ status = INTEGRITY_PASS;
- }
- integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
- op, cause, rc, 0);
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index eeee00dc..705bf78 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function,
- ima_audit_measurement(iint, pathname);
-
- out_digsig:
-- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
-+ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
-+ !(iint->flags & IMA_NEW_FILE))
- rc = -EACCES;
- kfree(xattr_value);
- out_free:
-@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened)
- EXPORT_SYMBOL_GPL(ima_file_check);
-
- /**
-+ * ima_post_path_mknod - mark as a new inode
-+ * @dentry: newly created dentry
-+ *
-+ * Mark files created via the mknodat syscall as new, so that the
-+ * file data can be written later.
-+ */
-+void ima_post_path_mknod(struct dentry *dentry)
-+{
-+ struct integrity_iint_cache *iint;
-+ struct inode *inode;
-+ int must_appraise;
-+
-+ if (!dentry || !dentry->d_inode)
-+ return;
-+
-+ inode = dentry->d_inode;
-+ if (inode->i_size != 0)
-+ return;
-+
-+ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
-+ if (!must_appraise)
-+ return;
-+
-+ iint = integrity_inode_get(inode);
-+ if (iint)
-+ iint->flags |= IMA_NEW_FILE;
-+}
-+
-+/**
- * ima_module_check - based on policy, collect/store/appraise measurement.
- * @file: pointer to the file to be measured/appraised
- *
---
-2.5.0
-
diff --git a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
deleted file mode 100644
index 157c007..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Tue, 15 Nov 2016 10:10:23 +0100
-Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log
- modes"
-
-This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533.
-
-The original motivation was security hardening ("File hashes are
-automatically set and updated and should not be manually set.")
-
-However, that hardening ignores and breaks some valid use cases:
-- File hashes might not be set because the file is currently
- outside of the policy and therefore have to be set by the
- creator. Examples:
- - Booting into an initramfs with an IMA-enabled kernel but
- without setting an IMA policy, then installing
- the OS onto the target partition by unpacking a rootfs archive
- which has the file hashes pre-computed.
- - Unpacking a file into a staging area with meta data (like owner)
- that leaves the file outside of the current policy, then changing
- the meta data such that it becomes part of the current policy.
-- "should not be set manually" implies that the creator is aware
- of IMA semantic, the current system's configuration, and then
- skips setting file hashes in security.ima if (and only if) the
- kernel would prevent it. That's not the case for standard, unmodified
- tools. Example: unpacking an archive with security.ima xattrs with
- bsdtar or GNU tar.
-
-Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- security/integrity/ima/ima_appraise.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4b9b4a4..b8b2dd9 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
- result = ima_protect_xattr(dentry, xattr_name, xattr_value,
- xattr_value_len);
- if (result == 1) {
-- bool digsig;
--
- if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
- return -EINVAL;
-- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
-- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
-- return -EPERM;
-- ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
-+ ima_reset_appraise_flags(d_backing_inode(dentry),
-+ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
- result = 0;
- }
- return result;
---
-2.1.4
-
diff --git a/meta-integrity/recipes-kernel/linux/linux/audit.cfg b/meta-integrity/recipes-kernel/linux/linux/audit.cfg
new file mode 100644
index 0000000..214dbe3
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/audit.cfg
@@ -0,0 +1,2 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
new file mode 100644
index 0000000..415476a
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -0,0 +1,11 @@
+
+do_configure:append() {
+ if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
+ sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
+ fi
+}
+
+KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
+KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' features/ima/ima.scc', '', d)}"
+
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
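Review bot: The sed on the third line of do_configure:append writes whatever `IMA_EVM_ROOT_CA` expands to into CONFIG_SYSTEM_TRUSTED_KEYS without checking it, so an unset variable or a missing file yields `CONFIG_SYSTEM_TRUSTED_KEYS=""` and a kernel whose builtin keyring carries no IMA root CA, and a .config that lacks the option leaves the sed a silent no-op. Both cases should fail the build rather than pass unnoticed; bbfatal is available in shell tasks for that, and a grep after the substitution confirms the line actually took. A `|` in the path would also break the sed expression, which is unlikely but is covered by the same check.
```shell
    if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
        [ -n "${IMA_EVM_ROOT_CA}" ] || bbfatal "IMA_EVM_ROOT_CA is not set"
        [ -e "${IMA_EVM_ROOT_CA}" ] || bbfatal "IMA_EVM_ROOT_CA does not exist: ${IMA_EVM_ROOT_CA}"
        sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
        grep -q "^CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"$" .config || bbfatal "CONFIG_SYSTEM_TRUSTED_KEYS was not set in .config"
    fi
```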
diff --git a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
new file mode 100644
index 0000000..230c859
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
@@ -0,0 +1,17 @@
+SUMMARY = "IMA/EMV public keys"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
+ALLOW_EMPTY:${PN} = "1"
+
+do_install () {
+ if [ -e "${IMA_EVM_X509}" ]; then
+ install -d ${D}/${sysconfdir}/keys
+ install "${IMA_EVM_X509}" ${D}${sysconfdir}/keys/x509_evm.der
+ ln -rs ${D}${sysconfdir}/keys/x509_evm.der ${D}${sysconfdir}/keys/x509_ima.der
+ fi
+}
+do_install[file-checksums] += "${@'${IMA_EVM_X509}:%s' % os.path.exists('${IMA_EVM_X509}')}"
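Review bot: `install "${IMA_EVM_X509}" ${D}${sysconfdir}/keys/x509_evm.der` uses install's default mode 0755, so the public certificate lands in /etc/keys as an executable file; `install -m 0644 "${IMA_EVM_X509}" ${D}${sysconfdir}/keys/x509_evm.der` is the conventional mode for a DER certificate. The `install -d ${D}/${sysconfdir}/keys` line also has a stray `/` between `${D}` and `${sysconfdir}`, inconsistent with the two lines after it. Since ALLOW_EMPTY lets the package build with no certificate at all, an `else bbwarn "IMA_EVM_X509 not found, installing no IMA/EVM certificate"` branch would make a misconfigured IMA_EVM_X509 visible in the build log instead of silently shipping an empty package.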
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
new file mode 100644
index 0000000..f0d8975
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
@@ -0,0 +1,39 @@
+From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 18 Apr 2023 11:43:55 -0400
+Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
+
+If a signatures is detected as being portable do not attempt to read the
+generation with the ioctl since in some cases this may not be supported
+by the filesystem and is also not needed for computing a portable
+signature.
+
+This avoids the current work-around of passing --generation 0 when the
+ioctl is not supported by the filesystem.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+Upstream-Status: Pending
+
+ src/evmctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index 6d2bb67..c35a28c 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ if (mode_str)
+ st.st_mode = strtoul(mode_str, NULL, 10);
+
+- if (!evm_immutable) {
++ if (!evm_immutable && !evm_portable) {
+ if (S_ISREG(st.st_mode) && !generation_str) {
+ int fd = open(file, 0);
+
+---
+Upstream-Status: Pending
+
+2.39.2
+
+
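Review bot: `Upstream-Status: Pending` appears twice and both times below a `---` separator (once ahead of the diffstat, once after the hunk), where `git am` treats it as discarded trailer text rather than part of the commit message, and tooling such as patchtest that looks for the tag in the message body may not find it; it belongs once, above the first `---`, next to the Signed-off-by line. The change itself is a single condition in calc_evm_hash, whose body continues outside the hunk; a comment such as `/* portable signatures do not cover the inode generation, so skip the ioctl */` on the changed line would record the reason, which currently lives only in the commit message.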
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
deleted file mode 100644
index 35c3162..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Fri, 30 Sep 2016 10:22:16 +0200
-Subject: [PATCH] command line: apply operation to all paths
-
-Previously, invocations like "evmctl ima_hash foo bar" silently
-ignored all parameters after the first path name ("foo" in this
-example).
-
-Now evmctl iterates over all specified paths. It aborts with an
-error as soon as the selected operation fails for a path.
-
-Supporting more than one parameter is useful in combination with
-"find" and "xargs" because it is noticably faster than invoking
-evmutil separately for each file, in particular when run under pseudo
-(a fakeroot environment used by the OpenEmbedded build system).
-
-This complements the recursive mode and can be used when more control
-over file selection is needed.
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- src/evmctl.c | 21 ++++++++++++---------
- 1 file changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/src/evmctl.c b/src/evmctl.c
-index 23cf54c..2072034 100644
---- a/src/evmctl.c
-+++ b/src/evmctl.c
-@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type)
- static int do_cmd(struct command *cmd, find_cb_t func)
- {
- char *path = g_argv[optind++];
-- int err, dts = REG_MASK; /* only regular files by default */
-+ int err = 0, dts = REG_MASK; /* only regular files by default */
-
- if (!path) {
- log_err("Parameters missing\n");
-@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func)
- return -1;
- }
-
-- if (recursive) {
-- if (search_type) {
-- dts = get_file_type(path, search_type);
-- if (dts < 0)
-- return dts;
-+ while (path && !err) {
-+ if (recursive) {
-+ if (search_type) {
-+ dts = get_file_type(path, search_type);
-+ if (dts < 0)
-+ return dts;
-+ }
-+ err = find(path, dts, func);
-+ } else {
-+ err = func(path);
- }
-- err = find(path, dts, func);
-- } else {
-- err = func(path);
-+ path = g_argv[optind++];
- }
-
- return err;
---
-2.1.4
-
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
deleted file mode 100644
index 75076f5..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Wed, 13 May 2015 03:41:02 -0700
-Subject: [PATCH] Makefile.am: disable man page creation
-
-Depends on asciidoc, which is not available.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- Makefile.am | 19 ++++++++++++++++++-
- 1 file changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 06ebf59..4ddd52c 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1,5 +1,5 @@
- SUBDIRS = src
--dist_man_MANS = evmctl.1
-+# dist_man_MANS = evmctl.1
-
- doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
- EXTRA_DIST = autogen.sh $(doc_DATA)
-@@ -39,4 +39,21 @@ rmman:
-
- doc: evmctl.1.html rmman evmctl.1
-
-+# requires asciidoc, xslproc, docbook-xsl
-+# FIXME Disabled until docbook-xsl is unavaliable on tizen.org
-+#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl
-+#
-+#evmctl.1.html: README
-+# @asciidoc -o $@ $<
-+#
-+#evmctl.1:
-+# asciidoc -d manpage -b docbook -o evmctl.1.xsl README
-+# xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl
-+# rm -f evmctl.1.xsl
-+#
-+#rmman:
-+# rm -f evmctl.1
-+#
-+#doc: evmctl.1.html rmman evmctl.1
-+
- .PHONY: $(tarname)
---
-1.8.4.5
-
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
deleted file mode 100644
index ffa65df..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Wed, 17 Jun 2015 14:28:18 +0200
-Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines
-
-Compilation on older Linux distros (like Ubuntu 12.04) fails
-because linux/xattr.h does not yet have the IMA defines. Compiling
-there makes sense when only the tools are needed, for example when
-signing an image in cross-compile mode.
-
-To support this, add fallbacks for the two defines which are needed.
-Their value is part of the Linux ABI and thus fixed.
-
-Upstream-status: Submitted [linux-ima-devel@lists.sourceforge.net]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-
----
- src/evmctl.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/evmctl.c b/src/evmctl.c
-index c54efbb..23cf54c 100644
---- a/src/evmctl.c
-+++ b/src/evmctl.c
-@@ -57,6 +57,18 @@
- #include <termios.h>
- #include <assert.h>
-
-+/*
-+ * linux/xattr.h might be old to have this. Allow compilation on older
-+ * Linux distros (like Ubuntu 12.04) by falling back to our own
-+ * definition.
-+ */
-+#ifndef XATTR_IMA_SUFFIX
-+# define XATTR_IMA_SUFFIX "ima"
-+#endif
-+#ifndef XATTR_NAME_IMA
-+# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX
-+#endif
-+
- #include <openssl/sha.h>
- #include <openssl/pem.h>
- #include <openssl/hmac.h>
---
-2.1.4
-
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
new file mode 100644
index 0000000..8ac080c
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
@@ -0,0 +1,30 @@
+DESCRIPTION = "IMA/EVM control utility"
+LICENSE = "GPL-2.0-with-OpenSSL-exception"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+DEPENDS += "openssl attr keyutils"
+
+DEPENDS:class-native += "openssl-native keyutils-native"
+
+FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
+
+SRC_URI = " \
+ https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
+ file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
+"
+SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
+
+inherit pkgconfig autotools features_check
+
+REQUIRED_DISTRO_FEATURES = "ima"
+REQUIRED_DISTRO_FEATURES:class-native = ""
+
+EXTRA_OECONF += "MANPAGE_DOCBOOK_XSL=0"
+EXTRA_OECONF:append:class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
+
+# blkid is called by evmctl when creating evm checksums.
+# This is less useful when signing files on the build host,
+# so disable it when compiling on the host.
+RDEPENDS:${PN}:append:class-target = " util-linux-blkid libcrypto attr libattr keyutils"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
deleted file mode 100644
index 7f649c2..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ /dev/null
@@ -1,37 +0,0 @@
-DESCRIPTION = "IMA/EVM control utility"
-LICENSE = "GPL-2.0-with-OpenSSL-exception"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-
-DEPENDS += "openssl attr keyutils"
-
-DEPENDS_class-native += "openssl-native keyutils-native"
-
-PV = "1.2.1+git${SRCPV}"
-SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e"
-SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y"
-
-# Documentation depends on asciidoc, which we do not have, so
-# do not build documentation.
-SRC_URI += "file://disable-doc-creation.patch"
-
-# Workaround for upstream incompatibility with older Linux distros.
-# Relevant for us when compiling ima-evm-utils-native.
-SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch"
-
-# Required for xargs with more than one path as argument (better for performance).
-SRC_URI += "file://command-line-apply-operation-to-all-paths.patch"
-
-S = "${WORKDIR}/git"
-
-inherit pkgconfig autotools features_check
-
-REQUIRED_DISTRO_FEATURES = "ima"
-
-EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
-
-# blkid is called by evmctl when creating evm checksums.
-# This is less useful when signing files on the build host,
-# so disable it when compiling on the host.
-RDEPENDS_${PN}_append_class-target = " util-linux-blkid libcrypto attr libattr keyutils"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
index 36e71a7..3498025 100644
--- a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -25,5 +25,12 @@ dont_appraise fsmagic=0xf97cff8c
dont_appraise fsmagic=0x6e736673
# EFIVARFS_MAGIC
dont_appraise fsmagic=0xde5e81e4
+# Cgroup
+dont_appraise fsmagic=0x27e0eb
+# Cgroup2
+dont_appraise fsmagic=0x63677270
-appraise
+# Appraise libraries
+appraise func=MMAP_CHECK mask=MAY_EXEC
+# Appraise executables
+appraise func=BPRM_CHECK
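Review bot: Replacing the bare `appraise` rule with `appraise func=MMAP_CHECK mask=MAY_EXEC` and `appraise func=BPRM_CHECK` narrows appraisal from every file access to executables and executable mappings only, so files opened for read or write (FILE_CHECK — scripts read by an interpreter, configuration files, data) and kernel modules and firmware loaded from the rootfs (MODULE_CHECK, FIRMWARE_CHECK) are no longer appraised at all. That is a material change in what this policy guarantees, and the file is still named "appraise_all"; the new rules should carry a comment stating the reduced scope, e.g. `# Only executables and executable mappings are appraised; files opened for read or write are not.` If the wider scope was dropped deliberately (the bare rule also appraises files that are legitimately rewritten at runtime), the reason belongs here or in the commit message. The Cgroup and Cgroup2 `dont_appraise` rules match the values used in the hashed policy.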
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
index da62a4c..5f2244e 100644
--- a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -2,20 +2,15 @@ SUMMARY = "IMA sample simple appraise policy "
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-# This policy file will get installed as /etc/ima/ima-policy.
-# It is located via the normal file search path, so a .bbappend
-# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_appraise_all"
-
-SRC_URI = " file://${IMA_POLICY}"
+SRC_URI = " file://ima_policy_appraise_all"
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
- install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+ install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy
}
-FILES_${PN} = "${sysconfdir}/ima"
-RDEPENDS_${PN} = "ima-evm-utils"
+FILES:${PN} = "${sysconfdir}/ima"
+RDEPENDS:${PN} = "ima-evm-utils"
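Review bot: Dropping `IMA_POLICY ?= "ima_policy_appraise_all"` and hard-coding `file://ima_policy_appraise_all` removes the override hook that the deleted comment documented; a downstream .bbappend that still sets IMA_POLICY now has no effect and the default policy is installed silently. If the variable is removed on purpose, the recipe should say how a custom policy is meant to be supplied now (presumably a same-named file via FILESEXTRAPATHS), otherwise keep `SRC_URI = " file://${IMA_POLICY}"` with its default. The same removal is made in ima-policy-hashed_1.0.bb and ima-policy-simple_1.0.bb. Separately, `install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy` uses install's default 0755 mode for a text policy file; `install -m 0644` is the usual choice.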
diff --git a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
index 7f89c8d..4d9e4ca 100644
--- a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
+++ b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
@@ -53,6 +53,9 @@ dont_measure fsmagic=0x43415d53
# CGROUP_SUPER_MAGIC
dont_appraise fsmagic=0x27e0eb
dont_measure fsmagic=0x27e0eb
+# CGROUP2_SUPER_MAGIC
+dont_appraise fsmagic=0x63677270
+dont_measure fsmagic=0x63677270
# EFIVARFS_MAGIC
dont_appraise fsmagic=0xde5e81e4
dont_measure fsmagic=0xde5e81e4
diff --git a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
index ebb0426..57c0640 100644
--- a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -2,13 +2,8 @@ SUMMARY = "IMA sample hash policy"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-# This policy file will get installed as /etc/ima/ima-policy.
-# It is located via the normal file search path, so a .bbappend
-# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_hashed"
-
SRC_URI = " \
- file://${IMA_POLICY} \
+ file://ima_policy_hashed \
"
inherit features_check
@@ -16,8 +11,8 @@ REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
- install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+ install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy
}
-FILES_${PN} = "${sysconfdir}/ima"
-RDEPENDS_${PN} = "ima-evm-utils"
+FILES:${PN} = "${sysconfdir}/ima"
+RDEPENDS:${PN} = "ima-evm-utils"
diff --git a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
index cb4b6b8..8fed410 100644
--- a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -2,20 +2,15 @@ SUMMARY = "IMA sample simple policy"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-# This policy file will get installed as /etc/ima/ima-policy.
-# It is located via the normal file search path, so a .bbappend
-# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_simple"
-
-SRC_URI = " file://${IMA_POLICY}"
+SRC_URI = " file://ima_policy_simple"
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
- install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+ install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy
}
-FILES_${PN} = "${sysconfdir}/ima"
-RDEPENDS_${PN} = "ima-evm-utils"
+FILES:${PN} = "${sysconfdir}/ima"
+RDEPENDS:${PN} = "ima-evm-utils"
diff --git a/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-integrity/scripts/ima-gen-CA-signed.sh
index 5f3a728..b10b1ba 100755
--- a/meta-integrity/scripts/ima-gen-CA-signed.sh
+++ b/meta-integrity/scripts/ima-gen-CA-signed.sh
@@ -20,7 +20,6 @@ CAKEY=${2:-ima-local-ca.priv}
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 1024
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -36,13 +35,15 @@ basicConstraints=critical,CA:FALSE
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
__EOF__
-openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
- -out csr_ima.pem -keyout privkey_ima.pem
-openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+ -out csr_ima.pem -keyout privkey_ima.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+openssl x509 -req -in csr_ima.pem -days 36500 -extfile $GENKEY -extensions v3_usr \
-CA $CA -CAkey $CAKEY -CAcreateserial \
-outform DER -out x509_ima.der
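Review bot: `-days 36500` on the `openssl req -new` line has no effect, because `req` only honours `-days` together with `-x509`; the certificate's validity is set solely by the `openssl x509 -req -days 36500` call two lines later, so the first `-days` should be dropped to avoid suggesting otherwise. The move from 1024-bit RSA with SHA-1 to P-256 with SHA-256 is a clear improvement; the 100-year lifetime, however, removes expiry as a control for a signing key, which may be intentional for a certificate built into a kernel but deserves a comment in the script header saying so. The `$GENKEY`, `$CA` and `$CAKEY` expansions on the changed lines remain unquoted.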
diff --git a/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-integrity/scripts/ima-gen-local-ca.sh
index b600761..339d3e3 100755
--- a/meta-integrity/scripts/ima-gen-local-ca.sh
+++ b/meta-integrity/scripts/ima-gen-local-ca.sh
@@ -18,7 +18,6 @@ GENKEY=ima-local-ca.genkey
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -33,10 +32,11 @@ emailAddress = john.doe@example.com
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
__EOF__
-openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
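Review bot: `keyUsage = cRLSign, keyCertSign` is now enabled but not marked critical; RFC 5280 expects keyUsage on a CA certificate to be critical, and the `basicConstraints=CA:TRUE` line above it must be critical for a conforming CA, so `keyUsage = critical, cRLSign, keyCertSign` and `basicConstraints=critical,CA:TRUE` would be the conforming form. As in ima-gen-CA-signed.sh, the 100-year `-days 36500` lifetime for the CA should be recorded in the script header as a deliberate choice. The `$GENKEY` expansion on the changed `openssl req` line remains unquoted.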
diff --git a/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-integrity/scripts/ima-gen-self-signed.sh
deleted file mode 100755
index 5ee876c..0000000
--- a/meta-integrity/scripts/ima-gen-self-signed.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-# Copied from ima-evm-utils.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# version 2 as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-GENKEY=ima.genkey
-
-cat << __EOF__ >$GENKEY
-[ req ]
-default_bits = 1024
-distinguished_name = req_distinguished_name
-prompt = no
-string_mask = utf8only
-x509_extensions = myexts
-
-[ req_distinguished_name ]
-O = example.com
-CN = meta-intel-iot-security example signing key
-emailAddress = john.doe@example.com
-
-[ myexts ]
-basicConstraints=critical,CA:FALSE
-keyUsage=digitalSignature
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
-__EOF__
-
-openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
- -x509 -config $GENKEY \
- -outform DER -out x509_ima.der -keyout privkey_ima.pem