meta-integrity: Enable choice of creating IMA signatures or hashes

When IMA and EVM are used for file appraisal then EVM verifies the signature stored in security.evm. This signature covers file metadata (uid, gid, mode bits, etc.) as well as the security.ima xattr. Therefore, it is sufficient that only files' hashes are stored in security.ima. This also leads to slight performance improvements since IMA appraisal will then only verify that a file's hash matches the expected hash stored in security.ima. EVM will ensure that the signature over all the file metadata and security.ima xattr is correct. Therefore, give the user control over whether to store file signatures (--imasig) in ima.security or hashes (--imahash) by setting the option in IMA_EVM_IMA_XATTR_OPT. Only test-verify an IMA signature if --imasig is used as the option. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Stefan Berger <stefanb@linux.ibm.com> 2025-02-06 15:54:41 -0500
committer: Armin Kuster <akuster808@gmail.com> 2025-03-12 15:31:15 -0400
commit: a76a5c51283b9d361caf514dc5cdebd72b5b4ca1 (patch)
tree: 00849209e291ed354cc300d3dcf57cd4d921bdc0
parent: 73077556362fb99520e452cf32501a759125d298 (diff)
download: meta-security-a76a5c51283b9d361caf514dc5cdebd72b5b4ca1.tar.gz
2 files changed, 9 insertions, 2 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 6845c21..79635a0 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -97,6 +97,7 @@ the image, enable image signing in the local.conf like this:
    IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
    IMA_EVM_EVMCTL_KEY_PASSWORD = "<optional private key password>"
    IMA_EVM_PRIVKEY_KEYID_OPT = "<options to use while signing>"
+    IMA_EVM_IMA_XATTR_OPT = "<whether to sign or hash for IMA>"
    IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
    IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index d50a025..14639cf 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -15,6 +15,10 @@ IMA_EVM_PRIVKEY_KEYID_OPT ?= ""
 # Password for the private key
 IMA_EVM_EVMCTL_KEY_PASSWORD ?= ""
+# Whether to create IMA signatures (--imasig) or hashes (--imahash).
+# Hashes are sufficient for IMA when EVM uses signatures.
+IMA_EVM_IMA_XATTR_OPT ?= "--imasig"
 # Public part of certificates (used for both IMA and EVM).
 # The default is okay when using the example key directory.
 IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
@@ -78,11 +82,13 @@ ima_evm_sign_rootfs () {
    export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD}
    bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
-    evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
+    evmctl sign ${IMA_EVM_IMA_XATTR_OPT} ${evmctl_param} --portable -a sha256 \
        --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}"
    # check signing key and signature verification key
-    evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+    if [ "${IMA_EVM_IMA_XATTR_OPT}" = "--imasig" ]; then
+        evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+    fi
    evmctl verify     ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
    # Optionally install custom policy for loading by systemd.
author	Stefan Berger <stefanb@linux.ibm.com>	2025-02-06 15:54:41 -0500
committer	Armin Kuster <akuster808@gmail.com>	2025-03-12 15:31:15 -0400
commit	a76a5c51283b9d361caf514dc5cdebd72b5b4ca1 (patch)
tree	00849209e291ed354cc300d3dcf57cd4d921bdc0
parent	73077556362fb99520e452cf32501a759125d298 (diff)
download	meta-security-a76a5c51283b9d361caf514dc5cdebd72b5b4ca1.tar.gz