IMA-appraisal is unusable in Ubuntu 16.04
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | High | Tim Gardner | |
| Xenial | Fix Released | High | Tim Gardner | |
Bug Description
At some point, the IMA keyring changed from _ima to a trusted .ima keyring. At that point, we couldn't add keys to the IMA keyring. Other distros import UEFI keys onto the system keyring. Another method of loading keys on the system keyring is needed, which doesn't require the UEFI keys or rebuilding the kernel.
To resolve this problem, the kernel should be built so that certificate memory is reserved and randomized. Two patches are being upstreamed in this open window (linux-4.6):
8e16789 KEYS: Use the symbol value for list size, updated by scripts/
c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling
We need to include these Kconfig options to reserve the memory:
CONFIG_
CONFIG_
An additional patch, which will be upstreamed, is needed to fill the reserved memory with random data before it is compressed. (The patch is attached.) After compiling the kernel with the reserved memory, the following build step is required:
scripts/
If you want to add a cert, the following command will unpack a bzImage, install the cert (DER format) in the vmlinuz, and repack the bzImage.
scripts/
Contact Information = George Wilson <email address hidden> / Mimi Zohar <email address hidden>
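The random-fill step in the description matters because a repacked compressed payload has to fit back into the space the original occupied: a reserve full of zeros compresses to almost nothing, so inserting a certificate afterwards would enlarge the compressed payload. This added Python example (not code from the bug report or from the kernel's scripts) models that with zlib as a stand-in compressor; the 4096-byte reserve, the 1024-byte pseudo-random stand-in for a DER certificate, and zeroing the unused remainder of the reserve are assumptions of the model, not the kernel tool's behaviour.

```python
import random
import zlib

# Constructed sizes, not taken from the bug report.
RESERVE_SIZE = 4096   # reserved certificate region
CERT_SIZE = 1024      # stand-in DER certificate

# Stand-in "kernel text": highly compressible compared with random
# bytes. Constructed sample, not a real kernel image.
KERNEL_TEXT = b"kernel text and data " * 2000


def _pseudo_random(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random bytes (reproducible across runs)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def stand_in_cert() -> bytes:
    """Stand-in for a DER cert, which is dominated by key and
    signature material and so barely compresses."""
    return _pseudo_random(1, CERT_SIZE)


def zero_fill() -> bytes:
    return b"\x00" * RESERVE_SIZE


def random_fill() -> bytes:
    return _pseudo_random(2, RESERVE_SIZE)


def build_payload(fill: bytes) -> bytes:
    """Uncompressed image: kernel text followed by the reserved region."""
    assert len(fill) == RESERVE_SIZE
    return KERNEL_TEXT + fill


def compressed_size(payload: bytes) -> int:
    # zlib stands in for the kernel's image compressor.
    return len(zlib.compress(payload, 9))


def insert_cert(payload: bytes, cert: bytes) -> bytes:
    """Patch the cert into the reserved region; zero the remainder
    (modelling assumption, not what the kernel tool does)."""
    offset = len(KERNEL_TEXT)
    region = cert + b"\x00" * (RESERVE_SIZE - len(cert))
    return payload[:offset] + region + payload[offset + RESERVE_SIZE:]


def fits_after_insert(fill: bytes) -> bool:
    """True if the repacked image is no larger than the original,
    i.e. the cert could be inserted without rebuilding the kernel."""
    before = compressed_size(build_payload(fill))
    after = compressed_size(insert_cert(build_payload(fill), stand_in_cert()))
    return after <= before


if __name__ == "__main__":
    print("zero-filled reserve fits:", fits_after_insert(zero_fill()))
    print("random-filled reserve fits:", fits_after_insert(random_fill()))
```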
Related branches
affects: ubuntu → linux (Ubuntu)
Changed in linux (Ubuntu):
assignee: Taco Screen team (taco-screen-team) → Canonical Kernel Team (canonical-kernel-team)
importance: Undecided → High
status: New → Triaged
Changed in linux (Ubuntu Xenial):
assignee: Canonical Kernel Team (canonical-kernel-team) → Tim Gardner (timg-tpi)
status: Triaged → In Progress
status: In Progress → Fix Committed