# Directions for creating the encrypted key that will be used to initialize
# the EVM software.

# Create the EVM key (encrypted key type)
#
# The encrypted key is a random number encrypted/decrypted using the
# kernel master key. The encrypted key is only exposed to userspace
# as an encrypted datablob.
$ keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
782117972

# Save the encrypted key
$ su -c 'keyctl pipe `keyctl search @u encrypted evm-key` > /etc/keys/evm-trusted.blob'

# The EVM key path name can be set in one of the following ways (specified in
# the order in which the variable is overwritten):

1) use the default value:
--------------------------------------------------------------------------
EVMKEY="/etc/keys/evm-trusted.blob"
--------------------------------------------------------------------------

2) create the configuration file '/etc/sysconfig/evm' and set the EVMKEY variable;

3) specify the EVM key path name in the 'evmkey=' parameter of the kernel command
line.
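How the three EVMKEY sources listed above combine, as an added example (not dracut's own 98integrity code): resolve_evmkey applies the default, the sysconfig file and the 'evmkey=' kernel parameter in that order, and check_evmkey verifies the blob is a non-empty file before it would be handed to the kernel. The sysconfig path and the command-line text are taken as function arguments, an assumed interface, so the block runs on constructed input instead of the live host.

```shell
#!/bin/sh
# Added example, not dracut's own code: resolve the EVM key path in the order
# the README gives (built-in default, then /etc/sysconfig/evm, then the
# 'evmkey=' kernel parameter), each later source overriding the earlier one.
# The sysconfig path and the command-line text are passed as arguments
# (assumed interface) so the logic can be exercised on constructed input.

# resolve_evmkey <sysconfig-file> <kernel-cmdline-text>  -> prints the path
resolve_evmkey() {
    sysconfig="$1"
    cmdline="$2"

    # 1) the default value
    EVMKEY="/etc/keys/evm-trusted.blob"

    # 2) the configuration file may assign EVMKEY
    if [ -f "$sysconfig" ]; then
        . "$sysconfig"
    fi

    # 3) evmkey=<path> on the kernel command line has the last word
    for arg in $cmdline; do
        case "$arg" in
            evmkey=*) EVMKEY="${arg#evmkey=}" ;;
        esac
    done

    printf '%s\n' "$EVMKEY"
}

# check_evmkey <path>: succeed only if the blob is a non-empty regular file,
# so a missing or truncated blob is caught before it is handed to the kernel
check_evmkey() {
    [ -f "$1" ] && [ -s "$1" ]
}

# Constructed demonstration input; nothing here touches the real /etc or /proc.
demo_dir=$(mktemp -d)
printf 'EVMKEY="%s/custom-evm.blob"\n' "$demo_dir" > "$demo_dir/evm"
printf 'constructed-blob-bytes' > "$demo_dir/custom-evm.blob"

resolve_evmkey /nonexistent/evm ""                                     # default
resolve_evmkey "$demo_dir/evm" ""                                      # sysconfig override
resolve_evmkey "$demo_dir/evm" "ro quiet evmkey=/etc/keys/other.blob"  # cmdline wins
```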

# Directions for loading a custom IMA policy.

# Write the policy following the instructions provided in the file
# 'Documentation/ABI/testing/ima_policy' of the kernel documentation.

# Save the policy in a file.

# Create the configuration file '/etc/sysconfig/ima' to override the path name of
# the IMA custom policy.
------------- '/etc/sysconfig/ima' (with the default value) -------------
IMAPOLICY="/etc/sysconfig/ima-policy"
-------------------------------------------------------------------------

# Information on loading distro, third party or local keys on the trusted IMA keyring

# Loading distro, third party or local keys on the trusted IMA keyring requires
# creating a local certificate authority (local-CA), installing the local-CA's
# public key on the system keyring and signing the certificates with the local-CA
# key.
#
# Many directions for creating a mini certificate authority exist on the web
# (e.g. openssl, yubikey). (Reminder: safely storing the private key offline is
# really important, especially in the case of the local-CA's private key.) The
# local-CA's public key can be loaded onto the system keyring either by building
# the key into the kernel or, on Fedora, storing it in the UEFI/Mok keyring. (As
# of writing, the patches for loading the UEFI/Mok keys on the system keyring
# have not been upstreamed.)
#
# To view the system keyring: keyctl show %keyring:.system_keyring
#
# Most on-line directions for signing certificates require creating a Certificate
# Signing Request (CSR). Creating such a request requires access to the private
# key, which would not be available when signing distro or 3rd party certificates.
# Openssl provides the "-ss_cert" option for directly signing certificates.

# The 98integrity/ima-keys-load.sh script loads the signed certificates stored
# in $IMAKEYSDIR onto the trusted IMA keyring. The default $IMAKEYSDIR
# directory is /etc/keys/ima, but can be overridden in the /etc/sysconfig/ima
# configuration file.