Bug 2217410

Summary: Please ship the IMA certificates
Product: Red Hat Enterprise Linux 9
Reporter: Coiby <coxu>
Component: redhat-release
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED NOTABUG
QA Contact: Release Test Team <release-test-team>
Severity: unspecified
Priority: unspecified
Version: 9.3
CC: asabadra, lisas, perobins, sgallagh, vdoubkov
Target Milestone: rc
Flags: coxu: needinfo-
Hardware: Unspecified
OS: Unspecified
Last Closed: 2023-08-11 09:19:30 UTC
Type: Bug

Description Coiby 2023-06-26 08:12:22 UTC
Description of problem:

Starting with RHEL9, package files have IMA signatures, for example,

    # dnf install attr rpm-plugin-ima -yq
    # dnf reinstall iproute -yq

    # getfattr -m - -d /usr/sbin/ip
    # file: usr/sbin/ip
    security.ima=0sAwIE0zIESQBnMGUCMArBSY0jCqiMiJSsMpCz+TUiu8gb39l4Lxm+5+XA7dNfrD/ja5DYaVWjZmWEcW5GFgIxAOFCQTeL27qbPn+FDAEBqzxXsG5uUtAa3Itu/BS/cJiFyQMwCLvE/74DYfF6pHonuQ==

Please ship the IMA CA and code-signing certificates as secureboot-ca-ima.cer and secureboot-kernel-ima.cer respectively. secureboot-ca-ima.cer will be built into the kernel's .builtin_trusted_keys keyring and secureboot-kernel-ima.cer will be added to the %:.ima keyring from userspace.

How reproducible:

always

Expected results:

    # rpm -ql redhat-sb-certs |grep ima
    /etc/pki/sb-certs/secureboot-ca-ima.cer
    /etc/pki/sb-certs/secureboot-kernel-ima.cer

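Added example (not part of the bug report or of any Red Hat package): a small parser that takes the security.ima value quoted in the description, strips getfattr's 0s (base64) or 0x (hex) prefix, and decodes the kernel's signature_v2_hdr layout (type, version, hash algorithm, big-endian 32-bit keyid, big-endian 16-bit signature length, then the signature). It then splits the DER-encoded ECDSA signature into r and s, which shows why the example above needs an IMA code-signing certificate on the .ima keyring: the keyid field is the only thing that ties the xattr to a key, and the kernel can only verify the signature if a certificate with that key identifier has been loaded. The constants are taken from the kernel's evm_ima_xattr_type and hash_algo enums; the sample value is the page's own, re-used here as input.

```python
import base64
import binascii

# Sample input reproduced from the getfattr output quoted in the bug
# description above; the code around it is an added example.
SAMPLE_XATTR = (
    "security.ima=0sAwIE0zIESQBnMGUCMArBSY0jCqiMiJSsMpCz+TUiu8gb39l4Lxm+5+XA7dNf"
    "rD/ja5DYaVWjZmWEcW5GFgIxAOFCQTeL27qbPn+FDAEBqzxXsG5uUtAa3Itu/BS/cJiFyQMw"
    "CLvE/74DYfF6pHonuQ=="
)

# enum evm_ima_xattr_type (security/integrity/integrity.h)
XATTR_TYPES = {
    1: "IMA_XATTR_DIGEST",
    2: "EVM_XATTR_HMAC",
    3: "EVM_IMA_XATTR_DIGSIG",
    4: "IMA_XATTR_DIGEST_NG",
    5: "EVM_XATTR_PORTABLE_DIGSIG",
}
# enum hash_algo (include/uapi/linux/hash_info.h), first entries only
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
              4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}

HDR_LEN = 9  # u8 type, u8 version, u8 hash_algo, be32 keyid, be16 sig_size


def decode_getfattr_value(line):
    """Split one 'name=value' line printed by getfattr -d and decode the value.

    getfattr prefixes base64 values with 0s and hex values with 0x; any
    other value is plain text, possibly quoted."""
    name, _, value = line.strip().partition("=")
    if value.startswith("0s"):
        return name, base64.b64decode(value[2:], validate=True)
    if value.startswith("0x"):
        return name, binascii.unhexlify(value[2:])
    return name, value.strip('"').encode()


def parse_ima_signature(blob):
    """Parse a struct signature_v2_hdr followed by its signature bytes."""
    if len(blob) < HDR_LEN:
        raise ValueError("xattr shorter than signature_v2_hdr")
    xtype, version, hash_algo = blob[0], blob[1], blob[2]
    if xtype != 3:
        raise ValueError("not an EVM_IMA_XATTR_DIGSIG xattr: type %d" % xtype)
    if version != 2:
        raise ValueError("unsupported signature header version %d" % version)
    keyid = int.from_bytes(blob[3:7], "big")
    sig_size = int.from_bytes(blob[7:9], "big")
    sig = blob[HDR_LEN:HDR_LEN + sig_size]
    # Reject truncated or padded values: the header must account for every byte.
    if len(blob) != HDR_LEN + sig_size:
        raise ValueError("sig_size %d does not match xattr length %d"
                         % (sig_size, len(blob)))
    return {
        "type": XATTR_TYPES.get(xtype, "unknown(%d)" % xtype),
        "version": version,
        "hash_algo": HASH_ALGOS.get(hash_algo, "unknown(%d)" % hash_algo),
        # keyid is the low 32 bits of the signing certificate's Subject Key
        # Identifier; the kernel uses it to pick a key from the .ima keyring.
        "keyid": "%08x" % keyid,
        "sig_size": sig_size,
        "sig": sig,
    }


def parse_der_ecdsa_sig(sig):
    """Split DER SEQUENCE { INTEGER r, INTEGER s } into two ints.

    Only short-form lengths (< 128 bytes) are handled, which covers P-256
    and P-384 signatures; anything else is rejected rather than guessed."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] & 0x80 or sig[1] + 2 != len(sig):
        raise ValueError("not a short-form DER SEQUENCE of the expected size")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02 or sig[pos + 1] & 0x80:
            raise ValueError("expected a short-form DER INTEGER")
        length = sig[pos + 1]
        ints.append(int.from_bytes(sig[pos + 2:pos + 2 + length], "big"))
        pos += 2 + length
    if pos != len(sig):
        raise ValueError("trailing bytes after the two INTEGERs")
    return ints[0], ints[1]


def inspect_ima_xattr(line):
    """Decode one getfattr line into a human-readable summary dict."""
    name, blob = decode_getfattr_value(line)
    if name != "security.ima":
        raise ValueError("expected security.ima, got %s" % name)
    info = parse_ima_signature(blob)
    r, s = parse_der_ecdsa_sig(info["sig"])
    info["ecdsa_r_bits"] = r.bit_length()
    info["ecdsa_s_bits"] = s.bit_length()
    return info


if __name__ == "__main__":
    for key, value in inspect_ima_xattr(SAMPLE_XATTR).items():
        print("%-14s %s" % (key, value.hex() if isinstance(value, bytes) else value))
```

Running the script against the value from the description reports a version-2 EVM_IMA_XATTR_DIGSIG header over a sha256 file digest, keyid d3320449, and a 103-byte DER ECDSA signature whose r and s components are 384-bit values, i.e. a P-384 key. The same parser works on any `getfattr -m - -d` output line, hex-encoded or base64-encoded, and refuses values whose declared length disagrees with the xattr size.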
Comment 3 Peter Robinson 2023-08-02 12:28:36 UTC
> Expected results:
> 
>     # rpm -ql redhat-sb-certs |grep ima
>     /etc/pki/sb-certs/secureboot-ca-ima.cer
>     /etc/pki/sb-certs/secureboot-kernel-ima.cer

One thing to note here is that dracut expects the IMA certs to be in /etc/keys/ima/ (also they're not really secure boot certs).

Comment 4 Coiby 2023-08-11 09:19:30 UTC
Closing this bug since there is a new approach to ship the IMA certificates. Thanks all for your attention!