Bug 2231404

Summary: The wrong IMA file signature verification key is on the .ima keyring
Product: [Fedora] Fedora Reporter: Stefan Berger <stefanb>
Component: kernelAssignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 38CC: acaringi, adscvr, airlied, alciregi, ansasaki, bskeggs, coxu, hdegoede, hpa, jarod, josef, kernel-maint, lgoncalv, linville, masami256, mchehab, ptalbert, ruyang, scorreia, steved
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-14 13:20:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stefan Berger 2023-08-11 13:55:32 UTC
1. Please describe the problem:

The wrong IMA file signature verification key is on the .ima keyring.

2. What is the Version-Release number of the kernel:

fedora 6.4.9-200.fc38.x86_64

3. Did it work previously in Fedora? If so, what kernel version did the issue
   *first* appear?  Old kernels are available for download at
   https://koji.fedoraproject.org/koji/packageinfo?packageID=8 :

I don't think that it was correct before, but I am not sure.

4. Can you reproduce this issue? If so, please provide the steps to reproduce
   the issue below:

This is the key on the .ima keyring:

# keyctl show %keyring:.ima
Keyring
 938588217 ---lswrv      0     0  keyring: .ima
 459932351 ---lswrv      0     0   \_ asymmetric: Fedora kernel signing key: 76091380b4f96da2b73f660a58bb88e908ecd7ff

This key has id 0x08ecd7ff, which are the last 4 digits from the subject key identifier above.

The key that we need must have key id 0xe7b0c859, which are again the last 4 digits of its subject key identifier.

getfattr -m ^security.ima -e hex --dump /usr/bin/bash
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/bash
security.ima=0x030204e7b0c85900473045022100f2e4c6d574ae0080e51e836cfeec604f7096b060bb26768f533210ecfcd9c2b60220373d9dd9949a2fcd1397458cad0c87c65e8782620d1e92be4279d68b23590419

The key with the key id 0xe7b0c859 is required to verify this file, which corresponds to the 4th-7th bytes in the security.ima xattr.

This here is actually the correct key  'fedora-38-ima.pem' : https://src.fedoraproject.org/rpms/fedora-repos/c/93b2c8add81f2d6f83874ce53b080adbc4fe6826?branch=rawhide

5. Does this problem occur with the latest Rawhide kernel? To install the
   Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by
   ``sudo dnf update --enablerepo=rawhide kernel``:

The situation is similar on rawhide where the key built into the kernel has a different Id than what is required to verify the IMA file signatures.


Reproducible: Always

Comment 1 Coiby 2023-08-14 08:18:22 UTC
Hi Stefan,

I don't think this is a bug. This "Fedora kernel signing key: 76091380b4f96da2b73f660a58bb88e908ecd7ff" is use for verifying the kernel module signature by IMA. The module signing key gets automatically loaded into the .ima keyring as implemented by commit 6cbdfb3d91ba ("ima: enable loading of build time generated key on .ima keyring").

The key for signing package files hasn't bee be added to .ima keyring. I plan to build the IMA CA key into the .builtin_trusted_keys and let user space tools add the IMA code-signing key to the .ima keyring.

Comment 2 Stefan Berger 2023-08-14 16:20:44 UTC
On F39 now. There's still this issue here that unfortunately none of the x509 certs can be loaded:

[root@fedora ~]# keyctl padd asymmetric "" %keyring:.ima < /etc/keys/ima/fedora-39-ima.der
add_key: Required key not available
[root@fedora ~]# keyctl padd asymmetric "" %keyring:.ima < /etc/keys/ima/fedora-38-ima.der
add_key: Required key not available