Bug 2217410 - Please ship the IMA certificates
Summary: Please ship the IMA certificates
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: redhat-release
Version: 9.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Stephen Gallagher
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-06-26 08:12 UTC by Coiby
Modified: 2023-08-11 09:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-11 09:19:30 UTC
Type: Bug
Target Upstream Version:
Embargoed:
coxu: needinfo-




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker RHELBLD-13134 | 0 | None | None | None | 2023-06-26 08:13:25 UTC
Red Hat Issue Tracker RHELPLAN-160740 | 0 | None | None | None | 2023-06-26 08:13:28 UTC

Description Coiby 2023-06-26 08:12:22 UTC
Description of problem:

Starting with RHEL9, package files have IMA signatures, for example,

    # dnf install attr rpm-plugin-ima -yq
    # dnf reinstall iproute -yq
   
    # getfattr -m - -d /usr/sbin/ip
    # file: usr/sbin/ip
    security.ima=0sAwIE0zIESQBnMGUCMArBSY0jCqiMiJSsMpCz+TUiu8gb39l4Lxm+5+XA7dNfrD/ja5DYaVWjZmWEcW5GFgIxAOFCQTeL27qbPn+FDAEBqzxXsG5uUtAa3Itu/BS/cJiFyQMwCLvE/74DYfF6pHonuQ==


Please ship the IMA CA and code-signing certificates as secureboot-ca-ima.cer and secureboot-kernel-ima.cer respectively. secureboot-ca-ima.cer will be built into the kernel's .builtin_trusted_keys keyring and secureboot-kernel-ima.cer will be added to the %:.ima keyring from userspace.

Version-Release number of selected component (if applicable):


How reproducible:

always

Steps to Reproduce:
1.
2.
3.

Actual results:
    

Expected results:

    # rpm -ql redhat-sb-certs |grep ima
    /etc/pki/sb-certs/secureboot-ca-ima.cer
    /etc/pki/sb-certs/secureboot-kernel-ima.cer

Additional info:
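
An added audit script, written for this page and not part of the bug report or of any Red Hat package: it takes the `getfattr` output quoted above, decodes the `0s`-prefixed base64 `security.ima` value, and splits it into the fields of the kernel's IMA signature header so an administrator can see the hash algorithm, the signing key id and the signature size each file was signed with, and whether the attribute is internally consistent. Assumptions: the field layout follows the kernel's `signature_v2_hdr` (type, version, hash_algo, big-endian 32-bit keyid, big-endian 16-bit sig_size, signature body), the hash algorithm numbers are the kernel's `hash_algo` enum values, and the sample input is constructed from the single file shown in the report.

```python
"""Audit IMA file signatures from getfattr output.

Added example (not from the Bugzilla report or from any Red Hat tooling).
"""
import base64
import struct

# First xattr byte that marks a digital signature (kernel: EVM_IMA_XATTR_DIGSIG).
EVM_IMA_XATTR_DIGSIG = 0x03

# Kernel hash_algo enum values as used in the IMA signature header.
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "ripemd160",
              4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}

# Constructed sample: the `getfattr -m - -d /usr/sbin/ip` output quoted in the report.
SAMPLE_GETFATTR = """\
# file: usr/sbin/ip
security.ima=0sAwIE0zIESQBnMGUCMArBSY0jCqiMiJSsMpCz+TUiu8gb39l4Lxm+5+XA7dNfrD/ja5DYaVWjZmWEcW5GFgIxAOFCQTeL27qbPn+FDAEBqzxXsG5uUtAa3Itu/BS/cJiFyQMwCLvE/74DYfF6pHonuQ==
"""


def decode_xattr_value(value: str) -> bytes:
    """Decode a getfattr value: 0s = base64, 0x = hex, otherwise a quoted string."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    return value.strip('"').encode()


def parse_getfattr(text: str) -> dict:
    """Map each '# file:' path (as getfattr prints it) to its raw security.ima bytes."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            current = line[len("# file: "):]
        elif line.startswith("security.ima=") and current is not None:
            result[current] = decode_xattr_value(line.split("=", 1)[1])
    return result


def describe_ecdsa_der(sig: bytes) -> dict:
    """If the body is a DER SEQUENCE of two INTEGERs (ECDSA r, s), report the integer sizes.

    Only short-form DER lengths (< 128 bytes) are handled; anything else, such as a raw
    RSA PKCS#1 signature, yields an empty dict.
    """
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] >= 0x80 or sig[1] != len(sig) - 2:
        return {}
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02 or sig[pos + 1] >= 0x80:
            return {}
        length = sig[pos + 1]
        body = sig[pos + 2:pos + 2 + length]
        if len(body) != length:
            return {}
        ints.append(body.lstrip(b"\x00"))  # DER prefixes a high-bit integer with 0x00
        pos += 2 + length
    if pos != len(sig):
        return {}
    return {"sig_form": "ecdsa-der", "curve_bits": max(len(i) for i in ints) * 8}


def parse_ima_sig(raw: bytes) -> dict:
    """Split an IMA xattr into signature_v2_hdr fields and sanity-check the lengths."""
    if len(raw) < 9:
        raise ValueError("xattr too short for a signature header")
    # >BBBIH = type, version, hash_algo, keyid (be32), sig_size (be16): 9 bytes, no padding.
    xtype, version, algo, keyid, sig_size = struct.unpack(">BBBIH", raw[:9])
    if xtype != EVM_IMA_XATTR_DIGSIG:
        raise ValueError(f"not a digital signature (type 0x{xtype:02x})")
    sig = raw[9:]
    info = {
        "type": xtype,
        "version": version,
        "hash_algo": HASH_ALGOS.get(algo, f"unknown({algo})"),
        "keyid": f"{keyid:08x}",
        "sig_size": sig_size,
        "sig_len_ok": len(sig) == sig_size,
    }
    info.update(describe_ecdsa_der(sig))
    return info


def audit(text: str) -> dict:
    """Parse getfattr output and describe every IMA signature found in it."""
    return {path: parse_ima_sig(raw) for path, raw in parse_getfattr(text).items()}


if __name__ == "__main__":
    for path, info in audit(SAMPLE_GETFATTR).items():
        print(path, info)
```

The key id it prints is the value to compare against the keys loaded on the `.ima` keyring (for example with `keyctl show %keyring:.ima`) to confirm that the certificate which signed a file is actually present; a well-formed attribute on its own says nothing about whether the kernel would accept the file under the active IMA appraisal policy, which is exactly why the certificates requested in this report need to be shipped and loaded.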

Comment 3 Peter Robinson 2023-08-02 12:28:36 UTC
> Expected results:
> 
>     # rpm -ql redhat-sb-certs |grep ima
>     /etc/pki/sb-certs/secureboot-ca-ima.cer
>     /etc/pki/sb-certs/secureboot-kernel-ima.cer

One thing to note here is that dracut expects the IMA certs to be in /etc/keys/ima/ (also they're not really secure boot certs).

Comment 4 Coiby 2023-08-11 09:19:30 UTC
Closing this bug since there is a new approach to ship the IMA certificates. Thanks all for your attention!

