1. Please describe the problem:
The wrong IMA file signature verification key is on the .ima keyring.

2. What is the Version-Release number of the kernel:
fedora 6.4.9-200.fc38.x86_64

3. Did it work previously in Fedora? If so, what kernel version did the issue *first* appear? Old kernels are available for download at https://koji.fedoraproject.org/koji/packageinfo?packageID=8 :
I don't think that it was correct before, but I am not sure.

4. Can you reproduce this issue? If so, please provide the steps to reproduce the issue below:
This is the key on the .ima keyring:

# keyctl show %keyring:.ima
Keyring
 938588217 ---lswrv      0     0  keyring: .ima
 459932351 ---lswrv      0     0   \_ asymmetric: Fedora kernel signing key: 76091380b4f96da2b73f660a58bb88e908ecd7ff

This key has id 0x08ecd7ff, which are the last 4 digits from the subject key identifier above. The key that we need must have key id 0xe7b0c859, which are again the last 4 digits of its subject key identifier.

# getfattr -m ^security.ima -e hex --dump /usr/bin/bash
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/bash
security.ima=0x030204e7b0c85900473045022100f2e4c6d574ae0080e51e836cfeec604f7096b060bb26768f533210ecfcd9c2b60220373d9dd9949a2fcd1397458cad0c87c65e8782620d1e92be4279d68b23590419

The key with the key id 0xe7b0c859 is required to verify this file, which corresponds to the 4th-7th bytes in the security.ima xattr. This here is actually the correct key 'fedora-38-ima.pem':
https://src.fedoraproject.org/rpms/fedora-repos/c/93b2c8add81f2d6f83874ce53b080adbc4fe6826?branch=rawhide

5. Does this problem occur with the latest Rawhide kernel? To install the Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by ``sudo dnf update --enablerepo=rawhide kernel``:
The situation is similar on rawhide where the key built into the kernel has a different Id than what is required to verify the IMA file signatures.

Reproducible: Always
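A worked decoder for the check the report does by hand, added here as an example (it is not code from the report, from the kernel, or from ima-evm-utils). It splits the security.ima value into the signature_v2_hdr fields (type 0x03 = EVM_IMA_XATTR_DIGSIG, version, hash algorithm, 4-byte big-endian key id, 2-byte signature length, signature), derives each keyring key's id from the last four bytes of the subject key identifier printed by `keyctl show` (the rule the report relies on), and reports whether the signing key is present. The xattr value and the first keyring listing are copied from the report; the second listing, with a key whose identifier ends in e7b0c859, is constructed, and the function names are this example's own.

```python
"""Decode an IMA file signature (security.ima) and check for its key on a keyring.

Added example, not code from the bug report or the IMA tooling. Header layout
follows the kernel's struct signature_v2_hdr: type (1 byte), version (1),
hash_algo (1), keyid (4, big endian), sig_size (2, big endian), signature.
"""
import re
import struct
from dataclasses import dataclass
from typing import Dict, Optional

EVM_IMA_XATTR_DIGSIG = 0x03
# Subset of the ids in include/uapi/linux/hash_info.h
HASH_ALGOS = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}

# security.ima of /usr/bin/bash, as printed by getfattr -e hex in the report
BASH_IMA = ("0x030204e7b0c85900473045022100f2e4c6d574ae0080e51e836cfeec604f7096"
            "b060bb26768f533210ecfcd9c2b60220373d9dd9949a2fcd1397458cad0c87c6"
            "5e8782620d1e92be4279d68b23590419")

# `keyctl show %keyring:.ima` output from the report
KEYCTL_SHOW = """\
Keyring
 938588217 ---lswrv      0     0  keyring: .ima
 459932351 ---lswrv      0     0   \\_ asymmetric: Fedora kernel signing key: 76091380b4f96da2b73f660a58bb88e908ecd7ff
"""

# Constructed listing (not from the report): the same keyring after a
# hypothetical key whose subject key identifier ends in e7b0c859 was added.
KEYCTL_SHOW_WITH_IMA_KEY = KEYCTL_SHOW + (
    " 123456789 ---lswrv      0     0   \\_ asymmetric: "
    "hypothetical IMA code-signing key: 00112233445566778899aabbccddeeffe7b0c859\n"
)

# serial, perms, uid, gid, optional tree prefix, "asymmetric: <desc>: <40 hex skid>"
ASYM_LINE = re.compile(r"^\s*(\d+)\s.*?asymmetric:\s*(.+?):\s*([0-9a-fA-F]{40})\s*$")


@dataclass
class ImaSignature:
    hash_algo: str
    keyid: int
    sig_size: int
    signature: bytes


def parse_ima_xattr(hex_value: str) -> ImaSignature:
    """Decode a security.ima value in the form getfattr -e hex prints it."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if raw[0] != EVM_IMA_XATTR_DIGSIG:
        raise ValueError("not a digital-signature xattr (type 0x%02x)" % raw[0])
    version, hash_algo, keyid, sig_size = struct.unpack(">BBIH", raw[1:9])
    if version != 2:
        raise ValueError("unsupported signature header version %d" % version)
    signature = raw[9:9 + sig_size]
    if len(signature) != sig_size:
        raise ValueError("signature truncated: header says %d bytes, got %d"
                         % (sig_size, len(signature)))
    return ImaSignature(HASH_ALGOS.get(hash_algo, "algo %d" % hash_algo),
                        keyid, sig_size, signature)


def skid_to_keyid(skid_hex: str) -> int:
    """Key id = last four bytes of the subject key identifier (as in the report)."""
    return int(skid_hex[-8:], 16)


def parse_keyctl_show(listing: str) -> Dict[int, str]:
    """Map key id -> description for every asymmetric key in a keyctl show listing."""
    keys = {}
    for line in listing.splitlines():
        m = ASYM_LINE.match(line)
        if m:
            keys[skid_to_keyid(m.group(3))] = m.group(2)
    return keys


def find_signing_key(xattr_hex: str, listing: str) -> Optional[str]:
    """Description of the keyring key named by the xattr, or None if absent."""
    return parse_keyctl_show(listing).get(parse_ima_xattr(xattr_hex).keyid)


if __name__ == "__main__":
    sig = parse_ima_xattr(BASH_IMA)
    print("file signature: %s, keyid 0x%08x, %d-byte signature"
          % (sig.hash_algo, sig.keyid, sig.sig_size))
    for listing in (KEYCTL_SHOW, KEYCTL_SHOW_WITH_IMA_KEY):
        print("keyring:", {"0x%08x" % k: v for k, v in parse_keyctl_show(listing).items()})
        print("signing key present:", find_signing_key(BASH_IMA, listing))
```

Run against the report's data the first listing yields only key id 0x08ecd7ff and no match for 0xe7b0c859, which is the mismatch the report describes; the constructed second listing shows what a successful lookup looks like. The decoder only checks the header and key id, it does not verify the ECDSA signature itself.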
Hi Stefan,

I don't think this is a bug. This "Fedora kernel signing key: 76091380b4f96da2b73f660a58bb88e908ecd7ff" is used for verifying the kernel module signature by IMA. The module signing key gets automatically loaded into the .ima keyring as implemented by commit 6cbdfb3d91ba ("ima: enable loading of build time generated key on .ima keyring"). The key for signing package files hasn't been added to the .ima keyring. I plan to build the IMA CA key into the .builtin_trusted_keys and let user space tools add the IMA code-signing key to the .ima keyring.
On F39 now. There's still this issue here that unfortunately none of the x509 certs can be loaded:

[root@fedora ~]# keyctl padd asymmetric "" %keyring:.ima < /etc/keys/ima/fedora-39-ima.der
add_key: Required key not available
[root@fedora ~]# keyctl padd asymmetric "" %keyring:.ima < /etc/keys/ima/fedora-38-ima.der
add_key: Required key not available