On Fri, 2018-03-16 at 14:34 +0000, Martin Townsend wrote: > Hi Mimi, > > On Fri, Mar 16, 2018 at 1:25 PM, Mimi Zohar <zohar(a)linux.vnet.ibm.com&gt; wrote: >> On Fri, 2018-03-16 at 09:32 +0000, Martin Townsend wrote: >>> [Resending to new integrity mailing list] >>> >>> Hi, >>> >>> I have a system with a pre-signed UBI root filesystem image with both >>> IMA/EVM signatures on all files. The Root CA Cert is compiled into >>> the kernel and the public keys is in the rootfs. All SMACK labels >>> have also been applied although at this early stage there aren't many >>> (just a few application specific ones) so it's mainly the defaults.

>>> This image is then flashed to the on board NAND. >>> >>> The kernel bootargs for IMA are >>> >>> "ima_audit=1 ima_template=ima-ng ima_hash=sha1 ima_tcb >>> ima_appraise_tcb rootflags=i_version" >>> >>> and I'm enabling SMACK by using the kernel bootarg >>> >>> "security=smack" >>> >>> now if I boot without the "security=smack" it boots fine and I can >>> check the IMA/EVM signatures and can see that measurements are being >>> taken, but if I enable SMACK using the above kernel bootarg it fails >>> to boot and it looks like some problem early in systemd where it >>> mounts the required filesystems in mount-setup.c (log provided below). >>> Now if I flash an image that hasn't been signed and enable SMACK it >>> boots fine and I can use SMACK to enforce access control. So there >>> seems to some interaction between the two when mounting the early >>> filesystems. >>> >>> Before I delve into this I would appreciate any pointers to where to >>> start looking, any printk's to put in SMACK/IMA/mount code to help >>> diagnose this would be really appreciated. >>> >>> The Kernel is 4.9 LTSI, systemd is v229

>>> >>> Apologies if I have the wrong mailing list for SMACK, I couldn't find >>> one on vger.kernel.org.

>>> >>> >>> Boot log. >>> ... >>> Security Framework initialized >>> Smack: Initializing. >>> Smack: IPv6 port labeling enabled. >>> Mount-cache hash table entries: 1024 (order: 0, 4096 bytes) >>> Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes) >>> CPU: Testing write buffer coherency: ok >>> Setting up static identity map for 0x80100000 - 0x80100058 >>> devtmpfs: initialized >>> evm: security.SMACK64 >>> evm: security.SMACK64EXEC >>> evm: security.SMACK64TRANSMUTE >>> evm: security.SMACK64MMAP >>> evm: security.ima >>> evm: security.capability >>> ... >>> Loading compiled-in X.509 certificates >>> Loaded X.509 cert 'IMA-EVM Root CA: cc972d25acf7c1efaa5329a48104efa303f0833a' >>> ... >>> UBIFS (ubi0:0): FS size: 201764864 bytes (192 MiB, 1589 LEBs), journal >>> size 9023488 bytes (8 MiB, 72 LEBs) >>> UBIFS (ubi0:0): reserved for root: 0 bytes (0 KiB) >>> UBIFS (ubi0:0): media format: w4/r0 (latest is w4/r0), UUID >>> F6EA70A5-1931-4049-89CB-93B82F37F6A4, small LPT model >>> VFS: Mounted root (ubifs filesystem) readonly on device 0:16. >>> devtmpfs: mounted >>> integrity: Loaded X.509 cert 'IMA Certificate Authority: >>> e2c191a6e31fd02d6beba0c7c7847720a35fd9c6': /etc/keys/ima-x509.der >>> Freeing unused kernel memory: 1024K >>> systemd[1]: Successfully loaded Smack policies.

>>> systemd[1]: Successfully loaded Smack/CIPSO policies. >>> systemd[1]: System time before build time, advancing clock. >>> systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory >>> systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory >>> systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/systemd: No such >>> file or directory

>>> [!!!!!!] Failed to mount API filesystems, freezing. >>> systemd[1]: Freezing execution. >> [Cc'ing Sascha] >> >> Are there any additional messages in /var/log/audit/audit.log? >> >> Mimi >> > Sadly I can't see this file, I don't even think the relevant > filesystems have been mounted as this point. I tried the emergency > shell but no joy. Is there a way of patching the kernel to show audit > messages to the console? If you point me at the relevant code I'll > hack something in. I'm currently putting printk's everywhere I can > think of to see what's going on. If you can think of anywhere in the > IMA that would be good to see a debug print let me know, currently I > have something in process_measurements and a few other places in > ima_main.c. I would think the audit messages would go to the console.  With dracut, I use a couple of boot command line options for debugging (eg. rd.debug rd.break=pre-mount, rd.shell). Mimi