[Bug 1187654] New: MicroOS IMA enabled system, dracut-pre-privot error
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654

Bug ID: 1187654
Summary: MicroOS IMA enabled system, dracut-pre-privot error
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: screening-team-bugs@suse.de
Reporter: aplanas@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

In a MicroOS IMA enabled system, via the system role, the first boot shows this error:

localhost dracut-pre-pivot[394]: ls: cannot access '/sysroot/etc/keys/ima/*': No such file or directory

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654

Alberto Planas Dominguez <aplanas@suse.com> changed:

What      |Removed                     |Added
----------------------------------------------------------------------------
Component |Other                       |Basesystem
Assignee  |screening-team-bugs@suse.de |dracut-maintainers@suse.de
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654#c1

--- Comment #1 from Alberto Planas Dominguez <aplanas@suse.com> ---
Seems to come from here:

https://github.com/openSUSE/dracut/blob/SUSE/054/modules.d/98integrity/ima-k...
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654#c17

Alberto Planas Dominguez <aplanas@suse.com> changed:

What      |Removed   |Added
----------------------------------------------------------------------------
CC        |          |dracut-maintainers@suse.de
Flags     |needinfo? |needinfo?(dracut-maintainers@suse.de)

--- Comment #17 from Alberto Planas Dominguez <aplanas@suse.com> ---
Seems that MicroOS still has the issue (dracut-ima+suse.275.g4ce7a6a7-2.3)
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654#c18

Antonio Feijoo <antonio.feijoo@suse.com> changed:

What      |Removed                               |Added
----------------------------------------------------------------------------
CC        |                                      |antonio.feijoo@suse.com
Flags     |needinfo?(dracut-maintainers@suse.de) |

--- Comment #18 from Antonio Feijoo <antonio.feijoo@suse.com> ---
(In reply to Alberto Planas Dominguez from comment #10)
> (In reply to Thomas Blume from comment #9)
> > (In reply to Alberto Planas Dominguez from comment #8)
> > > As a parallel work I added the /etc/keys and /usr/etc/keys directory
> > > in keyctl. Let's see the review, I am not confident about the correct
> > > owner.
> >
> > Thanks Alberto, let's discuss how to go on with this when you have
> > results.
>
> Sure. Still it makes sense to do something here. If the
> [/usr]/etc/keys/ima is present but empty, we will still have the same
> error. IMHO this will be a cosmetic error now, but it could still make
> sense to address it properly.

This minor ls error is fixed upstream
(https://github.com/dracutdevs/dracut/commit/f63f411) and will be backported.

You may already know that IMA appraisal can be used without digital
signatures, just by storing hash digests instead and protecting the
security.ima against tampering using EVM.

And the IMA policy (comment #6) loaded in dracut refers to the custom policy,
which is also optional (the main policy is added via kernel command line).

So, apart from hiding this ls error, I think we don't need to do anything
else here.
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654#c19

Alberto Planas Dominguez <aplanas@suse.com> changed:

What      |Removed |Added
----------------------------------------------------------------------------
Flags     |        |needinfo?

--- Comment #19 from Alberto Planas Dominguez <aplanas@suse.com> ---
(In reply to Antonio Feijoo from comment #18)
> This minor ls error is fixed upstream
> (https://github.com/dracutdevs/dracut/commit/f63f411) and will be
> backported.
>
> You may already know that IMA appraisal can be used without digital
> signatures, just by storing hash digests instead and protecting the
> security.ima against tampering using EVM.
>
> And the IMA policy (comment #6) loaded in dracut refers to the custom
> policy, which is also optional (the main policy is added via kernel
> command line).
>
> So, apart from hiding this ls error, I think we don't need to do anything
> else here.

I am not sure what changed, but it seems that this is not a minimal error
anymore? In my system this "ls /etc/keys/ima/*" produces an errno, killing
the dracut load process. It is a different error when doing
"ls /etc/keys/ima/":

# ls /etc/keys/ima/*; echo $?
ls: cannot access '/etc/keys/ima/*': No such file or directory
2
# ls /etc/keys/ima/; echo $?
0

If this happens in the first boot in MicroOS, it will make the system
unusable (missing services later will not set up the device properly).
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654#c20

--- Comment #20 from Alberto Planas Dominguez <aplanas@suse.com> ---
(In reply to Antonio Feijoo from comment #18)
> This minor ls error is fixed upstream
> (https://github.com/dracutdevs/dracut/commit/f63f411) and will be
> backported.

IIUC this will also produce a weird message (but in this case without an
errno). It will generate this info message:

"integrity: IMA x509 cert file not found: /sysroot/etc/keys/ima/*"

Note that if the directory is empty or not present, the variable will have
the value "/sysroot/etc/keys/ima/*", and the later check will consider it as
an invalid key.
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654#c21

Antonio Feijoo <antonio.feijoo@suse.com> changed:

What      |Removed   |Added
----------------------------------------------------------------------------
Flags     |needinfo? |

--- Comment #21 from Antonio Feijoo <antonio.feijoo@suse.com> ---
(In reply to Alberto Planas Dominguez from comment #20)
> (In reply to Antonio Feijoo from comment #18)
> > This minor ls error is fixed upstream
> > (https://github.com/dracutdevs/dracut/commit/f63f411) and will be
> > backported.
>
> IIUC this will also produce a weird message (but in this case without an
> errno). It will generate this info message:
>
> "integrity: IMA x509 cert file not found: /sysroot/etc/keys/ima/*"
>
> Note that if the directory is empty or not present, the variable will
> have the value "/sysroot/etc/keys/ima/*", and the later check will
> consider it as an invalid key.

No, with this fix if there is not any cert file in /sysroot/etc/keys/ima, no
message is shown.
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654#c22

Alberto Planas Dominguez <aplanas@suse.com> changed:

What      |Removed |Added
----------------------------------------------------------------------------
Flags     |        |needinfo?

--- Comment #22 from Alberto Planas Dominguez <aplanas@suse.com> ---
(In reply to Antonio Feijoo from comment #21)
> No, with this fix if there is not any cert file in /sysroot/etc/keys/ima,
> no message is shown.

Uhm, I mean if RD_DEBUG was "yes" it will show
"integrity: IMA x509 cert file not found: /sysroot/etc/keys/ima/*"
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654#c23

Antonio Feijoo <antonio.feijoo@suse.com> changed:

What      |Removed   |Added
----------------------------------------------------------------------------
Flags     |needinfo? |

--- Comment #23 from Antonio Feijoo <antonio.feijoo@suse.com> ---
(In reply to Alberto Planas Dominguez from comment #22)
> (In reply to Antonio Feijoo from comment #21)
> > No, with this fix if there is not any cert file in
> > /sysroot/etc/keys/ima, no message is shown.
>
> Uhm, I mean if RD_DEBUG was "yes" it will show
> "integrity: IMA x509 cert file not found: /sysroot/etc/keys/ima/*"

That part of the code is inside the loop content and is never reached if
there is no file. The same structure is used in evm-enable.sh, and you don't
see any "integrity: EVM x509 cert file not found" messages. Try it yourself.

for PUBKEY in "${NEWROOT}${IMAKEYSDIR}"/*; do
    # check for public key's existence
    if [ ! -f "${PUBKEY}" ]; then
        if [ "${RD_DEBUG}" = "yes" ]; then
            info "integrity: IMA x509 cert file not found: ${PUBKEY}"
        fi
        continue
    fi
    ...
done
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654#c24

--- Comment #24 from Alberto Planas Dominguez <aplanas@suse.com> ---
(In reply to Antonio Feijoo from comment #23)
> (In reply to Alberto Planas Dominguez from comment #22)
> > (In reply to Antonio Feijoo from comment #21)
> > > No, with this fix if there is not any cert file in
> > > /sysroot/etc/keys/ima, no message is shown.
> >
> > Uhm, I mean if RD_DEBUG was "yes" it will show
> > "integrity: IMA x509 cert file not found: /sysroot/etc/keys/ima/*"
>
> That part of the code is inside the loop content and is never reached if
> there is no file.

But that is the issue, isn't it? As I commented before, if there is no file
the PUBKEY variable will not be empty, it will have a value, and this value
is the string "/sysroot/etc/keys/ima/*"

Check this here, for example:

for PUBKEY in "/non/existent/"*; do
    echo "Inside loop: ${PUBKEY}"
done

This produces this output:

Inside loop: /non/existent/*

Are we using different shells?
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654
http://bugzilla.opensuse.org/show_bug.cgi?id=1187654#c25

--- Comment #25 from Antonio Feijoo <antonio.feijoo@suse.com> ---
(In reply to Alberto Planas Dominguez from comment #24)
> (In reply to Antonio Feijoo from comment #23)
> > (In reply to Alberto Planas Dominguez from comment #22)
> > > (In reply to Antonio Feijoo from comment #21)
> > > > No, with this fix if there is not any cert file in
> > > > /sysroot/etc/keys/ima, no message is shown.
> > >
> > > Uhm, I mean if RD_DEBUG was "yes" it will show
> > > "integrity: IMA x509 cert file not found: /sysroot/etc/keys/ima/*"
> >
> > That part of the code is inside the loop content and is never reached
> > if there is no file.
>
> But that is the issue, isn't it? As I commented before, if there is no
> file the PUBKEY variable will not be empty, it will have a value, and
> this value is the string "/sysroot/etc/keys/ima/*"
>
> Check this here, for example:
>
> for PUBKEY in "/non/existent/"*; do
>     echo "Inside loop: ${PUBKEY}"
> done
>
> This produces this output:
>
> Inside loop: /non/existent/*
>
> Are we using different shells?

Yes, you're right, you're not seeing anything because rd.debug is not set on
the kernel command line. Sorry for my mistake, I'm multitasking right now...
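The behaviour argued over in comments #23 to #25 (an unmatched glob in a POSIX sh `for` loop still produces one iteration, whose value is the literal pattern, and the `[ ! -f ]` guard in the upstream fix is what stops that iteration from being treated as a key file) can be checked in isolation. The script below is an added example written for this thread; it is not code from dracut or from either commenter. It builds three fixtures in a `mktemp -d` directory (a missing directory, an empty one, and one with two constructed `.der` files) and reports what an unguarded loop and a guarded loop see for each. The function names and the fixture paths are this example's own; only the `PUBKEY` variable name and the `[ ! -f "${PUBKEY}" ]` guard are taken from the loop quoted in comment #23.

```shell
#!/bin/sh
# Added example, not dracut code: how an unmatched glob behaves in a POSIX sh
# "for" loop, and how a file-existence guard neutralises the bogus iteration.

# naive_count DIR: iterations performed by an unguarded "for X in DIR/*" loop.
# With no match the shell keeps the pattern itself, so the loop runs once with
# the literal string "DIR/*" (the "/sysroot/etc/keys/ima/*" seen in the bug).
naive_count() {
    dir=$1
    n=0
    for PUBKEY in "${dir}"/*; do
        n=$((n + 1))
    done
    echo "$n"
}

# naive_first DIR: the value PUBKEY holds in the first iteration, which is what
# the "integrity: IMA x509 cert file not found: ..." message would print.
naive_first() {
    dir=$1
    for PUBKEY in "${dir}"/*; do
        echo "$PUBKEY"
        return 0
    done
}

# guarded_count DIR: regular files actually processed when the loop carries the
# same "[ ! -f ]" guard as the upstream fix. The literal "DIR/*" is not an
# existing file (the "*" is not expanded by test), so it is skipped.
guarded_count() {
    dir=$1
    n=0
    for PUBKEY in "${dir}"/*; do
        if [ ! -f "${PUBKEY}" ]; then
            # No match (PUBKEY is the literal "DIR/*") or not a regular file.
            continue
        fi
        n=$((n + 1))
    done
    echo "$n"
}

# demo: constructed fixtures (missing dir, empty dir, dir with two key files).
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/empty" "$base/keys"
    : > "$base/keys/ima-1.der"
    : > "$base/keys/ima-2.der"
    for d in "$base/missing" "$base/empty" "$base/keys"; do
        printf '%s: naive=%s guarded=%s first=%s\n' \
            "$d" "$(naive_count "$d")" "$(guarded_count "$d")" "$(naive_first "$d")"
    done
    rm -rf "$base"
}

demo
```

The guard is the portable answer: bash's `shopt -s nullglob` would make the loop body never run on no match, but that option does not exist in a plain POSIX sh, and an initramfs hook cannot assume bash. The `-f` test also covers the other case a key loader cares about, a directory entry that matches the glob but is not a regular file.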