Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 25. Extending, customizing, and troubleshooting kernel integrity subsystem

Extend, customize, and troubleshoot the kernel integrity subsystem to support diverse security requirements and operational environments.

25.1. Generate good reference values for IMA appraisal
Copier lien

Generate valid reference values stored in the security.ima extended attribute for all files governed by IMA-appraisal rules before deploying the policy to prevent boot failures or access denials. 

# ima-appraise-file </path/to/file>

Use IMA signatures as trusted reference values for immutable files to support integrity verification and ensure only files with valid signatures are accessed.

Prerequisites

  • You have created an IMA policy that includes IMA-appraisal rules.

Procedure

  1. Install the rpm-plugin-ima: 

    $ sudo dnf install rpm-plugin-ima -yq

    This ensures that package files have IMA signature stored in security.xattr automatically during package installation, reinstallation, or upgradation.

  2. Reinstall all the packages: 

    $ sudo dnf reinstall "*" -y

    This ensures that the security.xattr extended attribute is updated for all packages.

  3. Enable the dracut integrity module so the official IMA code-signing key in /etc/keys/ima loads automatically on boot: 

    $ sudo dracut -f

Verification

  • Verify that signature is correctly stored in security.ima extended attribute: 

    $ # evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /usr/lib/systemd/systemd
     
    keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
/usr/lib/systemd/systemd: verification is OK
     
    $ # evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /bin/bash
     
    keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
/bin/bash: verification is OK
...

25.1.2. Generating good reference values for mutable files
Copier lien

Generate and update reference values for mutable files to maintain integrity and ensure the system accurately verifies file authenticity.

Prerequisites

  • You have root privileges on the system.
  • You have created an IMA policy that includes IMA-appraisal rules.
  • You have generated good reference values for IMA appraisal.
  • Secure Boot is disabled.

Procedure

  1. Optional: Enable your chosen IMA-appraisal policy or skip this step if you only use your custom policy. Take built-in ima_policy=appraise_tcb as an example: 

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="ima_policy=appraise_tcb"

    • Additionally for s390x systems: 

      # zipl

  2. Enable IMA-appraisal fix mode by adding the ima_appraise=fix kernel command line parameter: 

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="ima_appraise=fix"

    • Additionally for s390x systems: 

      # zipl

  3. Reboot the system: 

    # reboot

  4. Optional: Load your custom IMA policy: 

    # echo <path_to_your_custom_ima_policy> > /sys/kernel/security/ima/policy

  5. Re-label the whole system: 

    # find / -fstype xfs -type f -uid 0 -exec head -c 0 '{}' \;

  6. Turn off IMA-appraisal fix mode by removing the ima_appraise=fix kernel command line parameter: 

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --remove-args="ima_appraise=fix"

    • Additionally for s390x systems: 

      # zipl
  7. Enable the secure boot if it is disabled.

Additional resources

25.2. Writing custom IMA policy
Copier lien

Create custom IMA policy rules when built-in policies or sample policies do not meet your requirements. Systemd loads custom policies from /etc/ima/ima-policy, replacing the built-in IMA policy.

Warning

After you define your IMA policy, generate good reference values if the policy includes IMA-appraisal rules before you deploy it. If your policy does not include IMA-appraisal rules, you can verify the policy by running echo /PATH-TO-YOUR-DRAFT-IMA-POLICY > /sys/kernel/security/integrity/ima/policy. This approach helps prevent system boot failures.

See Generate good reference values for IMA appraisal.

An IMA policy rule uses the format action [condition …​] to specify an action that is triggered under certain conditions. For example, the sample policy in /usr/share/ima/policies/01-appraise-executable-and-lib-signatures includes the following rules: 

# Skip some unsupported filesystems
# For a list of these filesystems, see
# https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
…
appraise func=BPRM_CHECK appraise_type=imasig

The first rule, dont_appraise fsmagic=0x9fa0, instructs IMA to skip appraising files in the PROC_SUPER_MAGIC filesystem. The last rule, appraise func=BPRM_CHECK appraise_type=imasig, enforces signature verification when a file is executed.

25.3. Creating custom IMA keys using OpenSSL
Copier lien

Generate a CSR with OpenSSL to create digital certificates for code security. The kernel validates IMA signatures using code signing keys in the .ima keyring. Before adding a key, ensure it is signed by an IMA CA key present in the trusted keyrings.

Prerequisites

  • The custom IMA CA key has the following extensions:

    • the basic constraints extension with the CA boolean asserted.
    • the KeyUsage extension with the keyCertSign bit asserted but without the digitalSignature asserted.

  • The custom IMA code signing key falls under the following criteria:

    • The IMA CA key signed this custom IMA code signing key.
    • The custom key includes the subjectKeyIdentifier extension.
  • UEFI Secure Boot on x86_64 or aarch64 systems or PowerVM Secure Boot on ppc64le systems is enabled.

Procedure

  1. To generate a custom IMA CA key pair, run: 

    # openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config ima_ca.conf -outform DER -out custom_ima_ca.der -keyout custom_ima_ca.priv

  2. Optional: To check the content of the ima_ca.conf file, run: 

    # cat ima_ca.conf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = ca

[ req_distinguished_name ]
O = YOUR_ORG
CN =  YOUR_COMMON_NAME IMA CA
emailAddress = YOUR_EMAIL

[ ca ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage=critical,keyCertSign,cRLSign

  3. To generate a private key and a certificate signing request (CSR) for the IMA code signing key, run: 

    # openssl req -new -utf8 -sha256 -days 365 -batch -config ima.conf -out custom_ima.csr -keyout custom_ima.priv

  4. Optional: To check the content of the ima.conf file, run: 

    # cat ima.conf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = code_signing

[ req_distinguished_name ]
O = YOUR_ORG
CN = YOUR_COMMON_NAME IMA signing key
emailAddress = YOUR_EMAIL

[ code_signing ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

  5. Use the IMA CA private key to sign the CSR to create the IMA code signing certificate: 

    # openssl x509 -req -in custom_ima.csr -days 365 -extfile ima.conf -extensions code_signing -CA custom_ima_ca.der -CAkey custom_ima_ca.priv -CAcreateserial -outform DER -out ima.der

25.4. Loading an IMA policy signed by your custom IMA key
Copier lien

Load an IMA policy signed with your custom IMA key to maintain system integrity and ensure only trusted, authenticated policies are applied during system startup or runtime.

Note

This procedure applies only to x86_64 and aarch64 systems with UEFI Secure Boot enabled, and to ppc64le systems running PowerVM Secure Boot.

Prerequisites

Procedure

  1. Add your custom IMA code signing key to the .ima keyring: 

    # keyctl padd asymmetric <KEY_SUBJECT> %:.ima < <PATH_TO_YOUR_CUSTOM_IMA_KEY>

  2. Prepare your IMA policy and sign it with your custom IMA code signing key: 

    # evmctl ima_sign <PATH_TO_YOUR_CUSTOM_IMA_POLICY> -k <PATH_TO_YOUR_CUSTOM_IMA_KEY>

  3. Load the signed IMA policy: 

    # echo <PATH_TO_YOUR_CUSTOM_SIGNED_IMA_POLICY> > /sys/kernel/security/ima/policy

  4. Check the exit status of the previous command: 

    # echo $?
     
    0
    0

    indicates that the IMA policy was loaded successfully. If the command returns a nonzero value, the IMA policy was not loaded successfully.

    Warning

    Do not skip this step. If you do, your system might fail to boot and you need to recover your system.

    If the IMA policy fails to load, repeat the steps 2, 3, and 4 to fix the issue.

  5. Copy the signed IMA policy to /etc/ima/ima-policy to enable systemd load it automatically on boot: 

    # cp --preserve=xattr <PATH_TO_YOUR_CUSTOM_IMA_POLICY> /etc/ima/ima-policy

  6. Copy your custom IMA code signing key to /etc/keys/ima/: 

    # cp <PATH_TO_YOUR_CUSTOM_IMA_KEY> /etc/keys/ima/

  7. Copy the dracut integrity module configuration file: 

    # cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf

  8. Regenerate the initial RAM disk: 

    # dracut -f

    • Additionally for s390x systems: 

      # zipl

Verification

  • Verify that the IMA policy is loaded successfully: 

    # cat /sys/kernel/security/ima/policy

    The output should include the rules from your custom IMA policy.

25.5. Troubleshooting systemd failure to load the IMA policy
Copier lien

If systemd fails to load the /etc/ima/ima-policy file, the system may hang and display a Freezing execution error. You can troubleshoot and recover the system from this state by using the methods described in this procedure. 

[    5.829882] ima: policy update failed
[    5.830094] ima: signed policy file (specified as an absolute pathname) required
[!!!!!!] Failed to load IMA policy.
…
[    5.859994] systemd[1]: Freezing execution.

There are three methods that you can use to recover your system.

25.5.1. Turn off Secure Boot
Copier lien

If system startup fails because an unsigned IMA policy cannot load, temporarily disable Secure Boot. With disabled Secure Boot, you can resolve the error before re-enabling security features. 

[    5.661906] ima: policy update failed
[    5.662290] ima: signed policy file (specified as an absolute pathname) required
[    5.662496] systemd[1]: Failed to load the IMA custom policy file /etc/ima/ima-policy1: Permission denied
[    5.662663] ima: policy update failed
[    5.662856] audit: type=1800 audit(1744968172.925:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=appraise_data cause=IMA-signature-required comm="systemd" name="/etc/ima/ima-policy" dev="vda3" ino=25679834 res=0 errno=0
[    5.663205] audit: type=1802 audit(1744968172.925:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=policy_update cause=failed comm="systemd" res=0 errno=0
[!!!!!!] Failed to load IMA policy.

As a workaround, you can turn off Secure Boot temporarily and follow Deploying a custom signed IMA policy for UEFI systems to fix the issue.

Boot the system with the init=/bin/bash kernel parameter to access a shell for system recovery or troubleshooting.

  1. Modify the bootloader entry and add the init=/bin/bash kernel parameter.

  2. After you access the shell, remount the system with write permissions: 

    # mount -o remount,rw /

  3. Rename /etc/ima/ima-policy to /etc/ima/ima-policy.bak: 

    # mv /etc/ima/ima-policy /etc/ima/ima-policy.bak

  4. Enable the SysRq key: 

    # echo 1 > /proc/sys/kernel/sysrq

  5. Reboot the system: 

    # printf "s\nb" > /proc/sysrq-trigger

  6. Resolve any issues in /etc/ima/ima-policy.bak and verify that the policy can be loaded: 

    # echo /etc/ima/ima-policy.bak >> /sys/kernel/security/integrity/ima/policy

  7. Rename /etc/ima/ima-policy.bak to /etc/ima/ima-policy: 

    # mv /etc/ima/ima-policy.bak /etc/ima/ima-policy

Boot the system with the initcall_blacklist=init_ima kernel parameter to disable the IMA policy when the system hangs with systemd[1]: Freezing execution.

  1. Modify the boot loader entry and add the initcall_blacklist=init_ima kernel parameter.

  2. Rename /etc/ima/ima-policy to /etc/ima/ima-policy.bak: 

    # mv /etc/ima/ima-policy /etc/ima/ima-policy.bak

  3. Reboot the system: 

    # systemctl reboot

  4. Resolve any issues in /etc/ima/ima-policy.bak and verify that the policy can be loaded: 

    # echo /etc/ima/ima-policy.bak >> /sys/kernel/security/integrity/ima/policy

  5. Rename /etc/ima/ima-policy.bak to /etc/ima/ima-policy: 

    # mv /etc/ima/ima-policy.bak /etc/ima/ima-policy

25.6. Signing custom built packages
Copier lien

Sign custom built packages before deployment using the rpm-sign tool and IMA code signing key to maintain system integrity.

Prerequisites

  • You have root privileges on your system.
  • You have a custom built package that you want to sign.
  • You have the IMA code signing key.
  • You have the rpm-sign tool installed.
  • Custom IMA keys are created. See Creating custom IMA keys using OpenSSL.

Procedure

  1. Use rpmsign –signfiles to sign package files: 

    # rpmsign --define "gpg_name _<GPG_KEY_NAME>" --addsign --signfiles --fskpass --fskpath=<PATH_TO_YOUR_PRIVATE_IMA_CODE_SIGNING_KEY> <PATH_TO_YOUR_RPM>
    --define "gpg_name _<GPG_KEY_NAME>"
    The GPG key signs the package, and the IMA code signing key signs each file in the package.
    --addsign
    Adds the signature to the package.
    --signfiles
    Signs each file in the package.
    --fskpass
    Avoids repeatedly entering the password for the IMA code signing key.
    --fskpath
    Specifies the path to the IMA code signing key.

Verification

  • To verify that the package is signed, you can use the following command: 

    # rpm -q --queryformat "[%{FILENAMES} %{FILESIGNATURES}\n] <PATH_TO_YOUR_RPM>"
     
    /usr/bin/YOUR_BIN 030204...
/usr/lib/YOUR_LIB.so 030204...
...

25.7. Comparison of IMA and fapolicyd
Copier lien

Compare IMA and fapolicyd tools for enforcing file integrity. IMA verifies file integrity at boot time, while fapolicyd verifies at runtime.

The following list can help you determine which tool meets your requirements:

  • IMA verifies digital signatures to ensure integrity, while fapolicyd currently supports only hash-based verification.
  • IMA operates in kernel space, while fapolicyd operates in user space.
  • fapolicyd supports basic integrity verification by checking file size and can also verify reference hash values stored in security.ima.
  • IMA and fapolicyd use different policy syntax. For example, fapolicyd supports path-based policies, but IMA does not.
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2026 Red HatRetour au début