Chapter 25. Extending, customizing, and troubleshooting kernel integrity subsystem


Extend, customize, and troubleshoot the kernel integrity subsystem to support diverse security requirements and operational environments.

25.1. Generate good reference values for IMA appraisal

Before you deploy a policy that includes IMA-appraisal rules, generate valid reference values in the security.ima extended attribute for every file the rules cover. Otherwise the system can fail to boot, or the affected files can no longer be accessed. Immutable files, such as package contents, take IMA signatures; mutable files take hashes written in IMA-appraisal fix mode. The following sections describe both.

25.1.1. Adding IMA signatures as good references for immutable files

Use IMA signatures as trusted reference values for immutable files to support integrity verification and ensure only files with valid signatures are accessed.

Prerequisites

  • You have created an IMA policy that includes IMA-appraisal rules.

Procedure

  1. Install the rpm-plugin-ima:

    $ sudo dnf install rpm-plugin-ima -yq

    This ensures that the IMA signature of every file in a package is stored in the security.ima extended attribute automatically when the package is installed, reinstalled, or upgraded.

  2. Reinstall all the packages:

    $ sudo dnf reinstall "*" -y

    This updates the security.ima extended attribute for the files of every installed package. The command downloads every package again, so run it on a system that can reach its repositories.

  3. Regenerate the initial RAM disk so that the dracut integrity module loads the Red Hat IMA code signing key from /etc/keys/ima during boot:

    $ sudo dracut -f

Verification

  • Verify that the signatures are correctly stored in the security.ima extended attribute:

    # evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /usr/lib/systemd/systemd
    keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
    key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
    /usr/lib/systemd/systemd: verification is OK
    # evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /bin/bash
    keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
    key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
    /bin/bash: verification is OK
    ...

25.1.2. Generating good reference values for mutable files

Generate and update reference values for mutable files to maintain integrity and ensure the system accurately verifies file authenticity.

Prerequisites

  • You have root privileges on the system.
  • You have created an IMA policy that includes IMA-appraisal rules.
  • You have generated good reference values for IMA appraisal.
  • Secure Boot is disabled. With Secure Boot enabled, the kernel ignores the ima_appraise=fix parameter and stays in enforce mode.

Procedure

  1. Optional: Enable your chosen built-in IMA-appraisal policy, or skip this step if you only use your custom policy. Take the built-in ima_policy=appraise_tcb as an example:

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="ima_policy=appraise_tcb"
    • Additionally for s390x systems:

      # zipl
  2. Enable IMA-appraisal fix mode by adding the ima_appraise=fix kernel command line parameter:

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="ima_appraise=fix"
    • Additionally for s390x systems:

      # zipl
  3. Reboot the system:

    # reboot
  4. Optional: Load your custom IMA policy:

    # echo <path_to_your_custom_ima_policy> > /sys/kernel/security/ima/policy
  5. Re-label the whole system. In fix mode, IMA writes the hash of a file to security.ima when the file is first opened, so opening every file the policy covers is enough. The following command matches the built-in appraise_tcb policy, which appraises files owned by root; adjust the find conditions to the files your custom policy covers:

    # find / -fstype xfs -type f -uid 0 -exec head -c 0 '{}' \;
  6. Turn off IMA-appraisal fix mode by removing the ima_appraise=fix kernel command line parameter:

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --remove-args="ima_appraise=fix"
    • Additionally for s390x systems:

      # zipl
  7. Re-enable Secure Boot if you disabled it for this procedure.
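The following script is an added example; it is not part of the Red Hat documentation. It shows how to check, before you remove ima_appraise=fix, which files carry a signed reference value, which carry a hash written by fix mode, and which carry nothing and would be denied once appraisal is enforced. The layout it decodes is the kernel's security.ima format: a type byte of 0x03 introduces a signature whose version 2 header carries the key id (the same d3320449 that evmctl prints above), 0x04 a hash prefixed with its algorithm byte. The scan directory and the use of getfattr from the attr package are assumptions.

```sh
#!/bin/sh
# Added example, not from the Red Hat documentation. Decodes security.ima values
# and reports files that still lack a usable reference value. Assumptions: the
# attr package (getfattr) is installed; the scan directory is a placeholder.

# Classify a raw security.ima value as printed by `getfattr -e hex`.
classify_ima_xattr() {
    hex="$1"
    [ -n "$hex" ] || { echo none; return 0; }
    case "$hex" in 0x*|0X*) hex=$(printf '%s' "$hex" | cut -c3-) ;; esac
    case "$(printf '%s' "$hex" | cut -c1-2)" in
        03) echo sig ;;          # EVM_IMA_XATTR_DIGSIG: what rpm-plugin-ima installs
        04) echo hash ;;         # IMA_XATTR_DIGEST_NG: what fix mode writes
        01) echo hash-legacy ;;  # IMA_XATTR_DIGEST: bare digest from old IMA versions
        05) echo verity-sig ;;   # IMA_VERITY_DIGSIG: fs-verity based signature
        *)  echo unknown ;;
    esac
}

# Key id of a v2 signature. The header is type(1) version(1) hash_algo(1)
# keyid(4) sig_size(2), so the key id occupies hex characters 7 to 14.
# Fails for anything that is not a v2 signature.
ima_sig_keyid() {
    hex="$1"
    case "$hex" in 0x*|0X*) hex=$(printf '%s' "$hex" | cut -c3-) ;; esac
    [ "$(printf '%s' "$hex" | cut -c1-4)" = "0302" ] || return 1
    printf '%s\n' "$hex" | cut -c7-14
}

# Walk the executables under DIR and print "path kind [keyid=...]".
# Lines marked none or unknown are the ones enforcement will deny.
ima_report() {
    dir="${1:-/usr/bin}"
    find "$dir" -xdev -type f -perm /111 2>/dev/null | while IFS= read -r f; do
        val=$(getfattr -n security.ima -e hex --only-values -- "$f" 2>/dev/null)
        kind=$(classify_ima_xattr "$val")
        if [ "$kind" = sig ]; then
            printf '%s sig keyid=%s\n' "$f" "$(ima_sig_keyid "$val")"
        else
            printf '%s %s\n' "$f" "$kind"
        fi
    done
}

# Typical use on a host (reading security.* attributes needs root):
#   ima_report /usr/lib64 | grep -v ' sig '
```

The report is only as good as the policy it is compared against: `ima_report` walks executables, which is what appraise_tcb and the sample appraisal policy cover; extend the find conditions in the same way as the re-label command when your policy covers more.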

25.2. Writing custom IMA policy

Create custom IMA policy rules when built-in policies or sample policies do not meet your requirements. Systemd loads custom policies from /etc/ima/ima-policy, replacing the built-in IMA policy.

Warning

After you define your IMA policy, generate good reference values before you deploy it if the policy includes IMA-appraisal rules. If it does not, you can test the draft by running echo /PATH-TO-YOUR-DRAFT-IMA-POLICY > /sys/kernel/security/integrity/ima/policy: the command fails with a nonzero exit status if the kernel cannot parse the policy, and a policy loaded this way applies only until the next boot. This approach helps prevent system boot failures.

See Generate good reference values for IMA appraisal.

An IMA policy rule uses the format action [condition …​] to specify an action that is triggered under certain conditions. For example, the sample policy in /usr/share/ima/policies/01-appraise-executable-and-lib-signatures includes the following rules:

# Skip some unsupported filesystems
# For a list of these filesystems, see
# https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
…
appraise func=BPRM_CHECK appraise_type=imasig

The first rule, dont_appraise fsmagic=0x9fa0, instructs IMA to skip appraising files in the PROC_SUPER_MAGIC filesystem. The last rule, appraise func=BPRM_CHECK appraise_type=imasig, enforces signature verification when a file is executed.
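As an added example that is not from the Red Hat documentation, the following script writes a small policy in the action [condition ...] format described above and lints it before it goes anywhere near the kernel. The lint reports an unknown action or condition, including the path condition that IMA does not have, and a non-hex fsmagic value; these are the typos that otherwise surface as a hang at boot. The policy content is modelled on the sample policy above but is an assumption, as is the list of accepted condition keywords, which follows the kernel's ima_policy ABI documentation.

```sh
#!/bin/sh
# Added example, not from the Red Hat documentation. Writes a small appraisal
# policy and lints it for keyword-level mistakes before it is echoed into
# securityfs or installed as /etc/ima/ima-policy. Policy content and keyword
# lists are assumptions based on Documentation/ABI/testing/ima_policy.

# Skip the pseudo-filesystems (magic numbers from include/uapi/linux/magic.h),
# then require an IMA signature on everything executed or mmap'ed executable.
write_sample_policy() {
    cat > "$1" <<'EOF'
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
# SYSFS_MAGIC
dont_appraise fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_appraise fsmagic=0x64626720
# TMPFS_MAGIC
dont_appraise fsmagic=0x01021994
# DEVPTS_SUPER_MAGIC
dont_appraise fsmagic=0x1cd1
# SECURITYFS_MAGIC
dont_appraise fsmagic=0x73636673
# SELINUX_MAGIC
dont_appraise fsmagic=0xf97cff8c
# CGROUP_SUPER_MAGIC, CGROUP2_SUPER_MAGIC
dont_appraise fsmagic=0x27e0eb
dont_appraise fsmagic=0x63677270
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
EOF
}

# Return 0 if every rule in FILE uses a known action and known conditions;
# otherwise report each problem on stderr and return 1. The kernel parses far
# more strictly; this catches the typo class that leaves a system unbootable.
ima_policy_lint() {
    file="$1"; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f          # split on whitespace, no globbing
        case "$1" in
            measure|dont_measure|appraise|dont_appraise|audit|hash|dont_hash) ;;
            *) echo "$file:$n: unknown action '$1'" >&2; rc=1; continue ;;
        esac
        shift
        for cond in "$@"; do
            case "$cond" in
                permit_directio) continue ;;          # the one flag without a value
                *=*) key=${cond%%=*}; val=${cond#*=} ;;
                *) echo "$file:$n: '$cond' is not key=value" >&2; rc=1; continue ;;
            esac
            case "$key" in
                func|mask|fsmagic|fsuuid|fsname|uid|euid|gid|egid|fowner|fgroup) ;;
                obj_user|obj_role|obj_type|subj_user|subj_role|subj_type) ;;
                appraise_type|appraise_flag|appraise_algos|template|pcr|keyrings|label|digest_type) ;;
                path|pathname) echo "$file:$n: IMA has no path-based conditions; use fsmagic, fsuuid or fsname" >&2; rc=1 ;;
                *) echo "$file:$n: unknown condition '$key'" >&2; rc=1 ;;
            esac
            case "$key/$val" in
                fsmagic/0x[0-9a-fA-F]*) ;;
                fsmagic/*) echo "$file:$n: fsmagic needs a hex value, got '$val'" >&2; rc=1 ;;
            esac
        done
    done < "$file"
    return $rc
}

# Typical use: write_sample_policy /root/ima-policy.draft && ima_policy_lint /root/ima-policy.draft
```

A clean lint result does not replace the kernel's own check; it only means the draft is worth echoing into /sys/kernel/security/ima/policy, where the exit status of that command gives the final verdict.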

25.3. Creating custom IMA keys using OpenSSL

Use OpenSSL to create a custom IMA certificate authority (CA) and a code signing certificate issued by it. The kernel validates IMA signatures with the code signing keys in the .ima keyring, and it adds a key to that keyring only if the key is signed by an IMA CA key present in one of the trusted keyrings.

Prerequisites

  • The custom IMA CA key has the following extensions:

    • the basic constraints extension with the CA boolean asserted.
    • the KeyUsage extension with the keyCertSign bit asserted but without the digitalSignature asserted.
  • The custom IMA code signing key falls under the following criteria:

    • The IMA CA key signed this custom IMA code signing key.
    • The custom key includes the subjectKeyIdentifier extension.
  • UEFI Secure Boot on x86_64 or aarch64 systems or PowerVM Secure Boot on ppc64le systems is enabled.

Procedure

  1. To generate a custom IMA CA key pair, run:

    # openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config ima_ca.conf -outform DER -out custom_ima_ca.der -keyout custom_ima_ca.priv
  2. Optional: To check the content of the ima_ca.conf file, run:

    # cat ima_ca.conf
    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    prompt = no
    string_mask = utf8only
    x509_extensions = ca
    
    [ req_distinguished_name ]
    O = YOUR_ORG
    CN =  YOUR_COMMON_NAME IMA CA
    emailAddress = YOUR_EMAIL
    
    [ ca ]
    basicConstraints=critical,CA:TRUE
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer
    keyUsage=critical,keyCertSign,cRLSign
  3. To generate a private key and a certificate signing request (CSR) for the IMA code signing key, run:

    # openssl req -new -utf8 -sha256 -batch -config ima.conf -out custom_ima.csr -keyout custom_ima.priv

    A CSR carries no validity period; the validity of the certificate is set when the CA signs the request in step 5.
  4. Optional: To check the content of the ima.conf file, run:

    # cat ima.conf
    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    prompt = no
    string_mask = utf8only
    x509_extensions = code_signing
    
    [ req_distinguished_name ]
    O = YOUR_ORG
    CN = YOUR_COMMON_NAME IMA signing key
    emailAddress = YOUR_EMAIL
    
    [ code_signing ]
    basicConstraints=critical,CA:FALSE
    keyUsage=digitalSignature
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer
  5. Use the IMA CA private key to sign the CSR to create the IMA code signing certificate:

    # openssl x509 -req -in custom_ima.csr -days 365 -extfile ima.conf -extensions code_signing -CA custom_ima_ca.der -CAform DER -CAkey custom_ima_ca.priv -CAcreateserial -outform DER -out ima.der

    The -CAform DER option is required because step 1 wrote the CA certificate in DER format; without it, openssl expects PEM and fails to load the CA certificate. The resulting ima.der is the certificate you add to the .ima keyring and copy to /etc/keys/ima/. The private key, custom_ima.priv, stays on the signing host.
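The procedure above as one script, added here as an example rather than taken from the Red Hat documentation. It keeps the CA certificate in PEM so that openssl verify can check the chain, writes the DER copies the kernel needs, and then checks the prerequisites listed at the top of this section: CA:TRUE and keyCertSign without digitalSignature on the CA, digitalSignature and a subjectKeyIdentifier on the signing certificate, and a signing certificate actually issued by the CA. Writing the keys unencrypted with -nodes, the scratch directory and the subject names are assumptions.

```sh
#!/bin/sh
# Added example, not from the Red Hat documentation: create the IMA CA and the
# CA-issued code signing certificate, then check the extensions the kernel
# requires before the certificate goes anywhere near the .ima keyring.
# Assumptions: OpenSSL 1.1.1 or later; keys written unencrypted (-nodes) into
# a scratch directory; subject names are placeholders.

ima_make_keys() {
    dir="$1"
    cat > "$dir/ima_ca.conf" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = ca

[ req_distinguished_name ]
O = Example Org
CN = Example IMA CA

[ ca ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage=critical,keyCertSign,cRLSign
EOF
    cat > "$dir/ima.conf" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only

[ req_distinguished_name ]
O = Example Org
CN = Example IMA signing key

[ code_signing ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
EOF
    # Self-signed CA in PEM (for openssl verify); a DER copy follows for the kernel.
    openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -nodes -config "$dir/ima_ca.conf" \
        -out "$dir/custom_ima_ca.pem" -keyout "$dir/custom_ima_ca.priv" 2>/dev/null || return 1
    # CSR for the code signing key: no -days here, the CA decides the validity.
    openssl req -new -utf8 -sha256 -batch -nodes -config "$dir/ima.conf" \
        -out "$dir/custom_ima.csr" -keyout "$dir/custom_ima.priv" 2>/dev/null || return 1
    # CA issues the signing certificate with the code_signing extensions.
    openssl x509 -req -in "$dir/custom_ima.csr" -days 365 -sha256 \
        -extfile "$dir/ima.conf" -extensions code_signing \
        -CA "$dir/custom_ima_ca.pem" -CAkey "$dir/custom_ima_ca.priv" -CAcreateserial \
        -out "$dir/ima.pem" 2>/dev/null || return 1
    # DER copies: custom_ima_ca.der for the trusted keyring, ima.der for .ima.
    openssl x509 -in "$dir/custom_ima_ca.pem" -outform DER -out "$dir/custom_ima_ca.der" &&
    openssl x509 -in "$dir/ima.pem" -outform DER -out "$dir/ima.der"
}

# Print one X.509v3 extension of a PEM certificate; empty if it is absent.
cert_ext() { openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null; }

# Return 0 only if the pair meets the prerequisites of this section.
ima_check_chain() {
    dir="$1"; ca="$dir/custom_ima_ca.pem"; leaf="$dir/ima.pem"
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 ||
        { echo "ima.pem is not issued by custom_ima_ca.pem" >&2; return 1; }
    cert_ext "$ca" basicConstraints | grep -q 'CA:TRUE' ||
        { echo "CA: basicConstraints CA:TRUE missing" >&2; return 1; }
    cert_ext "$ca" keyUsage | grep -q 'Certificate Sign' ||
        { echo "CA: keyCertSign missing" >&2; return 1; }
    if cert_ext "$ca" keyUsage | grep -q 'Digital Signature'; then
        echo "CA: digitalSignature must not be set" >&2; return 1
    fi
    cert_ext "$leaf" keyUsage | grep -q 'Digital Signature' ||
        { echo "signing cert: digitalSignature missing" >&2; return 1; }
    [ -n "$(cert_ext "$leaf" subjectKeyIdentifier)" ] ||
        { echo "signing cert: subjectKeyIdentifier missing" >&2; return 1; }
    echo "ok: ima.der is ready for keyctl padd and /etc/keys/ima"
}

# Typical use: ima_make_keys /root/ima-keys && ima_check_chain /root/ima-keys
```

If you keep the CA only in DER form, as the procedure above does, pass -CAform DER to openssl x509 and -CAfile with a PEM conversion to openssl verify; the checks themselves do not change.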

25.4. Loading an IMA policy signed by your custom IMA key

Load an IMA policy signed with your custom IMA key to maintain system integrity and ensure only trusted, authenticated policies are applied during system startup or runtime.

Note

This procedure applies only to x86_64 and aarch64 systems with UEFI Secure Boot enabled, and to ppc64le systems running PowerVM Secure Boot.

Prerequisites

  • You have created a custom IMA CA key and a custom IMA code signing certificate issued by it, and the CA key is present in one of the kernel's trusted keyrings. See Creating custom IMA keys using OpenSSL.
  • You have root privileges on the system.

Procedure

  1. Add your custom IMA code signing certificate, in DER format, to the .ima keyring. The kernel accepts it only if it was issued by an IMA CA key in a trusted keyring:

    # keyctl padd asymmetric <KEY_SUBJECT> %:.ima < <PATH_TO_YOUR_CUSTOM_IMA_KEY>
  2. Prepare your IMA policy and sign it with the private key of your custom IMA code signing key. evmctl stores the signature in the security.ima extended attribute of the policy file, so the file itself is unchanged:

    # evmctl ima_sign <PATH_TO_YOUR_CUSTOM_IMA_POLICY> -k <PATH_TO_YOUR_PRIVATE_IMA_CODE_SIGNING_KEY>
  3. Load the signed IMA policy:

    # echo <PATH_TO_YOUR_CUSTOM_IMA_POLICY> > /sys/kernel/security/ima/policy
  4. Check the exit status of the previous command:

    # echo $?
    0

    An exit status of 0 indicates that the IMA policy was loaded successfully. A nonzero value means that the kernel rejected the policy; the reason appears in the kernel log and in the audit log.

    Warning

    Do not skip this step. If you do, your system might fail to boot and you need to recover your system.

    If the IMA policy fails to load, repeat the steps 2, 3, and 4 to fix the issue.

  5. Copy the signed IMA policy to /etc/ima/ima-policy so that systemd loads it automatically on boot. The --preserve=xattr option keeps the signature, which lives in the security.ima extended attribute:

    # cp --preserve=xattr <PATH_TO_YOUR_CUSTOM_IMA_POLICY> /etc/ima/ima-policy
  6. Copy your custom IMA code signing certificate to /etc/keys/ima/, where the dracut integrity module picks it up and loads it into the .ima keyring during boot:

    # cp <PATH_TO_YOUR_CUSTOM_IMA_KEY> /etc/keys/ima/
  7. Copy the dracut integrity module configuration file:

    # cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
  8. Regenerate the initial RAM disk:

    # dracut -f
    • Additionally for s390x systems:

      # zipl

Verification

  • Verify that the IMA policy is loaded successfully:

    # cat /sys/kernel/security/ima/policy

    The output should include the rules from your custom IMA policy.
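Steps 2 to 5 of this procedure as one guarded sequence, added here as an example and not taken from the Red Hat documentation. It refuses a relative path up front, which the kernel would otherwise reject with the "specified as an absolute pathname" message shown in the troubleshooting section, verifies the signature with evmctl when the tool and the certificate are at hand, loads the policy, and installs it only when the kernel accepted it. The securityfs path is a parameter so that the logic can be exercised against a plain file without root; the key and policy paths are assumptions.

```sh
#!/bin/sh
# Added example, not from the Red Hat documentation: the load-and-check
# sequence of the procedure above as one function set. The securityfs path is
# a parameter so the logic can be run against a plain file without root; on a
# real host leave it at the default. Key and policy paths are assumptions.

IMA_POLICY_SYSFS=/sys/kernel/security/ima/policy

# Refuse what the kernel would refuse: a relative path, a missing file, or,
# when evmctl and the DER certificate are available, a signature that fails.
ima_policy_preflight() {
    policy="$1"; cert="$2"
    case "$policy" in
        /*) ;;
        *) echo "policy path must be absolute: $policy" >&2; return 1 ;;
    esac
    [ -f "$policy" ] || { echo "no such policy file: $policy" >&2; return 1; }
    if [ -n "$cert" ] && command -v evmctl >/dev/null 2>&1; then
        evmctl ima_verify -k "$cert" "$policy" >/dev/null 2>&1 ||
            { echo "security.ima signature on $policy does not verify with $cert" >&2; return 1; }
    fi
    return 0
}

# Write the path into securityfs (or the stand-in file) and return the
# kernel's verdict as the exit status, which is the check step 4 insists on.
ima_policy_load() {
    policy="$1"; sink="${2:-$IMA_POLICY_SYSFS}"
    if echo "$policy" > "$sink"; then
        echo "loaded $policy"; return 0
    fi
    echo "kernel rejected $policy: check dmesg and the audit log before going on" >&2
    return 1
}

# Install only a policy the kernel has accepted, keeping its security.ima xattr.
ima_policy_install() {
    cp --preserve=xattr -- "$1" "${2:-/etc/ima/ima-policy}"
}

# deploy POLICY [CERT] [SYSFS_PATH] [DESTINATION]
ima_policy_deploy() {
    ima_policy_preflight "$1" "$2" && ima_policy_load "$1" "$3" && ima_policy_install "$1" "$4"
}

# Real use, as root on a host with Secure Boot enabled:
#   ima_policy_deploy /root/ima-policy /etc/keys/ima/ima.der
```

Because evmctl writes the signature into an extended attribute, every copy of the policy file must preserve it; `ima_policy_install` uses --preserve=xattr for that reason, and a plain cp would produce the unsigned-policy failure described in the next section.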

25.5. Troubleshooting systemd failure to load the IMA policy

If systemd fails to load the /etc/ima/ima-policy file, the system may hang and display a Freezing execution error. You can troubleshoot and recover the system from this state by using the methods described in this procedure.

[    5.829882] ima: policy update failed
[    5.830094] ima: signed policy file (specified as an absolute pathname) required
[!!!!!!] Failed to load IMA policy.
…
[    5.859994] systemd[1]: Freezing execution.

There are three methods that you can use to recover your system.

25.5.1. Turn off Secure Boot

If system startup fails because an unsigned IMA policy cannot load, temporarily disable Secure Boot. With Secure Boot enabled, the kernel's architecture-specific IMA policy requires /etc/ima/ima-policy to carry a valid IMA signature; with Secure Boot disabled, the unsigned policy loads, so you can sign it and then re-enable Secure Boot.

[    5.661906] ima: policy update failed
[    5.662290] ima: signed policy file (specified as an absolute pathname) required
[    5.662496] systemd[1]: Failed to load the IMA custom policy file /etc/ima/ima-policy1: Permission denied
[    5.662663] ima: policy update failed
[    5.662856] audit: type=1800 audit(1744968172.925:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=appraise_data cause=IMA-signature-required comm="systemd" name="/etc/ima/ima-policy" dev="vda3" ino=25679834 res=0 errno=0
[    5.663205] audit: type=1802 audit(1744968172.925:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=policy_update cause=failed comm="systemd" res=0 errno=0
[!!!!!!] Failed to load IMA policy.

As a workaround, you can turn off Secure Boot temporarily and follow Deploying a custom signed IMA policy for UEFI systems to fix the issue.

25.5.2. Booting the system with the init=/bin/bash kernel parameter

Boot the system with the init=/bin/bash kernel parameter to access a shell for system recovery or troubleshooting.

  1. Modify the bootloader entry and add the init=/bin/bash kernel parameter.
  2. After you access the shell, remount the root file system with write permissions:

    # mount -o remount,rw /
  3. Rename /etc/ima/ima-policy to /etc/ima/ima-policy.bak so that systemd does not find it on the next boot:

    # mv /etc/ima/ima-policy /etc/ima/ima-policy.bak
  4. Enable the SysRq key:

    # echo 1 > /proc/sys/kernel/sysrq
  5. Sync the file systems and reboot through SysRq, because no init process is running to perform a regular reboot. Use two separate writes so that both keys are handled on any kernel version:

    # echo s > /proc/sysrq-trigger
    # echo b > /proc/sysrq-trigger
  6. After the system has booted, resolve any issues in /etc/ima/ima-policy.bak and verify that the policy can be loaded:

    # echo /etc/ima/ima-policy.bak >> /sys/kernel/security/integrity/ima/policy
  7. Rename /etc/ima/ima-policy.bak back to /etc/ima/ima-policy:

    # mv /etc/ima/ima-policy.bak /etc/ima/ima-policy

25.5.3. Booting the system with the initcall_blacklist=init_ima kernel parameter

Boot the system with the initcall_blacklist=init_ima kernel parameter when the system hangs with systemd[1]: Freezing execution. The parameter skips the IMA initialization call, so the kernel performs no measurement or appraisal during that boot and the policy in /etc/ima/ima-policy is not loaded.

  1. Modify the boot loader entry and add the initcall_blacklist=init_ima kernel parameter.
  2. Rename /etc/ima/ima-policy to /etc/ima/ima-policy.bak:

    # mv /etc/ima/ima-policy /etc/ima/ima-policy.bak
  3. Reboot the system without the parameter:

    # systemctl reboot
  4. Resolve any issues in /etc/ima/ima-policy.bak and verify that the policy can be loaded:

    # echo /etc/ima/ima-policy.bak >> /sys/kernel/security/integrity/ima/policy
  5. Rename /etc/ima/ima-policy.bak back to /etc/ima/ima-policy:

    # mv /etc/ima/ima-policy.bak /etc/ima/ima-policy
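After you have recovered the system with one of the methods above, the messages from the failed boot are still in the journal (journalctl -b -1 -k). The following script is an added example, not part of the Red Hat documentation: it extracts fields from the type=1800 and type=1802 audit records shown in this section and maps the kernel messages to the recovery method that fits them. The sample lines it handles are the ones printed above; anything else is reported as not an IMA failure.

```sh
#!/bin/sh
# Added example, not from the Red Hat documentation: triage of a failed IMA
# policy load from the previous boot's kernel and audit messages.

# Print the value of KEY from an audit record; handles key=value and key="value".
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Read log lines on stdin and print "<verdict>: <what to do>".
ima_policy_triage() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'signed policy file (specified as an absolute pathname) required' ||
       printf '%s\n' "$log" | grep -q 'cause=IMA-signature-required'; then
        # Secure Boot is on and the kernel's arch policy demands a signed policy.
        echo "unsigned-policy: sign /etc/ima/ima-policy with your IMA key, or turn off Secure Boot temporarily and re-enable it once the policy is signed"
    elif printf '%s\n' "$log" | grep -q 'ima: policy update failed'; then
        # The kernel parsed and refused a rule: the file itself is wrong.
        echo "bad-policy: boot with init=/bin/bash or initcall_blacklist=init_ima, move the policy aside and fix the rule it rejects"
    elif printf '%s\n' "$log" | grep -q 'Freezing execution'; then
        echo "unknown-ima-failure: read the ima: lines before the freeze in journalctl -b -1 -k"
    else
        echo "no-ima-failure"
    fi
}

# Print the op/cause/name/result of every IMA audit record on stdin.
ima_audit_summary() {
    grep 'type=180[0-9]' | while IFS= read -r rec; do
        printf 'op=%s cause=%s name=%s res=%s\n' \
            "$(audit_field "$rec" op)" "$(audit_field "$rec" cause)" \
            "$(audit_field "$rec" name)" "$(audit_field "$rec" res)"
    done
}

# Typical use after recovery:
#   journalctl -b -1 -k -o cat | ima_policy_triage
#   ausearch -m INTEGRITY_DATA,INTEGRITY_POLICY_RULE -ts boot | ima_audit_summary
```

The distinction the script draws matters for the fix: IMA-signature-required means the policy file was fine as a policy and only lacked a signature under Secure Boot, whereas a bare policy update failed means a rule the kernel does not accept.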

25.6. Signing custom built packages

Sign custom built packages before deployment using the rpm-sign tool and IMA code signing key to maintain system integrity.

Prerequisites

  • You have root privileges on your system.
  • You have a custom built package that you want to sign.
  • You have the IMA code signing key.
  • You have the rpm-sign tool installed.
  • Custom IMA keys are created. See Creating custom IMA keys using OpenSSL.

Procedure

  1. Use rpmsign --signfiles to sign the package and the files in it:

    # rpmsign --define "_gpg_name <GPG_KEY_NAME>" --addsign --signfiles --fskpass --fskpath=<PATH_TO_YOUR_PRIVATE_IMA_CODE_SIGNING_KEY> <PATH_TO_YOUR_RPM>
    --define "_gpg_name <GPG_KEY_NAME>"
    Selects the GPG key that signs the package header and payload; the IMA code signing key signs each file in the package.
    --addsign
    Adds the signature to the package.
    --signfiles
    Signs each file in the package and stores the IMA signatures in the package header, where rpm-plugin-ima reads them at installation time.
    --fskpass
    Prompts for the password of the IMA code signing key so that you do not have to enter it repeatedly.
    --fskpath
    Specifies the path to the private IMA code signing key.

Verification

  • To verify that the files in the package carry IMA signatures, query the package file:

    # rpm -qp --queryformat "[%{FILENAMES} %{FILESIGNATURES}\n]" <PATH_TO_YOUR_RPM>
    /usr/bin/YOUR_BIN 030204...
    /usr/lib/YOUR_LIB.so 030204...
    ...

    Each signature starts with the IMA signature header: type 03 (signature), version 02, and the hash algorithm byte, 04 for SHA-256. A file without a signature shows no value after its name.

25.7. Comparison of IMA and fapolicyd

Compare IMA and fapolicyd as tools for enforcing file integrity. Both check files at runtime, when they are opened or executed: IMA does so inside the kernel from early boot onward, whereas fapolicyd is a user-space daemon that can enforce only after it has started.

The following list can help you determine which tool meets your requirements:

  • IMA verifies digital signatures to ensure integrity, while fapolicyd currently supports only hash-based verification.
  • IMA operates in kernel space, while fapolicyd operates in user space.
  • fapolicyd supports basic integrity verification by checking file size and can also verify reference hash values stored in security.ima.
  • IMA and fapolicyd use different policy syntax. For example, fapolicyd supports path-based policies, but IMA does not.