24.4. Loading an IMA policy signed by your custom IMA key
To maintain your system's integrity and meet the security requirements of your organization, you can load an IMA policy that is signed with your own custom IMA key. Because the kernel accepts only policies whose signature chains to a key it already trusts, this ensures that only trusted, authenticated policies are applied at system startup or at runtime.
This procedure applies only to x86_64 and aarch64 systems with UEFI Secure Boot enabled, and to ppc64le systems running PowerVM Secure Boot.
Prerequisites
- You must have root privileges on your system.
- UEFI Secure Boot is enabled for Red Hat Enterprise Linux, or the kernel is booted with the ima_policy=secure_boot parameter, so that only a signed IMA policy can be loaded.
- The custom IMA CA key has been added to the MOK list. For more information, see Enrolling public key on target system by adding the public key to the MOK list.
- The kernel version is 5.14 or later.
- Good reference values have been generated for the IMA policy. For more information, see Generate good reference values for IMA appraisal.
Procedure
1. Add your custom IMA code signing key to the .ima keyring:
   # keyctl padd asymmetric <KEY_SUBJECT> %:.ima < <PATH_TO_YOUR_CUSTOM_IMA_KEY>
2. Prepare your IMA policy and sign it with your custom IMA code signing key:
   # evmctl ima_sign <PATH_TO_YOUR_CUSTOM_IMA_POLICY> -k <PATH_TO_YOUR_CUSTOM_IMA_KEY>
   evmctl stores the signature in the security.ima extended attribute of the policy file, so the signed policy is the same file, now carrying that attribute.
3. Load the signed IMA policy:
   # echo <PATH_TO_YOUR_CUSTOM_SIGNED_IMA_POLICY> > /sys/kernel/security/ima/policy
   # echo $?
   0
   0 indicates that the IMA policy was loaded successfully. A nonzero value means the IMA policy was not loaded; the kernel records the reason (a rejected signature or an unparsable rule) in the audit log or dmesg, so check there before retrying.
   Warning: Do not skip this step. If you do, your system might fail to boot and you will need to recover your system.
   If the IMA policy fails to load, repeat steps 2 and 3 to fix the issue.
4. Copy the signed IMA policy to /etc/ima/ima-policy so that systemd loads it automatically on boot:
   # cp --preserve=xattr <PATH_TO_YOUR_CUSTOM_IMA_POLICY> /etc/ima/ima-policy
   The --preserve=xattr option is required: a copy made without it loses the security.ima signature, and the kernel rejects the unsigned file at boot.
5. Automatically add your custom IMA code signing key to the .ima keyring on boot by using the dracut integrity module:
   # cp <PATH_TO_YOUR_CUSTOM_IMA_KEY> /etc/keys/ima/
   # cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
   # dracut -f
   Additionally, on s390x systems:
   # zipl
Verification
Verify that the IMA policy is loaded successfully:
# cat /sys/kernel/security/ima/policy
The output should include the rules from your custom IMA policy.
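As an added example that is not part of this procedure or of Red Hat's tooling, the following shell helpers wrap the load step and the verification above: they refuse to load a file that carries no security.ima signature, write its path to the securityfs policy node, and then check that every rule of the policy appears in the kernel's view of the policy. The helper names, the IMA_POLICY_NODE variable and the sample rules inside demo_policy_check are assumptions of this example; getfattr (from the attr package) is the real tool it calls.

```shell
#!/bin/sh
# Added example, not part of the RHEL documentation. Helper names,
# IMA_POLICY_NODE and the sample rules below are this example's own.

IMA_POLICY_NODE="${IMA_POLICY_NODE:-/sys/kernel/security/ima/policy}"

# Print one rule per line with comments dropped and the tokens of each rule
# sorted. The kernel reprints rules in its own field order (for example
# "appraise fowner=0 func=BPRM_CHECK" comes back as
# "appraise func=BPRM_CHECK fowner=0"), so sorted tokens compare fairly.
normalize_rules() {
    sed -e 's/#.*$//' "$1" | while IFS= read -r line || [ -n "$line" ]; do
        tokens=$(set -f; printf '%s\n' $line | sort | paste -s -d ' ' -)
        if [ -n "$tokens" ]; then
            printf '%s\n' "$tokens"
        fi
    done
}

# Return 0 when every rule in policy file $1 is present in $2 (a file holding
# the kernel's view, normally $IMA_POLICY_NODE); list missing rules otherwise.
policy_rules_loaded() {
    want=$(mktemp) || return 2
    have=$(mktemp) || { rm -f "$want"; return 2; }
    normalize_rules "$1" | sort -u > "$want"
    normalize_rules "$2" | sort -u > "$have"
    missing=$(comm -23 "$want" "$have")
    rm -f "$want" "$have"
    if [ -n "$missing" ]; then
        printf 'rules not present in the loaded policy:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# True when the file carries a security.ima extended attribute, which is where
# evmctl ima_sign puts the signature the kernel checks under secure_boot policy.
policy_is_signed() {
    getfattr -n security.ima --only-values "$1" >/dev/null 2>&1
}

# Load the signed policy and confirm its rules are now in force.
# Needs root on the target system; the securityfs write is the actual load.
load_and_verify_policy() {
    policy="$1"
    if ! policy_is_signed "$policy"; then
        echo "$policy has no security.ima signature; sign it with evmctl ima_sign first" >&2
        return 1
    fi
    if ! echo "$policy" > "$IMA_POLICY_NODE"; then
        echo "kernel rejected $policy; check the audit log or dmesg for the reason" >&2
        return 1
    fi
    policy_rules_loaded "$policy" "$IMA_POLICY_NODE"
}

# Offline demonstration with constructed data: a three-rule sample policy and
# what the kernel would print back for it, with the field order changed the
# way the kernel does. Pass "drop" to simulate a rule that did not load.
# Returns 0 when the check passes and 1 when a rule is missing.
demo_policy_check() {
    p=$(mktemp) || return 2
    k=$(mktemp) || { rm -f "$p"; return 2; }
    cat > "$p" <<'EOF'
# constructed sample policy for this example, not one to deploy as-is
dont_measure fsmagic=0x9fa0
measure func=BPRM_CHECK mask=MAY_EXEC
appraise fowner=0 func=BPRM_CHECK appraise_type=imasig
EOF
    {
        echo 'dont_measure fsmagic=0x9fa0'
        echo 'measure func=BPRM_CHECK mask=MAY_EXEC'
        [ "${1:-}" = drop ] || echo 'appraise func=BPRM_CHECK fowner=0 appraise_type=imasig'
    } > "$k"
    policy_rules_loaded "$p" "$k"; ok=$?
    rm -f "$p" "$k"
    return "$ok"
}

# Usage on the target system (as root):
#   sh this_script.sh <PATH_TO_YOUR_CUSTOM_SIGNED_IMA_POLICY>
if [ -n "${1:-}" ]; then
    load_and_verify_policy "$1"
fi
```

Because the kernel reprints rules in its own field order and number format, the comparison sorts the tokens of each rule; a reported mismatch is a prompt to inspect cat /sys/kernel/security/ima/policy by hand, not proof that the load failed. For a stronger preflight than checking that the attribute exists, run evmctl ima_verify -k <your certificate> on the policy file before loading it.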