
Friday, May 17, 2024

Integrity Measurement Architecture (IMA) on Raspbian

What is IMA?

Linux Integrity Measurement Architecture (IMA) is a subsystem in the Linux kernel that provides mechanisms for ensuring the integrity of files, directories, and critical system components. IMA is part of the Linux kernel's security infrastructure and is used to detect and prevent unauthorized changes to the system.

What is EVM?

Linux Extended Verification Module (EVM) is a security feature in the Linux kernel designed to enhance the integrity of the system by protecting extended attributes (xattrs) of files. These attributes often include security-related metadata, such as those used by the Integrity Measurement Architecture (IMA), Linux Security Modules (LSMs) like SELinux or Smack, and other extended attributes.

Exploring some use cases

Enable IMA, EVM and build kernel

$ diff defconfig ./arch/arm/configs/bcm2709_defconfig
672a673
> CONFIG_TCG_TPM=m
1499,1500d1499
< CONFIG_IMA=y
< CONFIG_EVM=y
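Review bot: the diff is taken with the modified defconfig as the first argument, so the `<` lines (CONFIG_IMA=y, CONFIG_EVM=y) are what the new config has and the `>` line (CONFIG_TCG_TPM=m) is what only the stock bcm2709_defconfig has, meaning the new config dropped the TPM driver. If that was unintentional it should stay in, since IMA can only extend its measurements into a TPM PCR when a TPM driver is present; the signature test below works without one, but the runtime measurement list listed later is only anchored in hardware with it. Running `diff` with the stock file first would also make the output read in the usual "what was added" direction.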

Boot with the kernel and check that IMA, EVM are present

root@raspberrypi:~# find /sys/kernel/security/
/sys/kernel/security/
/sys/kernel/security/evm
/sys/kernel/security/ima
/sys/kernel/security/integrity
/sys/kernel/security/integrity/evm
/sys/kernel/security/integrity/evm/evm
/sys/kernel/security/integrity/ima
/sys/kernel/security/integrity/ima/policy
/sys/kernel/security/integrity/ima/violations
/sys/kernel/security/integrity/ima/runtime_measurements_count
/sys/kernel/security/integrity/ima/ascii_runtime_measurements
/sys/kernel/security/integrity/ima/binary_runtime_measurements
/sys/kernel/security/lsm

Test digital signature validation of immutable files

The package ima-evm-utils was not available for my version of Raspbian:

$ apt-cache search ima-evm-utils
$

Download, configure, build, install

$ git clone https://github.com/stefanberger/ima-evm-utils.git
$ cd ima-evm-utils/
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install
$ sudo ldconfig

Generate a key pair

pi@raspberrypi:~ $ openssl genrsa -out rsa_private.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................+++++
.....................+++++
e is 65537 (0x010001)
pi@raspberrypi:~ $ openssl rsa -pubout -in rsa_private.pem -out rsa_public.pem
writing RSA key

Import public key into keyring

pi@raspberrypi:~ $ sudo evmctl import --rsa rsa_public.pem $(keyctl newring _ima @u)
Importing public key F0D70A9FC543B7FD from file rsa_public.pem into keyring 348838330
keyid: 975180608
975180608

Test on hello world executable

pi@raspberrypi:~ $ cat hello.c
#include <stdio.h>

int main()
{
        printf("Hello world\n");
        return 0;
}
pi@raspberrypi:~ $ gcc hello.c -o hello
pi@raspberrypi:~ $ sudo evmctl ima_sign --key rsa_private.pem hello
hash(sha1): c7a17949155c2e35f0065551f4cc04adaf466eb3
evm/ima signature: 264 bytes

pi@raspberrypi:~ $ getfattr -m . -d ./hello
# file: hello
security.ima=0sAwICm9fPhwEAJfjxXOMJuyXcJ0CdzjdfAVRdftfHCW44L/57wckvqoYFb20UWJWkNyvb6f0hZ0dbC+RVYtf/2z59QZcmOzhAh/u0vmIHS/9gS4QEFE3mkgEeoY0OgQlSZQC9B9nkepoxkvHG/96G0xf9i+uw1nNgeFUgSQtvqAs1h2Kvzh0ROY3dMqCuc4WSE0IXQRBEfM7OoK0e6mY/SsyY+8+zHbHn1W+kdu8RgCE0FDdRF1PhUwrNM8CwSHVZiYOuoEz0x09afPlEGdw/ugymCFCz34/HMcK/OZt++/XM6ku01abNoIKKaIg3pwlnjUHu7KjUejs4CCearja0id0FghmbU5O1zg==
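The security.ima value above is the raw signature header that evmctl ima_sign wrote, base64-encoded by getfattr with its "0s" prefix. The following parser is an added example, not part of the original post or of ima-evm-utils; it decodes the page's own value into the header fields (type byte, version, hash algorithm, key id, signature size) and also builds a value in the same layout so the round trip can be checked. The constant names and the HASH_ALGOS table are assumptions chosen here, mirroring the kernel's signature_v2_hdr layout.

```python
import base64
import struct

# Hash algorithm ids as used in the IMA signature header (kernel enum hash_algo).
# Only the entries needed here are listed; sha1 (2) is what the page's evmctl run used.
HASH_ALGOS = {1: "md5", 2: "sha1", 4: "sha256", 6: "sha512"}

# First byte of security.ima for a digital signature (plain hash xattrs use other type bytes).
EVM_IMA_XATTR_DIGSIG = 0x03


def parse_ima_digsig(xattr_value: str) -> dict:
    """Parse the getfattr rendering of security.ima ("0s" + base64) into its fields.

    Layout (struct signature_v2_hdr): type(1) | version(1) | hash_algo(1) |
    keyid(4, big-endian) | sig_size(2, big-endian) | signature(sig_size bytes).
    """
    if not xattr_value.startswith("0s"):
        raise ValueError("getfattr encodes binary xattrs as 0s<base64>")
    raw = base64.b64decode(xattr_value[2:])
    if raw[0] != EVM_IMA_XATTR_DIGSIG:
        raise ValueError(f"not a digital signature xattr, type byte 0x{raw[0]:02x}")
    version, algo, keyid, sig_size = struct.unpack(">BBIH", raw[1:9])
    sig = raw[9:]
    if len(sig) != sig_size:  # a truncated or padded xattr would never verify
        raise ValueError(f"signature length mismatch: header says {sig_size}, got {len(sig)}")
    return {"type": raw[0], "version": version,
            "hash_algo": HASH_ALGOS.get(algo, f"unknown({algo})"),
            "keyid": f"{keyid:08x}", "sig_size": sig_size, "signature": sig}


def build_ima_digsig(hash_algo_id: int, keyid: int, signature: bytes) -> str:
    """Inverse of the parser: the 0s<base64> form evmctl ima_sign writes for a v2 signature."""
    hdr = bytes([EVM_IMA_XATTR_DIGSIG]) + struct.pack(">BBIH", 2, hash_algo_id, keyid, len(signature))
    return "0s" + base64.b64encode(hdr + signature).decode()


# Copied from the getfattr output for the page's hello binary (split only for line length).
PAGE_XATTR = (
    "0sAwICm9fPhwEAJfjxXOMJuyXcJ0CdzjdfAVRdftfHCW44L/57wckvqoYFb20UWJWkNyvb6f0hZ0dbC+RV"
    "Ytf/2z59QZcmOzhAh/u0vmIHS/9gS4QEFE3mkgEeoY0OgQlSZQC9B9nkepoxkvHG/96G0xf9i+uw1nNg"
    "eFUgSQtvqAs1h2Kvzh0ROY3dMqCuc4WSE0IXQRBEfM7OoK0e6mY/SsyY+8+zHbHn1W+kdu8RgCE0FDdR"
    "F1PhUwrNM8CwSHVZiYOuoEz0x09afPlEGdw/ugymCFCz34/HMcK/OZt++/XM6ku01abNoIKKaIg3pwln"
    "jUHu7KjUejs4CCearja0id0FghmbU5O1zg=="
)

if __name__ == "__main__":
    info = parse_ima_digsig(PAGE_XATTR)
    print({k: v for k, v in info.items() if k != "signature"})
```

The 264 bytes evmctl reported are the 8-byte header plus the 256-byte RSA-2048 signature; the type byte in front makes the stored xattr 265 bytes.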



Wednesday, April 1, 2020

TP-Link TL WN823N on Raspberry Pi 2B

Although this page -
https://elinux.org/RPi_USB_Wi-Fi_Adapters
states -
TL-WN823N Works out of box on Raspbian using powered USB Hub

For me, although it was identified on USB, wlan0 did not exist.

The procedure from -
https://www.raspberrypi.org/forums/viewtopic.php?p=462982#p462982

resolved it, such that:
pi@raspberrypi:~ $ dmesg |grep -E "8192eu|wlan"
[    6.130806] 8192eu: loading out-of-tree module taints kernel.
[    6.282145] RTL871X: rtl8192eu v4.4.1_17696.20160509_BTCOEX20160412-0042
[    6.282164] RTL871X: rtl8192eu BT-Coex version = BTCOEX20160412-0042
[    6.417300] RTL871X: rtw_ndev_init(wlan0) if1 mac_addr=50:3e:aa:86:9d:85
[    6.419838] usbcore: registered new interface driver rtl8192eu
[   11.433648] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   20.945234] RTL871X: rtw_set_802_11_connect(wlan0)  fw_state=0x00000008
[   22.527221] RTL871X: rtw_cfg80211_indicate_connect(wlan0) BSS not found !!
[   23.053309] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready

pi@raspberrypi:~ $ lsusb
Bus 001 Device 004: ID 2357:0109 TP-Link TL WN823N RTL8192EU

pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.19.113-v7+ #1300 SMP Thu Mar 26 16:53:09 GMT 2020 armv7l GNU/Linux
pi@raspberrypi:~ $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

Friday, October 2, 2015

TP-Link TL-WN821N v2 on Raspbian Jessie

Problem -

[  176.283254] usb 1-1.2: new high-speed USB device number 5 using dwc_otg
[  176.431063] usb 1-1.2: New USB device found, idVendor=0cf3, idProduct=1002
[  176.431089] usb 1-1.2: New USB device strings: Mfr=16, Product=32, SerialNumber=48
[  176.431107] usb 1-1.2: Product: USB2.0 WLAN
[  176.431123] usb 1-1.2: Manufacturer: ATHER
[  176.431139] usb 1-1.2: SerialNumber: 12345
[  176.633242] usb 1-1.2: reset high-speed USB device number 5 using dwc_otg
[  176.769865] usbcore: registered new interface driver carl9170
[  176.770955] usb 1-1.2: Direct firmware load for carl9170-1.fw failed with error -2
[  176.770980] usb 1-1.2: firmware not found.

pi@raspberrypi ~/Downloads $ lsusb
...
Bus 001 Device 009: ID 0cf3:1002 Atheros Communications, Inc. TP-Link TL-WN821N v2 802.11n [Atheros AR9170]
...

Solution

pi@raspberrypi ~/Downloads $ sudo aptitude install firmware-linux-free
The following NEW packages will be installed:
  firmware-linux-free
0 packages upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 19.1 kB of archives. After unpacking 90.1 kB will be used.
Get: 1 http://mirrordirector.raspbian.org/raspbian/ jessie/main firmware-linux-free all 3.3 [19.1 kB]
Fetched 19.1 kB in 0s (44.0 kB/s)            
Selecting previously unselected package firmware-linux-free.
(Reading database ... 116795 files and directories currently installed.)
Preparing to unpack .../firmware-linux-free_3.3_all.deb ...
Unpacking firmware-linux-free (3.3) ...
Setting up firmware-linux-free (3.3) ...
update-initramfs: deferring update (trigger activated)
Processing triggers for initramfs-tools (0.120) ...
                                       
Result

[14402.310944] usb 1-1.2: new high-speed USB device number 9 using dwc_otg
[14402.459068] usb 1-1.2: New USB device found, idVendor=0cf3, idProduct=1002
[14402.459096] usb 1-1.2: New USB device strings: Mfr=16, Product=32, SerialNumber=48
[14402.459114] usb 1-1.2: Product: USB2.0 WLAN
[14402.459129] usb 1-1.2: Manufacturer: ATHER
[14402.459145] usb 1-1.2: SerialNumber: 12345
[14402.560962] usb 1-1.2: reset high-speed USB device number 9 using dwc_otg
[14402.698503] usb 1-1.2: driver   API: 1.9.7 2012-12-15 [1-1]
[14402.698543] usb 1-1.2: firmware API: 1.9.6 2012-07-07
[14403.050326] ath: EEPROM regdomain: 0x809c
[14403.050351] ath: EEPROM indicates we should expect a country code
[14403.050365] ath: doing EEPROM country->regdmn map search
[14403.050377] ath: country maps to regdmn code: 0x52
[14403.050390] ath: Country alpha2 being used: CN
[14403.050401] ath: Regpair used: 0x52
[14403.080221] ieee80211 phy1: Selected rate control algorithm 'minstrel_ht'
[14403.084478] cfg80211: Calling CRDA to update world regulatory domain
[14403.099237] input: phy1 WPS Button as /devices/platform/soc/3f980000.usb/usb1/1-1/1-1.2/1-1.2:1.0/ieee80211/phy1/input2
[14403.099912] usb 1-1.2: Atheros AR9170 is registered as 'phy1'
[14403.559455] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready

If necessary,
manually update wpa_supplicant as described at the link below -
https://www.raspberrypi.org/documentation/configuration/wireless/wireless-cli.md

Oct  2 20:39:21 raspberrypi kernel: [  395.645848] wlan0: authenticate with 00:22:07:37:dd:a7
Oct  2 20:39:21 raspberrypi kernel: [  395.780519] wlan0: send auth to 00:22:07:37:dd:a7 (try 1/3)
Oct  2 20:39:21 raspberrypi kernel: [  395.780780] cfg80211: Calling CRDA to update world regulatory domain
Oct  2 20:39:21 raspberrypi kernel: [  395.782417] wlan0: authenticated
Oct  2 20:39:21 raspberrypi kernel: [  395.786584] wlan0: associate with 00:22:07:37:dd:a7 (try 1/3)
Oct  2 20:39:21 raspberrypi kernel: [  395.790141] wlan0: RX AssocResp from 00:22:07:37:dd:a7 (capab=0x411 status=0 aid=7)
Oct  2 20:39:21 raspberrypi kernel: [  395.799474] wlan0: associated
Oct  2 20:39:21 raspberrypi kernel: [  395.799637] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready