Currently, I can run the Linux kernel's IMA/EVM with busybox, and need some settings to enable this kernel feature.

The key point is that evmctl (a user-space program) will get the UUID with the command "blkid -s UUID -o value /dev/block/3:0" when the user wants to sign a file (e.g. evmctl sign --imasig ./test.sh /root/rsa_private.pem). In order to let evmctl get the UUID's related string, we need to create the path /dev/block/3:0.

1. In etc/init.d/rcS:

    mkdir -p /dev/pts
    mkdir -p /dev/block    <= Must create this folder
    mount -t proc none /proc
    mount -t sysfs none /sys
    mount -t securityfs none /sys/kernel/security   # Enable IMA/EVM's securityfs
    echo /sbin/mdev > /proc/sys/kernel/hotplug
    mdev -s
    ... do some other mount actions

2. In /etc/mdev.conf we need to add a symbolic link, something like /dev/block/3:0:

    hd[a-z]* 0:6 660 *ln -sf /dev/$MDEV /dev/block/$(ls -l /dev/$MDEV|awk '{print $5}'|tr -d ','):$(ls -l /dev/$MDEV|awk '{print $6}')
    sd[a-z]* 0:6 660 *ln -sf /dev/$MDEV /dev/block/$(ls -l /dev/$MDEV|awk '{print $5}'|tr -d ','):$(ls -l /dev/$MDEV|awk '{print $6}')

If $MDEV is hda then it will do the following:

    hda's Major=`ls -l /dev/hda | awk '{print $5}' | tr -d ','`
    hda's Minor=`ls -l /dev/$MDEV | awk '{print $6}'`
    create links: ln -sf /dev/hda /dev/block/$MAJOR:$MINOR

Could we add this setting as a commented example in busybox-1.29.3/examples/mdev.conf?
Created attachment 7826: Add comments to give an example of running with the Linux kernel's IMA/EVM
Thanks to Bernhard Reutner-Fischer's suggestions on the mailing list, the rule will be updated as follows:

    [hs]d[a-z]* 0:6 660 *ln -sf /dev/$MDEV /dev/block/$(printf "%d:%d" $(stat -c "0x%t 0x%T" /dev/$MDEV))
Created attachment 7831: Update mdev.conf setting rules for using the Linux kernel's IMA/EVM

Thanks to Bernhard Reutner-Fischer for providing a better setting example.
1. Reduce two rules to one rule.
2. Use the stat command to get the major and minor numbers, and reduce the number of commands used.
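The mdev rule from the first comment and its stat-based replacement above, as an added shell example that is not part of the bug report or of busybox: the rule's action is expanded into functions so the major:minor conversion and the resulting /dev/block link can be checked outside mdev. The function names and the optional scratch-root argument are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or busybox): the mdev.conf action
#   *ln -sf /dev/$MDEV /dev/block/$(printf "%d:%d" $(stat -c "0x%t 0x%T" /dev/$MDEV))
# split into checkable functions.

# stat's %t/%T print major and minor in HEX, so the "0x" prefix fed to printf
# %d is essential: a minor of 17 comes out of stat as "11". Parsing `ls -l`
# (the first attempt in the report) breaks on that and on ls format changes.
devnum_from_hex() {
    # $1 = "0xMAJ 0xMIN" exactly as stat prints it; unquoted so it word-splits
    printf "%d:%d" $1
}

# Create ROOT/block/MAJOR:MINOR -> /dev/NAME, the same link the rule makes
# for each matching $MDEV. ROOT defaults to /dev; mkdir -p covers the
# "mkdir -p /dev/block" that rcS must do before "mdev -s" runs.
link_block_device() {
    mdev_name=$1
    root=${2:-/dev}
    [ -e "/dev/$mdev_name" ] || return 1
    devnum=$(devnum_from_hex "$(stat -c '0x%t 0x%T' "/dev/$mdev_name")") || return 1
    mkdir -p "$root/block" || return 1
    ln -sf "/dev/$mdev_name" "$root/block/$devnum" && printf '%s\n' "$root/block/$devnum"
}

# Consumer-side check: does ROOT/block/MAJOR:MINOR resolve to an existing
# node? This is the path evmctl hands to blkid (e.g. /dev/block/3:0).
block_link_resolves() {
    # $1 = MAJOR:MINOR, $2 = root (default /dev)
    [ -e "${2:-/dev}/block/$1" ]
}

# Usage: sh this.sh --demo [NAME]   (NAME defaults to "null" so it can be
# tried on any machine without a disk; use e.g. "sda" on a real target).
if [ "$1" = "--demo" ]; then
    scratch=$(mktemp -d)
    link=$(link_block_device "${2:-null}" "$scratch") \
        && echo "created $link -> $(readlink "$link")"
fi
```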