Hello,
I have some questions regarding system freezing at boot after activating EVM. I
receive this error message:
systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/system: No such file
of device.
[!!!!!] Failed to mount API filesystems, freezing.
I am using Linux kernel 4.19.78 and system v2.34. My aim is to activate IMA/EVM
with EVM in mode 0x80000006, as per
https://www.kernel.org/doc/Documentation/ABI/testing/evm. I have a script
running from an initramfs, which does the IMA/EVM setup like the following:
mount -n -t securityfs securityfs /sys/kernel/security
(set -e; while read i; do echo $i >&2; echo $i; done) </etc/keys/policy >/sys/kernel/security/ima/policy
ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
evmctl import /etc/keys/x509_ima_1.der $ima_id
evm_id="`awk '/\.evm/ { printf "%d", "0x"$1; }' /proc/keys`"
evmctl import /etc/keys/x509_ima_1.der $evm_id
cat /etc/keys/kmk | keyctl padd user kmk @u
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
echo -2147483642 > /sys/kernel/security/evm
where the policy is:
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x42494e4d
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
This would be a dummy policy, with which I could still reproduce the issue.
Kernel command line parameters are:
bootargs = "console=ttyS0,921600n1 \
debugshell=1 printk.disable_uart=0 rootwait mem=1024m \
loglevel=8 earlycon=uart8250,mmio32,0x11002000 rootfstype=ext4
ima_appraise=log evm=fix cgroup_no_v1=all quiet ";
where ima_appraise=log evm=fix should ensure that the boot freeze does not occur
because of missing signatures, and cgroup_no_v1=all is one of my attempts at
solving the issue (not needed).
The problem occurs specifically when running the instruction "echo
-2147483642 > /sys/kernel/security/evm", which activates EVM. The same setup goes
through boot fine when leaving that out. Moreover, when doing the instruction
in user-space, that also works (though I get some EVM-related kernel messages
which, at this point, I'm not sure are normal or not).
I would much appreciate any lead to what I could be doing wrong, as it is
difficult for me to trace the problem both for my lack of expertise and the way
the image is formed.
Thank you,
Vlad
_______________________________________________
systemd-devel mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/systemd-devel