HEX
Server: LiteSpeed
System: Linux atali.colombiahosting.com.co 5.14.0-570.12.1.el9_6.x86_64 #1 SMP PREEMPT_DYNAMIC Tue May 13 06:11:55 EDT 2025 x86_64
User: coopserp (1713)
PHP: 8.2.29
Disabled: dl,exec,passthru,proc_open,proc_close,shell_exec,memory_limit,system,popen,curl_multi_exec,show_source,symlink,link,leak,listen,diskfreespace,tmpfile,ignore_user_abord,highlight_file,source,show_source,fpaththru,virtual,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setid,posix_times,posix_ttyname,posix_uname,proc_get_status,proc_nice,proc_terminate
$ pwd: /lib/dracut/modules.d/98integrity/
Upload Files
File: //lib/dracut/modules.d/98integrity/README
# Directions for creating the encrypted key that will be used to initialize
# the EVM software.

# Create the EVM key (encrypted key type)
#
# The encrypted key is a random number encrypted/decrypted using the
# kernel master key.  The encrypted key is only exposed to userspace
# as an encrypted datablob.
$ keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
782117972

# Save the encrypted key
$ su -c 'keyctl pipe `keyctl search @u encrypted evm-key` > /etc/keys/evm-trusted.blob'

# The EVM key path name can be set in one of the following ways (specified in
# the order in which the variable is overwritten):

1) use the default value:
--------------------------------------------------------------------------
EVMKEY="/etc/keys/evm-trusted.blob"
--------------------------------------------------------------------------

2) create the configuration file '/etc/sysconfig/evm' and set the EVMKEY variable;

3) specify the EVM key path name in the 'evmkey=' parameter of the kernel command
line.


# Directions for loading a custom IMA policy.

# Write the policy following the instructions provided in the file
# 'Documentation/ABI/testing/ima_policy' of the kernel documentation.

# Save the policy in a file.

# Create the configuration file '/etc/sysconfig/ima' to override the path name of
# the IMA custom policy.
------------- '/etc/sysconfig/ima' (with the default value) -------------
IMAPOLICY="/etc/sysconfig/ima-policy"
-------------------------------------------------------------------------


# Information on loading distro, third party or local keys on the trusted IMA keyring

# Loading distro, third party or local keys on the trusted IMA keyring requires
# creating a local certificate authority(local-CA), installing the local-CA's
# public key on the system-keyring and signing the certificates with the local-CA
# key.
#
# Many directions for creating a mini certificate authority exist on the web
# (eg. openssl, yubikey). (Reminder: safely storing the private key offline is
# really important, especially in the case of the local-CA's private key.) The
# local-CA's public key can be loaded onto the system keyring either by building
# the key into the kernel or, on Fedora, storing it in the UEFI/Mok keyring. (As
# of writing, the patches for loading the UEFI/Mok keys on the system-keyring
# have not been upstreamed.)
#
# To view the system keyring: keyctl show %keyring:.system_keyring
#
# Most on-line directions for signing certificates requires creating a Certificate
# Signing Request (CSR).  Creating such a request requires access to the private
# key, which would not be available when signing distro or 3rd party certificates.
# Openssl provides the "-ss_cert" option for directly signing certificates.

# 98integrity/ima-keys-load.sh script loads the signed certificates stored 
# in the $IMAKEYSDIR onto the trusted IMA keyring.  The default $IMAKEYSDIR
# directory is /etc/keys/ima, but can be specified in the /etc/sysconfig/ima
# policy.
@ Telegram