Enabling EVM with only X.509 key prevents boot

I have successfully enabled IMA (including the dracut module integrity and with an X.509 key for custom policies) and am trying to enable EVM with only X.509 keys (so no symmetric key for EVM HMAC). This process is broadly described here although it doesn’t explain enabling EVM with X.509 keys, and I believe the included documentation for EVM key creation is slightly inaccurate anyway (see the commands I used instead later).

If I try to do this setup without a symmetric key for EVM HMAC, my Fedora system won’t boot, but it will if I do add the symmetric key for EVM HMAC.

Of course I have been updating all the signatures as necessary, using sudo find / -fstype xfs -type f -uid 0 -exec evmctl sign --imasig '{}' -k keys/custom_ima.priv \;

The following screenshots demonstrate where the boot gets stuck at the bottom (although they have been taken on different days after testing different setups, so the context of the rest of the boot logs may not actually be consistent or relevant):

[Screenshots of the stuck boot, not reproduced here]

Thus, I figured it was worth at least trying with a symmetric key for HMAC. To set up an HMAC key for EVM, I’ve done the following:

# (logged in as root user)
# Create a TPM SRK
tpm2_createprimary --key-algorithm=rsa2048 --key-context=key.ctxt
tpm2_evictcontrol -c key.ctxt 0x81000001
# Create a kernel masterkey
keyctl add trusted kmk-trusted "new 32 keyhandle=0x81000001" @u
keyctl pipe $(keyctl search @u trusted kmk-trusted) > /etc/keys/kmk-trusted.blob
# Create an EVM HMAC key
keyctl add encrypted evm-key "new trusted:kmk-trusted 64" @u
keyctl pipe $(keyctl search @u encrypted evm-key) > /etc/keys/evm-trusted.blob

Having an HMAC key set up as well as the X.509 key located in /etc/keys/evm/, the system can boot and appears to use both keys successfully.

According to the IMA/EVM documentation, I think it should be possible to run EVM with only the X.509 key, and in fact it is desirable for me in a development environment because this should allow resigning attributes during development testing, while having an HMAC key explicitly disallows this (see here).

Does anyone have any ideas for fixing this? I am happy to provide more details or assist in setting up IMA if necessary (the process is understandably quite brittle).

I managed to pull the full log from the boot console. Here is the log from after dracut mounts sysroot: "boot log" (linked on GitHub).

I could share the full file, but I doubt anything before this is helpful.

Interesting note, when I added a serial console to the machine, it became another device (dev-ttyS0) that got stuck like the screenshots before.

Disabling SwapOnZRAM via sudo touch /etc/systemd/zram-generator.conf fixed one of the three errors. The other two remain.

I believe the other two jobs that are getting stuck are for mounting /boot and /boot/efi. I remain uncertain how to resolve these.

I discovered that systemd automatically creates mount units from the contents of /etc/fstab on every boot. I tried converting them to permanent units, but this hasn’t fixed the problem.

However, while the core issue in this post remains unsolved, I have solved the original problem that prompted this sufficiently enough for my purposes: I discovered that EVM will automatically update HMACs on files when the xattrs are updated, even when it is not in evm=fix mode. This is documented, but what isn’t documented (other than in Linux kernel code comments as far as I found) is how this mechanism interacts with files that have EVM signatures. It turns out EVM will automatically replace signatures with HMACs when xattrs are updated, and this is why I wanted to remove the HMAC key entirely. However, EVM will NOT replace signatures with HMACs when the signature is generated with --portable, thus making the xattrs immutable when the system is not in fix mode. Although it would still be nice to disable the HMAC key to allow signatures to be updated without fix mode, I don’t care enough to continue working on this right now.
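To check which files have had a signature silently replaced by an HMAC (the behaviour described above), it helps to read the type byte that EVM stores at the front of security.evm. The following is an added example, not code from the original post; the type values are taken from the kernel's enum evm_ima_xattr_type (0x02 HMAC, 0x03 signature, 0x05 portable signature), and the sample getfattr output is constructed.

```shell
#!/bin/sh
# Added example: classify security.evm xattrs by their leading type byte.
# Values from security/integrity/integrity.h (enum evm_ima_xattr_type):
#   0x02 EVM_XATTR_HMAC, 0x03 EVM_IMA_XATTR_DIGSIG, 0x05 EVM_XATTR_PORTABLE_DIGSIG

# evm_type HEXVALUE -> prints hmac | digsig | portable_digsig | unknown
evm_type() {
    hex=${1#0x}
    case "$(printf '%s' "$hex" | cut -c1-2)" in
        02) echo hmac ;;
        03) echo digsig ;;
        05) echo portable_digsig ;;
        *)  echo unknown ;;
    esac
}

# classify_listing reads "getfattr -h -n security.evm -e hex" style output on
# stdin ("# file: PATH" followed by "security.evm=0x...") and prints
# "TYPE PATH" per file.
classify_listing() {
    file=''
    while IFS= read -r line; do
        case "$line" in
            "# file: "*)   file=${line#"# file: "} ;;
            security.evm=*) echo "$(evm_type "${line#security.evm=}") $file" ;;
        esac
    done
}

# hmac_files prints only the paths whose EVM xattr is now an HMAC, i.e. the
# files where a non-portable signature was replaced after an xattr update.
hmac_files() {
    classify_listing | awk '$1 == "hmac" { print $2 }'
}

# Constructed sample standing in for a real getfattr run (paths are arbitrary).
SAMPLE='# file: /usr/bin/ls
security.evm=0x0302aabbccdd

# file: /etc/hostname
security.evm=0x02deadbeef

# file: /usr/bin/cat
security.evm=0x0502aabbcc'

printf '%s\n' "$SAMPLE" | classify_listing
```

On a live system, feed it `getfattr -Rh -n security.evm -e hex --absolute-names /usr 2>/dev/null | hmac_files` (paths containing spaces would need a stricter parser than the awk field split used here).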