AIX trusted installation and update using chsignpolicy and Digital Signature Catalog (DSC).

By Christian Sonnemans posted Wed May 22, 2024 02:12 AM

  

Since AIX 7.2 TL4, and of course in AIX 7.3, IBM delivers digitally signed software packages in installp format.

This blog explains why this is important, but also that the job of signing all the packages is not completed yet.

But first: why should we use it, and use it as much as possible, for the filesets that are already signed?

According to the IBM documentation:

Digitally signed software protects against corrupted artifacts, process breakdown that includes accidentally delivering the wrong item, and any malicious intent.

Let me try to explain this via a use case.

In most cases, especially in secure environments, we tend to move towards a zero trust environment.

A common job for admins is the following:

Before we deploy or upgrade an AIX resource such as a NIM lpp_source, or install additional AIX software, we create golden images (read: NIM resources, PowerVC templates, etc.).

One of the first steps is to download the AIX software (web interface, Download Director, suma or other tools).

Then we store those images, which in most cases contain several filesets, somewhere on an AIX server.

After this download step we should verify the downloaded images against a checksum, if one is available.

After this we create the deploy image(s).

The last step is to upgrade or deploy service packs, or to install additional AIX software, with a tool such as NIM that uses the installp command underneath.

Missing step in this process?

The problem with the case described here is that there was no (good) way to check that the downloaded software really came from IBM and was not tampered with during the download process.

As admins we especially want to verify and check upfront, before building a golden image or upgrading LPARs, that the lpp packages have not been modified or tampered with.

This is why it is very important to check and verify your installp AIX software upfront using chsignpolicy.

For checking your LPAR afterwards (after upgrading or installing) there is another great tool available, which I described in one of my other blogs: Trusted Execution (TE), run as trustchk -n all.

How does it work?

First of all, there is a new command available in AIX, chsignpolicy, that I have to explain first.

During the installation of AIX there is a new setting you can choose; see the screen below:

Security Models

   Type the number of your choice and press Enter.

  1. Trusted AIX................................................... No
  2. Digital Signature POlicy...................................... None
  3. Other Security Options (Trusted AIX and Standard)
        Security options vary based on choices.
        LAS, SbD, BAS/CCEVAL

>>> 0 Continue to more software options.

 

See option 2: the Digital Signature Policy can be set to none, low, medium or high.

And for those using NIM, there is now an option SIGN_POLICY = in bosinst.data, under the control_flow: stanza, that can be set to the same values.

Pitfall:

Maybe a bit confusing, but during the installation of the LPAR itself the sign policy is NOT used!

Only afterwards, when the installation of AIX is completed, can the sign policy be set, or it is set automatically if it was defined during the installation or in bosinst.data.

If you already have an LPAR running, you can use the chsignpolicy command.

The chsignpolicy command is very simple:

chsignpolicy -p    shows which policy is currently set

chsignpolicy -s {low|medium|high|none}    sets the signing policy

chsignpolicy -R    shows the policies that can be used

 

During the installation or update of an LPAR with an oslevel higher than AIX 7.2 TL04 or AIX 7.3 TL01, the digital signatures of the associated software packages are stored in a database called the Digital Signature Catalog (DSC). These digital signatures are distributed by using the ODM entries of the new dsc_inventory class.

To get an impression of what those ODM entries look like, see the example below:

ODMDIR=/usr/lib/objrepos odmget -q "lpp_name like bos.rte" dsc_inventory

dsc_inventory:
        pkg_name = "bos"
        lpp_name = "bos.rte"
        ver = 7
        rel = 2
        mod = 4
        fix = 0
        ftype = "S"
        signature = "TN7kXmYiV8i3ynB9+SWjimwb123EbhRHG+fAKjgFtUF4lbbr/FrM7nnRvIgBPMEoRw+1ydR+7hHwYT4ju0TuAtO/av2v0V6BrbSNEhZ02N6J63jEYwap7K7X/24F4sWBB7KeqfFuhBzzlmUozbbioveYlorUoJZ+JhTb1r8DWHBJvhkR7I6LApvJ2E/LuInXRQMy/GJk39A4bXcBXzJ78XL2zAJY2xgyY0r/k+14DP3NFmtVfgzuQFYG4bTG1s1xUItx5MHYr50OYF7vtU7H5h53f5RPxaUXwRqcqAr/wD5fAgkSTD7DasJMqdkfW+SXd2mlm3MmuUc2WCQeIWwWw=="
        timestamp = "Mon_Aug_19_12-29-05_2019"
        key = "01"

dsc_inventory:
        pkg_name = "bos"
        lpp_name = "bos.rte"
        ver = 7
        rel = 2
        mod = 5
        fix = 0
        ftype = "S"
        signature = "cUukuHMjc226ZqiddAPS123/RHMAhQtJP9xwbVJ7T01pZQ5CbDUN8ONQrUvHwMNXGLPyIZ4FbU7VtIuD4DU2kkZ0oSeQlGWnvBAxU7+cr8eWQj2zt+tOqO4r1W3ZAo9E4Rr42l2Nj2YIEfxGsvX7wVdQk2JQBoN54N4HSpFPlbbqjVMAkUQ8yBo3bL8Q3SNQEHZAsSOK07jBgJx8hUAsiTqhkJnVFBs+GXVdx2nD6N5hA1uBLyH5lAAlC343mBUDkSGX7DKBl3MlmJGmUa3Yn6FFyfWsgzJUZVlszgGbbMdHliWm9Xjac/j34vdCLv0RgQCtV/2z5ggAQ8URPRE6qcQ=="
        timestamp = "Wed_Jul_15_09-29-37_2020"
        key = "01"
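Each dsc_inventory stanza is one signed fileset level, so the odmget output above is also the easiest place to see which levels your catalog actually covers. The following is an added example script, not code from the original post or from IBM: it parses odmget stanza text with awk and reports the fileset, its V.R.M.F level and the signing timestamp per stanza, and can answer "is there a catalog entry for this fileset at this level?". The catalog text it runs on is constructed for the example from the two stanzas above, with the signature values replaced by placeholders; on AIX you would feed it the real odmget output instead.

```sh
#!/bin/sh
# Added example, not code from the original post or from IBM: parse the stanza
# output of
#   ODMDIR=/usr/lib/objrepos odmget -q "lpp_name like bos.rte" dsc_inventory
# and list which fileset levels carry a signature in the Digital Signature Catalog.
# SAMPLE_DSC is constructed for this example; the signature values are
# placeholders, not real IBM signatures.

SAMPLE_DSC='dsc_inventory:
        pkg_name = "bos"
        lpp_name = "bos.rte"
        ver = 7
        rel = 2
        mod = 4
        fix = 0
        ftype = "S"
        signature = "CONSTRUCTED-SIGNATURE-1"
        timestamp = "Mon_Aug_19_12-29-05_2019"
        key = "01"

dsc_inventory:
        pkg_name = "bos"
        lpp_name = "bos.rte"
        ver = 7
        rel = 2
        mod = 5
        fix = 0
        ftype = "S"
        signature = "CONSTRUCTED-SIGNATURE-2"
        timestamp = "Wed_Jul_15_09-29-37_2020"
        key = "01"'

# dsc_levels: read odmget stanza text on stdin and print one line per stanza:
#   lpp_name V.R.M.F ftype timestamp
dsc_levels() {
    awk '
        function flush() {
            if (lpp != "")
                printf "%s %s.%s.%s.%s %s %s\n", lpp, ver, rel, mod, fix, ftype, ts
            lpp = ""; ver = rel = mod = fix = ""; ftype = ""; ts = ""
        }
        /^dsc_inventory:/ { flush(); next }
        {
            # stanza lines look like:   key = value   (strings are double quoted)
            n = index($0, "=")
            if (n == 0) next
            name = $1
            val = substr($0, n + 1)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)
            if      (name == "lpp_name")  lpp = val
            else if (name == "ver")       ver = val
            else if (name == "rel")       rel = val
            else if (name == "mod")       mod = val
            else if (name == "fix")       fix = val
            else if (name == "ftype")     ftype = val
            else if (name == "timestamp") ts = val
        }
        END { flush() }
    '
}

# dsc_has_level LPP LEVEL: exit 0 if the catalog text on stdin holds a
# signature for fileset LPP at V.R.M.F LEVEL (e.g. bos.rte 7.2.5.0), else 1.
dsc_has_level() {
    dsc_levels | awk -v want_lpp="$1" -v want_lvl="$2" '
        $1 == want_lpp && $2 == want_lvl { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Demo on the constructed catalog text; on AIX pipe the real odmget output in.
printf '%s\n' "$SAMPLE_DSC" | dsc_levels
```

On the sample text dsc_levels prints the 7.2.4.0 and 7.2.5.0 entries for bos.rte, and dsc_has_level bos.rte 7.2.5.0 succeeds while 7.3.0.0 does not. That is a quick way to confirm, before a verification run, that the catalog on the checking system has entries for the levels in your lpp_source.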

Setting chsignpolicy to activate it:

To actually use signature checking you have to set the policy to at least low.

The behavior of each setting is different, see below.

At this moment of writing, there are a lot of packages that are NOT signed yet by IBM.

I logged a case for this, and the logical first answer was:

“mostly filesets that were not updated for a while (before DSC was made available)”

The good news is that they will be updated in the near future.

Settings behavior:

low

Indicates that the AIX operating system checks the signatures of the software packages that are being installed or updated. If the signature verification fails, the installation process displays a warning message, but the installation continues.

A warning message similar to the following displays:

INFO: Package <full path to package name> failed signature verification.

medium

Indicates that the AIX operating system checks the signatures of the software packages that are being installed or updated. If the signature verification fails, the installation process prompts you whether you want to continue the installation. You must confirm for each file set that fails signature verification. Otherwise, the software package is not installed successfully.

A warning message similar to the following displays:

WARNING: Package <full path to package name> failed signature verification. Continue? (y/n)

high

Indicates that the AIX operating system checks the signatures of the software packages that are being installed or updated. If the signature verification fails, the installation of the software fails.

The failure message is similar to the following example:

FAILURE: Package <full path to package name> failed signature verification.

For now let me explain what happens if you set the policy to low.

First we want to see which parts of our downloaded software are signed and which are not.

There are two ways to check this; the supported and official way is, of course, to use installp.

See the following case, where we downloaded the software and created a NIM lpp_source.

You can do the same for a plain download directory where you stored your download.

Make sure that you create a new .toc file with the inutoc command.

Make sure the signing policy is set to low:

chsignpolicy -s low
sys0 changed

verify with:

chsignpolicy -p
#signpolicy
Low

Or:

lsattr -EHl sys0 |grep signpolicy
signpolicy      low                                  Digital Signature Policy                            True

After this you can run an installp preview command such as:

installp -agpd /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc -X ALL

*******************************************************************************
installp PREVIEW:  installation will not actually occur.
*******************************************************************************

<snip>

3711  Selected to be installed, of which:
     3289  Passed pre-installation verification
       18  FAILED pre-installation verification
        1  Replaced by superseding updates
      403  Already installed (directly or via superseding filesets)
  ----
3289  Total to be installed

Verifying known package signatures of install source: /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc
Please wait...
INFO: Package /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/xlfrte.17.1.1.4.I failed signature verification.
INFO: Package /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/printers.msg.ru_RU.7.2.0.0.I failed signature verification.
INFO: Package /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/printers.msg.pl_PL.7.2.0.0.I failed signature verification.
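With the policy at low, installp only prints these INFO lines and carries on, so if you want the preview to act as a gate you have to pick the failures out of the output yourself. Here is an added example for that, not code from the original post or from IBM: a small sh/awk filter that reads installp output and lists every package that failed signature verification with its severity, plus a summary whose exit status can stop a NIM job. The sample log is constructed from the message formats shown in this post; it also contains one WARNING and one FAILURE line, the shapes the medium and high policies print, so the same filter works under all three settings.

```sh
#!/bin/sh
# Added example, not code from the original post or from IBM: extract the
# packages that failed signature verification from installp (preview) output.
# SAMPLE_PREVIEW is constructed from the message formats shown in the post; the
# WARNING and FAILURE lines are added to cover the medium and high policies.

SAMPLE_PREVIEW='Verifying known package signatures of install source: /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc
Please wait...
INFO: Package /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/xlfrte.17.1.1.4.I failed signature verification.
INFO: Package /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/printers.msg.ru_RU.7.2.0.0.I failed signature verification.
WARNING: Package /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/printers.msg.pl_PL.7.2.0.0.I failed signature verification. Continue? (y/n)
FAILURE: Package /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I failed signature verification.'

# unsigned_packages: read installp output on stdin and print
#   SEVERITY package-basename
# for every "Package ... failed signature verification" line.
unsigned_packages() {
    awk '
        /^(INFO|WARNING|FAILURE): Package .* failed signature verification/ {
            sev = $1; sub(/:$/, "", sev)          # "INFO:" -> "INFO"
            pkg = $3; n = split(pkg, parts, "/")  # keep only the file name
            print sev, parts[n]
        }
    '
}

# signature_failures: print one summary line; exit 1 if any failure was seen,
# so the function can be used as a gate in a NIM/installp pipeline.
signature_failures() {
    unsigned_packages | awk '
        { count[$1]++; total++ }
        END {
            printf "signature failures: %d (INFO=%d WARNING=%d FAILURE=%d)\n",
                   total, count["INFO"], count["WARNING"], count["FAILURE"]
            exit(total > 0 ? 1 : 0)
        }
    '
}

# Demo on the constructed log; on AIX use something like
#   installp -agpd /path/to/lpp_source/installp/ppc -X ALL 2>&1 | tee /tmp/preview.log | unsigned_packages
printf '%s\n' "$SAMPLE_PREVIEW" | unsigned_packages
```

On the sample log the filter lists the four packages and the summary reports 4 failures (INFO=2 WARNING=1 FAILURE=1) with exit status 1; on a clean preview it reports 0 and exits 0. Note that the 18 "FAILED pre-installation verification" in the preview summary is a different counter (it covers other pre-install checks too), so it is the signature lines, not that number, you want to review.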

Another way, not officially supported by IBM because the tool was meant for internal use only, is the tool:

/usr/sbin/pkgverify

Notice:

installp calls verify_packages, which uses pkgverify for a block signature verification.

The signed filesets now have the signature information at the end of the fileset file itself.

But the bos.dsc fileset on the checking system must still be at the same level as, or higher than, the lpp_source you want to check.

At the time of writing this tool (pkgverify) has the imperfection that it cannot handle a long input list, but with a little script it is very useful for testing which packages are signed and which are not:

cat /tmp/check_lpps
for files in `find /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc -type f | grep -v ".toc"`
do
    /usr/sbin/pkgverify "$files"
    if [[ $? -ne 0 ]]
    then
        print "$files" >> /tmp/bad.$$
    fi
done

nim@/tmp> sh -x /tmp/check_lpps
+ find /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc -type f
+ grep -v .toc
+ /usr/sbin/pkgverify /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I
+ [[ 6 -ne 0 ]]
+ print /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I
+ 1>> /tmp/bad.13107622
+ /usr/sbin/pkgverify /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I.1
+ [[ 6 -ne 0 ]]
+ print /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I.1
+ 1>> /tmp/bad.13107622
+ /usr/sbin/pkgverify /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I.2
+ [[ 6 -ne 0 ]]
+ print /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I.2
+ 1>> /tmp/bad.13107622
+ /usr/sbin/pkgverify /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I.3
+ [[ 6 -ne 0 ]]
+ print /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I.3
+ 1>> /tmp/bad.13107622
+ /usr/sbin/pkgverify /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/ICU4C.adt.7.3.2.0.I
Verified OK
<snip>

nim@/tmp> cat /tmp/bad*
/install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I
/install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I.1
/install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I.2
/install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/GSKit8.8.0.55.26.I.3
/install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc/Java7_64.msg.Ja_JP.7.0.0.0.I
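The loop above works, but a few things are worth tightening if you run this sweep regularly: the backtick word list is what runs into argument-length limits on big lpp_sources, the pkgverify exit status (6 in the trace) is lost, and the script has no overall result you can branch on. The following is an added example, not the script from the post and not an IBM tool: the same pkgverify sweep, reading find output one path per line, recording the exit code next to each failing image, printing a summary, and returning non-zero if anything failed. PKGVERIFY is an assumed override I added so the sweep can be exercised on a non-AIX box with a stand-in verifier; on AIX leave it unset and /usr/sbin/pkgverify is used.

```sh
#!/bin/sh
# Added example, not the script from the post: a pkgverify sweep over an
# lpp_source (or plain download directory) that copes with any number of files,
# records the pkgverify exit status per failing image, and can gate a NIM job.
# PKGVERIFY is an assumed override for testing off-AIX; the real tool is
# /usr/sbin/pkgverify (IBM-internal, as the post notes).
PKGVERIFY="${PKGVERIFY:-/usr/sbin/pkgverify}"

# check_lpp_source DIR BADLIST
#   runs pkgverify on every install image under DIR (skipping .toc files),
#   appends "path rc=<status>" to BADLIST for each image that fails,
#   prints "checked=N failed=M", and returns 0 only when every image verified.
check_lpp_source() {
    dir=$1
    badlist=$2
    list=${TMPDIR:-/tmp}/check_lpps.$$
    : > "$badlist"
    checked=0
    failed=0

    # one path per line, sorted so reports are reproducible; nothing is ever
    # expanded into a single long argument list
    find "$dir" -type f ! -name '*.toc' | sort > "$list"

    while IFS= read -r pkg; do
        checked=$((checked + 1))
        if "$PKGVERIFY" "$pkg" > /dev/null 2>&1; then
            :                       # "Verified OK"
        else
            rc=$?                   # pkgverify exit status (6 in the post's trace)
            failed=$((failed + 1))
            printf '%s rc=%s\n' "$pkg" "$rc" >> "$badlist"
        fi
    done < "$list"
    rm -f "$list"

    printf 'checked=%d failed=%d\n' "$checked" "$failed"
    [ "$failed" -eq 0 ]
}

# Usage on AIX (not run here):
#   check_lpp_source /install/nim/lpp_source/73000201_2346_lpp_source/installp/ppc /tmp/bad.$$ \
#       || echo "unsigned or tampered images listed in /tmp/bad.$$"
```

Because the function returns non-zero on any failure, it can sit directly in front of the nim -o bos_inst or installp step in a deployment script; the BADLIST file gives you the same list as the post's cat /tmp/bad* but with the exit code per image. Remember the post's caveat: the bos.dsc level on the machine running the sweep has to be at least the level of the lpp_source, otherwise genuinely signed images will show up as failures.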

 

Enhancements in the near future:

IBM development support will update the filesets that are not signed yet, and will include this in the next builds of AIX.

I also learned, from logging a case, that a new installp switch will be implemented in the future to only verify signatures.

This is great news, as it will allow us to verify resources such as lpp_sources without an additional script like the one I showed in my examples.

I hope that you will use this fairly new feature of AIX.

I will update this blog as soon as the new installp switch is available and will show some more examples.

#ibmchampion
#ibmaix
