From: Mimi Zohar <zohar@linux.ibm.com>
To: Dave Young <dyoung@redhat.com>
Cc: linux-integrity@vger.kernel.org, linux-kselftest@vger.kernel.org,
	kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
	Petr Vorel <pvorel@suse.cz>, Matthew Garrett <mjg59@google.com>
Subject: Re: [PATCH v3 5/7] selftests/ima: kexec_file_load syscall test
Date: Tue, 12 Mar 2019 12:51:14 -0400
Message-ID: <1552409474.24794.63.camel@linux.ibm.com>
In-Reply-To: <20190312121001.GA18510@dhcp-128-65.nay.redhat.com>

On Tue, 2019-03-12 at 20:10 +0800, Dave Young wrote:
> Hi Mimi,
> On 03/11/19 at 07:41am, Mimi Zohar wrote:
> > The kernel can be configured to verify PE signed kernel images, IMA
> > kernel image signatures, both types of signatures, or none.  This test
> > verifies only properly signed kernel images are loaded into memory,
> > based on the kernel configuration and runtime policies.
> 
> I understand this is for IMA testing only, but I still wonder if this
> can be expanded to common kexec tests, like
> tools/testing/selftests/kexec/kexec_load.sh
> tools/testing/selftests/kexec/kexec_file_load.sh
> 
> Is it possible for ima/test_kexec_load.sh to call the
> ../kexec/kexec_load.sh, probably adding an extra argument, e.g. "ima"?

These kexec tests are meant to coordinate between the different
methods of verifying the kexec kernel image signatures.  Nothing about
them is IMA specific.  Moving these tests to
tools/testing/selftests/kexec makes sense.

> 
> Frankly I did not read and follow up much on the testing code changes,
> not sure if it is doable or not.  The code sharing under the testing folder
> seems not very good.  For example the basic check_root is needed by
> different parts, but each has its own implementation.  Anyway this is
> not the duty of this patch set.
> Also the selftests/lib/ is not a folder for sharing code for different
> tests, it looks like a standalone test instead.

Shuah suggested upstreaming these tests first and deferring the
introduction of a common set of functions to later.

> So if splitting the kexec tests into another folder is not doable
> please just ignore the comment.

Left in selftests/ima is a similar test for kernel modules, which
uses the "common" functions.  So either we wait to move the kexec
tests or allow them to reach into the ima directory and use the
ima_common_lib functions.

> 
> BTW, is CONFIG_KEXEC* checked?  In case of a kernel without KEXEC or
> KEXEC_FILE compiled in, the tests can just return directly.

Good point.  Now that there is a common function for reading the
Kconfig, I'll add that check to both the test_kexec_load.sh and
test_kexec_file_load.sh tests respectively.

Mimi
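
Added example, not part of the thread or the patch set: one way a kexec selftest could read the Kconfig and skip when CONFIG_KEXEC or CONFIG_KEXEC_FILE is not built in, as discussed above. The helper names (find_kconfig, kconfig_state, require_kconfig) are hypothetical and are not the ima_common_lib functions; the sample config is constructed.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not ima_common_lib's.
KSFT_SKIP=4	# kselftest exit code for a skipped test

# Print the first readable kernel config file, if any.
find_kconfig() {
	for f in /proc/config.gz "/boot/config-$(uname -r)"; do
		[ -r "$f" ] && { echo "$f"; return 0; }
	done
	return 1
}

# kconfig_state FILE OPTION: print y, m or n for OPTION in FILE.
# The match is anchored on "OPTION=" so CONFIG_KEXEC does not match
# CONFIG_KEXEC_FILE or CONFIG_KEXEC_CORE; "# ... is not set" yields n.
kconfig_state() {
	line=$(case $1 in
		*.gz) gzip -dc "$1" ;;
		*)    cat "$1" ;;
		esac 2>/dev/null | grep "^$2=" | head -n 1)
	case $line in
	"$2=y") echo y ;;
	"$2=m") echo m ;;
	*)      echo n ;;
	esac
}

# require_kconfig FILE OPTION: return 0 if built in, else KSFT_SKIP.
# In a test script: require_kconfig "$cfg" CONFIG_KEXEC_FILE || exit $?
require_kconfig() {
	[ "$(kconfig_state "$1" "$2")" = y ] && return 0
	echo "SKIP: $2 is not built into this kernel" >&2
	return "$KSFT_SKIP"
}

# Constructed sample config: kexec_load disabled, kexec_file_load built in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_KEXEC_CORE=y
# CONFIG_KEXEC is not set
CONFIG_KEXEC_FILE=y
EOF
for opt in CONFIG_KEXEC CONFIG_KEXEC_FILE; do
	echo "$opt: $(kconfig_state "$sample" "$opt")"
done
rm -f "$sample"
```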


