* [LTP] [PATCH v3 0/2] IMA: Verify measurement of certificates
@ 2020-06-17 23:49 Lachlan Sneff
  2020-06-17 23:49 ` [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff
  2020-06-17 23:49 ` [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff
  0 siblings, 2 replies; 11+ messages in thread
From: Lachlan Sneff @ 2020-06-17 23:49 UTC (permalink / raw)
  To: ltp

The IMA subsystem is capable of importing and measuring certificates. This
set of patches adds tests for verifying that keys are imported and measured
correctly.

Changelog:

v3
- Document requirements for running the ima key tests and provide resources
  for generating keys.

v2
- Un-linebreak a few strings
- Enforce that some commands are available before running
- Move compute_digest function to ima_setup.sh
- Fix file permissions on ima_key.sh
- Move IMA_POLICY variable to ima_setup.sh
- Add keycheck.policy datafile

v1
- The following patchsets should be applied in that order.
- Add tests that verify measurement of keys and importing certificates.

Lachlan Sneff (2):
  IMA: Add a test to verify measurment of keys
  IMA: Add a test to verify importing a certificate into keyring

 runtest/ima                                   |   1 +
 .../kernel/security/integrity/ima/README.md   |  21 ++++
 .../integrity/ima/datafiles/keycheck.policy   |   1 +
 .../security/integrity/ima/tests/ima_keys.sh  | 110 ++++++++++++++++++
 .../integrity/ima/tests/ima_measurements.sh   |  36 +-----
 .../integrity/ima/tests/ima_policy.sh         |   1 -
 .../security/integrity/ima/tests/ima_setup.sh |  35 ++++++
 7 files changed, 169 insertions(+), 36 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keycheck.policy
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_keys.sh

-- 
2.25.1


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys
  2020-06-17 23:49 [LTP] [PATCH v3 0/2] IMA: Verify measurement of certificates Lachlan Sneff
@ 2020-06-17 23:49 ` Lachlan Sneff
  2020-06-18 20:28   ` Petr Vorel
  2020-06-24 13:21   ` Mimi Zohar
  2020-06-17 23:49 ` [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff
  1 sibling, 2 replies; 11+ messages in thread
From: Lachlan Sneff @ 2020-06-17 23:49 UTC (permalink / raw)
  To: ltp

Add a testcase that verifies that the IMA subsystem has correctly
measured keys added to keyrings specified in the IMA policy file.

Additionally, add support for handling a new IMA template descriptor,
namely ima-buf[1], in the IMA measurement tests.

[1]: https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use

Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
---
 runtest/ima                                   |  1 +
 .../integrity/ima/datafiles/keycheck.policy   |  1 +
 .../security/integrity/ima/tests/ima_keys.sh  | 67 +++++++++++++++++++
 .../integrity/ima/tests/ima_measurements.sh   | 36 +---------
 .../integrity/ima/tests/ima_policy.sh         |  1 -
 .../security/integrity/ima/tests/ima_setup.sh | 35 ++++++++++
 6 files changed, 105 insertions(+), 36 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keycheck.policy
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_keys.sh

diff --git a/runtest/ima b/runtest/ima
index f3ea88cf0..309d47420 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -3,4 +3,5 @@ ima_measurements ima_measurements.sh
 ima_policy ima_policy.sh
 ima_tpm ima_tpm.sh
 ima_violations ima_violations.sh
+ima_keys ima_keys.sh
 evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy
new file mode 100644
index 000000000..3f1934a3d
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy
@@ -0,0 +1 @@
+measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf
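Review bot: Nothing in this series loads keycheck.policy. test1 in ima_keys.sh only greps the running policy at $IMA_POLICY and stops with TCONF when it finds no func=KEY_CHECK rule, so on a system where this rule has not been loaded the test never verifies anything. Either document in the README that this file must be loaded as the IMA policy before ima_keys.sh is run, or have the test setup load it when the policy file is writable.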
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
new file mode 100755
index 000000000..2b5324dbf
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2020 Microsoft Corporation
+# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
+#
+# Verify that keys are measured correctly based on policy.
+
+TST_NEEDS_CMDS="grep mktemp cut sed tr"
+TST_CNT=1
+TST_NEEDS_DEVICE=1
+
+. ima_setup.sh
+
+# Based on https://lkml.org/lkml/2019/12/13/564.
+# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
+test1()
+{
+	local keyrings keycheck_line templates test_file=$(mktemp)
+
+	tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
+
+	[ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY"
+
+	[ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
+
+	keycheck_line=$(grep "func=KEY_CHECK" $IMA_POLICY)
+	if [ -z "$keycheck_line" ]; then
+		tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\""
+	fi
+
+	if echo "$keycheck_line" | grep -q "*keyrings*"; then
+		tst_brk TCONF "ima policy does not specify a keyrings to check"
+	fi
+
+	keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
+		sed "s/\./\\\./g" | cut -d'=' -f2)
+	if [ -z "$keyrings" ]; then
+		tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings"
+	fi
+
+	templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
+		cut -d'=' -f2)
+
+	grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line
+	do
+		local digest expected_digest algorithm
+
+		digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2)
+		algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1)
+		keyring=$(echo "$line" | cut -d' ' -f5)
+
+		echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
+
+		expected_digest="$(compute_digest $algorithm $test_file)" || \
+			tst_brk TCONF "cannot compute digest for $algorithm"
+
+		if [ "$digest" != "$expected_digest" ]; then
+			tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
+		fi
+	done
+
+	rm $test_file
+
+	tst_res TPASS "specified keyrings were measured correctly"
+}
+
+tst_run
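Review bot: test1 reports TPASS unconditionally after the loop, so a digest mismatch (TFAIL inside the loop) or a failing `grep -E` still ends with "specified keyrings were measured correctly". The `while read` loop is the tail of a pipeline and runs in a subshell in most shells, so a failure flag set inside it would be lost; feed the loop from a file or here-document, track failure in a variable, and pass only when at least one entry was checked and none failed. Two smaller points in the same function: `grep -q "*keyrings*"` is a shell glob used as a regex and the condition is inverted relative to its message (the intent looks like `! ... grep -q "keyrings="`), and `$keyrings` and `$templates` are built from every func=KEY_CHECK line, so a policy with more than one such rule hands `grep -E` a multi-line pattern.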
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 54237d688..04d8e6353 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -28,7 +28,7 @@ setup()
 	# parse digest index
 	# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
 	case "$template" in
-	ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
+	ima|ima-ng|ima-sig|ima-buf) DIGEST_INDEX=4 ;;
 	*)
 		# using ima_template_fmt kernel parameter
 		local IFS="|"
@@ -46,40 +46,6 @@ setup()
 		"Cannot find digest index (template: '$template')"
 }
 
-# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
-compute_digest()
-{
-	local algorithm="$1"
-	local file="$2"
-	local digest
-
-	digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')"
-	if [ -n "$digest" ]; then
-		echo "$digest"
-		return 0
-	fi
-
-	digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')"
-	if [ -n "$digest" ]; then
-		echo "$digest"
-		return 0
-	fi
-
-	# uncommon ciphers
-	local arg="$algorithm"
-	case "$algorithm" in
-	tgr192) arg="tiger" ;;
-	wp512) arg="whirlpool" ;;
-	esac
-
-	digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')"
-	if [ -n "$digest" ]; then
-		echo "$digest"
-		return 0
-	fi
-	return 1
-}
-
 ima_check()
 {
 	local delimiter=':'
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index 6286277b4..244cf081d 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -23,7 +23,6 @@ check_policy_writable()
 
 setup()
 {
-	IMA_POLICY="$IMA_DIR/policy"
 	check_policy_writable
 
 	VALID_POLICY="$TST_DATAROOT/measure.policy"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 58a12eda3..8ae477c1c 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -20,6 +20,40 @@ SYSFS="/sys"
 UMOUNT=
 TST_FS_TYPE="ext3"
 
+# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
+compute_digest()
+{
+	local algorithm="$1"
+	local file="$2"
+	local digest
+
+	digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')"
+	if [ -n "$digest" ]; then
+		echo "$digest"
+		return 0
+	fi
+
+	digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')"
+	if [ -n "$digest" ]; then
+		echo "$digest"
+		return 0
+	fi
+
+	# uncommon ciphers
+	local arg="$algorithm"
+	case "$algorithm" in
+	tgr192) arg="tiger" ;;
+	wp512) arg="whirlpool" ;;
+	esac
+
+	digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')"
+	if [ -n "$digest" ]; then
+		echo "$digest"
+		return 0
+	fi
+	return 1
+}
+
 check_ima_policy()
 {
 	local policy="$1"
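Review bot: Now that compute_digest() is shared, `$algorithm` deserves validation: it is interpolated into a command name (`${algorithm}sum`) and ima_keys.sh passes it a value cut straight out of the measurement log. Match it against the list of known algorithm names with a `case` before use, and quote `$file` in all three invocations. The comment "uncommon ciphers" should say hash algorithms.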
@@ -85,6 +119,7 @@ ima_setup()
 	[ -d "$IMA_DIR" ] || tst_brk TCONF "IMA not enabled in kernel"
 	ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements"
 	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
+	IMA_POLICY="$IMA_DIR/policy"
 
 	print_ima_config
 
-- 
2.25.1



* [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring
  2020-06-17 23:49 [LTP] [PATCH v3 0/2] IMA: Verify measurement of certificates Lachlan Sneff
  2020-06-17 23:49 ` [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff
@ 2020-06-17 23:49 ` Lachlan Sneff
  2020-06-18 20:14   ` Petr Vorel
  2020-06-24 16:41   ` Mimi Zohar
  1 sibling, 2 replies; 11+ messages in thread
From: Lachlan Sneff @ 2020-06-17 23:49 UTC (permalink / raw)
  To: ltp

Add an IMA measurement test that verifies that an x509 certificate
can be imported into the .ima keyring and measured correctly.

Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
---
 .../kernel/security/integrity/ima/README.md   | 21 +++++++++
 .../security/integrity/ima/tests/ima_keys.sh  | 47 ++++++++++++++++++-
 2 files changed, 66 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 16a1f48c3..e41f7b570 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -16,6 +16,27 @@ CONFIG_INTEGRITY=y
 CONFIG_IMA=y
 ```
 
+IMA Key Import test
+-------------
+
+`ima_keys.sh` requires an x509 key to be generated and placed
+at `/etc/keys/x509_ima.der`.
+
+The x509 public key key must be signed by the private key you generate.
+Follow these instructions:
+https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys.
+
+The test cannot be set-up automatically because the kernel must be built
+with one of the keys you generate.
+
+As well as what's required for the IMA tests, the following are also required
+in the kernel configuration:
+```
+CONFIG_IMA_READ_POLICY=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
+```
+
 EVM tests
 ---------
 
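Review bot: The new README section hardcodes `/etc/keys/x509_ima.der`, while the script in this patch reads the path from `CERT_FILE` and only defaults to that location; mention the variable so a user with a different path knows how to point the test at it. Also fix the doubled word in "public key key", and state which key goes into CONFIG_SYSTEM_TRUSTED_KEYS and which certificate is placed at the .der path, since "one of the keys you generate" leaves that open.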
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 2b5324dbf..1d9824aba 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -5,10 +5,12 @@
 #
 # Verify that keys are measured correctly based on policy.
 
-TST_NEEDS_CMDS="grep mktemp cut sed tr"
-TST_CNT=1
+TST_NEEDS_CMDS="grep mktemp cut sed tr xxd keyctl evmctl openssl cmp"
+TST_CNT=2
 TST_NEEDS_DEVICE=1
 
+CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}"
+
 . ima_setup.sh
 
 # Based on https://lkml.org/lkml/2019/12/13/564.
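Review bot: `xxd` is added to TST_NEEDS_CMDS only here, but test1 from patch 1/2 already pipes through `xxd -r -p`, so with only 1/2 applied the test runs without checking that the command exists; move `xxd` into the list in 1/2. A one-line comment above `CERT_FILE` saying it can be overridden from the environment would also help.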
@@ -64,4 +66,45 @@ test1()
 	tst_res TPASS "specified keyrings were measured correctly"
 }
 
+
+# Test that a cert can be imported into the ".ima" keyring correctly.
+test2() {
+	local keyring_id key_id test_file=$(mktemp)
+
+	[ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE"
+
+	if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then
+		tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate"
+	fi
+
+	tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)"
+
+	keyring_id=$(keyctl show %:.ima | sed -n 2p | \
+		sed 's/^[[:space:]]*//' | cut -d' ' -f1) || \
+		tst_btk TCONF "unable to retrieve .ima keyring id"
+
+	if ! tst_is_num	"$keyring_id"; then
+		tst_brk TCONF "unable to parse keyring id from keyring"
+	fi
+
+	evmctl import $CERT_FILE "$keyring_id" > /dev/null || \
+		tst_brk TCONF "unable to import a cert into the .ima keyring"
+
+	grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \
+		xxd -r -p > $test_file || \
+		tst_brk TCONF "cert not found in ascii_runtime_measurements log"
+
+	if ! openssl x509 -in $test_file -inform der > /dev/null; then
+		tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate"
+	fi
+
+	if cmp -s "$test_file" $CERT_FILE; then
+		tst_res TPASS "logged cert matches original cert"
+	else
+		tst_res TFAIL "logged cert does not match original cert"
+	fi
+
+	rm $test_file
+}
+
 tst_run
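Review bot: `tst_btk` in the keyring_id assignment is a typo for `tst_brk`, and the `||` it hangs off only sees the exit status of the final `cut`, not of `keyctl show`, so that branch does not detect a missing keyring; check `keyctl` on its own or rely on the tst_is_num test that follows. The same holds for the `grep -F ".ima" ... | xxd -r -p > $test_file ||` pipeline, where the `||` reflects the status of xxd rather than of grep. `key_id` is declared but never used, and `$CERT_FILE` and `$test_file` should be quoted.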
-- 
2.25.1



* [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring
  2020-06-17 23:49 ` [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff
@ 2020-06-18 20:14   ` Petr Vorel
  2020-06-24 16:41   ` Mimi Zohar
  1 sibling, 0 replies; 11+ messages in thread
From: Petr Vorel @ 2020-06-18 20:14 UTC (permalink / raw)
  To: ltp

Hi Lachlan,

LGTM, I'd just like to do some tests. That's what prevents me from merging (my
notes below are just nits, I'll fix them before merging).
@Mimi: would you have time to have a look at these tests?

Reviewed-by: Petr Vorel <pvorel@suse.cz>

> Add an IMA measurement test that verifies that an x509 certificate
> can be imported into the .ima keyring and measured correctly.

> Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
> ---
>  .../kernel/security/integrity/ima/README.md   | 21 +++++++++
>  .../security/integrity/ima/tests/ima_keys.sh  | 47 ++++++++++++++++++-
>  2 files changed, 66 insertions(+), 2 deletions(-)

> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
> index 16a1f48c3..e41f7b570 100644
> --- a/testcases/kernel/security/integrity/ima/README.md
> +++ b/testcases/kernel/security/integrity/ima/README.md
> @@ -16,6 +16,27 @@ CONFIG_INTEGRITY=y
>  CONFIG_IMA=y
>  ```
Thanks for the docs, I'll move them to the first commit.

> +IMA Key Import test
IMA Key Import tests
> +-------------
> +
> +`ima_keys.sh` requires an x509 key to be generated and placed
> +at `/etc/keys/x509_ima.der`.
`ima_keys.sh` requires an x509 public key to be generated and placed
> +at `/etc/keys/x509_ima.der`.

> +
> +The x509 public key key must be signed by the private key you generate.
> +Follow these instructions:
> +https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys.
I was thinking of using a non-distro link:
https://www.mankier.com/1/evmctl#Generate_Trusted_Keys
as the Ubuntu docs are tied to a certain evmctl version, but on the other hand
they document what you used when you wrote the tests. And the Ubuntu URL is
probably safer to use (mankier.com can vanish in the future). Thus keep this one.

> +
> +The test cannot be set-up automatically because the kernel must be built
> +with one of the keys you generate.
> +
> +As well as what's required for the IMA tests, the following are also required
> +in the kernel configuration:
> +```
> +CONFIG_IMA_READ_POLICY=y
> +CONFIG_SYSTEM_TRUSTED_KEYRING=y
> +CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
> +```
> +
>  EVM tests
>  ---------
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> index 2b5324dbf..1d9824aba 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> @@ -5,10 +5,12 @@

>  # Verify that keys are measured correctly based on policy.

> -TST_NEEDS_CMDS="grep mktemp cut sed tr"
> -TST_CNT=1
> +TST_NEEDS_CMDS="grep mktemp cut sed tr xxd keyctl evmctl openssl cmp"
> +TST_CNT=2
>  TST_NEEDS_DEVICE=1

> +CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}"
> +
>  . ima_setup.sh

>  # Based on https://lkml.org/lkml/2019/12/13/564.
> @@ -64,4 +66,45 @@ test1()
>  	tst_res TPASS "specified keyrings were measured correctly"
>  }

> +
> +# Test that a cert can be imported into the ".ima" keyring correctly.
> +test2() {
> +	local keyring_id key_id test_file=$(mktemp)
> +
> +	[ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE"
> +
> +	if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then
> +		tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate"
> +	fi
> +
> +	tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)"
> +
> +	keyring_id=$(keyctl show %:.ima | sed -n 2p | \
> +		sed 's/^[[:space:]]*//' | cut -d' ' -f1) || \
> +		tst_btk TCONF "unable to retrieve .ima keyring id"
> +
> +	if ! tst_is_num	"$keyring_id"; then
> +		tst_brk TCONF "unable to parse keyring id from keyring"
> +	fi
> +
> +	evmctl import $CERT_FILE "$keyring_id" > /dev/null || \
> +		tst_brk TCONF "unable to import a cert into the .ima keyring"
> +
> +	grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \
> +		xxd -r -p > $test_file || \
> +		tst_brk TCONF "cert not found in ascii_runtime_measurements log"
> +
> +	if ! openssl x509 -in $test_file -inform der > /dev/null; then
> +		tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate"
> +	fi
> +
> +	if cmp -s "$test_file" $CERT_FILE; then
> +		tst_res TPASS "logged cert matches original cert"
> +	else
> +		tst_res TFAIL "logged cert does not match original cert"
> +	fi
> +
> +	rm $test_file
I guess you can avoid deleting this file. There is automatic cleanup of the test
directory and even if the test is run with -i (number of iterations), it'll be
unique as it's using mktemp.

> +}
> +
>  tst_run


Kind regards,
Petr


* [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys
  2020-06-17 23:49 ` [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff
@ 2020-06-18 20:28   ` Petr Vorel
  2020-06-24 13:21   ` Mimi Zohar
  1 sibling, 0 replies; 11+ messages in thread
From: Petr Vorel @ 2020-06-18 20:28 UTC (permalink / raw)
  To: ltp

Hi Lachlan,

Reviewed-by: Petr Vorel <pvorel@suse.cz>

> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> @@ -0,0 +1,67 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +# Copyright (c) 2020 Microsoft Corporation
> +# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
> +#
> +# Verify that keys are measured correctly based on policy.
> +
> +TST_NEEDS_CMDS="grep mktemp cut sed tr"
This is already a dependency for tst_test.sh, but it does no harm to have it
here (in case we remove the dependency from tst_test.sh).
> +TST_CNT=1
> +TST_NEEDS_DEVICE=1
> +
> +. ima_setup.sh
> +
> +# Based on https://lkml.org/lkml/2019/12/13/564.
> +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
> +test1()
> +{
> +	local keyrings keycheck_line templates test_file=$(mktemp)
Do we need mktemp? Can't it be just:
	local keyrings keycheck_line templates test_file="file.txt"

...
> +		echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
Because you later just overwrite the file (simplicity).

I also try to keep shell dependencies low so it's possible to run it in a
dracut initramfs with rapido [1] without too many dependencies (although mktemp
is already a tst_test.sh dependency).

> +
> +		expected_digest="$(compute_digest $algorithm $test_file)" || \
> +			tst_brk TCONF "cannot compute digest for $algorithm"
> +
> +		if [ "$digest" != "$expected_digest" ]; then
> +			tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
> +		fi
> +	done
> +
> +	rm $test_file
Again, IMHO no need to delete the file.

[1] https://github.com/rapido-linux/rapido

> +
> +	tst_res TPASS "specified keyrings were measured correctly"
This TPASS will be called even if there is previous TFAIL "incorrect digest was
found for the ($keyring) keyring". We should either exit testing with return,
or have a variable to detect failure and not call this (not sure what makes more
sense).

Kind regards,
Petr


* [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys
  2020-06-17 23:49 ` [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff
  2020-06-18 20:28   ` Petr Vorel
@ 2020-06-24 13:21   ` Mimi Zohar
  2020-06-24 15:27     ` Mimi Zohar
  1 sibling, 1 reply; 11+ messages in thread
From: Mimi Zohar @ 2020-06-24 13:21 UTC (permalink / raw)
  To: ltp

Hi Lachlan,

> +
> +# Based on https://lkml.org/lkml/2019/12/13/564.
> +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
> +test1()
> +{
> +	local keyrings keycheck_line templates test_file=$(mktemp)
> +
> +	tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
> +
> +	[ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY"
> +
> +	[ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
> +
> +	keycheck_line=$(grep "func=KEY_CHECK" $IMA_POLICY)
> +	if [ -z "$keycheck_line" ]; then
> +		tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\""
> +	fi
> +
> +	if echo "$keycheck_line" | grep -q "*keyrings*"; then
> +		tst_brk TCONF "ima policy does not specify a keyrings to check"
> +	fi
> +
> +	keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
> +		sed "s/\./\\\./g" | cut -d'=' -f2)
> +	if [ -z "$keyrings" ]; then
> +		tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings"
> +	fi
> +
> +	templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
> +		cut -d'=' -f2)
> +
> +	grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line

Probably because I have multiple KEY_CHECK rules, this is failing:

grep: Unmatched ( or \(

And then it continues merrily along its way.

ima_keys 1 TPASS: specified keyrings were measured correctly
ima_keys 2 TCONF: missing /etc/keys/x509_ima.der

Mimi

> +	do
> +		local digest expected_digest algorithm
> +
> +		digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2)
> +		algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1)
> +		keyring=$(echo "$line" | cut -d' ' -f5)
> +
> +		echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
> +
> +		expected_digest="$(compute_digest $algorithm $test_file)" || \
> +			tst_brk TCONF "cannot compute digest for $algorithm"
> +
> +		if [ "$digest" != "$expected_digest" ]; then
> +			tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
> +		fi
> +	done
> +
> +	rm $test_file
> +
> +	tst_res TPASS "specified keyrings were measured correctly"
> +}

^ permalink raw reply	[flat|nested] 11+ messages in thread
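
Added example, not part of the thread or of LTP: one way to handle the two failure modes reported for test1 above (a policy with several KEY_CHECK rules breaking the `grep -E` pattern, and TPASS being reported regardless of what the loop found), run over a constructed policy and measurement log. The function names, return codes and sample key buffers are assumptions of this example.

```shell
#!/bin/sh
# Added example. Policy rules, key buffers and log lines below are constructed.

# One ERE alternation from the keyrings= value of every KEY_CHECK rule, with
# regex metacharacters (such as the leading "." of ".ima") escaped.
keyrings_regex() {	# $1 = policy file
	grep 'func=KEY_CHECK' "$1" | tr ' ' '\n' | sed -n 's/^keyrings=//p' |
		tr '|' '\n' | sort -u | sed 's/[].[*^$()+?{}|]/\\&/g' | paste -sd'|' -
}

is_hex() {	# non-empty, even length, hex digits only
	case $1 in ''|*[!0-9a-fA-F]*) return 1 ;; esac
	[ $(( ${#1} % 2 )) -eq 0 ]
}

hex2bin() {	# $1 = validated hex string; raw bytes go to stdout (no xxd needed)
	hex=$1
	while [ -n "$hex" ]; do
		byte=${hex%"${hex#??}"}
		hex=${hex#??}
		printf "\\$(printf '%03o' "0x$byte")"
	done
}

# Recompute the digest of every logged key buffer and compare it with the
# logged one. Returns 0 = all matched, 1 = at least one mismatch,
# 2 = policy names no KEY_CHECK keyrings, 3 = no log entry was verified.
verify_key_measurements() {	# $1 = policy file, $2 = ASCII measurement log
	re=$(keyrings_regex "$1")
	[ -n "$re" ] || return 2
	rc=3
	# The loop reads a here-document, not a pipe, so $rc survives the loop.
	while read -r pcr tdigest tmpl digest keyring buf; do
		[ -n "$buf" ] || continue
		alg=${digest%%:*} want=${digest#*:}
		case $alg in
		sha1|sha256|sha512) ;;	# allow-list: $alg becomes a command name
		*) echo "SKIP $keyring (unsupported algorithm)"; continue ;;
		esac
		if is_hex "$buf" &&
			got=$(hex2bin "$buf" | "${alg}sum" | cut -d' ' -f1) &&
			[ "$got" = "$want" ]; then
			echo "OK $keyring"
			if [ "$rc" -eq 3 ]; then rc=0; fi
		else
			echo "BAD $keyring"
			rc=1
		fi
	done <<EOF
$(grep -E " ima-buf [^ ]+ ($re) " "$2" 2>/dev/null)
EOF
	return $rc
}

# Constructed input: a policy with two KEY_CHECK rules, a consistent log and a
# log whose last entry carries a buffer that does not match its digest.
make_sample() {	# $1 = existing directory
	cat > "$1/policy" <<'EOF'
measure func=KEY_CHECK keyrings=.ima|.evm template=ima-buf
measure func=KEY_CHECK keyrings=.builtin_trusted_keys template=ima-buf
measure func=FILE_CHECK mask=MAY_READ
EOF
	good=$(printf '%s' 'constructed-key-A' | od -An -v -tx1 | tr -d ' \n')
	bad=$(printf '%s' 'constructed-key-B' | od -An -v -tx1 | tr -d ' \n')
	dig=$(printf '%s' 'constructed-key-A' | sha256sum | cut -d' ' -f1)
	th=0000000000000000000000000000000000000000	# template hash, not checked here
	{
		echo "10 $th ima-buf sha256:$dig .ima $good"
		echo "10 $th ima-buf sha256:$dig .builtin_trusted_keys $good"
		echo "10 $th ima-ng sha256:$dig /usr/bin/true"
	} > "$1/log.good"
	{ cat "$1/log.good"; echo "10 $th ima-buf sha256:$dig .evm $bad"; } > "$1/log.bad"
}

# Demo run on the constructed data.
tmp=$(mktemp -d) && make_sample "$tmp"
verify_key_measurements "$tmp/policy" "$tmp/log.good" && echo "good log verified"
verify_key_measurements "$tmp/policy" "$tmp/log.bad" || echo "tampered log rejected (rc=$?)"
rm -rf "$tmp"
```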

* [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys
  2020-06-24 13:21   ` Mimi Zohar
@ 2020-06-24 15:27     ` Mimi Zohar
  0 siblings, 0 replies; 11+ messages in thread
From: Mimi Zohar @ 2020-06-24 15:27 UTC (permalink / raw)
  To: ltp

[Resending due to mailer issues]

On Wed, 2020-06-24 at 09:21 -0400, Mimi Zohar wrote:
> Hi Lachlan,
> 
> > +
> > +# Based on https://lkml.org/lkml/2019/12/13/564.
> > +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
> > +test1()
> > +{
> > +	local keyrings keycheck_line templates test_file=$(mktemp)
> > +
> > +	tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
> > +
> > +	[ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY"
> > +
> > +	[ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
> > +
> > +	keycheck_line=$(grep "func=KEY_CHECK" $IMA_POLICY)
> > +	if [ -z "$keycheck_line" ]; then
> > +		tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\""
> > +	fi
> > +
> > +	if echo "$keycheck_line" | grep -q "*keyrings*"; then
> > +		tst_brk TCONF "ima policy does not specify a keyrings to check"
> > +	fi
> > +
> > +	keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
> > +		sed "s/\./\\\./g" | cut -d'=' -f2)
> > +	if [ -z "$keyrings" ]; then
> > +		tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings"
> > +	fi
> > +
> > +	templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
> > +		cut -d'=' -f2)
> > +
> > +	grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line
> 
> Probably because I have multiple KEY_CHECK rules, this is failing:
> 
> grep: Unmatched ( or \(
> 
> And then it continues merrily along its way.
> 
> ima_keys 1 TPASS: specified keyrings were measured correctly
> ima_keys 2 TCONF: missing /etc/keys/x509_ima.der
> 
> Mimi
> 
> > +	do
> > +		local digest expected_digest algorithm
> > +
> > +		digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2)
> > +		algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1)
> > +		keyring=$(echo "$line" | cut -d' ' -f5)
> > +
> > +		echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
> > +
> > +		expected_digest="$(compute_digest $algorithm $test_file)" || \
> > +			tst_brk TCONF "cannot compute digest for $algorithm"
> > +
> > +		if [ "$digest" != "$expected_digest" ]; then
> > +			tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
> > +		fi
> > +	done
> > +
> > +	rm $test_file
> > +
> > +	tst_res TPASS "specified keyrings were measured correctly"
> > +}



* [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring
  2020-06-17 23:49 ` [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff
  2020-06-18 20:14   ` Petr Vorel
@ 2020-06-24 16:41   ` Mimi Zohar
  2020-06-24 19:59     ` Lachlan Sneff
  1 sibling, 1 reply; 11+ messages in thread
From: Mimi Zohar @ 2020-06-24 16:41 UTC (permalink / raw)
  To: ltp

Hi Lachlan,

On Wed, 2020-06-17 at 19:49 -0400, Lachlan Sneff wrote:
> Add an IMA measurement test that verifies that an x509 certificate
> can be imported into the .ima keyring and measured correctly.

Please expand this, explaining that the x509 certificate needs to be
signed by a key on one of the trusted keyrings.

Once there is a reliable way of adding a key to the IMA keyring, this
opens up a lot of other testing possibilities.

> 
> Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
> ---
>  .../kernel/security/integrity/ima/README.md   | 21 +++++++++
>  .../security/integrity/ima/tests/ima_keys.sh  | 47 ++++++++++++++++++-
>  2 files changed, 66 insertions(+), 2 deletions(-)
> 
> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
> index 16a1f48c3..e41f7b570 100644
> --- a/testcases/kernel/security/integrity/ima/README.md
> +++ b/testcases/kernel/security/integrity/ima/README.md
> @@ -16,6 +16,27 @@ CONFIG_INTEGRITY=y
>  CONFIG_IMA=y
>  ```
>  
> +IMA Key Import test
> +-------------
> +
> +`ima_keys.sh` requires an x509 key to be generated and placed
> +at `/etc/keys/x509_ima.der`.

The filename "/etc/keys/x509_ima.der" is configurable. It's based on
CONFIG_IMA_X509_PATH Kconfig option. Perhaps extract it from the
running kernel's Kconfig?

> +
> +The x509 public key key must be signed by the private key you generate.
> +Follow these instructions:
> +https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys.
> +
> +The test cannot be set-up automatically because the kernel must be built
> +with one of the keys you generate.

Please reword this to convey that the public key must be built into
the kernel and loaded onto a trusted keyring (eg.
.builtin_trusted_keys, .secondary_trusted_keyring)

> +
> +As well as what's required for the IMA tests, the following are also required
> +in the kernel configuration:
> +```
> +CONFIG_IMA_READ_POLICY=y
> +CONFIG_SYSTEM_TRUSTED_KEYRING=y
> +CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
> +```
> +
>  EVM tests
>  ---------
>  
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> index 2b5324dbf..1d9824aba 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> @@ -5,10 +5,12 @@
>  #
>  # Verify that keys are measured correctly based on policy.
>  
> -TST_NEEDS_CMDS="grep mktemp cut sed tr"
> -TST_CNT=1
> +TST_NEEDS_CMDS="grep mktemp cut sed tr xxd keyctl evmctl openssl cmp"
> +TST_CNT=2
>  TST_NEEDS_DEVICE=1
>  
> +CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}"
> +
>  . ima_setup.sh
>  
>  # Based on https://lkml.org/lkml/2019/12/13/564.
> @@ -64,4 +66,45 @@ test1()
>  	tst_res TPASS "specified keyrings were measured correctly"
>  }
>  
> +
> +# Test that a cert can be imported into the ".ima" keyring correctly.
> +test2() {
> +	local keyring_id key_id test_file=$(mktemp)
> +
> +	[ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE"
> +
> +	if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then
> +		tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate"
> +	fi
> +
> +	tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)"
> +
> +	keyring_id=$(keyctl show %:.ima | sed -n 2p | \
> +		sed 's/^[[:space:]]*//' | cut -d' ' -f1) || \
> +		tst_btk TCONF "unable to retrieve .ima keyring id"

Using "keyctl describe" returns the keyring id as the first token,
making it simpler to parse.

Mimi

> +
> +	if ! tst_is_num	"$keyring_id"; then
> +		tst_brk TCONF "unable to parse keyring id from keyring"
> +	fi
> +
> +	evmctl import $CERT_FILE "$keyring_id" > /dev/null || \
> +		tst_brk TCONF "unable to import a cert into the .ima keyring"
> +
> +	grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \
> +		xxd -r -p > $test_file || \
> +		tst_brk TCONF "cert not found in ascii_runtime_measurements log"
> +
> +	if ! openssl x509 -in $test_file -inform der > /dev/null; then
> +		tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate"
> +	fi
> +
> +	if cmp -s "$test_file" $CERT_FILE; then
> +		tst_res TPASS "logged cert matches original cert"
> +	else
> +		tst_res TFAIL "logged cert does not match original cert"
> +	fi
> +
> +	rm $test_file
> +}
> +
>  tst_run



* [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring
  2020-06-24 16:41   ` Mimi Zohar
@ 2020-06-24 19:59     ` Lachlan Sneff
  2020-06-24 20:02       ` Mimi Zohar
  0 siblings, 1 reply; 11+ messages in thread
From: Lachlan Sneff @ 2020-06-24 19:59 UTC (permalink / raw)
  To: ltp

Thank you for the review, Mimi!

On 6/24/20 12:41 PM, Mimi Zohar wrote:
> Hi Lachlan,
>
> On Wed, 2020-06-17 at 19:49 -0400, Lachlan Sneff wrote:
>> Add an IMA measurement test that verifies that an x509 certificate
>> can be imported into the .ima keyring and measured correctly.
> Please expand this, explaining that the x509 certificate needs to be
> signed by a key on one of the trusted keyrings.
>
> Once there is a reliable way of adding a key to the IMA keyring, this
> opens up a lot of other testing possibilities.
This is a great idea. I definitely wasn't clear enough here.
>> Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
>> ---
>>   .../kernel/security/integrity/ima/README.md   | 21 +++++++++
>>   .../security/integrity/ima/tests/ima_keys.sh  | 47 ++++++++++++++++++-
>>   2 files changed, 66 insertions(+), 2 deletions(-)
>>
>> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
>> index 16a1f48c3..e41f7b570 100644
>> --- a/testcases/kernel/security/integrity/ima/README.md
>> +++ b/testcases/kernel/security/integrity/ima/README.md
>> @@ -16,6 +16,27 @@ CONFIG_INTEGRITY=y
>>   CONFIG_IMA=y
>>   ```
>>   
>> +IMA Key Import test
>> +-------------
>> +
>> +`ima_keys.sh` requires an x509 key to be generated and placed
>> +at `/etc/keys/x509_ima.der`.
> The filename "/etc/keys/x509_ima.der" is configurable. It's based on
> CONFIG_IMA_X509_PATH Kconfig option. Perhaps extract it from the
> running kernel's Kconfig?
I didn't think of pulling it from the kernel config. Will try this. I
assume `grep "..." /boot/config-$(uname -r)` is the right way to grab a
line from the config?
>> +
>> +The x509 public key key must be signed by the private key you generate.
>> +Follow these instructions:
>> +https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys.
>> +
>> +The test cannot be set-up automatically because the kernel must be built
>> +with one of the keys you generate.
> Please reword this to convey that the public key must be built into
> the kernel and loaded onto a trusted keyring (eg.
> .builtin_trusted_keys, .secondary_trusted_keyring)
Sounds good.
>> +
>> +As well as what's required for the IMA tests, the following are also required
>> +in the kernel configuration:
>> +```
>> +CONFIG_IMA_READ_POLICY=y
>> +CONFIG_SYSTEM_TRUSTED_KEYRING=y
>> +CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
>> +```
>> +
>>   EVM tests
>>   ---------
>>   
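
Review bot: the new README section states that the certificate must be placed at `/etc/keys/x509_ima.der`, but ima_keys.sh in this same patch reads `CERT_FILE` and only falls back to that path, so the override should be documented here. Two smaller points in the added text: "public key key" repeats a word, and the underline of "IMA Key Import test" is shorter than the title, unlike the "EVM tests" heading below it.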
>> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
>> index 2b5324dbf..1d9824aba 100755
>> --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
>> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
>> @@ -5,10 +5,12 @@
>>   #
>>   # Verify that keys are measured correctly based on policy.
>>   
>> -TST_NEEDS_CMDS="grep mktemp cut sed tr"
>> -TST_CNT=1
>> +TST_NEEDS_CMDS="grep mktemp cut sed tr xxd keyctl evmctl openssl cmp"
>> +TST_CNT=2
>>   TST_NEEDS_DEVICE=1
>>   
>> +CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}"
>> +
>>   . ima_setup.sh
>>   
>>   # Based on https://lkml.org/lkml/2019/12/13/564.
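
Review bot: `tail` is used by test2 but is missing from the extended `TST_NEEDS_CMDS` list. The tools added here (`xxd keyctl evmctl openssl cmp`) are needed only by test2, yet listing them in `TST_NEEDS_CMDS` makes them a requirement for the whole file, so test1 would also be skipped on a system without, for example, `evmctl`. Consider checking for them at the start of test2 instead.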
>> @@ -64,4 +66,45 @@ test1()
>>   	tst_res TPASS "specified keyrings were measured correctly"
>>   }
>>   
>> +
>> +# Test that a cert can be imported into the ".ima" keyring correctly.
>> +test2() {
>> +	local keyring_id key_id test_file=$(mktemp)
>> +
>> +	[ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE"
>> +
>> +	if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then
>> +		tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate"
>> +	fi
>> +
>> +	tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)"
>> +
>> +	keyring_id=$(keyctl show %:.ima | sed -n 2p | \
>> +		sed 's/^[[:space:]]*//' | cut -d' ' -f1) || \
>> +		tst_btk TCONF "unable to retrieve .ima keyring id"
> Using "keyctl describe" returns the keyring id as the first token,
> making it simpler to parse.
Didn't realize this, will simplify the code here.
>
> Mimi
Thanks again! Will get a patchset out with the changes asap.
>
>> +
>> +	if ! tst_is_num	"$keyring_id"; then
>> +		tst_brk TCONF "unable to parse keyring id from keyring"
>> +	fi
>> +
>> +	evmctl import $CERT_FILE "$keyring_id" > /dev/null || \
>> +		tst_brk TCONF "unable to import a cert into the .ima keyring"
>> +
>> +	grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \
>> +		xxd -r -p > $test_file || \
>> +		tst_brk TCONF "cert not found in ascii_runtime_measurements log"
>> +
>> +	if ! openssl x509 -in $test_file -inform der > /dev/null; then
>> +		tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate"
>> +	fi
>> +
>> +	if cmp -s "$test_file" $CERT_FILE; then
>> +		tst_res TPASS "logged cert matches original cert"
>> +	else
>> +		tst_res TFAIL "logged cert does not match original cert"
>> +	fi
>> +
>> +	rm $test_file
>> +}
>> +
>>   tst_run
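
Review bot: in test2, every check after a successful `evmctl import` reports TCONF, although a certificate that was imported but is missing from or corrupted in the measurement log is arguably what this test exists to catch and should be TFAIL. The `|| tst_brk` after the `grep -F ".ima" ... | xxd -r -p` pipeline only sees the status of `xxd`, so a missing entry produces an empty `$test_file` and surfaces later as "not a valid x509 certificate". `grep -F ".ima"` also matches any log line containing that string, not only the keyring name field. Finally, `$test_file` is left behind on every `tst_brk` path and is expanded unquoted, as is `$CERT_FILE`.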


* [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring
  2020-06-24 19:59     ` Lachlan Sneff
@ 2020-06-24 20:02       ` Mimi Zohar
  2020-07-14 12:10         ` Petr Vorel
  0 siblings, 1 reply; 11+ messages in thread
From: Mimi Zohar @ 2020-06-24 20:02 UTC (permalink / raw)
  To: ltp

On Wed, 2020-06-24 at 15:59 -0400, Lachlan Sneff wrote:
> 
> >> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
> >> index 16a1f48c3..e41f7b570 100644
> >> --- a/testcases/kernel/security/integrity/ima/README.md
> >> +++ b/testcases/kernel/security/integrity/ima/README.md
> >> @@ -16,6 +16,27 @@ CONFIG_INTEGRITY=y
> >>   CONFIG_IMA=y
> >>   ```
> >>   
> >> +IMA Key Import test
> >> +-------------
> >> +
> >> +`ima_keys.sh` requires an x509 key to be generated and placed
> >> +at `/etc/keys/x509_ima.der`.
> > The filename "/etc/keys/x509_ima.der" is configurable. It's based on
> > CONFIG_IMA_X509_PATH Kconfig option. Perhaps extract it from the
> > running kernel's Kconfig?
> I didn't think of pulling it from the kernel config. Will try this. I
> assume `grep "..." /boot/config-$(uname -r)` is the right way to grab a
> line from the config?

Try using scripts/extract-ikconfig.

Mimi



* [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring
  2020-06-24 20:02       ` Mimi Zohar
@ 2020-07-14 12:10         ` Petr Vorel
  0 siblings, 0 replies; 11+ messages in thread
From: Petr Vorel @ 2020-07-14 12:10 UTC (permalink / raw)
  To: ltp

Hi Mimi, Lachlan,

> > >> +`ima_keys.sh` requires an x509 key to be generated and placed
> > >> +at `/etc/keys/x509_ima.der`.
> > > The filename "/etc/keys/x509_ima.der" is configurable. It's based on
> > > CONFIG_IMA_X509_PATH Kconfig option. Perhaps extract it from the
> > > running kernel's Kconfig?
> > I didn't think of pulling it from the kernel config. Will try this. I
> > assume `grep "..." /boot/config-$(uname -r)` is the right way to grab a
> > line from the config?

> Try using scripts/extract-ikconfig.
For now I'd just try to grep /boot/config-$(uname -r), but allow running the test
with the default value if the kconfig is not present / readable (when running without
root).

I'm not sure if extract-ikconfig as an external dependency would be suitable for
LTP (I understand it's great for kselftest as it's already present).

BTW there is a ticket for adding kernel config related helpers into the LTP
shell API [1], I'll also note extract-ikconfig there.

LTP refused for a long time to work with kernel config, because its
requirement meant that a SUT without it could not be tested. Always try not to
make kernel config a hard dependency (various embedded or old Android systems will be
disabled; some Linux distros require root for reading the config).
The design in [1] also suggests having the possibility to run the test even without config.

[1] https://github.com/linux-test-project/ltp/issues/700

> Mimi

Kind regards,
Petr
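
The lookup discussed in this thread, written out as an added example that is not part of any posted patch or of LTP: read CONFIG_IMA_X509_PATH from the kernel config when it is readable, and otherwise fall back to the patch's default so the test can still run. The function names `kconfig_x509_path` and `ima_cert_path`, and the choice to let an explicit `CERT_FILE` win over the kernel config, are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not LTP code). DEFAULT_CERT is the path hard-coded in the patch.
DEFAULT_CERT="/etc/keys/x509_ima.der"

# Print the value of CONFIG_IMA_X509_PATH found in the config file "$1".
# Returns 1 if the file is not readable or the option is not set, so the
# caller can fall back instead of aborting (no hard kconfig dependency).
kconfig_x509_path() {
	_cfg="$1"
	[ -r "$_cfg" ] || return 1
	# String options are stored as CONFIG_FOO="value". Anchoring at ^ keeps
	# the "# CONFIG_FOO is not set" form from matching.
	_val=$(sed -n 's/^CONFIG_IMA_X509_PATH="\(.*\)"$/\1/p' "$_cfg" | tail -n 1)
	[ -n "$_val" ] || return 1
	printf '%s\n' "$_val"
}

# Resolve the certificate path. Precedence (an assumption of this example):
#   1. CERT_FILE from the environment, as the patch already allows
#   2. CONFIG_IMA_X509_PATH from the running kernel's config
#   3. the default path
# "$1" optionally overrides the config file location, which makes the
# function usable on systems that keep the config elsewhere.
ima_cert_path() {
	_file="${1:-/boot/config-$(uname -r)}"
	if [ -n "${CERT_FILE:-}" ]; then
		printf '%s\n' "$CERT_FILE"
	elif kconfig_x509_path "$_file"; then
		:	# value already printed by kconfig_x509_path
	else
		printf '%s\n' "$DEFAULT_CERT"
	fi
}

# Typical use in a test script:
#   CERT_FILE="$(ima_cert_path)"
```
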

