* [LTP] [PATCH v4 0/2] IMA: Verify measurement of certificates @ 2020-06-26 2:11 Lachlan Sneff 2020-06-26 2:11 ` [LTP] [PATCH v4 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff 2020-06-26 2:11 ` [LTP] [PATCH v4 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff 0 siblings, 2 replies; 7+ messages in thread From: Lachlan Sneff @ 2020-06-26 2:11 UTC (permalink / raw) To: ltp The IMA subsystem is capable of importing and measuring certificates. This set of patches adds tests for verifying that keys are imported and measured correctly. Apologies to Mimi Zohar for the late reply. Changelog: v4 - Clarify documentation about required certificate. - Fix case where multiple KEY_CHECK rules are present. v3 - Document requirements for running the ima key tests and provide resources for generating keys. v2 - Un-linebreak a few strings - Enforce that some commands are available before running - Move compute_digest function to ima_setup.sh - Fix file permissions on ima_key.sh - Move IMA_POLICY variable to ima_setup.sh - Add keycheck.policy datafile v1 - The following patchsets should be applied in that order. - Add tests that verify measurement of keys and importing certificates. *** BLURB HERE *** Lachlan Sneff (2): IMA: Add a test to verify measurment of keys IMA: Add a test to verify importing a certificate into keyring runtest/ima | 1 + .../kernel/security/integrity/ima/README.md | 22 ++++ .../integrity/ima/datafiles/keycheck.policy | 1 + .../security/integrity/ima/tests/ima_keys.sh | 112 ++++++++++++++++++ .../integrity/ima/tests/ima_measurements.sh | 36 +----- .../integrity/ima/tests/ima_policy.sh | 1 - .../security/integrity/ima/tests/ima_setup.sh | 35 ++++++ 7 files changed, 172 insertions(+), 36 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keycheck.policy create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_keys.sh -- 2.25.1 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [LTP] [PATCH v4 1/2] IMA: Add a test to verify measurment of keys 2020-06-26 2:11 [LTP] [PATCH v4 0/2] IMA: Verify measurement of certificates Lachlan Sneff @ 2020-06-26 2:11 ` Lachlan Sneff 2020-07-14 7:55 ` Petr Vorel 2020-07-15 0:35 ` Mimi Zohar 2020-06-26 2:11 ` [LTP] [PATCH v4 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff 1 sibling, 2 replies; 7+ messages in thread From: Lachlan Sneff @ 2020-06-26 2:11 UTC (permalink / raw) To: ltp Add a testcase that verifies that the IMA subsystem has correctly measured keys added to keyrings specified in the IMA policy file. Additionally, add support for handling a new IMA template descriptor, namely ima-buf[1], in the IMA measurement tests. [1]: https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> --- runtest/ima | 1 + .../integrity/ima/datafiles/keycheck.policy | 1 + .../security/integrity/ima/tests/ima_keys.sh | 72 +++++++++++++++++++ .../integrity/ima/tests/ima_measurements.sh | 36 +--------- .../integrity/ima/tests/ima_policy.sh | 1 - .../security/integrity/ima/tests/ima_setup.sh | 35 +++++++++ 6 files changed, 110 insertions(+), 36 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keycheck.policy create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_keys.sh diff --git a/runtest/ima b/runtest/ima index f3ea88cf0..309d47420 100644 --- a/runtest/ima +++ b/runtest/ima @@ -3,4 +3,5 @@ ima_measurements ima_measurements.sh ima_policy ima_policy.sh ima_tpm ima_tpm.sh ima_violations ima_violations.sh +ima_keys ima_keys.sh evm_overlay evm_overlay.sh diff --git a/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy new file mode 100644 index 000000000..3f1934a3d --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy @@ -0,0 +1 @@ +measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh new file mode 100755 index 000000000..94eb15e09 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -0,0 +1,72 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2020 Microsoft Corporation +# Author: Lachlan Sneff <t-josne@linux.microsoft.com> +# +# Verify that keys are measured correctly based on policy. + +TST_NEEDS_CMDS="grep mktemp cut sed tr" +TST_CNT=1 +TST_NEEDS_DEVICE=1 + +. ima_setup.sh + +# Based on https://lkml.org/lkml/2019/12/13/564. +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") +test1() +{ + local keyrings keycheck_lines keycheck_line templates test_file="file.txt" + + tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file" + + [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY" + + [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)" + + keycheck_lines=$(grep "func=KEY_CHECK" $IMA_POLICY) + if [ -z "$keycheck_lines" ]; then + tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\"" + fi + + keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1) + + if [ -z "$keycheck_line" ]; then + tst_brk TCONF "ima policy does not specify a keyrings to check" + fi + + keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \ + sed "s/\./\\\./g" | cut -d'=' -f2) + if [ -z "$keyrings" ]; then + tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings" + fi + + templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \ + cut -d'=' -f2) + + success=true + + grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line + do + local digest expected_digest algorithm + + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) + keyring=$(echo "$line" | cut -d' ' -f5) + + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file + + expected_digest="$(compute_digest $algorithm $test_file)" || \ + tst_brk TCONF "cannot compute digest for $algorithm" + + if [ "$digest" != "$expected_digest" ]; then + $success=false + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring" + fi + done + + if $success; then + tst_res TPASS "specified keyrings were measured correctly" + fi +} + +tst_run diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index 54237d688..04d8e6353 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh @@ -28,7 +28,7 @@ setup() # parse digest index # https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use case "$template" in - ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;; + ima|ima-ng|ima-sig|ima-buf) DIGEST_INDEX=4 ;; *) # using ima_template_fmt kernel parameter local IFS="|" @@ -46,40 +46,6 @@ setup() "Cannot find digest index (template: '$template')" } -# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160 -compute_digest() -{ - local algorithm="$1" - local file="$2" - local digest - - digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')" - if [ -n "$digest" ]; then - echo "$digest" - return 0 - fi - - digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')" - if [ -n "$digest" ]; then - echo "$digest" - return 0 - fi - - # uncommon ciphers - local arg="$algorithm" - case "$algorithm" in - tgr192) arg="tiger" ;; - wp512) arg="whirlpool" ;; - esac - - digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')" - if [ -n "$digest" ]; then - echo "$digest" - return 0 - fi - return 1 -} - ima_check() { local delimiter=':' diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh index 6286277b4..244cf081d 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh @@ -23,7 +23,6 @@ check_policy_writable() setup() { - IMA_POLICY="$IMA_DIR/policy" check_policy_writable VALID_POLICY="$TST_DATAROOT/measure.policy" diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 58a12eda3..8ae477c1c 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -20,6 +20,40 @@ SYSFS="/sys" UMOUNT= TST_FS_TYPE="ext3" +# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160 +compute_digest() +{ + local algorithm="$1" + local file="$2" + local digest + + digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')" + if [ -n "$digest" ]; then + echo "$digest" + return 0 + fi + + digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')" + if [ -n "$digest" ]; then + echo "$digest" + return 0 + fi + + # uncommon ciphers + local arg="$algorithm" + case "$algorithm" in + tgr192) arg="tiger" ;; + wp512) arg="whirlpool" ;; + esac + + digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')" + if [ -n "$digest" ]; then + echo "$digest" + return 0 + fi + return 1 +} + check_ima_policy() { local policy="$1" @@ -85,6 +119,7 @@ ima_setup() [ -d "$IMA_DIR" ] || tst_brk TCONF "IMA not enabled in kernel" ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements" BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements" + IMA_POLICY="$IMA_DIR/policy" print_ima_config -- 2.25.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [LTP] [PATCH v4 1/2] IMA: Add a test to verify measurment of keys 2020-06-26 2:11 ` [LTP] [PATCH v4 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff @ 2020-07-14 7:55 ` Petr Vorel 2020-07-15 0:35 ` Mimi Zohar 1 sibling, 0 replies; 7+ messages in thread From: Petr Vorel @ 2020-07-14 7:55 UTC (permalink / raw) To: ltp Hi Lachlan, ... > +# Based on https://lkml.org/lkml/2019/12/13/564. > +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") > +test1() > +{ > + local keyrings keycheck_lines keycheck_line templates test_file="file.txt" $keycheck_lines and $keycheck_line are a bit hard to distinguish, but we already use $line later on, thus let's keep it. > + > + tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file" > + > + [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY" > + > + [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)" > + > + keycheck_lines=$(grep "func=KEY_CHECK" $IMA_POLICY) > + if [ -z "$keycheck_lines" ]; then > + tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\"" > + fi > + > + keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1) > + > + if [ -z "$keycheck_line" ]; then > + tst_brk TCONF "ima policy does not specify a keyrings to check" > + fi > + > + keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \ > + sed "s/\./\\\./g" | cut -d'=' -f2) > + if [ -z "$keyrings" ]; then > + tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings" > + fi > + > + templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \ > + cut -d'=' -f2) > + > + success=true > + > + grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line > + do > + local digest expected_digest algorithm > + > + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) > + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) > + keyring=$(echo "$line" | cut -d' ' -f5) > + > + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file > + > + expected_digest="$(compute_digest $algorithm $test_file)" || \ > + tst_brk TCONF "cannot compute digest for $algorithm" > + > + if [ "$digest" != "$expected_digest" ]; then > + $success=false $success=false is wrong, success=false must be used. And it's not defined as local. And also although it's working this way, LTP shell code style is using 1/empty, not true/false. Can you use: fail=1 And also, does it make sense to continue evaluating on error? If not (not sure myself) return after tst_res TFAIL would be the best. > + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring" > + fi > + done > + > + if $success; then and here: if [ "$fail" ]; then > + tst_res TPASS "specified keyrings were measured correctly" > + fi ... The rest looks ok to me (no need to repost new version just for this). Kind regards, Petr ^ permalink raw reply [flat|nested] 7+ messages in thread
* [LTP] [PATCH v4 1/2] IMA: Add a test to verify measurment of keys 2020-06-26 2:11 ` [LTP] [PATCH v4 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff 2020-07-14 7:55 ` Petr Vorel @ 2020-07-15 0:35 ` Mimi Zohar 2020-07-15 19:34 ` Lachlan Sneff 1 sibling, 1 reply; 7+ messages in thread From: Mimi Zohar @ 2020-07-15 0:35 UTC (permalink / raw) To: ltp On Thu, 2020-06-25 at 22:11 -0400, Lachlan Sneff wrote: > Add a testcase that verifies that the IMA subsystem has correctly > measured keys added to keyrings specified in the IMA policy file. > > Additionally, add support for handling a new IMA template descriptor, > namely ima-buf[1], in the IMA measurement tests. > > [1]: https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use > > Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> An additional test might be to verify that only the keys in the measurement list are actually on the specified keyring and nothing else. Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> ^ permalink raw reply [flat|nested] 7+ messages in thread
* [LTP] [PATCH v4 1/2] IMA: Add a test to verify measurment of keys 2020-07-15 0:35 ` Mimi Zohar @ 2020-07-15 19:34 ` Lachlan Sneff 0 siblings, 0 replies; 7+ messages in thread From: Lachlan Sneff @ 2020-07-15 19:34 UTC (permalink / raw) To: ltp On 7/14/20 8:35 PM, Mimi Zohar wrote: > An additional test might be to verify that only the keys in the > measurement list are actually on the specified keyring and nothing > else. That seems like a good idea. I may not have time to implement it however. > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> - Lachlan ^ permalink raw reply [flat|nested] 7+ messages in thread
* [LTP] [PATCH v4 2/2] IMA: Add a test to verify importing a certificate into keyring 2020-06-26 2:11 [LTP] [PATCH v4 0/2] IMA: Verify measurement of certificates Lachlan Sneff 2020-06-26 2:11 ` [LTP] [PATCH v4 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff @ 2020-06-26 2:11 ` Lachlan Sneff 2020-07-15 0:41 ` Mimi Zohar 1 sibling, 1 reply; 7+ messages in thread From: Lachlan Sneff @ 2020-06-26 2:11 UTC (permalink / raw) To: ltp Add an IMA measurement test that verifies that an x509 certificate can be imported into the .ima keyring and measured correctly. Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> --- .../kernel/security/integrity/ima/README.md | 22 ++++++++++ .../security/integrity/ima/tests/ima_keys.sh | 44 ++++++++++++++++++- 2 files changed, 64 insertions(+), 2 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md index 16a1f48c3..9e6790306 100644 --- a/testcases/kernel/security/integrity/ima/README.md +++ b/testcases/kernel/security/integrity/ima/README.md @@ -16,6 +16,28 @@ CONFIG_INTEGRITY=y CONFIG_IMA=y ``` +IMA Key Import test +------------- +`ima_keys.sh` requires an x509 certificate to be signed by a key on one +of the trusted keyrings. The x509 certificate must be placed at +`/etc/keys/x509_ima.der` for this test or the path must be passed in +the CERT_FILE env var. + +The x509 public key key must be signed by the private key you generate. +Follow these instructions: +https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys. + +The test cannot be set-up automatically because the x509 public key must be +built into the kernel and loaded onto a trusted keyring. + +As well as what's required for the IMA tests, the following are also required +in the kernel configuration: +``` +CONFIG_IMA_READ_POLICY=y +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem" +``` + EVM tests --------- diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index 94eb15e09..499881251 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -5,10 +5,12 @@ # # Verify that keys are measured correctly based on policy. -TST_NEEDS_CMDS="grep mktemp cut sed tr" -TST_CNT=1 +TST_NEEDS_CMDS="grep mktemp cut sed tr xxd keyctl evmctl openssl cmp" +TST_CNT=2 TST_NEEDS_DEVICE=1 +CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}" + . ima_setup.sh # Based on https://lkml.org/lkml/2019/12/13/564. @@ -69,4 +71,42 @@ test1() fi } + +# Test that a cert can be imported into the ".ima" keyring correctly. +test2() { + local keyring_id key_id test_file="file.txt" + + [ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE" + + if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then + tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate" + fi + + tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)" + + keyring_id=$(keyctl describe %:.ima | cut -d' ' -f2 | tr -d ':') || \ + tst_btk TCONF "unable to retrieve .ima keyring id" + + if ! tst_is_num "$keyring_id"; then + tst_brk TCONF "unable to parse keyring id from keyring" + fi + + evmctl import $CERT_FILE "$keyring_id" > /dev/null || \ + tst_brk TCONF "unable to import a cert into the .ima keyring" + + grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \ + xxd -r -p > $test_file || \ + tst_brk TCONF "cert not found in ascii_runtime_measurements log" + + if ! openssl x509 -in $test_file -inform der > /dev/null; then + tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate" + fi + + if cmp -s "$test_file" $CERT_FILE; then + tst_res TPASS "logged cert matches original cert" + else + tst_res TFAIL "logged cert does not match original cert" + fi +} + tst_run -- 2.25.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [LTP] [PATCH v4 2/2] IMA: Add a test to verify importing a certificate into keyring 2020-06-26 2:11 ` [LTP] [PATCH v4 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff @ 2020-07-15 0:41 ` Mimi Zohar 0 siblings, 0 replies; 7+ messages in thread From: Mimi Zohar @ 2020-07-15 0:41 UTC (permalink / raw) To: ltp On Thu, 2020-06-25 at 22:11 -0400, Lachlan Sneff wrote: > Add an IMA measurement test that verifies that an x509 certificate > can be imported into the .ima keyring and measured correctly. > > Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> > --- > .../kernel/security/integrity/ima/README.md | 22 ++++++++++ > .../security/integrity/ima/tests/ima_keys.sh | 44 ++++++++++++++++++- > 2 files changed, 64 insertions(+), 2 deletions(-) > > diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md > index 16a1f48c3..9e6790306 100644 > --- a/testcases/kernel/security/integrity/ima/README.md > +++ b/testcases/kernel/security/integrity/ima/README.md > @@ -16,6 +16,28 @@ CONFIG_INTEGRITY=y > CONFIG_IMA=y > ``` > > +IMA Key Import test > +------------- > +`ima_keys.sh` requires an x509 certificate to be signed by a key on one > +of the trusted keyrings. The x509 certificate must be placed at > +`/etc/keys/x509_ima.der` for this test or the path must be passed in > +the CERT_FILE env var. > + > +The x509 public key key must be signed by the private key you generate. > +Follow these instructions: > +https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys. > + > +The test cannot be set-up automatically because the x509 public key must be > +built into the kernel and loaded onto a trusted keyring. > + > +As well as what's required for the IMA tests, the following are also required > +in the kernel configuration: > +``` > +CONFIG_IMA_READ_POLICY=y > +CONFIG_SYSTEM_TRUSTED_KEYRING=y > +CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem" > +``` > + > EVM tests > --------- > > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > index 94eb15e09..499881251 100755 > --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > @@ -5,10 +5,12 @@ > # > # Verify that keys are measured correctly based on policy. > > -TST_NEEDS_CMDS="grep mktemp cut sed tr" > -TST_CNT=1 > +TST_NEEDS_CMDS="grep mktemp cut sed tr xxd keyctl evmctl openssl cmp" > +TST_CNT=2 > TST_NEEDS_DEVICE=1 > > +CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}" > + > . ima_setup.sh > > # Based on https://lkml.org/lkml/2019/12/13/564. > @@ -69,4 +71,42 @@ test1() > fi > } > > + > +# Test that a cert can be imported into the ".ima" keyring correctly. > +test2() { > + local keyring_id key_id test_file="file.txt" > + > + [ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE" > + > + if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then > + tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate" > + fi > + > + tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)" Above this line there is some extraneous whitespace. > + > + keyring_id=$(keyctl describe %:.ima | cut -d' ' -f2 | tr -d ':') || \ > + tst_btk TCONF "unable to retrieve .ima keyring id" It seems "keyctl describe" is returning different things depending on the version. ?You must be seeing 2 spaces before the keyring id. ?On Ubuntu 20.0, I'm seeing the keyring id indented with 3 spaces.??On an older Fedora, there are no spaces.??Try reversing the cut and tr delimiters. > + > + if ! tst_is_num "$keyring_id"; then > + tst_brk TCONF "unable to parse keyring id from keyring" > + fi > + > + evmctl import $CERT_FILE "$keyring_id" > /dev/null || \ > + tst_brk TCONF "unable to import a cert into the .ima keyring" > + > + grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \ > + xxd -r -p > $test_file || \ > + tst_brk TCONF "cert not found in ascii_runtime_measurements log" The original CERT_FILE should have been measured on boot. ?In fact, it should have been the first key on the .ima keyring to be measured. ?Unless the CERT_FILE changed, importing it again shouldn't cause another record to be added to the measurement list. ?Exporting the last imported key onto the .ima keyring won't work. > + > + if ! openssl x509 -in $test_file -inform der > /dev/null; then > + tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate" > + fi > + > + if cmp -s "$test_file" $CERT_FILE; then > + tst_res TPASS "logged cert matches original cert" > + else > + tst_res TFAIL "logged cert does not match original cert" This is failing due to the above reason. Mimi > + fi > +} > + > tst_run ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2020-07-15 19:34 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-06-26 2:11 [LTP] [PATCH v4 0/2] IMA: Verify measurement of certificates Lachlan Sneff 2020-06-26 2:11 ` [LTP] [PATCH v4 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff 2020-07-14 7:55 ` Petr Vorel 2020-07-15 0:35 ` Mimi Zohar 2020-07-15 19:34 ` Lachlan Sneff 2020-06-26 2:11 ` [LTP] [PATCH v4 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff 2020-07-15 0:41 ` Mimi Zohar
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.