* [LTP] [PATCH v5 0/4] IMA: kexec cmdline measurement
@ 2020-07-27 22:30 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
To: ltp
Hi all,
sending hopefully the last version. In the end I did quite few changes,
thus sending patchset instead of merging without review.
Tested on various setup:
ima_kexec 1 TCONF: IMA policy does not specify '^measure.*func=KEXEC_CMDLINE'
---
ima_kexec 1 TPASS: kexec -s -l /boot/vmlinuz-5.3.13-1-default --append=foo passed as expected
ima_kexec 1 TPASS: kexec cmdline for --append=foo was measured correctly
ima_kexec 2 TPASS: kexec -s -l /boot/vmlinuz-5.3.13-1-default --command-line=bar passed as expected
ima_kexec 2 TPASS: kexec cmdline for --command-line=bar was measured correctly
---
ima_kexec 1 TBROK: kexec failed: kexec_file_load failed: Required key not available
---
ima_kexec 1 TWARN: policy not readable, it might not contain required measure func=KEXEC_CMDLINE
ima_kexec 1 TBROK: unable to find a correct entry for --reuse-cmdline
Kind regards,
Petr
Lachlan Sneff (1):
IMA: Add test for kexec cmdline measurement
Petr Vorel (3):
IMA: Rename helper to require_ima_policy_cmdline
IMA: Add policy related helpers
IMA/ima_keys.sh: Fix policy readability check
runtest/ima | 1 +
.../kernel/security/integrity/ima/README.md | 8 ++
.../integrity/ima/datafiles/kexec.policy | 1 +
.../integrity/ima/tests/evm_overlay.sh | 2 +-
.../security/integrity/ima/tests/ima_kexec.sh | 111 ++++++++++++++++++
.../security/integrity/ima/tests/ima_keys.sh | 10 +-
.../integrity/ima/tests/ima_measurements.sh | 2 +-
.../security/integrity/ima/tests/ima_setup.sh | 41 ++++++-
8 files changed, 164 insertions(+), 12 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/kexec.policy
create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
--
2.27.0
^ permalink raw reply [flat|nested] 20+ messages in thread
* [PATCH v5 1/4] IMA: Rename helper to require_ima_policy_cmdline
2020-07-27 22:30 ` [LTP] " Petr Vorel
@ 2020-07-27 22:30 ` Petr Vorel
-1 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar,
balajib, linux-integrity
To be clear we check /proc/cmdline. There will be another helper
function require_ima_policy_content().
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
New in v5.
testcases/kernel/security/integrity/ima/tests/evm_overlay.sh | 2 +-
.../kernel/security/integrity/ima/tests/ima_measurements.sh | 2 +-
testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
index ac209e430..9d86778b6 100755
--- a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
+++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
@@ -19,7 +19,7 @@ setup()
[ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
[ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
- check_ima_policy "appraise_tcb"
+ require_ima_policy_cmdline "appraise_tcb"
lower="$TST_MNTPOINT/lower"
upper="$TST_MNTPOINT/upper"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 04d8e6353..9a7500c76 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -15,7 +15,7 @@ TST_NEEDS_DEVICE=1
setup()
{
- check_ima_policy "tcb"
+ require_ima_policy_cmdline "tcb"
TEST_FILE="$PWD/test.txt"
POLICY="$IMA_DIR/policy"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 8ae477c1c..975ce9cbb 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -54,7 +54,7 @@ compute_digest()
return 1
}
-check_ima_policy()
+require_ima_policy_cmdline()
{
local policy="$1"
local i
--
2.27.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [LTP] [PATCH v5 1/4] IMA: Rename helper to require_ima_policy_cmdline
@ 2020-07-27 22:30 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
To: ltp
To be clear we check /proc/cmdline. There will be another helper
function require_ima_policy_content().
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
New in v5.
testcases/kernel/security/integrity/ima/tests/evm_overlay.sh | 2 +-
.../kernel/security/integrity/ima/tests/ima_measurements.sh | 2 +-
testcases/kernel/security/integrity/ima/tests/ima_setup.sh | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
index ac209e430..9d86778b6 100755
--- a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
+++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
@@ -19,7 +19,7 @@ setup()
[ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
[ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
- check_ima_policy "appraise_tcb"
+ require_ima_policy_cmdline "appraise_tcb"
lower="$TST_MNTPOINT/lower"
upper="$TST_MNTPOINT/upper"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 04d8e6353..9a7500c76 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -15,7 +15,7 @@ TST_NEEDS_DEVICE=1
setup()
{
- check_ima_policy "tcb"
+ require_ima_policy_cmdline "tcb"
TEST_FILE="$PWD/test.txt"
POLICY="$IMA_DIR/policy"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 8ae477c1c..975ce9cbb 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -54,7 +54,7 @@ compute_digest()
return 1
}
-check_ima_policy()
+require_ima_policy_cmdline()
{
local policy="$1"
local i
--
2.27.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [PATCH v5 2/4] IMA: Add policy related helpers
2020-07-27 22:30 ` [LTP] " Petr Vorel
@ 2020-07-27 22:30 ` Petr Vorel
-1 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar,
balajib, linux-integrity
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
New in v5.
.../security/integrity/ima/tests/ima_setup.sh | 39 +++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 975ce9cbb..c46f273ab 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -54,6 +54,45 @@ compute_digest()
return 1
}
+check_policy_readable()
+{
+ if [ -f $IMA_POLICY ]; then
+ tst_res TINFO "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)"
+ return 1
+ fi
+ cat $IMA_POLICY > /dev/null 2>/dev/null
+}
+
+require_policy_readable()
+{
+ if [ -f $IMA_POLICY ]; then
+ tst_brk TCONF "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)"
+ fi
+ if ! check_policy_readable; then
+ tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
+ fi
+}
+
+check_ima_policy_content()
+{
+ local pattern="$1"
+ local grep_params="${2--q}"
+
+ check_policy_readable || return 1
+ grep $grep_params "$pattern" $IMA_POLICY
+}
+
+require_ima_policy_content()
+{
+ local pattern="$1"
+ local grep_params="${2--q}"
+
+ require_policy_readable
+ if ! grep $grep_params "$pattern" $IMA_POLICY; then
+ tst_brk TCONF "IMA policy does not specify '$pattern'"
+ fi
+}
+
require_ima_policy_cmdline()
{
local policy="$1"
--
2.27.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [LTP] [PATCH v5 2/4] IMA: Add policy related helpers
@ 2020-07-27 22:30 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
To: ltp
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
New in v5.
.../security/integrity/ima/tests/ima_setup.sh | 39 +++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 975ce9cbb..c46f273ab 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -54,6 +54,45 @@ compute_digest()
return 1
}
+check_policy_readable()
+{
+ if [ -f $IMA_POLICY ]; then
+ tst_res TINFO "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)"
+ return 1
+ fi
+ cat $IMA_POLICY > /dev/null 2>/dev/null
+}
+
+require_policy_readable()
+{
+ if [ -f $IMA_POLICY ]; then
+ tst_brk TCONF "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)"
+ fi
+ if ! check_policy_readable; then
+ tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
+ fi
+}
+
+check_ima_policy_content()
+{
+ local pattern="$1"
+ local grep_params="${2--q}"
+
+ check_policy_readable || return 1
+ grep $grep_params "$pattern" $IMA_POLICY
+}
+
+require_ima_policy_content()
+{
+ local pattern="$1"
+ local grep_params="${2--q}"
+
+ require_policy_readable
+ if ! grep $grep_params "$pattern" $IMA_POLICY; then
+ tst_brk TCONF "IMA policy does not specify '$pattern'"
+ fi
+}
+
require_ima_policy_cmdline()
{
local policy="$1"
--
2.27.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* Re: [PATCH v5 2/4] IMA: Add policy related helpers
2020-07-27 22:30 ` [LTP] " Petr Vorel
@ 2020-07-30 19:50 ` Mimi Zohar
-1 siblings, 0 replies; 20+ messages in thread
From: Mimi Zohar @ 2020-07-30 19:50 UTC (permalink / raw)
To: Petr Vorel, ltp
Cc: Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, balajib,
linux-integrity
On Tue, 2020-07-28 at 00:30 +0200, Petr Vorel wrote:
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
Other than inverting the [ -f $IMA_POLICY ] tests.
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> New in v5.
>
> .../security/integrity/ima/tests/ima_setup.sh | 39 +++++++++++++++++++
> 1 file changed, 39 insertions(+)
>
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index 975ce9cbb..c46f273ab 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -54,6 +54,45 @@ compute_digest()
> return 1
> }
>
> +check_policy_readable()
> +{
> + if [ -f $IMA_POLICY ]; then
> + tst_res TINFO "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)"
> + return 1
> + fi
> + cat $IMA_POLICY > /dev/null 2>/dev/null
> +}
> +
> +require_policy_readable()
> +{
> + if [ -f $IMA_POLICY ]; then
> + tst_brk TCONF "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)"
> + fi
> + if ! check_policy_readable; then
> + tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
> + fi
> +}
> +
> +check_ima_policy_content()
> +{
> + local pattern="$1"
> + local grep_params="${2--q}"
> +
> + check_policy_readable || return 1
> + grep $grep_params "$pattern" $IMA_POLICY
> +}
> +
> +require_ima_policy_content()
> +{
> + local pattern="$1"
> + local grep_params="${2--q}"
> +
> + require_policy_readable
> + if ! grep $grep_params "$pattern" $IMA_POLICY; then
> + tst_brk TCONF "IMA policy does not specify '$pattern'"
> + fi
> +}
> +
> require_ima_policy_cmdline()
> {
> local policy="$1"
^ permalink raw reply [flat|nested] 20+ messages in thread
* [LTP] [PATCH v5 2/4] IMA: Add policy related helpers
@ 2020-07-30 19:50 ` Mimi Zohar
0 siblings, 0 replies; 20+ messages in thread
From: Mimi Zohar @ 2020-07-30 19:50 UTC (permalink / raw)
To: ltp
On Tue, 2020-07-28 at 00:30 +0200, Petr Vorel wrote:
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
Other than inverting the [ -f $IMA_POLICY ] tests.
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> New in v5.
>
> .../security/integrity/ima/tests/ima_setup.sh | 39 +++++++++++++++++++
> 1 file changed, 39 insertions(+)
>
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index 975ce9cbb..c46f273ab 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -54,6 +54,45 @@ compute_digest()
> return 1
> }
>
> +check_policy_readable()
> +{
> + if [ -f $IMA_POLICY ]; then
> + tst_res TINFO "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)"
> + return 1
> + fi
> + cat $IMA_POLICY > /dev/null 2>/dev/null
> +}
> +
> +require_policy_readable()
> +{
> + if [ -f $IMA_POLICY ]; then
> + tst_brk TCONF "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)"
> + fi
> + if ! check_policy_readable; then
> + tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
> + fi
> +}
> +
> +check_ima_policy_content()
> +{
> + local pattern="$1"
> + local grep_params="${2--q}"
> +
> + check_policy_readable || return 1
> + grep $grep_params "$pattern" $IMA_POLICY
> +}
> +
> +require_ima_policy_content()
> +{
> + local pattern="$1"
> + local grep_params="${2--q}"
> +
> + require_policy_readable
> + if ! grep $grep_params "$pattern" $IMA_POLICY; then
> + tst_brk TCONF "IMA policy does not specify '$pattern'"
> + fi
> +}
> +
> require_ima_policy_cmdline()
> {
> local policy="$1"
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v5 2/4] IMA: Add policy related helpers
2020-07-30 19:50 ` [LTP] " Mimi Zohar
@ 2020-07-31 5:26 ` Petr Vorel
-1 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-07-31 5:26 UTC (permalink / raw)
To: Mimi Zohar
Cc: ltp, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, balajib,
linux-integrity
Hi Mimi,
> Other than inverting the [ -f $IMA_POLICY ] tests.
Thanks for catching obvious error! Coding late night...
Kind regards,
Petr
^ permalink raw reply [flat|nested] 20+ messages in thread
* [PATCH v5 3/4] IMA/ima_keys.sh: Fix policy readability check
2020-07-27 22:30 ` [LTP] " Petr Vorel
@ 2020-07-27 22:30 ` Petr Vorel
-1 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
To: ltp
Cc: Petr Vorel, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar,
balajib, linux-integrity
Using a proper check with cat, because file attributes were fixed in
ffb122de9a60 ("ima: Reflect correct permissions for policy") in v4.18.
Fixes: d2768c84e ("IMA: Add a test to verify measurement of keys")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Changes v4->v5:
* use require_ima_policy_content
* moved helper function to previous commit
.../kernel/security/integrity/ima/tests/ima_keys.sh | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 2f6c2b027..5a77deec1 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -19,15 +19,7 @@ test1()
tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
- [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY"
-
- [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
-
- keycheck_lines=$(grep "func=KEY_CHECK" $IMA_POLICY)
- if [ -z "$keycheck_lines" ]; then
- tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\""
- fi
-
+ keycheck_lines=$(require_ima_policy_content "func=KEY_CHECK" "")
keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
if [ -z "$keycheck_line" ]; then
--
2.27.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [LTP] [PATCH v5 3/4] IMA/ima_keys.sh: Fix policy readability check
@ 2020-07-27 22:30 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
To: ltp
Using a proper check with cat, because file attributes were fixed in
ffb122de9a60 ("ima: Reflect correct permissions for policy") in v4.18.
Fixes: d2768c84e ("IMA: Add a test to verify measurement of keys")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Changes v4->v5:
* use require_ima_policy_content
* moved helper function to previous commit
.../kernel/security/integrity/ima/tests/ima_keys.sh | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 2f6c2b027..5a77deec1 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -19,15 +19,7 @@ test1()
tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
- [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY"
-
- [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
-
- keycheck_lines=$(grep "func=KEY_CHECK" $IMA_POLICY)
- if [ -z "$keycheck_lines" ]; then
- tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\""
- fi
-
+ keycheck_lines=$(require_ima_policy_content "func=KEY_CHECK" "")
keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
if [ -z "$keycheck_line" ]; then
--
2.27.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement
2020-07-27 22:30 ` [LTP] " Petr Vorel
@ 2020-07-27 22:30 ` Petr Vorel
-1 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
To: ltp
Cc: Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, balajib,
linux-integrity, Petr Vorel, Mimi Zohar
From: Lachlan Sneff <t-josne@linux.microsoft.com>
IMA policy can be set to measure the command line passed in the kexec
system call. Add a testcase that verifies that the IMA subsystem
correctly measure the cmdline specified during a kexec.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
[ pvorel: improved setup, various LTP API cleanup ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Changes v4->v5:
* added kexec.policy, please check it (for lazy people, I still plan
some automatic mechanism for loading policies on CONFIG_IMA_WRITE_POLICY)
* rewritten checks in setup:
- simplify secure boot bootctl verification
- try dmesg when bootctl not available
- check on failure also ^appraise.*func=KEXEC_KERNEL_CHECK policy
- improve logic for func=KEXEC_CMDLINE check (instead of requiring
policy to be readable check only when readable, otherwise TWARN, ...)
- TWARN on failures in setup => TWARN is kind of error as it exit with
non-zero, but these cases are failures thus don't hide them)
* added cleanup commit (adding helpers)
* various LTP API cleanup:
- added setup into separate function
- reuse test code with kexec_test()
Kind regards,
Petr
runtest/ima | 1 +
.../kernel/security/integrity/ima/README.md | 8 ++
.../integrity/ima/datafiles/kexec.policy | 1 +
.../security/integrity/ima/tests/ima_kexec.sh | 111 ++++++++++++++++++
4 files changed, 121 insertions(+)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/kexec.policy
create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
diff --git a/runtest/ima b/runtest/ima
index 309d47420..5f4b4a7a1 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -4,4 +4,5 @@ ima_policy ima_policy.sh
ima_tpm ima_tpm.sh
ima_violations ima_violations.sh
ima_keys ima_keys.sh
+ima_kexec ima_kexec.sh
evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 732cd912f..d4644ba39 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -36,6 +36,14 @@ CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
+### IMA kexec test
+
+`ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
+see example in `kexec.policy`.
+
+The test attempts to kexec the existing running kernel image.
+To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
+
## EVM tests
`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
new file mode 100644
index 000000000..58d66369e
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
@@ -0,0 +1 @@
+measure func=KEXEC_CMDLINE
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
new file mode 100755
index 000000000..fbad9b425
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2020 Microsoft Corporation
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
+#
+# Verify that kexec cmdline is measured correctly.
+# Test attempts to kexec the existing running kernel image.
+# To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
+
+TST_NEEDS_CMDS="grep kexec sed"
+TST_CNT=2
+TST_NEEDS_DEVICE=1
+TST_SETUP="setup"
+
+. ima_setup.sh
+
+IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}"
+
+measure()
+{
+ local cmdline="$1"
+ local algorithm digest expected_digest found
+
+ printf "$cmdline" > file1
+ grep "kexec-cmdline" $ASCII_MEASUREMENTS > file2
+
+ while read found
+ do
+ algorithm=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f1)
+ digest=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f2)
+
+ expected_digest=$(compute_digest $algorithm file1)
+
+ if [ "$digest" = "$expected_digest" ]; then
+ return 0
+ fi
+ done < file2
+
+ return 1
+}
+
+setup()
+{
+ local cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
+ local res=TBROK
+ local sb_enabled
+
+ if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
+ tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"
+ fi
+
+ if check_policy_readable; then
+ require_ima_policy_content '^measure.*func=KEXEC_CMDLINE'
+ res=TFAIL
+ fi
+
+ tst_res TINFO "loading kernel $IMA_KEXEC_IMAGE, cmdline: $cmdline"
+ if kexec -s -l $IMA_KEXEC_IMAGE --reuse-cmdline 2>err; then
+ ROD kexec -su
+ if ! measure "$cmdline"; then
+ if [ "$res" = TBROK ]; then
+ tst_res TWARN "policy not readable, it might not contain required measure func=KEXEC_CMDLINE"
+ fi
+ tst_brk $res "unable to find a correct entry for --reuse-cmdline"
+ fi
+ return
+ fi
+
+ if tst_cmd_available bootctl; then
+ if bootctl status 2>/dev/null | grep -qi 'Secure Boot: enabled'; then
+ sb_enabled=1
+ fi
+ elif tst_cmd_available dmesg; then
+ if dmesg | grep -qi 'Secure boot enabled'; then
+ sb_enabled=1
+ fi
+ fi
+ if [ "$sb_enabled" ]; then
+ tst_res TWARN "secure boot is enabled, kernel image may not be signed"
+ fi
+
+ if check_ima_policy_content '^appraise.*func=KEXEC_KERNEL_CHECK'; then
+ tst_res TWARN "'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not be signed"
+ fi
+
+ tst_brk TBROK "kexec failed: $(cat err)"
+}
+
+kexec_test()
+{
+ local cmdline="$1"
+ local param="$2"
+
+ EXPECT_PASS_BRK kexec -s -l $IMA_KEXEC_IMAGE $param=$cmdline
+ ROD kexec -su
+ if ! measure "$cmdline"; then
+ tst_brk TFAIL "unable to find a correct entry for $param=$cmdline"
+ fi
+ tst_res TPASS "kexec cmdline for $param=$cmdline was measured correctly"
+}
+
+test()
+{
+ case $1 in
+ 1) kexec_test 'foo' '--append';;
+ 2) kexec_test 'bar' '--command-line';;
+ esac
+}
+
+tst_run
--
2.27.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [LTP] [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement
@ 2020-07-27 22:30 ` Petr Vorel
0 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
To: ltp
From: Lachlan Sneff <t-josne@linux.microsoft.com>
IMA policy can be set to measure the command line passed in the kexec
system call. Add a testcase that verifies that the IMA subsystem
correctly measure the cmdline specified during a kexec.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
[ pvorel: improved setup, various LTP API cleanup ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Changes v4->v5:
* added kexec.policy, please check it (for lazy people, I still plan
some automatic mechanism for loading policies on CONFIG_IMA_WRITE_POLICY)
* rewritten checks in setup:
- simplify secure boot bootctl verification
- try dmesg when bootctl not available
- check on failure also ^appraise.*func=KEXEC_KERNEL_CHECK policy
- improve logic for func=KEXEC_CMDLINE check (instead of requiring
policy to be readable check only when readable, otherwise TWARN, ...)
- TWARN on failures in setup => TWARN is kind of error as it exit with
non-zero, but these cases are failures thus don't hide them)
* added cleanup commit (adding helpers)
* various LTP API cleanup:
- added setup into separate function
- reuse test code with kexec_test()
Kind regards,
Petr
runtest/ima | 1 +
.../kernel/security/integrity/ima/README.md | 8 ++
.../integrity/ima/datafiles/kexec.policy | 1 +
.../security/integrity/ima/tests/ima_kexec.sh | 111 ++++++++++++++++++
4 files changed, 121 insertions(+)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/kexec.policy
create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
diff --git a/runtest/ima b/runtest/ima
index 309d47420..5f4b4a7a1 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -4,4 +4,5 @@ ima_policy ima_policy.sh
ima_tpm ima_tpm.sh
ima_violations ima_violations.sh
ima_keys ima_keys.sh
+ima_kexec ima_kexec.sh
evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 732cd912f..d4644ba39 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -36,6 +36,14 @@ CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
+### IMA kexec test
+
+`ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
+see example in `kexec.policy`.
+
+The test attempts to kexec the existing running kernel image.
+To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
+
## EVM tests
`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
new file mode 100644
index 000000000..58d66369e
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
@@ -0,0 +1 @@
+measure func=KEXEC_CMDLINE
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
new file mode 100755
index 000000000..fbad9b425
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2020 Microsoft Corporation
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
+#
+# Verify that kexec cmdline is measured correctly.
+# Test attempts to kexec the existing running kernel image.
+# To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
+
+TST_NEEDS_CMDS="grep kexec sed"
+TST_CNT=2
+TST_NEEDS_DEVICE=1
+TST_SETUP="setup"
+
+. ima_setup.sh
+
+IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}"
+
+measure()
+{
+ local cmdline="$1"
+ local algorithm digest expected_digest found
+
+ printf "$cmdline" > file1
+ grep "kexec-cmdline" $ASCII_MEASUREMENTS > file2
+
+ while read found
+ do
+ algorithm=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f1)
+ digest=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f2)
+
+ expected_digest=$(compute_digest $algorithm file1)
+
+ if [ "$digest" = "$expected_digest" ]; then
+ return 0
+ fi
+ done < file2
+
+ return 1
+}
+
+setup()
+{
+ local cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
+ local res=TBROK
+ local sb_enabled
+
+ if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
+ tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"
+ fi
+
+ if check_policy_readable; then
+ require_ima_policy_content '^measure.*func=KEXEC_CMDLINE'
+ res=TFAIL
+ fi
+
+ tst_res TINFO "loading kernel $IMA_KEXEC_IMAGE, cmdline: $cmdline"
+ if kexec -s -l $IMA_KEXEC_IMAGE --reuse-cmdline 2>err; then
+ ROD kexec -su
+ if ! measure "$cmdline"; then
+ if [ "$res" = TBROK ]; then
+ tst_res TWARN "policy not readable, it might not contain required measure func=KEXEC_CMDLINE"
+ fi
+ tst_brk $res "unable to find a correct entry for --reuse-cmdline"
+ fi
+ return
+ fi
+
+ if tst_cmd_available bootctl; then
+ if bootctl status 2>/dev/null | grep -qi 'Secure Boot: enabled'; then
+ sb_enabled=1
+ fi
+ elif tst_cmd_available dmesg; then
+ if dmesg | grep -qi 'Secure boot enabled'; then
+ sb_enabled=1
+ fi
+ fi
+ if [ "$sb_enabled" ]; then
+ tst_res TWARN "secure boot is enabled, kernel image may not be signed"
+ fi
+
+ if check_ima_policy_content '^appraise.*func=KEXEC_KERNEL_CHECK'; then
+ tst_res TWARN "'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not be signed"
+ fi
+
+ tst_brk TBROK "kexec failed: $(cat err)"
+}
+
+kexec_test()
+{
+ local cmdline="$1"
+ local param="$2"
+
+ EXPECT_PASS_BRK kexec -s -l $IMA_KEXEC_IMAGE $param=$cmdline
+ ROD kexec -su
+ if ! measure "$cmdline"; then
+ tst_brk TFAIL "unable to find a correct entry for $param=$cmdline"
+ fi
+ tst_res TPASS "kexec cmdline for $param=$cmdline was measured correctly"
+}
+
+test()
+{
+ case $1 in
+ 1) kexec_test 'foo' '--append';;
+ 2) kexec_test 'bar' '--command-line';;
+ esac
+}
+
+tst_run
--
2.27.0
^ permalink raw reply related [flat|nested] 20+ messages in thread
* Re: [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement
2020-07-27 22:30 ` [LTP] " Petr Vorel
@ 2020-07-27 22:42 ` Lachlan Sneff
-1 siblings, 0 replies; 20+ messages in thread
From: Lachlan Sneff @ 2020-07-27 22:42 UTC (permalink / raw)
To: Petr Vorel, ltp
Cc: Lakshmi Ramasubramanian, Mimi Zohar, balajib, linux-integrity,
Mimi Zohar
Hi Petr,
This patch removes the test of the `--reuse-cmdline` option of kexec.
Go ahead and merge this, and then I'll post a patch that adds
`--reuse-cmdline` back.
Thank you,
Lachlan
On 7/27/20 6:30 PM, Petr Vorel wrote:
> From: Lachlan Sneff <t-josne@linux.microsoft.com>
>
> IMA policy can be set to measure the command line passed in the kexec
> system call. Add a testcase that verifies that the IMA subsystem
> correctly measure the cmdline specified during a kexec.
>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
> [ pvorel: improved setup, various LTP API cleanup ]
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> Changes v4->v5:
>
> * added kexec.policy, please check it (for lazy people, I still plan
> some automatic mechanism for loading policies on CONFIG_IMA_WRITE_POLICY)
>
> * rewritten checks in setup:
> - simplify secure boot bootctl verification
> - try dmesg when bootctl not available
> - check on failure also ^appraise.*func=KEXEC_KERNEL_CHECK policy
> - improve logic for func=KEXEC_CMDLINE check (instead of requiring
> policy to be readable check only when readable, otherwise TWARN, ...)
> - TWARN on failures in setup => TWARN is kind of error as it exit with
> non-zero, but these cases are failures thus don't hide them)
>
> * added cleanup commit (adding helpers)
>
> * various LTP API cleanup:
> - added setup into separate function
> - reuse test code with kexec_test()
>
> Kind regards,
> Petr
>
> runtest/ima | 1 +
> .../kernel/security/integrity/ima/README.md | 8 ++
> .../integrity/ima/datafiles/kexec.policy | 1 +
> .../security/integrity/ima/tests/ima_kexec.sh | 111 ++++++++++++++++++
> 4 files changed, 121 insertions(+)
> create mode 100644 testcases/kernel/security/integrity/ima/datafiles/kexec.policy
> create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
>
> diff --git a/runtest/ima b/runtest/ima
> index 309d47420..5f4b4a7a1 100644
> --- a/runtest/ima
> +++ b/runtest/ima
> @@ -4,4 +4,5 @@ ima_policy ima_policy.sh
> ima_tpm ima_tpm.sh
> ima_violations ima_violations.sh
> ima_keys ima_keys.sh
> +ima_kexec ima_kexec.sh
> evm_overlay evm_overlay.sh
> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
> index 732cd912f..d4644ba39 100644
> --- a/testcases/kernel/security/integrity/ima/README.md
> +++ b/testcases/kernel/security/integrity/ima/README.md
> @@ -36,6 +36,14 @@ CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
>
> Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
>
> +### IMA kexec test
> +
> +`ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
> +see example in `kexec.policy`.
> +
> +The test attempts to kexec the existing running kernel image.
> +To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
> +
> ## EVM tests
>
> `evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
> diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
> new file mode 100644
> index 000000000..58d66369e
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
> @@ -0,0 +1 @@
> +measure func=KEXEC_CMDLINE
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> new file mode 100755
> index 000000000..fbad9b425
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> @@ -0,0 +1,111 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +# Copyright (c) 2020 Microsoft Corporation
> +# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
> +# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
> +#
> +# Verify that kexec cmdline is measured correctly.
> +# Test attempts to kexec the existing running kernel image.
> +# To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
> +
> +TST_NEEDS_CMDS="grep kexec sed"
> +TST_CNT=2
> +TST_NEEDS_DEVICE=1
> +TST_SETUP="setup"
> +
> +. ima_setup.sh
> +
> +IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}"
> +
> +measure()
> +{
> + local cmdline="$1"
> + local algorithm digest expected_digest found
> +
> + printf "$cmdline" > file1
> + grep "kexec-cmdline" $ASCII_MEASUREMENTS > file2
> +
> + while read found
> + do
> + algorithm=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f1)
> + digest=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f2)
> +
> + expected_digest=$(compute_digest $algorithm file1)
> +
> + if [ "$digest" = "$expected_digest" ]; then
> + return 0
> + fi
> + done < file2
> +
> + return 1
> +}
> +
> +setup()
> +{
> + local cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
> + local res=TBROK
> + local sb_enabled
> +
> + if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
> + tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"
> + fi
> +
> + if check_policy_readable; then
> + require_ima_policy_content '^measure.*func=KEXEC_CMDLINE'
> + res=TFAIL
> + fi
> +
> + tst_res TINFO "loading kernel $IMA_KEXEC_IMAGE, cmdline: $cmdline"
> + if kexec -s -l $IMA_KEXEC_IMAGE --reuse-cmdline 2>err; then
> + ROD kexec -su
> + if ! measure "$cmdline"; then
> + if [ "$res" = TBROK ]; then
> + tst_res TWARN "policy not readable, it might not contain required measure func=KEXEC_CMDLINE"
> + fi
> + tst_brk $res "unable to find a correct entry for --reuse-cmdline"
> + fi
> + return
> + fi
> +
> + if tst_cmd_available bootctl; then
> + if bootctl status 2>/dev/null | grep -qi 'Secure Boot: enabled'; then
> + sb_enabled=1
> + fi
> + elif tst_cmd_available dmesg; then
> + if dmesg | grep -qi 'Secure boot enabled'; then
> + sb_enabled=1
> + fi
> + fi
> + if [ "$sb_enabled" ]; then
> + tst_res TWARN "secure boot is enabled, kernel image may not be signed"
> + fi
> +
> + if check_ima_policy_content '^appraise.*func=KEXEC_KERNEL_CHECK'; then
> + tst_res TWARN "'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not be signed"
> + fi
> +
> + tst_brk TBROK "kexec failed: $(cat err)"
> +}
> +
> +kexec_test()
> +{
> + local cmdline="$1"
> + local param="$2"
> +
> + EXPECT_PASS_BRK kexec -s -l $IMA_KEXEC_IMAGE $param=$cmdline
> + ROD kexec -su
> + if ! measure "$cmdline"; then
> + tst_brk TFAIL "unable to find a correct entry for $param=$cmdline"
> + fi
> + tst_res TPASS "kexec cmdline for $param=$cmdline was measured correctly"
> +}
> +
> +test()
> +{
> + case $1 in
> + 1) kexec_test 'foo' '--append';;
> + 2) kexec_test 'bar' '--command-line';;
> + esac
> +}
> +
> +tst_run
^ permalink raw reply [flat|nested] 20+ messages in thread
* [LTP] [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement
@ 2020-07-27 22:42 ` Lachlan Sneff
0 siblings, 0 replies; 20+ messages in thread
From: Lachlan Sneff @ 2020-07-27 22:42 UTC (permalink / raw)
To: ltp
Hi Petr,
This patch removes the test of the `--reuse-cmdline` option of kexec.
Go ahead and merge this, and then I'll post a patch that adds
`--reuse-cmdline` back.
Thank you,
Lachlan
On 7/27/20 6:30 PM, Petr Vorel wrote:
> From: Lachlan Sneff <t-josne@linux.microsoft.com>
>
> IMA policy can be set to measure the command line passed in the kexec
> system call. Add a testcase that verifies that the IMA subsystem
> correctly measure the cmdline specified during a kexec.
>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
> [ pvorel: improved setup, various LTP API cleanup ]
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> Changes v4->v5:
>
> * added kexec.policy, please check it (for lazy people, I still plan
> some automatic mechanism for loading policies on CONFIG_IMA_WRITE_POLICY)
>
> * rewritten checks in setup:
> - simplify secure boot bootctl verification
> - try dmesg when bootctl not available
> - check on failure also ^appraise.*func=KEXEC_KERNEL_CHECK policy
> - improve logic for func=KEXEC_CMDLINE check (instead of requiring
> policy to be readable check only when readable, otherwise TWARN, ...)
> - TWARN on failures in setup => TWARN is kind of error as it exit with
> non-zero, but these cases are failures thus don't hide them)
>
> * added cleanup commit (adding helpers)
>
> * various LTP API cleanup:
> - added setup into separate function
> - reuse test code with kexec_test()
>
> Kind regards,
> Petr
>
> runtest/ima | 1 +
> .../kernel/security/integrity/ima/README.md | 8 ++
> .../integrity/ima/datafiles/kexec.policy | 1 +
> .../security/integrity/ima/tests/ima_kexec.sh | 111 ++++++++++++++++++
> 4 files changed, 121 insertions(+)
> create mode 100644 testcases/kernel/security/integrity/ima/datafiles/kexec.policy
> create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
>
> diff --git a/runtest/ima b/runtest/ima
> index 309d47420..5f4b4a7a1 100644
> --- a/runtest/ima
> +++ b/runtest/ima
> @@ -4,4 +4,5 @@ ima_policy ima_policy.sh
> ima_tpm ima_tpm.sh
> ima_violations ima_violations.sh
> ima_keys ima_keys.sh
> +ima_kexec ima_kexec.sh
> evm_overlay evm_overlay.sh
> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
> index 732cd912f..d4644ba39 100644
> --- a/testcases/kernel/security/integrity/ima/README.md
> +++ b/testcases/kernel/security/integrity/ima/README.md
> @@ -36,6 +36,14 @@ CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
>
> Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
>
> +### IMA kexec test
> +
> +`ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
> +see example in `kexec.policy`.
> +
> +The test attempts to kexec the existing running kernel image.
> +To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
> +
> ## EVM tests
>
> `evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
> diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
> new file mode 100644
> index 000000000..58d66369e
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
> @@ -0,0 +1 @@
> +measure func=KEXEC_CMDLINE
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> new file mode 100755
> index 000000000..fbad9b425
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> @@ -0,0 +1,111 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +# Copyright (c) 2020 Microsoft Corporation
> +# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
> +# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
> +#
> +# Verify that kexec cmdline is measured correctly.
> +# Test attempts to kexec the existing running kernel image.
> +# To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
> +
> +TST_NEEDS_CMDS="grep kexec sed"
> +TST_CNT=2
> +TST_NEEDS_DEVICE=1
> +TST_SETUP="setup"
> +
> +. ima_setup.sh
> +
> +IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}"
> +
> +measure()
> +{
> + local cmdline="$1"
> + local algorithm digest expected_digest found
> +
> + printf "$cmdline" > file1
> + grep "kexec-cmdline" $ASCII_MEASUREMENTS > file2
> +
> + while read found
> + do
> + algorithm=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f1)
> + digest=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f2)
> +
> + expected_digest=$(compute_digest $algorithm file1)
> +
> + if [ "$digest" = "$expected_digest" ]; then
> + return 0
> + fi
> + done < file2
> +
> + return 1
> +}
> +
> +setup()
> +{
> + local cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
> + local res=TBROK
> + local sb_enabled
> +
> + if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
> + tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"
> + fi
> +
> + if check_policy_readable; then
> + require_ima_policy_content '^measure.*func=KEXEC_CMDLINE'
> + res=TFAIL
> + fi
> +
> + tst_res TINFO "loading kernel $IMA_KEXEC_IMAGE, cmdline: $cmdline"
> + if kexec -s -l $IMA_KEXEC_IMAGE --reuse-cmdline 2>err; then
> + ROD kexec -su
> + if ! measure "$cmdline"; then
> + if [ "$res" = TBROK ]; then
> + tst_res TWARN "policy not readable, it might not contain required measure func=KEXEC_CMDLINE"
> + fi
> + tst_brk $res "unable to find a correct entry for --reuse-cmdline"
> + fi
> + return
> + fi
> +
> + if tst_cmd_available bootctl; then
> + if bootctl status 2>/dev/null | grep -qi 'Secure Boot: enabled'; then
> + sb_enabled=1
> + fi
> + elif tst_cmd_available dmesg; then
> + if dmesg | grep -qi 'Secure boot enabled'; then
> + sb_enabled=1
> + fi
> + fi
> + if [ "$sb_enabled" ]; then
> + tst_res TWARN "secure boot is enabled, kernel image may not be signed"
> + fi
> +
> + if check_ima_policy_content '^appraise.*func=KEXEC_KERNEL_CHECK'; then
> + tst_res TWARN "'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not be signed"
> + fi
> +
> + tst_brk TBROK "kexec failed: $(cat err)"
> +}
> +
> +kexec_test()
> +{
> + local cmdline="$1"
> + local param="$2"
> +
> + EXPECT_PASS_BRK kexec -s -l $IMA_KEXEC_IMAGE $param=$cmdline
> + ROD kexec -su
> + if ! measure "$cmdline"; then
> + tst_brk TFAIL "unable to find a correct entry for $param=$cmdline"
> + fi
> + tst_res TPASS "kexec cmdline for $param=$cmdline was measured correctly"
> +}
> +
> +test()
> +{
> + case $1 in
> + 1) kexec_test 'foo' '--append';;
> + 2) kexec_test 'bar' '--command-line';;
> + esac
> +}
> +
> +tst_run
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement
2020-07-27 22:42 ` [LTP] " Lachlan Sneff
@ 2020-07-27 23:13 ` Petr Vorel
-1 siblings, 0 replies; 20+ messages in thread
From: Petr Vorel @ 2020-07-27 23:13 UTC (permalink / raw)
To: Lachlan Sneff
Cc: ltp, Lakshmi Ramasubramanian, Mimi Zohar, balajib,
linux-integrity, Mimi Zohar
Hi Lachlan,
> This patch removes the test of the `--reuse-cmdline` option of kexec.
> Go ahead and merge this, and then I'll post a patch that adds
> `--reuse-cmdline` back.
Thanks for the report, I'll send v6.
Kind regards,
Petr
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v5 0/4] IMA: kexec cmdline measurement
2020-07-27 22:30 ` [LTP] " Petr Vorel
@ 2020-07-30 20:03 ` Mimi Zohar
-1 siblings, 0 replies; 20+ messages in thread
From: Mimi Zohar @ 2020-07-30 20:03 UTC (permalink / raw)
To: Petr Vorel, ltp
Cc: Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, balajib,
linux-integrity
On Tue, 2020-07-28 at 00:30 +0200, Petr Vorel wrote:
> Hi all,
>
> sending hopefully the last version. In the end I did quite few changes,
> thus sending patchset instead of merging without review.
Nice! Thank you.
Mimi
^ permalink raw reply [flat|nested] 20+ messages in thread