From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Cc: Lachlan Sneff <t-josne@linux.microsoft.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
balajib@linux.microsoft.com, linux-integrity@vger.kernel.org,
Petr Vorel <pvorel@suse.cz>, Mimi Zohar <zohar@linux.ibm.com>
Subject: [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement
Date: Tue, 28 Jul 2020 00:30:41 +0200 [thread overview]
Message-ID: <20200727223041.13110-5-pvorel@suse.cz> (raw)
In-Reply-To: <20200727223041.13110-1-pvorel@suse.cz>
From: Lachlan Sneff <t-josne@linux.microsoft.com>
IMA policy can be set to measure the command line passed in the kexec
system call. Add a testcase that verifies that the IMA subsystem
correctly measure the cmdline specified during a kexec.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
[ pvorel: improved setup, various LTP API cleanup ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Changes v4->v5:
* added kexec.policy, please check it (for lazy people, I still plan
some automatic mechanism for loading policies on CONFIG_IMA_WRITE_POLICY)
* rewritten checks in setup:
- simplify secure boot bootctl verification
- try dmesg when bootctl not available
- check on failure also ^appraise.*func=KEXEC_KERNEL_CHECK policy
- improve logic for func=KEXEC_CMDLINE check (instead of requiring
policy to be readable check only when readable, otherwise TWARN, ...)
- TWARN on failures in setup => TWARN is kind of error as it exit with
non-zero, but these cases are failures thus don't hide them)
* added cleanup commit (adding helpers)
* various LTP API cleanup:
- added setup into separate function
- reuse test code with kexec_test()
Kind regards,
Petr
runtest/ima | 1 +
.../kernel/security/integrity/ima/README.md | 8 ++
.../integrity/ima/datafiles/kexec.policy | 1 +
.../security/integrity/ima/tests/ima_kexec.sh | 111 ++++++++++++++++++
4 files changed, 121 insertions(+)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/kexec.policy
create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
diff --git a/runtest/ima b/runtest/ima
index 309d47420..5f4b4a7a1 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -4,4 +4,5 @@ ima_policy ima_policy.sh
ima_tpm ima_tpm.sh
ima_violations ima_violations.sh
ima_keys ima_keys.sh
+ima_kexec ima_kexec.sh
evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 732cd912f..d4644ba39 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -36,6 +36,14 @@ CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
+### IMA kexec test
+
+`ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
+see example in `kexec.policy`.
+
+The test attempts to kexec the existing running kernel image.
+To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
+
## EVM tests
`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
new file mode 100644
index 000000000..58d66369e
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
@@ -0,0 +1 @@
+measure func=KEXEC_CMDLINE
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
new file mode 100755
index 000000000..fbad9b425
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2020 Microsoft Corporation
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
+#
+# Verify that kexec cmdline is measured correctly.
+# Test attempts to kexec the existing running kernel image.
+# To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
+
+TST_NEEDS_CMDS="grep kexec sed"
+TST_CNT=2
+TST_NEEDS_DEVICE=1
+TST_SETUP="setup"
+
+. ima_setup.sh
+
+IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}"
+
+measure()
+{
+ local cmdline="$1"
+ local algorithm digest expected_digest found
+
+ printf "$cmdline" > file1
+ grep "kexec-cmdline" $ASCII_MEASUREMENTS > file2
+
+ while read found
+ do
+ algorithm=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f1)
+ digest=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f2)
+
+ expected_digest=$(compute_digest $algorithm file1)
+
+ if [ "$digest" = "$expected_digest" ]; then
+ return 0
+ fi
+ done < file2
+
+ return 1
+}
+
+setup()
+{
+ local cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
+ local res=TBROK
+ local sb_enabled
+
+ if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
+ tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"
+ fi
+
+ if check_policy_readable; then
+ require_ima_policy_content '^measure.*func=KEXEC_CMDLINE'
+ res=TFAIL
+ fi
+
+ tst_res TINFO "loading kernel $IMA_KEXEC_IMAGE, cmdline: $cmdline"
+ if kexec -s -l $IMA_KEXEC_IMAGE --reuse-cmdline 2>err; then
+ ROD kexec -su
+ if ! measure "$cmdline"; then
+ if [ "$res" = TBROK ]; then
+ tst_res TWARN "policy not readable, it might not contain required measure func=KEXEC_CMDLINE"
+ fi
+ tst_brk $res "unable to find a correct entry for --reuse-cmdline"
+ fi
+ return
+ fi
+
+ if tst_cmd_available bootctl; then
+ if bootctl status 2>/dev/null | grep -qi 'Secure Boot: enabled'; then
+ sb_enabled=1
+ fi
+ elif tst_cmd_available dmesg; then
+ if dmesg | grep -qi 'Secure boot enabled'; then
+ sb_enabled=1
+ fi
+ fi
+ if [ "$sb_enabled" ]; then
+ tst_res TWARN "secure boot is enabled, kernel image may not be signed"
+ fi
+
+ if check_ima_policy_content '^appraise.*func=KEXEC_KERNEL_CHECK'; then
+ tst_res TWARN "'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not be signed"
+ fi
+
+ tst_brk TBROK "kexec failed: $(cat err)"
+}
+
+kexec_test()
+{
+ local cmdline="$1"
+ local param="$2"
+
+ EXPECT_PASS_BRK kexec -s -l $IMA_KEXEC_IMAGE $param=$cmdline
+ ROD kexec -su
+ if ! measure "$cmdline"; then
+ tst_brk TFAIL "unable to find a correct entry for $param=$cmdline"
+ fi
+ tst_res TPASS "kexec cmdline for $param=$cmdline was measured correctly"
+}
+
+test()
+{
+ case $1 in
+ 1) kexec_test 'foo' '--append';;
+ 2) kexec_test 'bar' '--command-line';;
+ esac
+}
+
+tst_run
--
2.27.0
WARNING: multiple messages have this Message-ID (diff)
From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement
Date: Tue, 28 Jul 2020 00:30:41 +0200 [thread overview]
Message-ID: <20200727223041.13110-5-pvorel@suse.cz> (raw)
In-Reply-To: <20200727223041.13110-1-pvorel@suse.cz>
From: Lachlan Sneff <t-josne@linux.microsoft.com>
IMA policy can be set to measure the command line passed in the kexec
system call. Add a testcase that verifies that the IMA subsystem
correctly measure the cmdline specified during a kexec.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
[ pvorel: improved setup, various LTP API cleanup ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Changes v4->v5:
* added kexec.policy, please check it (for lazy people, I still plan
some automatic mechanism for loading policies on CONFIG_IMA_WRITE_POLICY)
* rewritten checks in setup:
- simplify secure boot bootctl verification
- try dmesg when bootctl not available
- check on failure also ^appraise.*func=KEXEC_KERNEL_CHECK policy
- improve logic for func=KEXEC_CMDLINE check (instead of requiring
policy to be readable check only when readable, otherwise TWARN, ...)
- TWARN on failures in setup => TWARN is kind of error as it exit with
non-zero, but these cases are failures thus don't hide them)
* added cleanup commit (adding helpers)
* various LTP API cleanup:
- added setup into separate function
- reuse test code with kexec_test()
Kind regards,
Petr
runtest/ima | 1 +
.../kernel/security/integrity/ima/README.md | 8 ++
.../integrity/ima/datafiles/kexec.policy | 1 +
.../security/integrity/ima/tests/ima_kexec.sh | 111 ++++++++++++++++++
4 files changed, 121 insertions(+)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/kexec.policy
create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
diff --git a/runtest/ima b/runtest/ima
index 309d47420..5f4b4a7a1 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -4,4 +4,5 @@ ima_policy ima_policy.sh
ima_tpm ima_tpm.sh
ima_violations ima_violations.sh
ima_keys ima_keys.sh
+ima_kexec ima_kexec.sh
evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 732cd912f..d4644ba39 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -36,6 +36,14 @@ CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
+### IMA kexec test
+
+`ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
+see example in `kexec.policy`.
+
+The test attempts to kexec the existing running kernel image.
+To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
+
## EVM tests
`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
new file mode 100644
index 000000000..58d66369e
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
@@ -0,0 +1 @@
+measure func=KEXEC_CMDLINE
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
new file mode 100755
index 000000000..fbad9b425
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2020 Microsoft Corporation
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
+#
+# Verify that kexec cmdline is measured correctly.
+# Test attempts to kexec the existing running kernel image.
+# To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
+
+TST_NEEDS_CMDS="grep kexec sed"
+TST_CNT=2
+TST_NEEDS_DEVICE=1
+TST_SETUP="setup"
+
+. ima_setup.sh
+
+IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}"
+
+measure()
+{
+ local cmdline="$1"
+ local algorithm digest expected_digest found
+
+ printf "$cmdline" > file1
+ grep "kexec-cmdline" $ASCII_MEASUREMENTS > file2
+
+ while read found
+ do
+ algorithm=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f1)
+ digest=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f2)
+
+ expected_digest=$(compute_digest $algorithm file1)
+
+ if [ "$digest" = "$expected_digest" ]; then
+ return 0
+ fi
+ done < file2
+
+ return 1
+}
+
+setup()
+{
+ local cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
+ local res=TBROK
+ local sb_enabled
+
+ if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
+ tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"
+ fi
+
+ if check_policy_readable; then
+ require_ima_policy_content '^measure.*func=KEXEC_CMDLINE'
+ res=TFAIL
+ fi
+
+ tst_res TINFO "loading kernel $IMA_KEXEC_IMAGE, cmdline: $cmdline"
+ if kexec -s -l $IMA_KEXEC_IMAGE --reuse-cmdline 2>err; then
+ ROD kexec -su
+ if ! measure "$cmdline"; then
+ if [ "$res" = TBROK ]; then
+ tst_res TWARN "policy not readable, it might not contain required measure func=KEXEC_CMDLINE"
+ fi
+ tst_brk $res "unable to find a correct entry for --reuse-cmdline"
+ fi
+ return
+ fi
+
+ if tst_cmd_available bootctl; then
+ if bootctl status 2>/dev/null | grep -qi 'Secure Boot: enabled'; then
+ sb_enabled=1
+ fi
+ elif tst_cmd_available dmesg; then
+ if dmesg | grep -qi 'Secure boot enabled'; then
+ sb_enabled=1
+ fi
+ fi
+ if [ "$sb_enabled" ]; then
+ tst_res TWARN "secure boot is enabled, kernel image may not be signed"
+ fi
+
+ if check_ima_policy_content '^appraise.*func=KEXEC_KERNEL_CHECK'; then
+ tst_res TWARN "'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not be signed"
+ fi
+
+ tst_brk TBROK "kexec failed: $(cat err)"
+}
+
+kexec_test()
+{
+ local cmdline="$1"
+ local param="$2"
+
+ EXPECT_PASS_BRK kexec -s -l $IMA_KEXEC_IMAGE $param=$cmdline
+ ROD kexec -su
+ if ! measure "$cmdline"; then
+ tst_brk TFAIL "unable to find a correct entry for $param=$cmdline"
+ fi
+ tst_res TPASS "kexec cmdline for $param=$cmdline was measured correctly"
+}
+
+test()
+{
+ case $1 in
+ 1) kexec_test 'foo' '--append';;
+ 2) kexec_test 'bar' '--command-line';;
+ esac
+}
+
+tst_run
--
2.27.0
next prev parent reply other threads:[~2020-07-27 22:30 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-27 22:30 [PATCH v5 0/4] IMA: kexec cmdline measurement Petr Vorel
2020-07-27 22:30 ` [LTP] " Petr Vorel
2020-07-27 22:30 ` [PATCH v5 1/4] IMA: Rename helper to require_ima_policy_cmdline Petr Vorel
2020-07-27 22:30 ` [LTP] " Petr Vorel
2020-07-27 22:30 ` [PATCH v5 2/4] IMA: Add policy related helpers Petr Vorel
2020-07-27 22:30 ` [LTP] " Petr Vorel
2020-07-30 19:50 ` Mimi Zohar
2020-07-30 19:50 ` [LTP] " Mimi Zohar
2020-07-31 5:26 ` Petr Vorel
2020-07-31 5:26 ` [LTP] " Petr Vorel
2020-07-27 22:30 ` [PATCH v5 3/4] IMA/ima_keys.sh: Fix policy readability check Petr Vorel
2020-07-27 22:30 ` [LTP] " Petr Vorel
2020-07-27 22:30 ` Petr Vorel [this message]
2020-07-27 22:30 ` [LTP] [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement Petr Vorel
2020-07-27 22:42 ` Lachlan Sneff
2020-07-27 22:42 ` [LTP] " Lachlan Sneff
2020-07-27 23:13 ` Petr Vorel
2020-07-27 23:13 ` [LTP] " Petr Vorel
2020-07-30 20:03 ` [PATCH v5 0/4] IMA: " Mimi Zohar
2020-07-30 20:03 ` [LTP] " Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200727223041.13110-5-pvorel@suse.cz \
--to=pvorel@suse.cz \
--cc=balajib@linux.microsoft.com \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=nramas@linux.microsoft.com \
--cc=t-josne@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.