From: Lachlan Sneff <t-josne@linux.microsoft.com>
To: pvorel@suse.cz, zohar@linux.ibm.com, ltp@lists.linux.it
Cc: nramas@linux.microsoft.com, balajib@linux.microsoft.com,
linux-integrity@vger.kernel.org, tyhicks@linux.microsoft.com,
yaneurabeya@gmail.com, zhang.jia@linux.alibaba.com
Subject: [PATCH 1/3] IMA: Update key test documentation
Date: Mon, 3 Aug 2020 14:47:24 -0400 [thread overview]
Message-ID: <20200803184726.2416-2-t-josne@linux.microsoft.com> (raw)
In-Reply-To: <20200803184726.2416-1-t-josne@linux.microsoft.com>
The current documentation for the existing IMA key test was
left in by accident by a previous merge. It does not apply
to the test that is currently included in the LTP.
Update the documentation for the IMA key test.
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
---
.../kernel/security/integrity/ima/README.md | 22 +++++--------------
1 file changed, 5 insertions(+), 17 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index d4644ba39..2956ac7fd 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -15,27 +15,15 @@ Although a custom policy, loaded via dracut, systemd or manually from user
space, may contain equivalent measurement tcb rules, detecting them would
require `IMA_READ_POLICY=y` therefore ignore this option.
-### IMA key import test
-`ima_keys.sh` requires a x509 public key, by default in `/etc/keys/x509_ima.der`
-(defined in `CONFIG_IMA_X509_PATH` kernel config option).
-The key must be signed by the private key you generate. Follow these instructions:
-https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys
-
-The test cannot be set-up automatically because the x509 public key must be
-built into the kernel and loaded onto a trusted keyring
-(e.g. `.builtin_trusted_keys`, `.secondary_trusted_keyring`).
-
-As well as what's required for the IMA tests, the following are also required
-in the kernel configuration:
+### IMA key test
+`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
+with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
+
+Mandatory kernel configuration for IMA:
```
CONFIG_IMA_READ_POLICY=y
-CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
```
-Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
-
### IMA kexec test
`ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
--
2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: Lachlan Sneff <t-josne@linux.microsoft.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 1/3] IMA: Update key test documentation
Date: Mon, 3 Aug 2020 14:47:24 -0400 [thread overview]
Message-ID: <20200803184726.2416-2-t-josne@linux.microsoft.com> (raw)
In-Reply-To: <20200803184726.2416-1-t-josne@linux.microsoft.com>
The current documentation for the existing IMA key test was
left in by accident by a previous merge. It does not apply
to the test that is currently included in the LTP.
Update the documentation for the IMA key test.
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
---
.../kernel/security/integrity/ima/README.md | 22 +++++--------------
1 file changed, 5 insertions(+), 17 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index d4644ba39..2956ac7fd 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -15,27 +15,15 @@ Although a custom policy, loaded via dracut, systemd or manually from user
space, may contain equivalent measurement tcb rules, detecting them would
require `IMA_READ_POLICY=y` therefore ignore this option.
-### IMA key import test
-`ima_keys.sh` requires a x509 public key, by default in `/etc/keys/x509_ima.der`
-(defined in `CONFIG_IMA_X509_PATH` kernel config option).
-The key must be signed by the private key you generate. Follow these instructions:
-https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys
-
-The test cannot be set-up automatically because the x509 public key must be
-built into the kernel and loaded onto a trusted keyring
-(e.g. `.builtin_trusted_keys`, `.secondary_trusted_keyring`).
-
-As well as what's required for the IMA tests, the following are also required
-in the kernel configuration:
+### IMA key test
+`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
+with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
+
+Mandatory kernel configuration for IMA:
```
CONFIG_IMA_READ_POLICY=y
-CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
```
-Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
-
### IMA kexec test
`ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
--
2.25.1
next prev parent reply other threads:[~2020-08-03 18:47 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-03 18:47 [PATCH v1 0/3] Verify measurement of certificate imported into a keyring Lachlan Sneff
2020-08-03 18:47 ` [LTP] " Lachlan Sneff
2020-08-03 18:47 ` Lachlan Sneff [this message]
2020-08-03 18:47 ` [LTP] [PATCH 1/3] IMA: Update key test documentation Lachlan Sneff
2020-08-04 4:35 ` Petr Vorel
2020-08-04 4:35 ` [LTP] " Petr Vorel
2020-08-04 16:42 ` Lachlan Sneff
2020-08-04 16:42 ` [LTP] " Lachlan Sneff
2020-08-05 8:36 ` Petr Vorel
2020-08-05 8:36 ` [LTP] " Petr Vorel
2020-08-05 8:44 ` Petr Vorel
2020-08-05 8:44 ` [LTP] " Petr Vorel
2020-08-03 18:47 ` [PATCH 2/3] IMA: Refactor datafiles directory Lachlan Sneff
2020-08-03 18:47 ` [LTP] " Lachlan Sneff
2020-08-07 7:17 ` Petr Vorel
2020-08-07 7:17 ` [LTP] " Petr Vorel
2020-08-07 9:01 ` Petr Vorel
2020-08-07 9:01 ` [LTP] " Petr Vorel
2020-08-07 12:27 ` Petr Vorel
2020-08-07 12:27 ` [LTP] " Petr Vorel
2020-08-03 18:47 ` [PATCH 3/3] IMA: Add a test to verify measurement of certificate imported into a keyring Lachlan Sneff
2020-08-03 18:47 ` [LTP] " Lachlan Sneff
-- strict thread matches above, loose matches on Subject: below --
2020-08-03 17:59 [PATCH v1 0/3] Verify " Lachlan Sneff
2020-08-03 17:59 ` [PATCH 1/3] IMA: Update key test documentation Lachlan Sneff
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200803184726.2416-2-t-josne@linux.microsoft.com \
--to=t-josne@linux.microsoft.com \
--cc=balajib@linux.microsoft.com \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=nramas@linux.microsoft.com \
--cc=pvorel@suse.cz \
--cc=tyhicks@linux.microsoft.com \
--cc=yaneurabeya@gmail.com \
--cc=zhang.jia@linux.alibaba.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.