From: Petr Vorel <pvorel@suse.cz>
To: Lachlan Sneff <t-josne@linux.microsoft.com>
Cc: zohar@linux.ibm.com, ltp@lists.linux.it,
nramas@linux.microsoft.com, balajib@linux.microsoft.com,
linux-integrity@vger.kernel.org, tyhicks@linux.microsoft.com,
yaneurabeya@gmail.com, zhang.jia@linux.alibaba.com
Subject: Re: [PATCH 1/3] IMA: Update key test documentation
Date: Tue, 4 Aug 2020 06:35:04 +0200 [thread overview]
Message-ID: <20200804043504.GA76360@x230> (raw)
In-Reply-To: <20200803184726.2416-2-t-josne@linux.microsoft.com>
Hi Lachlan,
> The current documentation for the existing IMA key test was
> left in by accident by a previous merge. It does not apply
> to the test that is currently included in the LTP.
> Update the documentation for the IMA key test.
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Thanks for fixing this, I propose this changes:
Fixes: d2768c84e ("IMA: Add a test to verify measurement of keys")
> ---
> .../kernel/security/integrity/ima/README.md | 22 +++++--------------
> 1 file changed, 5 insertions(+), 17 deletions(-)
> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
> index d4644ba39..2956ac7fd 100644
> --- a/testcases/kernel/security/integrity/ima/README.md
> +++ b/testcases/kernel/security/integrity/ima/README.md
> @@ -15,27 +15,15 @@ Although a custom policy, loaded via dracut, systemd or manually from user
> space, may contain equivalent measurement tcb rules, detecting them would
> require `IMA_READ_POLICY=y` therefore ignore this option.
> -### IMA key import test
> -`ima_keys.sh` requires a x509 public key, by default in `/etc/keys/x509_ima.der`
> -(defined in `CONFIG_IMA_X509_PATH` kernel config option).
> -The key must be signed by the private key you generate. Follow these instructions:
> -https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys
> -
> -The test cannot be set-up automatically because the x509 public key must be
> -built into the kernel and loaded onto a trusted keyring
> -(e.g. `.builtin_trusted_keys`, `.secondary_trusted_keyring`).
> -
> -As well as what's required for the IMA tests, the following are also required
> -in the kernel configuration:
> +### IMA key test
> +`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
> +with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
> +
> +Mandatory kernel configuration for IMA:
This "Mandatory kernel configuration for IMA:" would be in docs twice. The above
one (CONFIG_INTEGRITY=y, CONFIG_IMA=y) is required for all tests.
Take it that "### IMA key test" is header 3, but ## IMA tests
is header 2 (upper level).
> ```
> CONFIG_IMA_READ_POLICY=y
> -CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
> -CONFIG_SYSTEM_TRUSTED_KEYRING=y
> -CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
> ```
> -Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
> -
> ### IMA kexec test
> `ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
I also removed "IMA" from EVM tests header.
Kind regards,
Petr
diff --git testcases/kernel/security/integrity/ima/README.md testcases/kernel/security/integrity/ima/README.md
index 2956ac7fd..392e1e868 100644
--- testcases/kernel/security/integrity/ima/README.md
+++ testcases/kernel/security/integrity/ima/README.md
@@ -19,7 +19,8 @@ require `IMA_READ_POLICY=y` therefore ignore this option.
`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
-Mandatory kernel configuration for IMA:
+As well as what's required for the IMA tests, the following are also required
+-in the kernel configuration:
```
CONFIG_IMA_READ_POLICY=y
```
@@ -38,7 +39,7 @@ To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
Again, for simplicity ignore possibility to load requires rules via custom policy.
-Mandatory kernel configuration for IMA & EVM:
+Mandatory kernel configuration for EVM tests:
```
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
@@ -50,7 +51,7 @@ CONFIG_TRUSTED_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
```
-Example of installing IMA + EVM on openSUSE:
+Example of preparing environment on for EVM on openSUSE:
* Boot install system with `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters
(for IMA measurement, IMA appraisal and EVM protection)
WARNING: multiple messages have this Message-ID (diff)
From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 1/3] IMA: Update key test documentation
Date: Tue, 4 Aug 2020 06:35:04 +0200 [thread overview]
Message-ID: <20200804043504.GA76360@x230> (raw)
In-Reply-To: <20200803184726.2416-2-t-josne@linux.microsoft.com>
Hi Lachlan,
> The current documentation for the existing IMA key test was
> left in by accident by a previous merge. It does not apply
> to the test that is currently included in the LTP.
> Update the documentation for the IMA key test.
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Thanks for fixing this, I propose this changes:
Fixes: d2768c84e ("IMA: Add a test to verify measurement of keys")
> ---
> .../kernel/security/integrity/ima/README.md | 22 +++++--------------
> 1 file changed, 5 insertions(+), 17 deletions(-)
> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
> index d4644ba39..2956ac7fd 100644
> --- a/testcases/kernel/security/integrity/ima/README.md
> +++ b/testcases/kernel/security/integrity/ima/README.md
> @@ -15,27 +15,15 @@ Although a custom policy, loaded via dracut, systemd or manually from user
> space, may contain equivalent measurement tcb rules, detecting them would
> require `IMA_READ_POLICY=y` therefore ignore this option.
> -### IMA key import test
> -`ima_keys.sh` requires a x509 public key, by default in `/etc/keys/x509_ima.der`
> -(defined in `CONFIG_IMA_X509_PATH` kernel config option).
> -The key must be signed by the private key you generate. Follow these instructions:
> -https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys
> -
> -The test cannot be set-up automatically because the x509 public key must be
> -built into the kernel and loaded onto a trusted keyring
> -(e.g. `.builtin_trusted_keys`, `.secondary_trusted_keyring`).
> -
> -As well as what's required for the IMA tests, the following are also required
> -in the kernel configuration:
> +### IMA key test
> +`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
> +with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
> +
> +Mandatory kernel configuration for IMA:
This "Mandatory kernel configuration for IMA:" would be in docs twice. The above
one (CONFIG_INTEGRITY=y, CONFIG_IMA=y) is required for all tests.
Take it that "### IMA key test" is header 3, but ## IMA tests
is header 2 (upper level).
> ```
> CONFIG_IMA_READ_POLICY=y
> -CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
> -CONFIG_SYSTEM_TRUSTED_KEYRING=y
> -CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
> ```
> -Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
> -
> ### IMA kexec test
> `ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
I also removed "IMA" from EVM tests header.
Kind regards,
Petr
diff --git testcases/kernel/security/integrity/ima/README.md testcases/kernel/security/integrity/ima/README.md
index 2956ac7fd..392e1e868 100644
--- testcases/kernel/security/integrity/ima/README.md
+++ testcases/kernel/security/integrity/ima/README.md
@@ -19,7 +19,8 @@ require `IMA_READ_POLICY=y` therefore ignore this option.
`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
-Mandatory kernel configuration for IMA:
+As well as what's required for the IMA tests, the following are also required
+-in the kernel configuration:
```
CONFIG_IMA_READ_POLICY=y
```
@@ -38,7 +39,7 @@ To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
Again, for simplicity ignore possibility to load requires rules via custom policy.
-Mandatory kernel configuration for IMA & EVM:
+Mandatory kernel configuration for EVM tests:
```
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
@@ -50,7 +51,7 @@ CONFIG_TRUSTED_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
```
-Example of installing IMA + EVM on openSUSE:
+Example of preparing environment on for EVM on openSUSE:
* Boot install system with `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters
(for IMA measurement, IMA appraisal and EVM protection)
next prev parent reply other threads:[~2020-08-04 4:35 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-03 18:47 [PATCH v1 0/3] Verify measurement of certificate imported into a keyring Lachlan Sneff
2020-08-03 18:47 ` [LTP] " Lachlan Sneff
2020-08-03 18:47 ` [PATCH 1/3] IMA: Update key test documentation Lachlan Sneff
2020-08-03 18:47 ` [LTP] " Lachlan Sneff
2020-08-04 4:35 ` Petr Vorel [this message]
2020-08-04 4:35 ` Petr Vorel
2020-08-04 16:42 ` Lachlan Sneff
2020-08-04 16:42 ` [LTP] " Lachlan Sneff
2020-08-05 8:36 ` Petr Vorel
2020-08-05 8:36 ` [LTP] " Petr Vorel
2020-08-05 8:44 ` Petr Vorel
2020-08-05 8:44 ` [LTP] " Petr Vorel
2020-08-03 18:47 ` [PATCH 2/3] IMA: Refactor datafiles directory Lachlan Sneff
2020-08-03 18:47 ` [LTP] " Lachlan Sneff
2020-08-07 7:17 ` Petr Vorel
2020-08-07 7:17 ` [LTP] " Petr Vorel
2020-08-07 9:01 ` Petr Vorel
2020-08-07 9:01 ` [LTP] " Petr Vorel
2020-08-07 12:27 ` Petr Vorel
2020-08-07 12:27 ` [LTP] " Petr Vorel
2020-08-03 18:47 ` [PATCH 3/3] IMA: Add a test to verify measurement of certificate imported into a keyring Lachlan Sneff
2020-08-03 18:47 ` [LTP] " Lachlan Sneff
-- strict thread matches above, loose matches on Subject: below --
2020-08-03 17:59 [PATCH v1 0/3] Verify " Lachlan Sneff
2020-08-03 17:59 ` [PATCH 1/3] IMA: Update key test documentation Lachlan Sneff
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200804043504.GA76360@x230 \
--to=pvorel@suse.cz \
--cc=balajib@linux.microsoft.com \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=nramas@linux.microsoft.com \
--cc=t-josne@linux.microsoft.com \
--cc=tyhicks@linux.microsoft.com \
--cc=yaneurabeya@gmail.com \
--cc=zhang.jia@linux.alibaba.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.