From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> To: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>, ltp@lists.linux.it Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>, linux-integrity@vger.kernel.org Subject: Re: [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring Date: Sun, 16 Aug 2020 22:13:20 -0700 [thread overview] Message-ID: <a537bbdb-1383-48f4-99a5-42ce6d082ddf@linux.microsoft.com> (raw) In-Reply-To: <25a78f42d15dcb3312a59de587cb9f4e31ccd5b5.camel@linux.ibm.com> On 8/16/20 8:21 PM, Mimi Zohar wrote: Hi Mimi, >> +# Create a new keyring, import a certificate into it, and verify >> +# that the certificate is measured correctly by IMA. >> +test2() >> +{ >> + tst_require_cmds evmctl keyctl openssl >> + >> + local cert_file="$TST_DATAROOT/x509_ima.der" >> + local keyring_name="key_import_test" >> + local temp_file="file.txt" >> + local keyring_id >> + >> + tst_res TINFO "verify measurement of certificate imported into a keyring" >> + >> + if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then >> + tst_brk TCONF "IMA policy does not contain $keyring_name keyring" >> + fi >> + > > If the IMA policy contains multiple KEY_CHECK measurement policy rules > it complains about "grep: Unmatched ( or \(". > > Sample rules: > measure func=KEY_CHECK template=ima-buf > keyrings=.ima|.builtin_trusted_keys > measure func=KEY_CHECK template=ima-buf keyrings=key_import_test > I tried with the above policy entries, but am unable to reproduce the error you are seeing. ima_keys 1 TINFO: verifying key measurement for keyrings and templates specified in IMA policy file ima_keys 1 TPASS: specified keyrings were measured correctly ima_keys 2 TPASS: logged cert matches original cert >> + keyctl new_session > /dev/null >> + >> + keyring_id=$(keyctl newring $keyring_name @s) || \ >> + tst_brk TBROK "unable to create a new keyring" >> + >> + tst_is_num $keyring_id || \ >> + tst_brk TBROK "unable to parse the new keyring id" >> + >> + evmctl import $cert_file $keyring_id > /dev/null || \ >> + tst_brk TBROK "unable to import a certificate into $keyring_name keyring" > > "cert_file" needs to be updated from > "ltp/testcases/kernel/security/integrity/ima/tests/datafiles/x509_ima.d > er" to > "ltp/testcases/kernel/security/integrity/ima/tests/../datafiles/ima_key > s/x509_ima.der". > The problem is actually due to missing "x509_ima.der" in "INSTALL_TARGETS" in datafiles/keys/Makefile Adding the following line in the Makefile fixes the problem INSTALL_TARGETS := x509_ima.der -lakshmi > On failure to open the file, > errno: No such file or directory (2) > ima_keys 2 TBROK: unable to import a certificate into key_import_test keyring > ima_keys 2 TINFO: SELinux enabled in enforcing mode, this may affect test results > ima_keys 2 TINFO: it can be disabled with TST_DISABLE_SELINUX=1 (requires super/root) > ima_keys 2 TINFO: install seinfo to find used SELinux profiles > ima_keys 2 TINFO: loaded SELinux profiles: none > > Mimi > >> + >> + grep $keyring_name $ASCII_MEASUREMENTS | tail -n1 | cut -d' ' -f6 | \ >> + xxd -r -p > $temp_file >> + >> + if [ ! -s $temp_file ]; then >> + tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS" >> + return >> + fi >> + >> + if ! openssl x509 -in $temp_file -inform der > /dev/null; then >> + tst_res TFAIL "logged certificate is not a valid x509 certificate" >> + return >> + fi >> + >> + if cmp -s $temp_file $cert_file; then >> + tst_res TPASS "logged certificate matches the original" >> + else >> + tst_res TFAIL "logged certificate does not match original" >> + fi >> +} >> + >> tst_run >
WARNING: multiple messages have this Message-ID (diff)
From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> To: ltp@lists.linux.it Subject: [LTP] [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring Date: Sun, 16 Aug 2020 22:13:20 -0700 [thread overview] Message-ID: <a537bbdb-1383-48f4-99a5-42ce6d082ddf@linux.microsoft.com> (raw) In-Reply-To: <25a78f42d15dcb3312a59de587cb9f4e31ccd5b5.camel@linux.ibm.com> On 8/16/20 8:21 PM, Mimi Zohar wrote: Hi Mimi, >> +# Create a new keyring, import a certificate into it, and verify >> +# that the certificate is measured correctly by IMA. >> +test2() >> +{ >> + tst_require_cmds evmctl keyctl openssl >> + >> + local cert_file="$TST_DATAROOT/x509_ima.der" >> + local keyring_name="key_import_test" >> + local temp_file="file.txt" >> + local keyring_id >> + >> + tst_res TINFO "verify measurement of certificate imported into a keyring" >> + >> + if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then >> + tst_brk TCONF "IMA policy does not contain $keyring_name keyring" >> + fi >> + > > If the IMA policy contains multiple KEY_CHECK measurement policy rules > it complains about "grep: Unmatched ( or \(". > > Sample rules: > measure func=KEY_CHECK template=ima-buf > keyrings=.ima|.builtin_trusted_keys > measure func=KEY_CHECK template=ima-buf keyrings=key_import_test > I tried with the above policy entries, but am unable to reproduce the error you are seeing. ima_keys 1 TINFO: verifying key measurement for keyrings and templates specified in IMA policy file ima_keys 1 TPASS: specified keyrings were measured correctly ima_keys 2 TPASS: logged cert matches original cert >> + keyctl new_session > /dev/null >> + >> + keyring_id=$(keyctl newring $keyring_name @s) || \ >> + tst_brk TBROK "unable to create a new keyring" >> + >> + tst_is_num $keyring_id || \ >> + tst_brk TBROK "unable to parse the new keyring id" >> + >> + evmctl import $cert_file $keyring_id > /dev/null || \ >> + tst_brk TBROK "unable to import a certificate into $keyring_name keyring" > > "cert_file" needs to be updated from > "ltp/testcases/kernel/security/integrity/ima/tests/datafiles/x509_ima.d > er" to > "ltp/testcases/kernel/security/integrity/ima/tests/../datafiles/ima_key > s/x509_ima.der". > The problem is actually due to missing "x509_ima.der" in "INSTALL_TARGETS" in datafiles/keys/Makefile Adding the following line in the Makefile fixes the problem INSTALL_TARGETS := x509_ima.der -lakshmi > On failure to open the file, > errno: No such file or directory (2) > ima_keys 2 TBROK: unable to import a certificate into key_import_test keyring > ima_keys 2 TINFO: SELinux enabled in enforcing mode, this may affect test results > ima_keys 2 TINFO: it can be disabled with TST_DISABLE_SELINUX=1 (requires super/root) > ima_keys 2 TINFO: install seinfo to find used SELinux profiles > ima_keys 2 TINFO: loaded SELinux profiles: none > > Mimi > >> + >> + grep $keyring_name $ASCII_MEASUREMENTS | tail -n1 | cut -d' ' -f6 | \ >> + xxd -r -p > $temp_file >> + >> + if [ ! -s $temp_file ]; then >> + tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS" >> + return >> + fi >> + >> + if ! openssl x509 -in $temp_file -inform der > /dev/null; then >> + tst_res TFAIL "logged certificate is not a valid x509 certificate" >> + return >> + fi >> + >> + if cmp -s $temp_file $cert_file; then >> + tst_res TPASS "logged certificate matches the original" >> + else >> + tst_res TFAIL "logged certificate does not match original" >> + fi >> +} >> + >> tst_run >
next prev parent reply other threads:[~2020-08-17 5:13 UTC|newest] Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-08-07 20:46 [PATCH v2 0/4] IMA: verify measurement of certificate imported into a keyring Petr Vorel 2020-08-07 20:46 ` [LTP] " Petr Vorel 2020-08-07 20:46 ` [PATCH v2 1/4] IMA/ima_keys.sh Fix policy content check usage Petr Vorel 2020-08-07 20:46 ` [LTP] " Petr Vorel 2020-08-07 20:46 ` [PATCH v2 2/4] IMA: Refactor datafiles directory Petr Vorel 2020-08-07 20:46 ` [LTP] " Petr Vorel 2020-08-07 20:46 ` [PATCH v2 3/4] IMA: Add a test to verify measurement of certificate imported into a keyring Petr Vorel 2020-08-07 20:46 ` [LTP] " Petr Vorel 2020-08-07 21:12 ` Lakshmi Ramasubramanian 2020-08-07 21:12 ` [LTP] " Lakshmi Ramasubramanian 2020-08-17 3:21 ` Mimi Zohar 2020-08-17 3:21 ` [LTP] " Mimi Zohar 2020-08-17 5:13 ` Lakshmi Ramasubramanian [this message] 2020-08-17 5:13 ` Lakshmi Ramasubramanian 2020-08-17 11:09 ` Petr Vorel 2020-08-17 11:09 ` [LTP] " Petr Vorel 2020-08-07 20:46 ` [PATCH v2 4/4] IMA/ima_keys.sh: Enhance policy checks Petr Vorel 2020-08-07 20:46 ` [LTP] " Petr Vorel 2020-08-12 13:35 ` [PATCH v2 0/4] IMA: verify measurement of certificate imported into a keyring Petr Vorel 2020-08-12 13:35 ` [LTP] " Petr Vorel
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=a537bbdb-1383-48f4-99a5-42ce6d082ddf@linux.microsoft.com \ --to=nramas@linux.microsoft.com \ --cc=linux-integrity@vger.kernel.org \ --cc=ltp@lists.linux.it \ --cc=pvorel@suse.cz \ --cc=zohar@linux.ibm.com \ --cc=zohar@linux.vnet.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.