* [PATCH ima-evm-utils v2 0/9] Support testing with UML kernel
@ 2023-01-12 12:24 Roberto Sassu
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 1/9] Fix error messages and mdlen init in calc_evm_hmac() Roberto Sassu
                   ` (9 more replies)
  0 siblings, 10 replies; 28+ messages in thread
From: Roberto Sassu @ 2023-01-12 12:24 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

From: Roberto Sassu <roberto.sassu@huawei.com>

UML kernels differ from other kernels in their ability to be executed as
processes in the current environment, without requirements such as
virtualization. It is sufficient to execute the binary, like the other
binaries.

In addition, UML kernels have the ability to see the host filesystem and
thus they could for example run an executable from the host as init and
have a fully working system without creating an image, as it would happen
if a regular virtual machine is used.

These features make UML kernels very suitable for integration in existing
test suites designed to perform the tests in the current environment such
as ima-evm-utils. In the current environment, test suites cannot test new
functionality not yet integrated in the host kernel, or with custom kernel
configuration options not usually enabled in production. Also, test suites
might not be able to set/reset kernel settings for security reasons.

With the ability to do kernel testing more in depth, ima-evm-utils might
introduce specific tests for that, separated from the tests to verify the
ima-evm-utils user space functionality. At the moment, there is no such
distinction, existing tests verify both.

The goal of this patch set is to overcome the limitations by making the
test suite in ima-evm-utils able to run in an environment created by the
UML kernel, with minimal changes. At the same time, it will preserve the
ability of the test suite to run in the current environment.

First, fix error messages and a variable in evmctl. Then, add the
config-uml file with custom kernel configuration options for the tests, to
be merged with the default configuration. Add a new job in the Github
workflow to build the UML kernel from a repository and branch specified in
the LINUX_URL and LINUX_BRANCH variables. Per Github documentation, these
variables can be defined at organization, repository and environment level.

Introduce a new API for using UML kernels for existing and new test
scripts. Unless the environment variable UML_MODE is set to 1, calling the
API results in a nop, and tests are executed in the current environment.

Add the possibility to select individual tests to run in a test script,
with the TST_LIST variable, so that the UML kernel can be launched multiple
times with a subset of tests (useful if for example a test requires kernel
settings different from the previous test).

Add tests for EVM portable signatures supporting UML kernels and port
fsverity.test to use UML kernels.

Finally, don't require making changes to the system to run fsverity.test
and install a software dependency after the appropriate repository has been
set up.

Mimi Zohar (1):
  ci: haveged requires EPEL on CentOS stream:8

Roberto Sassu (8):
  Fix error messages and mdlen init in calc_evm_hmac()
  Add config for UML kernel
  Compile the UML kernel and download it in Github Actions
  Add support for UML in functions.sh
  Introduce TST_LIST variable to select a test to execute
  Add tests for EVM portable signatures
  Adapt fsverity.test to work with UML kernel
  Use in-place built fsverity binary instead of installing it

 .github/workflows/ci.yml        |   96 ++-
 build.sh                        |    5 +
 ci/fedora.sh                    |   12 +-
 config-uml                      |  235 +++++++
 src/evmctl.c                    |    8 +-
 tests/Makefile.am               |    2 +-
 tests/fsverity.test             |   18 +-
 tests/functions.sh              |   91 ++-
 tests/install-fsverity.sh       |    2 +-
 tests/install-mount-idmapped.sh |    7 +
 tests/portable_signatures.test  | 1173 +++++++++++++++++++++++++++++++
 11 files changed, 1637 insertions(+), 12 deletions(-)
 create mode 100644 config-uml
 create mode 100755 tests/install-mount-idmapped.sh
 create mode 100755 tests/portable_signatures.test

-- 
2.25.1



* [PATCH ima-evm-utils v2 1/9] Fix error messages and mdlen init in calc_evm_hmac()
  2023-01-12 12:24 [PATCH ima-evm-utils v2 0/9] Support testing with UML kernel Roberto Sassu
@ 2023-01-12 12:24 ` Roberto Sassu
  2023-01-12 14:16   ` Stefan Berger
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 2/9] Add config for UML kernel Roberto Sassu
                   ` (8 subsequent siblings)
  9 siblings, 1 reply; 28+ messages in thread
From: Roberto Sassu @ 2023-01-12 12:24 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

From: Roberto Sassu <roberto.sassu@huawei.com>

Make sure that the function name in the error message corresponds to the
actual function called. Also, initialize mdlen to the size of 'hash'
(MAX_DIGEST_SIZE), as this is expected by EVP_DigestSignFinal().

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 src/evmctl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 0ac7930da6f2..d4912d7ee891 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1186,7 +1186,7 @@ static int cmd_setxattr_ima(struct command *cmd)
 
 static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *hash)
 {
-	size_t mdlen;
+	size_t mdlen = MAX_DIGEST_SIZE;
 	EVP_MD_CTX *pctx;
 	EVP_PKEY *pkey = NULL;
 	struct stat st;
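Review bot: `mdlen` is an in/out parameter for EVP_DigestSignFinal(), so initialising it to MAX_DIGEST_SIZE is only safe as long as every caller passes a `hash` buffer of at least that many bytes; the signature `unsigned char *hash` carries no length, so either state that requirement in a comment above calc_evm_hmac() or take the buffer size as a parameter and initialise `mdlen` from it, which keeps the two from drifting apart.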
@@ -1260,7 +1260,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 
 	pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, evmkey, sizeof(evmkey));
 	if (!pkey) {
-		log_err("HMAC_Init() failed\n");
+		log_err("EVP_PKEY_new_mac_key() failed\n");
 		goto out;
 	}
 
@@ -1326,12 +1326,12 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 
 	err = EVP_DigestSignUpdate(pctx, &hmac_misc, hmac_size);
 	if (err != 1) {
-		log_err("HMAC_Update() failed\n");
+		log_err("EVP_DigestSignUpdate() failed\n");
 		goto out_ctx_cleanup;
 	}
 	err = EVP_DigestSignFinal(pctx, hash, &mdlen);
 	if (err != 1)
-		log_err("HMAC_Final() failed\n");
+		log_err("EVP_DigestSignFinal() failed\n");
 out_ctx_cleanup:
 	EVP_PKEY_free(pkey);
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
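Review bot: after EVP_DigestSignFinal() fails the code falls through to out_ctx_cleanup without a `goto`, which only works because the label immediately follows; for symmetry with the EVP_DigestSignUpdate() branch in this hunk, and so that inserting code between the two later cannot silently change the error path, write it as `if (err != 1) { log_err("EVP_DigestSignFinal() failed\n"); goto out_ctx_cleanup; }`.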
-- 
2.25.1



* [PATCH ima-evm-utils v2 2/9] Add config for UML kernel
  2023-01-12 12:24 [PATCH ima-evm-utils v2 0/9] Support testing with UML kernel Roberto Sassu
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 1/9] Fix error messages and mdlen init in calc_evm_hmac() Roberto Sassu
@ 2023-01-12 12:24 ` Roberto Sassu
  2023-01-12 14:18   ` Stefan Berger
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 3/9] Compile the UML kernel and download it in Github Actions Roberto Sassu
                   ` (7 subsequent siblings)
  9 siblings, 1 reply; 28+ messages in thread
From: Roberto Sassu @ 2023-01-12 12:24 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

From: Roberto Sassu <roberto.sassu@huawei.com>

Add config-uml, with test-specific options that are not enabled in the
kernel configuration generated with 'make ARCH=um olddefconfig'. The new
options will be merged with the merge_config.sh script from the kernel
source code in a Github workflow step.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 config-uml | 235 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 235 insertions(+)
 create mode 100644 config-uml

diff --git a/config-uml b/config-uml
new file mode 100644
index 000000000000..2d3bb8ba8edb
--- /dev/null
+++ b/config-uml
@@ -0,0 +1,235 @@
+CONFIG_LOCALVERSION="-dont-use"
+CONFIG_WATCH_QUEUE=y
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_HZ_PERIODIC=y
+CONFIG_LOG_BUF_SHIFT=17
+CONFIG_USER_NS=y
+CONFIG_PID_NS=y
+CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
+CONFIG_KALLSYMS_ALL=y
+CONFIG_SYSTEM_DATA_VERIFICATION=y
+CONFIG_TRACEPOINTS=y
+CONFIG_CON_CHAN="xterm"
+CONFIG_SSL_CHAN="pty"
+CONFIG_MODULE_SIG_FORMAT=y
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_SHA1=y
+CONFIG_MODULE_SIG_HASH="sha1"
+CONFIG_MODULES_TREE_LOOKUP=y
+CONFIG_BLK_DEBUG_FS=y
+CONFIG_ASN1=y
+CONFIG_UNINLINE_SPIN_UNLOCK=y
+CONFIG_SLUB=y
+CONFIG_COMPACTION=y
+CONFIG_COMPACT_UNEVICTABLE_DEFAULT=1
+CONFIG_MIGRATION=y
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_LEGACY_PTY_COUNT=256
+CONFIG_NULL_TTY=y
+CONFIG_SERIAL_DEV_BUS=y
+CONFIG_SERIAL_DEV_CTRL_TTYPORT=y
+CONFIG_VALIDATE_FS_PARSER=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_EXT4_DEBUG=y
+CONFIG_REISERFS_FS_XATTR=y
+CONFIG_REISERFS_FS_POSIX_ACL=y
+CONFIG_REISERFS_FS_SECURITY=y
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FS_VERITY=y
+CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_TMPFS_XATTR=y
+CONFIG_CONFIGFS_FS=y
+CONFIG_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_PATH=y
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_IMA_APPRAISE_BUILD_POLICY=y
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_APPRAISE_MODSIG=y
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_BLACKLIST_KEYRING=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
+CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_ADD_XATTRS=y
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
+CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_SKCIPHER=y
+CONFIG_CRYPTO_SKCIPHER2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_RNG_DEFAULT=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_AKCIPHER=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_ACOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_RSA=y
+CONFIG_CRYPTO_ECC=y
+CONFIG_CRYPTO_ECDSA=y
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_SHA1=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_WP512=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_ZSTD=y
+CONFIG_CRYPTO_DRBG_MENU=y
+CONFIG_CRYPTO_DRBG_HMAC=y
+CONFIG_CRYPTO_DRBG=y
+CONFIG_CRYPTO_JITTERENTROPY=y
+CONFIG_CRYPTO_HASH_INFO=y
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
+CONFIG_PKCS7_MESSAGE_PARSER=y
+CONFIG_PKCS7_TEST_KEY=y
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
+CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
+CONFIG_SYSTEM_REVOCATION_LIST=y
+CONFIG_SYSTEM_REVOCATION_KEYS=""
+CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE=y
+CONFIG_BINARY_PRINTF=y
+CONFIG_CRYPTO_LIB_AES=y
+CONFIG_CRYPTO_LIB_SHA256=y
+CONFIG_CRC_CCITT=y
+CONFIG_XXHASH=y
+CONFIG_AUDIT_GENERIC=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_ZSTD_COMMON=y
+CONFIG_ZSTD_COMPRESS=y
+CONFIG_ZSTD_DECOMPRESS=y
+CONFIG_ASSOCIATIVE_ARRAY=y
+CONFIG_SGL_ALLOC=y
+CONFIG_GLOB=y
+CONFIG_CLZ_TAB=y
+CONFIG_MPILIB=y
+CONFIG_SIGNATURE=y
+CONFIG_OID_REGISTRY=y
+CONFIG_STACKDEPOT=y
+CONFIG_STACKDEPOT_ALWAYS_INIT=y
+CONFIG_PRINTK_TIME=y
+CONFIG_PRINTK_CALLER=y
+CONFIG_DYNAMIC_DEBUG=y
+CONFIG_DYNAMIC_DEBUG_CORE=y
+CONFIG_DEBUG_INFO_DWARF5=y
+CONFIG_GDB_SCRIPTS=y
+CONFIG_FRAME_WARN=2048
+CONFIG_READABLE_ASM=y
+CONFIG_DEBUG_SECTION_MISMATCH=y
+CONFIG_DEBUG_FS=y
+CONFIG_DEBUG_FS_ALLOW_ALL=y
+CONFIG_UBSAN=y
+CONFIG_CC_HAS_UBSAN_BOUNDS=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_ONLY_BOUNDS=y
+CONFIG_UBSAN_SHIFT=y
+CONFIG_UBSAN_DIV_ZERO=y
+CONFIG_UBSAN_BOOL=y
+CONFIG_UBSAN_ENUM=y
+CONFIG_UBSAN_ALIGNMENT=y
+CONFIG_PAGE_EXTENSION=y
+CONFIG_DEBUG_PAGEALLOC=y
+CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y
+CONFIG_SLUB_DEBUG=y
+CONFIG_SLUB_DEBUG_ON=y
+CONFIG_PAGE_OWNER=y
+CONFIG_PAGE_POISONING=y
+CONFIG_DEBUG_OBJECTS=y
+CONFIG_DEBUG_OBJECTS_FREE=y
+CONFIG_DEBUG_OBJECTS_TIMERS=y
+CONFIG_DEBUG_OBJECTS_WORK=y
+CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
+CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
+CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
+CONFIG_DEBUG_KMEMLEAK=y
+CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE=16000
+CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y
+CONFIG_DEBUG_STACK_USAGE=y
+CONFIG_SCHED_STACK_END_CHECK=y
+CONFIG_DEBUG_SHIRQ=y
+CONFIG_PANIC_ON_OOPS=y
+CONFIG_PANIC_ON_OOPS_VALUE=1
+CONFIG_LOCKUP_DETECTOR=y
+CONFIG_SOFTLOCKUP_DETECTOR=y
+CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
+CONFIG_WQ_WATCHDOG=y
+CONFIG_DEBUG_TIMEKEEPING=y
+CONFIG_PROVE_LOCKING=y
+CONFIG_PROVE_RAW_LOCK_NESTING=y
+CONFIG_LOCK_STAT=y
+CONFIG_DEBUG_RT_MUTEXES=y
+CONFIG_DEBUG_SPINLOCK=y
+CONFIG_DEBUG_MUTEXES=y
+CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
+CONFIG_DEBUG_RWSEMS=y
+CONFIG_DEBUG_LOCK_ALLOC=y
+CONFIG_LOCKDEP=y
+CONFIG_LOCKDEP_BITS=15
+CONFIG_LOCKDEP_CHAINS_BITS=16
+CONFIG_LOCKDEP_STACK_TRACE_BITS=19
+CONFIG_LOCKDEP_STACK_TRACE_HASH_BITS=14
+CONFIG_LOCKDEP_CIRCULAR_QUEUE_BITS=12
+CONFIG_WW_MUTEX_SELFTEST=y
+CONFIG_CSD_LOCK_WAIT_DEBUG=y
+CONFIG_TRACE_IRQFLAGS=y
+CONFIG_DEBUG_IRQFLAGS=y
+CONFIG_DEBUG_LIST=y
+CONFIG_DEBUG_PLIST=y
+CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_NOTIFIERS=y
+CONFIG_BUG_ON_DATA_CORRUPTION=y
+CONFIG_PROVE_RCU=y
+CONFIG_RCU_TRACE=y
+CONFIG_NOP_TRACER=y
+CONFIG_TRACE_CLOCK=y
+CONFIG_RING_BUFFER=y
+CONFIG_EVENT_TRACING=y
+CONFIG_CONTEXT_SWITCH_TRACER=y
+CONFIG_PREEMPTIRQ_TRACEPOINTS=y
+CONFIG_TRACING=y
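Review bot: CONFIG_MODULE_SIG_SHA1=y and CONFIG_MODULE_SIG_HASH="sha1" select SHA-1 for module signatures while CONFIG_IMA_DEFAULT_HASH is "sha256"; unless a test specifically needs sha1-signed modules, switch to CONFIG_MODULE_SIG_SHA256=y so the test kernel does not depend on a hash that is deprecated for signatures. The file also mixes options the tests need (IMA/EVM, fs-verity, keyrings, asymmetric keys, loop devices) with heavy debug instrumentation (LOCKDEP, PROVE_LOCKING, UBSAN, DEBUG_PAGEALLOC, SLUB_DEBUG_ON, KMEMLEAK, DEBUG_OBJECTS) that slows the kernel noticeably; a short comment block grouping the two sets and stating that the debug set is optional would help anyone trimming the config when CI time becomes a problem.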
-- 
2.25.1



* [PATCH ima-evm-utils v2 3/9] Compile the UML kernel and download it in Github Actions
  2023-01-12 12:24 [PATCH ima-evm-utils v2 0/9] Support testing with UML kernel Roberto Sassu
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 1/9] Fix error messages and mdlen init in calc_evm_hmac() Roberto Sassu
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 2/9] Add config for UML kernel Roberto Sassu
@ 2023-01-12 12:24 ` Roberto Sassu
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 4/9] Add support for UML in functions.sh Roberto Sassu
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 28+ messages in thread
From: Roberto Sassu @ 2023-01-12 12:24 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

From: Roberto Sassu <roberto.sassu@huawei.com>

Add a build job, prerequisite of the existing job, to compile the UML
kernel and upload it and the signing key to a cache. Github configuration
should have two variables: LINUX_URL, the full URL of the kernel
repository; LINUX_BRANCH, the branch to check out as fallback if the kernel
repository does not have the same branch name as the one being pushed for
ima-evm-utils. See:

https://docs.github.com/en/actions/learn-github-actions/variables

for directions on how to define those variables.

If the two variables are not defined, the default values are:

LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
LINUX_BRANCH=next-integrity

If there is a cache hit (same kernel commit and same kernel configuration),
next time the UML kernel will not be rebuilt. To use the cache, it is
necessary to install zstd in the container. Add this dependency to
ci/fedora.sh.

The cache can be managed at the following URL:

https://github.com/<username>/ima-evm-utils/actions/caches

The page also offers the possibility to clean the cache, to force
rebuilding the kernel.

Add a new entry in the testing matrix, for the fedora-latest container
image, to run the tests with the UML kernel. The entry differs from the
others for the new environment variable UML_MODE, set to 1.

Add a new volume to the container, /dev/shm from the host, as it is
required for running the UML kernel.

Extend the existing job with steps to download the UML kernel and signing
key from the cache. The new steps are executed only if the matrix entry has
UML_MODE set to 1.

Finally, pass UML_MODE to the tests. A test should also propagate this
variable to the environment created with the UML kernel, by passing it to
the kernel command line.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 .github/workflows/ci.yml | 96 +++++++++++++++++++++++++++++++++++++++-
 ci/fedora.sh             |  3 +-
 2 files changed, 96 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d2afdfe15467..930e5e517196 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,7 +3,77 @@ name: "distros"
 on: [push, pull_request]
 
 jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      LINUX_SHA: ${{ steps.last-commit.outputs.LINUX_SHA }}
+    name: build
+    timeout-minutes: 100
+    strategy:
+      fail-fast: false
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Determine last kernel commit
+        id: last-commit
+        shell: bash
+        run: |
+          mkdir linux-integrity
+          pushd linux-integrity
+          git init
+          LINUX_URL=${{ vars.LINUX_URL }}
+          if [ -z "$LINUX_URL" ]; then
+              LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
+          fi
+          LINUX_BRANCH=${{ vars.LINUX_BRANCH }}
+          if [ -z "$LINUX_BRANCH" ]; then
+              LINUX_BRANCH=next-integrity
+          fi
+          git remote add origin $LINUX_URL
+          LINUX_SHA=$(git ls-remote origin $GITHUB_REF_NAME | awk '{print $1}')
+          [ -z "$LINUX_SHA" ] && LINUX_SHA=$(git ls-remote origin $LINUX_BRANCH | awk '{print $1}')
+          echo "LINUX_SHA=$LINUX_SHA" >> $GITHUB_OUTPUT
+          popd
+
+      - name: Cache UML kernel
+        id: cache-linux
+        uses: actions/cache@v3
+        with:
+          path: linux
+          key: linux-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/config-uml') }}
+
+      - name: Cache signing key
+        id: cache-key
+        uses: actions/cache@v3
+        with:
+          path: signing_key.pem
+          key: signing_key.pem-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/config-uml') }}
+
+      - name: Compile UML kernel
+        if: steps.cache-linux.outputs.cache-hit != 'true' || steps.cache-key.outputs.cache-hit != 'true'
+        shell: bash
+        run: |
+          if [ "$DEVTOOLSET" = "yes" ]; then
+                  source /opt/rh/devtoolset-10/enable
+          fi
+          if [ "$ARCH" = "i386" ]; then
+                  CROSS_COMPILE_OPT="CROSS_COMPILE=i686-linux-gnu-"
+          fi
+          pushd linux-integrity
+          git pull --depth 1 origin ${{ steps.last-commit.outputs.LINUX_SHA }}
+          make ARCH=um olddefconfig
+          ./scripts/kconfig/merge_config.sh -m .config ../config-uml
+          # Update manually, to specify ARCH=um
+          make ARCH=um olddefconfig
+          make ARCH=um $CROSS_COMPILE_OPT -j$(nproc)
+          chmod +x linux
+          cp linux ..
+          cp certs/signing_key.pem ..
+          popd
+
   job:
+    needs: build
     runs-on: ubuntu-latest
 
     strategy:
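Review bot: `git ls-remote origin $GITHUB_REF_NAME` without `--heads` can match both a branch and a tag of that name and return several lines, so LINUX_SHA becomes multi-line and both the cache key and the later `git pull` break; use `git ls-remote --heads origin "refs/heads/$GITHUB_REF_NAME"` (and the same for `$LINUX_BRANCH`). The "Compile UML kernel" step reads `$DEVTOOLSET` and `$ARCH`, but the new `build` job defines no `env:` for either, so those branches are dead on ubuntu-latest and should be dropped or given an env block. Finally, `git pull --depth 1 origin <sha>` into a freshly `git init`-ed repository relies on the server allowing fetches of unadvertised commits and on pull's merge defaults; `git fetch --depth 1 origin "$SHA" && git checkout FETCH_HEAD` is the usual form and fails more predictably.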
@@ -75,6 +145,12 @@ jobs:
               CC: clang
               TSS: ibmtss
 
+          - container: "fedora:latest"
+            env:
+              CC: clang
+              TSS: ibmtss
+              UML_MODE: 1
+
           - container: "centos:7"
             env:
               CC: gcc
@@ -98,7 +174,7 @@ jobs:
     container:
       image: ${{ matrix.container }}
       env: ${{ matrix.env }}
-      options: --privileged --device /dev/loop-control
+      options: --privileged --device /dev/loop-control -v /dev/shm:/dev/shm
 
     steps:
     - name: Show OS
@@ -125,8 +201,24 @@ jobs:
             fi
         fi
 
+    - name: Retrieve UML kernel
+      if: ${{ matrix.env.UML_MODE && fromJSON(matrix.env.UML_MODE) == 1 }}
+      uses: actions/cache@v3
+      continue-on-error: false
+      with:
+        path: linux
+        key: linux-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/config-uml') }}
+
+    - name: Retrieve signing key
+      if: ${{ matrix.env.UML_MODE && fromJSON(matrix.env.UML_MODE) == 1 }}
+      continue-on-error: false
+      uses: actions/cache@v3
+      with:
+        path: signing_key.pem
+        key: signing_key.pem-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/config-uml') }}
+
     - name: Compiler version
       run: $CC --version
 
     - name: Compile
-      run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" ./build.sh
+      run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" UML_MODE="$UML_MODE" ./build.sh
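Review bot: actions/cache in the consumer job does not fail on a miss (`continue-on-error: false` is already the default and has no bearing on that), so if the `build` job's cache entry was evicted or never saved, `linux` and `signing_key.pem` are simply absent and the build.sh step runs without them; check `steps.<id>.outputs.cache-hit` and fail explicitly, or pass the two files with actions/upload-artifact and actions/download-artifact, which is the mechanism designed for moving build outputs between jobs. A comment next to the "Retrieve signing key" step noting that signing_key.pem is the throwaway key generated by the kernel build, not a distribution key, would also avoid questions about a private key sitting in the cache.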
diff --git a/ci/fedora.sh b/ci/fedora.sh
index 2272bbc57fae..e60de7981c60 100755
--- a/ci/fedora.sh
+++ b/ci/fedora.sh
@@ -44,7 +44,8 @@ yum -y install \
 	util-linux \
 	vim-common \
 	wget \
-	which
+	which \
+	zstd
 
 yum -y install docbook5-style-xsl || true
 yum -y install swtpm || true
-- 
2.25.1



* [PATCH ima-evm-utils v2 4/9] Add support for UML in functions.sh
  2023-01-12 12:24 [PATCH ima-evm-utils v2 0/9] Support testing with UML kernel Roberto Sassu
                   ` (2 preceding siblings ...)
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 3/9] Compile the UML kernel and download it in Github Actions Roberto Sassu
@ 2023-01-12 12:24 ` Roberto Sassu
  2023-01-12 15:00   ` Stefan Berger
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 5/9] Introduce TST_LIST variable to select a test to execute Roberto Sassu
                   ` (5 subsequent siblings)
  9 siblings, 1 reply; 28+ messages in thread
From: Roberto Sassu @ 2023-01-12 12:24 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

From: Roberto Sassu <roberto.sassu@huawei.com>

Add the new functions _run_user_mode(), _exit_user_mode(),
_init_user_mode() and _cleanup_user_mode() to run the tests inside a system
booted with the UML kernel.

A typical structure of a script with tests is:

trap cleanup SIGINT SIGTERM SIGSEGV EXIT

_cleanup() {
	<test cleanup>
}

cleanup() {
	_cleanup_user_mode _cleanup
	_report_exit_and_cleanup
}

<tests implementations>

_run_user_mode ../linux $PWD/$(basename $0) "env_var1=$env_var1 ..."

_exit_user_mode ../linux

_init_user_mode

<tests init>

<tests call>

If the UML_MODE environment variable is not set to 1, ignore the UML kernel
execution and initialization requests, and perform the cleanup in the
current environment. Ignore the same also if the script is already run in
the UML environment, to avoid loops. Instead, for cleanup, do it only in
the UML environment and skip it in the host environment.

Signal to the host environment failures of tests run in the UML environment
with an unclean shutdown of the UML kernel.

Add haveged and systemd as dependencies for the tests in ci/fedora.sh,
respectively for initializing the random number generator and for shutting
down the system in the environment created by the UML kernel.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 ci/fedora.sh       |  4 ++-
 tests/functions.sh | 79 +++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 81 insertions(+), 2 deletions(-)

diff --git a/ci/fedora.sh b/ci/fedora.sh
index e60de7981c60..198034a34e3c 100755
--- a/ci/fedora.sh
+++ b/ci/fedora.sh
@@ -45,7 +45,9 @@ yum -y install \
 	vim-common \
 	wget \
 	which \
-	zstd
+	zstd \
+	haveged \
+	systemd
 
 yum -y install docbook5-style-xsl || true
 yum -y install swtpm || true
diff --git a/tests/functions.sh b/tests/functions.sh
index 8f6f02dfcd95..98829d94fae1 100755
--- a/tests/functions.sh
+++ b/tests/functions.sh
@@ -267,6 +267,16 @@ _report_exit_and_cleanup() {
   [ $testsfail -gt 0 ] && echo -n "$RED" || echo -n "$NORM"
   echo " FAIL: $testsfail"
   echo "$NORM"
+  # Signal failure to UML caller with an unclean shutdown.
+  if [ -n "$UML_MODE" ] && [ "$UML_MODE" -eq 1 ] && [ $$ -eq 1 ]; then
+    if [ -z "$(which poweroff)" ]; then
+      echo "Warning: cannot properly shutdown system"
+    fi
+
+    if [ $testsfail -eq 0 ]; then
+      poweroff -f
+    fi
+  fi
   if [ $testsfail -gt 0 ]; then
     exit "$FAIL"
   elif [ $testspass -gt 0 ]; then
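Review bot: when `poweroff` is absent the code prints a warning but then falls through, so a passing run ends with the same unclean UML shutdown that signals failure to the host, and the host reports a pass as a fail; treat the missing `poweroff` as an error (or give the success path an alternative clean-shutdown method) so the two outcomes stay distinguishable. The three-part condition `UML_MODE` set, equal to 1, and `$$ -eq 1` is the "running as init inside UML" test and is repeated in the following hunk; a small helper such as `_is_uml_init` would document the intent and keep the checks in sync.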
@@ -312,4 +322,71 @@ _softhsm_teardown() {
   rm -rf "${SOFTHSM_SETUP_CONFIGDIR}"
   unset SOFTHSM_SETUP_CONFIGDIR SOFTHSM2_CONF PKCS11_KEYURI \
     EVMCTL_ENGINE OPENSSL_ENGINE OPENSSL_KEYFORM
-}
\ No newline at end of file
+}
+
+# Syntax: _run_user_mode <UML binary> <init> <additional kernel parameters>
+_run_user_mode() {
+  if [ -z "$UML_MODE" ] || [ "$UML_MODE" -ne 1 ]; then
+    return
+  fi
+
+  if [ $$ -eq 1 ]; then
+    return
+  fi
+
+  expect_pass $1 rootfstype=hostfs rw init=$2 quiet mem=256M $3
+}
+
+# Syntax: _exit_user_mode <UML binary>
+_exit_user_mode() {
+  if [ -z "$UML_MODE" ] || [ "$UML_MODE" -ne 1 ]; then
+    return
+  fi
+
+  if [ $$ -eq 1 ]; then
+    return
+  fi
+
+  if [ -f "$1" ]; then
+    exit $OK
+  fi
+}
+
+# Syntax: _init_user_mode
+_init_user_mode() {
+  if [ -z "$UML_MODE" ] || [ "$UML_MODE" -ne 1 ]; then
+    return
+  fi
+
+  if [ $$ -ne 1 ]; then
+    return
+  fi
+
+  mount -t proc proc /proc
+  mount -t sysfs sysfs /sys
+  mount -t securityfs securityfs /sys/kernel/security
+
+  if [ -n "$(which haveged 2> /dev/null)" ]; then
+    $(which haveged) -w 1024 &> /dev/null
+  fi
+
+  pushd $PWD > /dev/null
+}
+
+# Syntax: _cleanup_user_mode <cleanup function>
+_cleanup_user_mode() {
+  if [ -z "$UML_MODE" ] || [ "$UML_MODE" -ne 1 ]; then
+    $1
+    return
+  fi
+
+  if [ $$ -ne 1 ]; then
+    return
+  fi
+
+  $1
+
+  umount /sys/kernel/security
+  umount /sys
+  umount /proc
+}
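Review bot: `_exit_user_mode` only exits when `[ -f "$1" ]` holds, so with UML_MODE=1 and a missing UML binary the script silently continues on the host after `_run_user_mode` has already tried to launch it through expect_pass, meaning tests that assumed a fresh UML environment then run against the host kernel; exit with an error when the binary is missing instead. In `_init_user_mode`, `pushd $PWD > /dev/null` pushes the current directory onto itself and has no matching `popd`; if it works around something (for example the working directory under hostfs) it needs a comment, otherwise drop it. Minor: quote `$1` and `$2` in `_run_user_mode` and `_exit_user_mode`; `$3` is deliberately unquoted so that the kernel parameters split, and a comment saying so would stop someone "fixing" it.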
-- 
2.25.1



* [PATCH ima-evm-utils v2 5/9] Introduce TST_LIST variable to select a test to execute
  2023-01-12 12:24 [PATCH ima-evm-utils v2 0/9] Support testing with UML kernel Roberto Sassu
                   ` (3 preceding siblings ...)
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 4/9] Add support for UML in functions.sh Roberto Sassu
@ 2023-01-12 12:24 ` Roberto Sassu
  2023-01-12 15:07   ` Stefan Berger
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 6/9] Add tests for EVM portable signatures Roberto Sassu
                   ` (4 subsequent siblings)
  9 siblings, 1 reply; 28+ messages in thread
From: Roberto Sassu @ 2023-01-12 12:24 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

From: Roberto Sassu <roberto.sassu@huawei.com>

It might be desirable, due to restrictions in the testing environment, to
execute tests individually. Introduce the TST_LIST variable, which can be
set with the name of the test to execute. If the variable is set,
expect_pass and expect_fail automatically skip the tests when the first
argument of those functions does not match the value of TST_LIST.

TST_LIST can also be used in conjunction with the UML kernel. It is
sufficient to add it to the kernel command line.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 tests/functions.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tests/functions.sh b/tests/functions.sh
index 98829d94fae1..298c30393ce6 100755
--- a/tests/functions.sh
+++ b/tests/functions.sh
@@ -72,6 +72,12 @@ declare -i TNESTED=0 # just for sanity checking
 expect_pass() {
   local -i ret
 
+  if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = $TST_LIST ]; then
+    [ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*"
+    testsskip+=1
+    return $SKIP
+  fi
+
   if [ $TNESTED -gt 0 ]; then
     echo $RED"expect_pass should not be run nested"$NORM
     testsfail+=1
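Review bot: the right-hand `$TST_LIST` in `[ "${TST_LIST/$1/}" = $TST_LIST ]` is unquoted, so a value containing whitespace (which the name TST_LIST invites) makes `[` fail with a syntax error; quote it. The comparison is also a substring match: TST_LIST=check_evm selects every test whose name contains that string, and a test whose name is a prefix of another cannot be selected on its own. A whitespace-separated exact match, e.g. `case " $TST_LIST " in *" $1 "*) ;; *) skip ;; esac`, fixes both and matches the "list" in the variable name.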
@@ -98,6 +104,12 @@ expect_pass() {
 expect_fail() {
   local ret
 
+  if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = $TST_LIST ]; then
+    [ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*"
+    testsskip+=1
+    return $SKIP
+  fi
+
   if [ $TNESTED -gt 0 ]; then
     echo $RED"expect_fail should not be run nested"$NORM
     testsfail+=1
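Review bot: this is the same six-line block as the one added to expect_pass; factor it into a helper such as `_test_selected "$1"` called from both functions, otherwise any later change to the quoting or matching rule has to be made twice.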
-- 
2.25.1



* [PATCH ima-evm-utils v2 6/9] Add tests for EVM portable signatures
  2023-01-12 12:24 [PATCH ima-evm-utils v2 0/9] Support testing with UML kernel Roberto Sassu
                   ` (4 preceding siblings ...)
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 5/9] Introduce TST_LIST variable to select a test to execute Roberto Sassu
@ 2023-01-12 12:24 ` Roberto Sassu
  2023-01-12 15:22   ` Stefan Berger
  2023-01-23 14:40   ` Mimi Zohar
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 7/9] Adapt fsverity.test to work with UML kernel Roberto Sassu
                   ` (3 subsequent siblings)
  9 siblings, 2 replies; 28+ messages in thread
From: Roberto Sassu @ 2023-01-12 12:24 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

From: Roberto Sassu <roberto.sassu@huawei.com>

Verify that operations on files with EVM portable signatures succeed and
that the new kernel patch set does not break the existing kernel integrity
expectations. Build and install mount-idmapped for ci/fedora.sh, to
additionally test idmapped mounts.

To run the tests, pass the path of the kernel private key with the
TST_KEY_PATH environment variable. If not provided, the script searches the
key in /lib/modules/$(uname -r)/source/certs/signing_key.pem and in the
current directory. Root privileges are required to mount the image,
configure IMA/EVM and set xattrs.

Set UML_MODE to 1, to relaunch the script in a new environment after
booting a UML kernel. The UML kernel must be named 'linux' and placed in
the ima-evm-utils directory.

Alternatively, set the TST_EVM_CHANGE_MODE variable to 1, to change the
current EVM mode, if a test needs a different one. Otherwise, execute only
the tests compatible with the current EVM mode.

Also set the EVM_ALLOW_METADATA_WRITES flag in the EVM mode, before
launching the script, to run the check_evm_revalidate() test. Execute:

echo 4 > /sys/kernel/security/evm

The last two environment variables above affect which tests will run the
next time the script is executed. Without setting UML_MODE to 1, changes to
the current EVM mode will be irreversibly done in the host. Next time,
unless the host is rebooted, only tests compatible with the last EVM mode
set will run. The others will be skipped.

With the UML kernel, this problem does not arise as, every time the UML
kernel is executed, it will create a clean environment with no flags set in
the EVM mode.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 build.sh                        |    5 +
 ci/fedora.sh                    |    7 +-
 tests/Makefile.am               |    2 +-
 tests/install-mount-idmapped.sh |    7 +
 tests/portable_signatures.test  | 1173 +++++++++++++++++++++++++++++++
 5 files changed, 1192 insertions(+), 2 deletions(-)
 create mode 100755 tests/install-mount-idmapped.sh
 create mode 100755 tests/portable_signatures.test

diff --git a/build.sh b/build.sh
index 4e2f1bb7353b..0920599b2780 100755
--- a/build.sh
+++ b/build.sh
@@ -114,6 +114,11 @@ if [ $ret -eq 0 ]; then
 		grep "skipped" tests/fsverity.log  && \
 		   grep "skipped" tests/fsverity.log | wc -l
 	fi
+	if [ -f tests/portable_signatures.log ]; then
+		[ -n "$CI" ] && cat tests/portable_signatures.log || tail tests/portable_signatures.log
+		grep "skipped" tests/portable_signatures.log  && \
+		   grep "skipped" tests/portable_signatures.log | wc -l
+	fi
 	exit 0
 fi
 
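Review bot: this block is a verbatim copy of the fsverity.log block right above it, differing only in the log name; rather than adding another copy per test, loop over the log names once, e.g. `for log in fsverity portable_signatures; do ... done`, so the `[ -n "$CI" ] && cat || tail` selection and the `grep "skipped"` reporting are maintained in one place. Note also that `grep "skipped" ... && grep "skipped" ... | wc -l` scans the log twice; if only the count is wanted, `grep -c skipped` does it in one pass.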
diff --git a/ci/fedora.sh b/ci/fedora.sh
index 198034a34e3c..3f75d2e1ddbd 100755
--- a/ci/fedora.sh
+++ b/ci/fedora.sh
@@ -47,7 +47,11 @@ yum -y install \
 	which \
 	zstd \
 	haveged \
-	systemd
+	systemd \
+	keyutils \
+	e2fsprogs \
+	acl \
+	libcap
 
 yum -y install docbook5-style-xsl || true
 yum -y install swtpm || true
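Review bot: the new test also shells out to `getfattr`/`setfattr` and `attr -S -r selinux` (package `attr`) and to `tar --xattrs-include`, none of which appear in the part of the package list shown in this hunk; if they are not already above it, add `attr` and `tar` next to keyutils/acl/libcap, because the test only checks for `evmctl` via `_require` and reports FAIL, not SKIP, when another tool is missing.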
@@ -59,3 +63,4 @@ fi
 yum -y install softhsm || true
 
 ./tests/install-fsverity.sh
+./tests/install-mount-idmapped.sh
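Review bot: the exit status of `./tests/install-mount-idmapped.sh` is not checked, and since that script ends in `rm -rf`, a failed clone or compile returns success and CI silently runs the test without the idmapped-mount case (the test skips that part whenever `$mountpoint_idmapped` is empty). Either mark the installer optional explicitly, as the `|| true` lines above do for swtpm and softhsm, or make it fail loudly so the CI log shows which case was lost.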
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 305082483f36..421fac577b55 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -2,7 +2,7 @@ check_SCRIPTS =
 TESTS = $(check_SCRIPTS)
 
 check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \
-		 fsverity.test
+		 fsverity.test portable_signatures.test
 
 clean-local:
 	-rm -f *.txt *.out *.sig *.sig2
diff --git a/tests/install-mount-idmapped.sh b/tests/install-mount-idmapped.sh
new file mode 100755
index 000000000000..e9768e2fbf7a
--- /dev/null
+++ b/tests/install-mount-idmapped.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+git clone https://github.com/brauner/mount-idmapped.git
+cd mount-idmapped
+gcc -o mount-idmapped mount-idmapped.c
+cd ..
+rm -rf mount-idmapped
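Review bot: `rm -rf mount-idmapped` after `cd ..` deletes the clone together with the binary that was just built into it, so the `$PWD/../mount-idmapped` directory that portable_signatures.test prepends to PATH no longer exists when the test runs; copy the binary out first (e.g. `cp mount-idmapped/mount-idmapped ..`, or install it under a bin directory already on PATH) before removing the clone. Two smaller points: without `set -e`, a failed `git clone` makes `cd mount-idmapped` fail and the script continues in the repository root, still exiting 0; and the clone follows the upstream default branch with no pinned commit, so CI compiles and later executes as root whatever that third-party repository contains on the day, which is worth pinning to a known revision.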
diff --git a/tests/portable_signatures.test b/tests/portable_signatures.test
new file mode 100755
index 000000000000..a6d79c929281
--- /dev/null
+++ b/tests/portable_signatures.test
@@ -0,0 +1,1173 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2022-2023 Roberto Sassu <roberto.sassu@huawei.com>
+#
+# Check if operations on files with EVM portable signatures succeed.
+
+trap cleanup SIGINT SIGTERM SIGSEGV EXIT
+
+# Base VERBOSE on the environment variable, if set.
+VERBOSE="${VERBOSE:-0}"
+TST_EVM_CHANGE_MODE="${TST_EVM_CHANGE_MODE:-0}"
+UML_MODE="${UML_MODE:-0}"
+
+# From security/integrity/evm/evm.h in kernel source directory.
+let "EVM_INIT_HMAC=0x0001"
+let "EVM_INIT_X509=0x0002"
+let "EVM_ALLOW_METADATA_WRITES=0x0004"
+let "EVM_SETUP_COMPLETE=0x80000000"
+
+cd "$(dirname "$0")"
+export PATH=$PWD/../src:$PWD/../mount-idmapped:$PATH
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
+. ./functions.sh
+_require evmctl
+
+_cleanup() {
+	if [ "$loop_mounted" = "1" ]; then
+		popd > /dev/null
+
+		if [ -n "$mountpoint_idmapped" ]; then
+			umount $mountpoint_idmapped
+		fi
+
+		umount $mountpoint
+	fi
+
+	if [ -n "$dev" ]; then
+		losetup -d $dev
+	fi
+
+	if [ -n "$image" ]; then
+		rm -f $image
+	fi
+
+	if [ -n "$key_path_der" ]; then
+		rm -f $key_path_der
+	fi
+
+	if [ -n "$mountpoint" ]; then
+		rm -Rf $mountpoint
+	fi
+
+	if [ -n "$mountpoint_idmapped" ]; then
+		rm -Rf $mountpoint_idmapped
+	fi
+}
+
+cleanup() {
+	_cleanup_user_mode _cleanup
+	_report_exit_and_cleanup
+}
+
+get_xattr() {
+	format="hex"
+
+	if [ "$1" = "security.selinux" ]; then
+		format="text"
+	fi
+
+	getfattr -n $1 -e $format -d $2 2> /dev/null | awk -F "=" '$1 == "'$1'" {if ("'$format'" == "hex") v=substr($2, 3); else { split($2, temp, "\""); v=temp[2] }; print v}'
+}
+
+# Use the fsuuid= IMA policy keyword to select only files created/used by the
+# tests below. Also use fowner= to differentiate between files created/used by
+# individual tests.
+IMA_UUID="28b23254-9467-44c0-b6ba-34b12e85a26d"
+APPRAISE_DIGSIG_FOWNER=2000
+APPRAISE_DIGSIG_RULE="appraise fsuuid=$IMA_UUID fowner=$APPRAISE_DIGSIG_FOWNER appraise_type=imasig"
+MEASURE_FOWNER=2001
+MEASURE_RULE="measure fsuuid=$IMA_UUID fowner=$MEASURE_FOWNER template=ima-sig"
+APPRAISE_FOWNER=2002
+APPRAISE_RULE="appraise fsuuid=$IMA_UUID fowner=$APPRAISE_FOWNER"
+METADATA_CHANGE_FOWNER=3001
+METADATA_CHANGE_FOWNER_2=3002
+
+check_load_ima_rule() {
+	rule_loaded=$(cat /sys/kernel/security/ima/policy | grep "$1")
+	if [ -z "$rule_loaded" ]; then
+		new_policy=$(mktemp -p $mountpoint)
+		echo $1 > $new_policy
+		evmctl sign -o -a sha256 --imasig --key $key_path $new_policy &> /dev/null
+		echo $new_policy > /sys/kernel/security/ima/policy
+		result=$?
+		rm -f $new_policy
+
+		if [ $result -ne 0 ]; then
+			echo "${RED}Failed to set IMA policy${NORM}"
+			return $FAIL
+		fi
+	fi
+
+	return $OK
+}
+
+# The purpose of this test is to verify that the patch 'ima: Allow imasig
+# requirement to be satisfied by EVM portable signatures' didn't break the
+# current behavior (IMA signatures still satisfy the imasig requirement).
+check_ima_sig_appraisal() {
+	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
+
+	if [ $((evm_value & (EVM_INIT_X509 | EVM_INIT_HMAC))) -ne 0 ]; then
+		echo "${CYAN}EVM mode 0 required${NORM}"
+		return $SKIP
+	fi
+
+	echo "test" > test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot write test-file${NORM}"
+		return $FAIL
+	fi
+
+	evmctl ima_sign -a sha256 --key $key_path test-file &> /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot sign test-file${NORM}"
+		return $FAIL
+	fi
+
+	chown $APPRAISE_DIGSIG_FOWNER test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change owner of test-file${NORM}"
+		return $FAIL
+	fi
+
+	check_load_ima_rule "$APPRAISE_DIGSIG_RULE"
+	result=$?
+	if [ $result -ne $OK ]; then
+		return $result
+	fi
+
+	# Check if appraisal works.
+	cat test-file > /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot read test-file${NORM}"
+		return $FAIL
+	fi
+
+	# Ensure that files with IMA signature cannot be updated (immutable).
+	echo "test" 2> /dev/null >> test-file
+	if [ $? -eq 0 ]; then
+		echo "${RED}Write to test-file should not succeed (immutable file)${NORM}"
+		return $FAIL
+	fi
+
+	return $OK
+}
+
+cleanup_ima_sig_appraisal() {
+	rm -f test-file
+}
+
+# Requires:
+# - ima: Don't remove security.ima if file must not be appraised
+#
+# The purpose of this test is to verify that the patch 'ima: Introduce template
+# field evmsig and write to field sig as fallback' still allows IMA signatures
+# to be displayed in the measurement list.
+check_ima_sig_ima_measurement_list() {
+	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
+
+	echo "test" > test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot write test-file${NORM}"
+		return $FAIL
+	fi
+
+	evmctl ima_sign -a sha256 --imasig --key $key_path test-file &> /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot sign test-file${NORM}"
+		return $FAIL
+	fi
+
+	chown $MEASURE_FOWNER test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change owner of test-file${NORM}"
+		return $FAIL
+	fi
+
+	check_load_ima_rule "$MEASURE_RULE"
+	result=$?
+	if [ $result -ne $OK ]; then
+		return $result
+	fi
+
+	# Read the file to add it to the measurement list.
+	cat test-file > /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot read test-file${NORM}"
+		return $FAIL
+	fi
+
+	ima_sig_fs=$(get_xattr security.ima test-file)
+	if [ -z "$ima_sig_fs" ]; then
+		echo "${RED}security.ima not found${NORM}"
+		return $FAIL
+	fi
+
+	# Search security.ima in the measurement list.
+	ima_sig_list=$(cat /sys/kernel/security/ima/ascii_runtime_measurements | awk '$6 == "'$ima_sig_fs'"')
+	if [ -z "$ima_sig_list" ]; then
+		echo "${RED}security.ima mismatch (xattr != measurement list)${NORM}"
+		return $FAIL
+	fi
+
+	return $OK
+}
+
+cleanup_ima_sig_ima_measurement_list() {
+	rm -f test-file
+}
+
+# Requires:
+# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
+#
+# The purpose of this test is to verify that new files can be created when EVM
+# is initialized only with a public key.
+check_create_file() {
+	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
+
+	# To trigger the bug we need to enable public key verification without HMAC key loaded.
+	if [ $((evm_value & $EVM_INIT_X509)) -ne $EVM_INIT_X509 ]; then
+		echo "${CYAN}EVM mode $EVM_INIT_X509 required${NORM}"
+		return $SKIP
+	fi
+
+	if [ $((evm_value & $EVM_INIT_HMAC)) -eq $EVM_INIT_HMAC ]; then
+		echo "${CYAN}EVM mode $EVM_INIT_HMAC must be disabled${NORM}"
+		return $SKIP
+	fi
+
+	echo "test" > test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot write test-file${NORM}"
+		return $FAIL
+	fi
+
+	return $OK
+}
+
+cleanup_create_file() {
+	rm -f test-file
+}
+
+# Requires:
+# - evm: Introduce evm_hmac_disabled() to safely ignore verification errors
+# - evm: Allow xattr/attr operations for portable signatures
+# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
+#
+# The purpose of this test is to verify that EVM with the patches above allows
+# metadata to copied one by one, even if the portable signature verification
+# temporarily fails until the copy is completed.
+check_cp_preserve_xattrs() {
+	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
+
+	if [ $evm_value -ne $EVM_INIT_X509 ]; then
+		echo "${CYAN}EVM mode $EVM_INIT_X509 required${NORM}"
+		return $SKIP
+	fi
+
+	echo "test" > test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot write test-file${NORM}"
+		return $FAIL
+	fi
+
+	evmctl sign -o -a sha256 --imahash --key $key_path test-file &> /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot sign test-file${NORM}"
+		return $FAIL
+	fi
+
+	# Check if cp is allowed to set metadata for the new file.
+	cp -a test-file test-file.copy
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot copy test-file with attrs/xattrs preserved${NORM}"
+		return $FAIL
+	fi
+
+	return $OK
+}
+
+cleanup_cp_preserve_xattrs() {
+	rm -f test-file test-file.copy
+}
+
+# Requires:
+# - evm: Introduce evm_hmac_disabled() to safely ignore verification errors
+# - evm: Allow xattr/attr operations for portable signatures
+# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
+# - ima: Don't remove security.ima if file must not be appraised
+#
+# The purpose of this test is similar to that of the previous test, with the
+# difference that tar is used instead of cp. One remark is that the owner is
+# intentionally different (or it should be) from the current owner, to
+# incrementally test the patches without 'evm: Allow setxattr() and setattr()
+# for unmodified metadata'.
+check_tar_extract_xattrs_different_owner() {
+	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
+
+	if [ $evm_value -ne $EVM_INIT_X509 ]; then
+		echo "${CYAN}EVM mode $EVM_INIT_X509 required${NORM}"
+		return $SKIP
+	fi
+
+	mkdir in out
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot create directories${NORM}"
+		return $FAIL
+	fi
+
+	echo "test" > in/test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot write test-file${NORM}"
+		return $FAIL
+	fi
+
+	chown 3000 in/test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change owner of test-file${NORM}"
+		return $FAIL
+	fi
+
+	chmod 600 in/test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change mode of test-file${NORM}"
+		return $FAIL
+	fi
+
+	evmctl sign -o -a sha256 --imahash --key $key_path in/test-file &> /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot sign test-file${NORM}"
+		return $FAIL
+	fi
+
+	tar --xattrs-include=* -cf test-archive.tar in/test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot create archive with xattrs${NORM}"
+		return $FAIL
+	fi
+
+	# Check if tar is allowed to set metadata for the extracted file.
+	# Ensure that the owner from the archive is different from the
+	# owner of the extracted file to avoid that portable signature
+	# verification succeeds before restoring original metadata
+	# (a patch allows modification of immutable metadata if portable
+	# signature verification fails).
+	tar --xattrs-include=* -xf test-archive.tar -C out
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot extract archive with xattrs${NORM}"
+		return $FAIL
+	fi
+
+	return $OK
+}
+
+cleanup_tar_extract_xattrs_different_owner() {
+	rm -Rf in out test-archive.tar
+}
+
+# Requires:
+# - evm: Introduce evm_hmac_disabled() to safely ignore verification errors
+# - evm: Allow xattr/attr operations for portable signatures
+# - evm: Pass user namespace to set/remove xattr hooks
+# - evm: Allow setxattr() and setattr() for unmodified metadata
+# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
+# - ima: Don't remove security.ima if file must not be appraised
+#
+# The purpose of this test is similar to that of the previous two tests. The
+# difference is that tar is used instead of cp, and the extracted files have
+# the same owner as the current one. Thus, this test requires 'evm: Allow
+# setxattr() and setattr() for unmodified metadata'.
+check_tar_extract_xattrs_same_owner() {
+	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
+
+	if [ $evm_value -ne $EVM_INIT_X509 ]; then
+		echo "${CYAN}EVM mode $EVM_INIT_X509 required${NORM}"
+		return $SKIP
+	fi
+
+	mkdir in out
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot create directories${NORM}"
+		return $FAIL
+	fi
+
+	echo "test" > in/test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot write test-file${NORM}"
+		return $FAIL
+	fi
+
+	evmctl sign -o -a sha256 --imahash --key $key_path in/test-file &> /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot sign test-file${NORM}"
+		return $FAIL
+	fi
+
+	tar --xattrs-include=* -cf test-archive.tar in/test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot create archive with xattrs${NORM}"
+		return $FAIL
+	fi
+
+	# Check if tar is allowed to set metadata for the extracted file.
+	# This test is different from the previous one, as the owner
+	# from the archive is the same of the owner of the extracted
+	# file. tar will attempt anyway to restore the original owner but
+	# unlike the previous test, portable signature verification already
+	# succeeds at the time the owner is set (another patch allows
+	# metadata operations if those operations don't modify current
+	# values).
+	tar --xattrs-include=* -xf test-archive.tar -C out
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot extract archive with xattrs${NORM}"
+		return $FAIL
+	fi
+
+	return $OK
+}
+
+cleanup_tar_extract_xattrs_same_owner() {
+	rm -Rf in out test-archive.tar
+}
+
+# Requires:
+# - evm: Introduce evm_hmac_disabled() to safely ignore verification errors
+# - evm: Allow xattr/attr operations for portable signatures
+# - evm: Pass user namespace to set/remove xattr hooks
+# - evm: Allow setxattr() and setattr() for unmodified metadata
+# - ima: Don't remove security.ima if file must not be appraised
+# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
+#
+# The purpose of this test is to further verify the patches above, by executing
+# commands to set the same or different metadata. Setting the same metadata
+# should be allowed, setting different metadata should be denied.
+check_metadata_change() {
+	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
+
+	if [ $evm_value -ne $EVM_INIT_X509 ]; then
+		echo "${CYAN}EVM mode $EVM_INIT_X509 required${NORM}"
+		return $SKIP
+	fi
+
+	echo "test" > test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot write test-file${NORM}"
+		return $FAIL
+	fi
+
+	chown $METADATA_CHANGE_FOWNER test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change owner of test-file${NORM}"
+		return $FAIL
+	fi
+
+	chgrp $METADATA_CHANGE_FOWNER test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change group of test-file${NORM}"
+		return $FAIL
+	fi
+
+	chmod 2644 test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change mode of test-file${NORM}"
+		return $FAIL
+	fi
+
+	evmctl sign -o -a sha256 --imahash --key $key_path test-file &> /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot sign test-file${NORM}"
+		return $FAIL
+	fi
+
+	# If metadata modification is not allowed, EVM should deny any
+	# operation that modifies metadata. Check if setting the same
+	# value is allowed.
+	chown $METADATA_CHANGE_FOWNER test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot set same owner for test-file${NORM}"
+		return $FAIL
+	fi
+
+	# Setting a different value should not be allowed.
+	chown $METADATA_CHANGE_FOWNER_2 test-file 2> /dev/null
+	if [ $? -eq 0 ]; then
+		echo "${RED}Owner change for test-file should not be allowed (immutable metadata)${NORM}"
+		return $FAIL
+	fi
+
+	# Repeat the test for the file mode.
+	chmod 2644 test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot set same mode for test-file${NORM}"
+		return $FAIL
+	fi
+
+	chmod 2666 test-file 2> /dev/null
+	if [ $? -eq 0 ]; then
+		echo "${RED}Mode change for test-file should not be allowed (immutable metadata)${NORM}"
+		return $FAIL
+	fi
+
+	if [ -n "$(which chcon 2> /dev/null)" ] && [ -n "$(which getenforce 2> /dev/null)" ] && [ "$(getenforce 2> /dev/null)" != "Disabled" ]; then
+		# Repeat the test for the SELinux label.
+		label=$(get_xattr security.selinux test-file)
+
+		if [ -n "$label" ]; then
+			chcon $label test-file
+			if [ $? -ne 0 ]; then
+				echo "${RED}Cannot set same security.selinux for test-file${NORM}"
+				return $FAIL
+			fi
+		fi
+
+		chcon unconfined_u:object_r:null_device_t:s0 test-file 2> /dev/null
+		if [ $? -eq 0 ]; then
+			echo "${RED}security.selinux change for test file should not be allowed (immutable metadata)${NORM}"
+			return $FAIL
+		fi
+	fi
+
+	# Repeat the test for the IMA signature.
+	ima_xattr=$(get_xattr security.ima test-file)
+	if [ -z "$ima_xattr" ]; then
+		echo "${RED}security.ima not found${NORM}"
+		return $FAIL
+	fi
+
+	setfattr -n security.ima -v 0x$ima_xattr test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot set same security.ima for test-file${NORM}"
+		return $FAIL
+	fi
+
+	last_char=${ima_xattr: -1}
+	((last_char += 1))
+	((last_char %= 10))
+	ima_xattr=${ima_xattr:0:-1}$last_char
+
+	setfattr -n security.ima -v 0x$ima_xattr test-file 2> /dev/null
+	if [ $? -eq 0 ]; then
+		echo "${RED}Change of security.ima for test-file should not be allowed (immutable metadata)${NORM}"
+		return $FAIL
+	fi
+
+	# Repeat the test for ACLs.
+	msg=$(exec 2>&1 && setfacl --set u::rw,g::r,o::r,m:r test-file)
+	if [ $? -ne 0 ]; then
+		if [ "${msg%not supported}" != "$msg" ]; then
+			return $OK
+		fi
+
+		echo "${RED}Cannot preserve system.posix_acl_access for test-file${NORM}"
+		return $FAIL
+	fi
+
+	setfacl --set u::rw,g::r,o::r,m:rw test-file 2> /dev/null
+	if [ $? -eq 0 ]; then
+		echo "${RED}Change of system.posix_acl_access for test-file should not be allowed (immutable metadata)${NORM}"
+		return $FAIL
+	fi
+
+	if [ -n "$mountpoint_idmapped" ]; then
+		pushd $mountpoint_idmapped > /dev/null
+
+		# Repeat the test for ACLs on an idmapped mount.
+		#
+		# This test relies on the fact that the caller of this script (root) is in
+		# the same owning group of test-file (in the idmapped mount the group is
+		# root, not $METADATA_CHANGE_FOWNER and, for this reason, the S_ISGID bit
+		# is not cleared. If EVM was not aware of the mapping, it would have
+		# determined that root is not in the owning group of test-file and given
+		# that also CAP_FSETID is cleared, the S_ISGID bit would have been cleared
+		# and thus the operation would fail (file metadata changed).
+		capsh --drop='cap_fsetid' -- -c 'setfacl --set u::rw,g::r,o::r test-file'
+		if [ $? -ne 0 ]; then
+			echo "${RED}Cannot preserve system.posix_acl_access for test-file${NORM}"
+			popd
+			return $FAIL
+		fi
+
+		popd > /dev/null
+	fi
+
+	return $OK
+}
+
+cleanup_metadata_change() {
+	rm -f test-file
+}
+
+# Requires:
+# - evm: Introduce evm_revalidate_status()
+# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
+#
+# Note:
+# This test can be run if EVM_ALLOW_METADATA_WRITES is set in advance
+# before running this script. If it is not set before, this script sets
+# EVM_SETUP_COMPLETE, disabling further EVM mode modifications until reboot.
+#
+# Without EVM_ALLOW_METADATA_WRITES, EVM_SETUP_COMPLETE is necessary to ignore
+# the INTEGRITY_NOLABEL and INTEGRITY_NOXATTRS errors.
+#
+# The purpose of this test is to verify that IMA detected a metadata change
+# when EVM_ALLOW_METADATA_WRITES is set (metadata operations are always
+# allowed). After the first successful appraisal, the test intentionally changes
+# metadata and verifies that IMA revoked access to the file. The test also
+# verifies that IMA grants access again to the file after restoring the correct
+# metadata.
+check_evm_revalidate() {
+	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
+
+	if [ $evm_value -ne $(($EVM_INIT_X509 | $EVM_ALLOW_METADATA_WRITES)) ]; then
+		echo "${CYAN}EVM mode $(($EVM_INIT_X509 | $EVM_ALLOW_METADATA_WRITES)) required, execute echo 4 > /sys/kernel/security/evm before running this test${NORM}"
+		return $SKIP
+	fi
+
+	echo "test" > test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot write test-file${NORM}"
+		return $FAIL
+	fi
+
+	chmod 600 test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change mode of test-file${NORM}"
+		return $FAIL
+	fi
+
+	# We need to defer setting the correct owner, as there could be
+	# already an IMA policy rule preventing evmctl from reading the
+	# file to calculate the digest.
+	evmctl sign -o -a sha256 --imahash --uid $APPRAISE_FOWNER --key $key_path test-file &> /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot sign test-file${NORM}"
+		return $FAIL
+	fi
+
+	chown $APPRAISE_FOWNER test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change owner of test-file${NORM}"
+		return $FAIL
+	fi
+
+	check_load_ima_rule "$APPRAISE_RULE"
+	result=$?
+	if [ $result -ne $OK ]; then
+		return $result
+	fi
+
+	# Read the file so that IMA would not re-appraise it next time.
+	cat test-file &> /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot read test-file${NORM}"
+		return $FAIL
+	fi
+
+	# After enabling metadata modification, operations should succeed even
+	# if the file has a portable signature. However, the previously cached
+	# appraisal status should be invalidated.
+	chmod 644 test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change mode of test-file${NORM}"
+		return $FAIL
+	fi
+
+	# Here check if IMA re-appraised the file. The read should fail
+	# since now file metadata is invalid.
+	cat test-file &> /dev/null
+	if [ $? -eq 0 ]; then
+		echo "${RED}Read of test-file should not succeed (invalid mode)${NORM}"
+		return $FAIL
+	fi
+
+	# Restore metadata back to the original value.
+	chmod 600 test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot restore original mode of test-file${NORM}"
+		return $FAIL
+	fi
+
+	# Ensure that now IMA appraisal succeeds.
+	cat test-file > /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot read test-file after restoring correct mode${NORM}"
+		return $FAIL
+	fi
+
+	if [ -n "$(which chcon 2> /dev/null)" ] && [ -n "$(which getenforce 2> /dev/null)" ] && [ "$(getenforce 2> /dev/null)" != "Disabled" ]; then
+		# Repeat the test for the SELinux label.
+		label=$(get_xattr security.selinux test-file)
+
+		chcon unconfined_u:object_r:null_device_t:s0 test-file
+		if [ $? -ne 0 ]; then
+			echo "${RED}Cannot change security.selinux of test-file${NORM}"
+			return $FAIL
+		fi
+
+		cat test-file &> /dev/null
+		if [ $? -eq 0 ]; then
+			echo "${RED}Read of test-file should not succeed (invalid security.selinux)${NORM}"
+			return $FAIL
+		fi
+
+		if [ -n "$label" ]; then
+			chcon $label test-file
+			if [ $? -ne 0 ]; then
+				echo "${RED}Cannot restore original security.selinux of test-file${NORM}"
+				return $FAIL
+			fi
+		else
+			attr -S -r selinux test-file
+		fi
+
+		cat test-file > /dev/null
+		if [ $? -ne 0 ]; then
+			echo "${RED}Cannot read test-file after restoring correct security.selinux${NORM}"
+			return $FAIL
+		fi
+	fi
+
+	# Repeat the test for the IMA signature.
+	ima_xattr=$(get_xattr security.ima test-file)
+	if [ -z "$ima_xattr" ]; then
+		echo "${RED}security.ima not found${NORM}"
+		return $FAIL
+	fi
+
+	last_char=${ima_xattr: -1}
+	((last_char += 1))
+	((last_char %= 10))
+	ima_xattr_new=${ima_xattr:0:-1}$last_char
+
+	setfattr -n security.ima -v 0x$ima_xattr_new test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot set security.ima of test-file${NORM}"
+		return $FAIL
+	fi
+
+	cat test-file &> /dev/null
+	if [ $? -eq 0 ]; then
+		echo "${RED}Read of test-file should not succeed (invalid security.ima)${NORM}"
+		return $FAIL
+	fi
+
+	setfattr -n security.ima -v 0x$ima_xattr test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot restore original security.ima of test-file${NORM}"
+		return $FAIL
+	fi
+
+	cat test-file > /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot read test-file after restoring correct security.ima${NORM}"
+		return $FAIL
+	fi
+
+	# Repeat the test for the EVM signature.
+	evm_xattr=$(get_xattr security.evm test-file)
+	if [ -z "$evm_xattr" ]; then
+		echo "${RED}security.evm not found${NORM}"
+		return $FAIL
+	fi
+
+	last_char=${evm_xattr: -1}
+	((last_char += 1))
+	((last_char %= 10))
+	evm_xattr_new=${evm_xattr:0:-1}$last_char
+
+	setfattr -n security.evm -v 0x$evm_xattr_new test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot set security.evm of test-file${NORM}"
+		return $FAIL
+	fi
+
+	cat test-file &> /dev/null
+	if [ $? -eq 0 ]; then
+		echo "${RED}Read of test-file should not succeed (invalid security.evm)${NORM}"
+		return $FAIL
+	fi
+
+	setfattr -n security.evm -v 0x$evm_xattr test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot restore original security.evm of test-file${NORM}"
+		return $FAIL
+	fi
+
+	cat test-file > /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot read test-file after restoring correct security.evm${NORM}"
+		return $FAIL
+	fi
+
+	# Repeat the test for ACLs.
+	setfacl -m u::rwx test-file 2> /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change system.posix_acl_access${NORM}"
+		return $FAIL
+	fi
+
+	cat test-file &> /dev/null
+	if [ $? -eq 0 ]; then
+		echo "${RED}Read of test-file should not succeed (invalid system.posix_acl_access)${NORM}"
+		return $FAIL
+	fi
+
+	setfacl -m u::rw test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot restore original system.posix_acl_access for test-file${NORM}"
+		return $FAIL
+	fi
+
+	cat test-file > /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot read test-file after restoring correct system.posix_acl_access${NORM}"
+		return $FAIL
+	fi
+
+	return $OK
+}
+
+cleanup_evm_revalidate() {
+	rm -f test-file
+}
+
+# Requires:
+# - evm: Introduce evm_hmac_disabled() to safely ignore verification errors
+# - evm: Introduce evm_revalidate_status()
+# - ima: Allow imasig requirement to be satisfied by EVM portable signatures
+# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
+#
+# The purpose of this test is to verify that IMA manages files with an EVM
+# portable signature similarly to those with an IMA signature: content can be
+# written to new files after adding the signature and files can be accessed
+# when the imasig requirement is specified in the IMA policy.
+check_evm_portable_sig_ima_appraisal() {
+	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
+
+	if [ $((evm_value & EVM_INIT_X509)) -ne $EVM_INIT_X509 ]; then
+		echo "${CYAN}EVM flag $EVM_INIT_X509 required${NORM}"
+		return $SKIP
+	fi
+
+	echo "test" > test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot write test-file${NORM}"
+		return $FAIL
+	fi
+
+	chmod 600 test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change mode of test-file${NORM}"
+		return $FAIL
+	fi
+
+	# We need to defer setting the correct owner, as there could be
+	# already an IMA policy rule preventing evmctl from reading the
+	# file to calculate the digest.
+	evmctl sign -o -a sha256 --imahash --uid $APPRAISE_DIGSIG_FOWNER --key $key_path test-file &> /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot sign test-file${NORM}"
+		return $FAIL
+	fi
+
+	chown $APPRAISE_DIGSIG_FOWNER test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change owner of test-file${NORM}"
+		return $FAIL
+	fi
+
+	check_load_ima_rule "$APPRAISE_DIGSIG_RULE"
+	result=$?
+	if [ $result -ne $OK ]; then
+		return $result
+	fi
+
+	# Ensure that a file with a portable signature satisfies the
+	# appraise_type=imasig requirement specified in the IMA policy.
+	cat test-file > /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot read test-file${NORM}"
+		return $FAIL
+	fi
+
+	# Even files with a portable signature should be considered as
+	# immutable by IMA. Write should fail.
+	echo "test" 2> /dev/null >> test-file
+	if [ $? -eq 0 ]; then
+		echo "${RED}Write to test-file should not succeed (immutable metadata)${NORM}"
+		return $FAIL
+	fi
+
+	tar --xattrs-include=* -cf test-archive.tar test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot create archive with xattrs${NORM}"
+		return $FAIL
+	fi
+
+	mkdir out
+
+	# Appraisal of the new file, extracted by tar, should succeed
+	# not only if the new file has an IMA signature but also if
+	# it has a portable signature.
+	tar --xattrs-include=* -xf test-archive.tar -C out
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot extract archive with xattrs${NORM}"
+		return $FAIL
+	fi
+
+	# Check if xattrs have been correctly set.
+	xattr_orig=$(get_xattr security.selinux test-file)
+	xattr=$(get_xattr security.selinux out/test-file)
+	if [ "$xattr" != "$xattr_orig" ]; then
+		echo "${RED}security.selinux mismatch between original and extracted file${NORM}"
+		return $FAIL
+	fi
+
+	xattr_orig=$(get_xattr security.ima test-file)
+	xattr=$(get_xattr security.ima out/test-file)
+	if [ "$xattr" != "$xattr_orig" ]; then
+		echo "${RED}security.ima mismatch between original and extracted file${NORM}"
+		return $FAIL
+	fi
+
+	xattr_orig=$(get_xattr security.evm test-file)
+	xattr=$(get_xattr security.evm out/test-file)
+	if [ "$xattr" != "$xattr_orig" ]; then
+		echo "${RED}security.evm mismatch between original and extracted file${NORM}"
+		return $FAIL
+	fi
+
+	# Check if attrs have been correctly set.
+	owner=$(stat -c "%u" out/test-file)
+	if [ "$owner" != "$APPRAISE_DIGSIG_FOWNER" ]; then
+		echo "${RED}owner mismatch between original and extracted file${NORM}"
+		return $FAIL
+	fi
+
+	mode=$(stat -c "%a" out/test-file)
+	if [ "$mode" != "600" ]; then
+		echo "${RED}mode mismatch between original and extracted file${NORM}"
+		return $FAIL
+	fi
+
+	return $OK
+}
+
+cleanup_evm_portable_sig_ima_appraisal() {
+	rm -f test-file test-archive.tar
+	rm -Rf out
+}
+
+# Requires:
+# - ima: Introduce template field evmsig and write to field sig as fallback
+# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
+# - ima: Don't remove security.ima if file must not be appraised
+#
+# The purpose of this test is to verify that the EVM portable signature is
+# displayed in the measurement list.
+check_evm_portable_sig_ima_measurement_list() {
+	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
+
+	echo "test" > test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot write test-file${NORM}"
+		return $FAIL
+	fi
+
+	chown $MEASURE_FOWNER test-file
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot change owner of test-file${NORM}"
+		return $FAIL
+	fi
+
+	evmctl sign -o -a sha256 --imahash --key $key_path test-file &> /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot sign test-file${NORM}"
+		return $FAIL
+	fi
+
+	check_load_ima_rule "$MEASURE_RULE"
+	result=$?
+	if [ $result -ne $OK ]; then
+		return $result
+	fi
+
+	# Invalidate previous measurement to add new entry
+	touch test-file
+
+	# Read the file to add it to the measurement list.
+	cat test-file > /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Cannot read test-file${NORM}"
+		return $FAIL
+	fi
+
+	evm_sig_fs=$(get_xattr security.evm test-file)
+	if [ -z "$evm_sig_fs" ]; then
+		echo "${RED}security.evm not found${NORM}"
+		return $FAIL
+	fi
+
+	# Search security.evm in the measurement list.
+	evm_sig_list=$(cat /sys/kernel/security/ima/ascii_runtime_measurements | awk '$6 == "'$evm_sig_fs'"')
+	if [ -z "$evm_sig_list" ]; then
+		echo "${RED}security.evm mismatch (xattr != measurement list)${NORM}"
+		return $FAIL
+	fi
+
+	return $OK
+}
+
+cleanup_evm_portable_sig_ima_measurement_list() {
+	rm -f test-file
+}
+
+# Run in User Mode Linux.
+_run_user_mode ../linux $PWD/$(basename $0) "UML_MODE=$UML_MODE PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_EVM_CHANGE_MODE=$TST_EVM_CHANGE_MODE TST_KEY_PATH=$TST_KEY_PATH"
+
+# Run in User Mode Linux (skipped test).
+_run_user_mode ../linux $PWD/$(basename $0) "UML_MODE=$UML_MODE PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_EVM_CHANGE_MODE=$TST_EVM_CHANGE_MODE TST_KEY_PATH=$TST_KEY_PATH TST_LIST=check_evm_revalidate"
+
+# Exit from the parent if UML was used.
+_exit_user_mode ../linux
+
+# Mount filesystems in UML environment.
+_init_user_mode
+
+mountpoint=$(mktemp -d)
+image=$(mktemp)
+
+if [ -z "$mountpoint" ]; then
+	echo "${RED}Mountpoint directory not created${NORM}"
+	exit $FAIL
+fi
+
+if [ $(whoami) != "root" ]; then
+	echo "${CYAN}This script must be executed as root${NORM}"
+	exit $SKIP
+fi
+
+key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
+if [ -f "$PWD/../signing_key.pem" ]; then
+	key_path=$PWD/../signing_key.pem
+fi
+
+if [ -n "$TST_KEY_PATH" ]; then
+	key_path=$TST_KEY_PATH
+fi
+
+if [ ${key_path:0:1} != "/" ]; then
+	echo "${RED}Absolute path required for the signing key${NORM}"
+	exit $FAIL
+fi
+
+key_path_der=$(mktemp)
+
+if [ ! -f $key_path ]; then
+	echo "${CYAN}Kernel signing key not found in $key_path${NORM}"
+	exit $SKIP
+fi
+
+if [ ! -f "/sys/kernel/security/evm" ]; then
+	echo "${CYAN}EVM support in the kernel disabled${NORM}"
+	exit $SKIP
+fi
+
+# Assume that the EVM mode can be changed in a UML kernel
+if [ -f $PWD/../linux ]; then
+	TST_EVM_CHANGE_MODE=1
+fi
+
+evm_value=$(cat /sys/kernel/security/evm)
+
+openssl x509 -in $key_path -out $key_path_der -outform der
+cat $key_path_der | keyctl padd asymmetric pubkey %keyring:.ima &> /dev/null
+if [ $? -ne 0 ]; then
+	echo "${RED}Public key cannot be added to the IMA keyring${NORM}"
+	exit $FAIL
+fi
+
+dd if=/dev/zero of=$image bs=1M count=20 &> /dev/null
+if [ $? -ne 0 ]; then
+	echo "${RED}Cannot create test image${NORM}"
+	exit $FAIL
+fi
+
+dev=$(losetup -f $image --show)
+if [ -z "$dev" ]; then
+	echo "${RED}Cannot create loop device${NORM}"
+	exit $FAIL
+fi
+
+mkfs.ext4 -U $IMA_UUID -b 4096 $dev &> /dev/null
+if [ $? -ne 0 ]; then
+	echo "${RED}Cannot format $dev${NORM}"
+	exit $FAIL
+fi
+
+mount -o i_version $dev $mountpoint
+if [ $? -ne 0 ]; then
+	echo "${RED}Cannot mount loop device${NORM}"
+	exit $FAIL
+fi
+
+if [ -n "$(which mount-idmapped 2> /dev/null)" ]; then
+	mountpoint_idmapped=$(mktemp -d)
+	mount-idmapped --map-mount b:$METADATA_CHANGE_FOWNER:0:1 $mountpoint $mountpoint_idmapped
+	if [ $? -ne 0 ]; then
+		echo "${RED}mount-idmapped failed${NORM}"
+		exit $FAIL
+	fi
+fi
+
+loop_mounted=1
+pushd $mountpoint > /dev/null
+
+expect_pass check_ima_sig_appraisal
+cleanup_ima_sig_appraisal
+expect_pass check_ima_sig_ima_measurement_list
+cleanup_ima_sig_ima_measurement_list
+
+if [ $(echo -e "$(uname -r)\n5.12" | sort -V | head -n 1) != "5.12" ]; then
+	exit $OK
+fi
+
+if [ $((evm_value & EVM_INIT_X509)) -ne $EVM_INIT_X509 ] && [ "$TST_EVM_CHANGE_MODE" -eq 1 ]; then
+	cat $key_path_der | keyctl padd asymmetric pubkey %keyring:.evm &> /dev/null
+	if [ $? -ne 0 ]; then
+		echo "${RED}Public key cannot be added to the EVM keyring${NORM}"
+		exit $FAIL
+	fi
+
+	echo $EVM_INIT_X509 > /sys/kernel/security/evm 2> /dev/null
+fi
+
+if [ $(expr index "$TST_LIST" "check_evm_revalidate") -gt 0 ] && [ "$TST_EVM_CHANGE_MODE" -eq 1 ]; then
+	echo $EVM_ALLOW_METADATA_WRITES > /sys/kernel/security/evm 2> /dev/null
+fi
+
+# We cannot determine from securityfs if EVM_SETUP_COMPLETE is set, so we set it unless EVM_ALLOW_METADATA_WRITES is set.
+if [ $((evm_value & EVM_ALLOW_METADATA_WRITES)) -ne $EVM_ALLOW_METADATA_WRITES ] && [ "$TST_EVM_CHANGE_MODE" -eq 1 ]; then
+	echo $EVM_SETUP_COMPLETE > /sys/kernel/security/evm 2> /dev/null
+fi
+
+evm_value=$(cat /sys/kernel/security/evm)
+
+expect_pass check_create_file
+cleanup_create_file
+expect_pass check_cp_preserve_xattrs
+cleanup_cp_preserve_xattrs
+expect_pass check_tar_extract_xattrs_different_owner
+cleanup_tar_extract_xattrs_different_owner
+expect_pass check_tar_extract_xattrs_same_owner
+cleanup_tar_extract_xattrs_same_owner
+expect_pass check_metadata_change
+cleanup_metadata_change
+expect_pass check_evm_revalidate
+cleanup_evm_revalidate
+expect_pass check_evm_portable_sig_ima_appraisal
+cleanup_evm_portable_sig_ima_appraisal
+expect_pass check_evm_portable_sig_ima_measurement_list
+cleanup_evm_portable_sig_ima_measurement_list
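Review bot: the `expr index "$TST_LIST" "check_evm_revalidate"` test in the TST_EVM_CHANGE_MODE block near the end of this hunk is not a substring match: `expr index` returns the position of the first character of its first argument that also occurs anywhere in the second, so any TST_LIST value sharing a letter with "check_evm_revalidate" (for example `check_create_file`) satisfies `-gt 0` and EVM_ALLOW_METADATA_WRITES is written for the wrong test. A real substring check, e.g. `case "$TST_LIST" in *check_evm_revalidate*) ... ;; esac`, expresses the intent. Two smaller points in the same hunk: `awk '$6 == "'$evm_sig_fs'"'` splices a shell variable into the awk program text, where `awk -v sig="$evm_sig_fs" '$6 == sig' /sys/kernel/security/ima/ascii_runtime_measurements` avoids both that and the `cat` pipe; and the `openssl x509 -in $key_path -out $key_path_der -outform der` conversion is unchecked before its output is fed to `keyctl padd`, so a conversion failure is misreported as "Public key cannot be added to the IMA keyring".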
-- 
2.25.1


* [PATCH ima-evm-utils v2 7/9] Adapt fsverity.test to work with UML kernel
From: Roberto Sassu @ 2023-01-12 12:24 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

From: Roberto Sassu <roberto.sassu@huawei.com>

Adapt fsverity.test by adding calls to the UML kernel API in functions.sh.
If the UML_MODE environment variable is set to 1, run first the UML kernel
specified as first argument of _run_user_mode() and execute the tests in
the new environment. Otherwise, keep the current behavior.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 tests/fsverity.test | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/tests/fsverity.test b/tests/fsverity.test
index 549c42a32608..84312aa08a30 100755
--- a/tests/fsverity.test
+++ b/tests/fsverity.test
@@ -49,7 +49,7 @@ _require dd mkfs blkid e2fsck tune2fs evmctl setfattr
 
 trap cleanup SIGINT SIGTERM EXIT
 
-cleanup() {
+_cleanup() {
         if [ -e $TST_MNT ]; then
 		if [ $LOOPBACK_MOUNTED -eq 1 ]; then
 			umount $TST_MNT
@@ -61,6 +61,11 @@ cleanup() {
 	_report_exit_and_cleanup
 }
 
+cleanup() {
+	_cleanup_user_mode _cleanup
+	_report_exit_and_cleanup
+}
+
 # Loopback mount a file
 mount_loopback_file() {
 	local ret
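Review bot: `_cleanup()` still ends with `_report_exit_and_cleanup` (the unchanged context line just above its closing brace in this hunk), and the new `cleanup()` calls `_report_exit_and_cleanup` a second time after `_cleanup_user_mode _cleanup`. Because `_report_exit_and_cleanup` exits (or powers off the UML instance), the first call never returns: on the host the second call is dead code, and inside UML the `umount` calls that `_cleanup_user_mode` performs after running its argument are never reached. Dropping `_report_exit_and_cleanup` from `_cleanup()` matches the template in the 4/9 commit message, where `_cleanup()` holds only the test cleanup.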
@@ -309,6 +314,15 @@ measure-ima() {
 	return "$error"
 }
 
+# Run in User Mode Linux.
+_run_user_mode ../linux $PWD/$(basename $0) "UML_MODE=$UML_MODE PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE"
+
+# Exit from the parent if UML was used.
+_exit_user_mode ../linux
+
+# Mount filesystems in UML environment.
+_init_user_mode
+
 # Dependency on being able to read and write the IMA policy file.
 # Requires both CONFIG_IMA_WRITE_POLICY, CONFIG_IMA_READ_POLICY be
 # enabled.
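Review bot: the `_run_user_mode` parameter string forwards only UML_MODE, PATH, LD_LIBRARY_PATH and VERBOSE into the UML environment, so a TST_LIST set on the host (the selection mechanism introduced in 5/9) is no longer visible once fsverity.test re-executes itself as init; portable_signatures.test sidesteps this by spelling out `TST_LIST=check_evm_revalidate` in its second `_run_user_mode` call. Appending `TST_LIST=$TST_LIST` here (and to the generic call in portable_signatures.test) lets a host-side selection apply inside UML as well.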
-- 
2.25.1


* [PATCH ima-evm-utils v2 8/9] Use in-place built fsverity binary instead of installing it
From: Roberto Sassu @ 2023-01-12 12:24 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

From: Roberto Sassu <roberto.sassu@huawei.com>

Instead of making changes to the system, use in-place built fsverity binary
by adding ../fsverity-utils to the PATH variable, so that the binary can be
found with the 'which' command.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 tests/fsverity.test       | 2 +-
 tests/install-fsverity.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/fsverity.test b/tests/fsverity.test
index 84312aa08a30..e05978be7ea6 100755
--- a/tests/fsverity.test
+++ b/tests/fsverity.test
@@ -30,7 +30,7 @@
 # custom policy rules might take precedence.
 
 cd "$(dirname "$0")" || exit 1
-PATH=../src:$PATH
+PATH=../src:../fsverity-utils:$PATH
 source ./functions.sh
 
 # Base VERBOSE on the environment variable, if set.
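Review bot: the new `../fsverity-utils` PATH entry deserves a comment: the script now depends on a `fsverity` binary built in place by tests/install-fsverity.sh next to the repository, and a reader of fsverity.test cannot learn that from the `PATH=` line alone. A line such as `# fsverity is expected in ../fsverity-utils, built by tests/install-fsverity.sh` above the assignment would do.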
diff --git a/tests/install-fsverity.sh b/tests/install-fsverity.sh
index 418fc42f472b..d00674c0d3a2 100755
--- a/tests/install-fsverity.sh
+++ b/tests/install-fsverity.sh
@@ -2,6 +2,6 @@
 
 git clone https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git
 cd fsverity-utils
-CC=gcc make -j$(nproc) && sudo make install
+CC=gcc make -j$(nproc)
 cd ..
 rm -rf fsverity-utils
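Review bot: with `sudo make install` dropped, the unchanged `rm -rf fsverity-utils` at the end of this hunk deletes the only copy of the binary that was just built, so the `../fsverity-utils` PATH entry added to tests/fsverity.test points at a directory that no longer exists by the time the tests run. Either remove the `rm -rf` line or copy the `fsverity` binary to a location that survives before cleaning up the clone.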
-- 
2.25.1


* [PATCH ima-evm-utils v2 9/9] ci: haveged requires EPEL on CentOS stream:8
From: Roberto Sassu @ 2023-01-12 12:24 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

From: Mimi Zohar <zohar@linux.ibm.com>

The travis "fedora:latest" matrix rule fails due to not finding
"haveged".  Install "haveged" after enabling EPEL.

Fixes: 1a2d4767a8b1 ("Add support for UML in functions.sh")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 ci/fedora.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ci/fedora.sh b/ci/fedora.sh
index 3f75d2e1ddbd..1d17c6bfb89d 100755
--- a/ci/fedora.sh
+++ b/ci/fedora.sh
@@ -46,7 +46,6 @@ yum -y install \
 	wget \
 	which \
 	zstd \
-	haveged \
 	systemd \
 	keyutils \
 	e2fsprogs \
@@ -62,5 +61,8 @@ if [ -f /etc/centos-release ]; then
 fi
 yum -y install softhsm || true
 
+# haveged is available via EPEL on CentOS stream8.
+yum -y install haveged || true
+
 ./tests/install-fsverity.sh
 ./tests/install-mount-idmapped.sh
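Review bot: the comment says haveged comes from EPEL on CentOS stream8, while the commit message attributes the failure to the "fedora:latest" matrix entry; one of the two should be corrected so the reason for moving the package is clear. Also, `yum -y install haveged || true` hides a failed install on every distribution, and functions.sh (4/9) silently skips starting haveged when the binary is absent, so a UML run would lose its entropy source without any diagnostic; restricting the `|| true` to the CentOS case (the `if [ -f /etc/centos-release ]` block just above already exists for that) would surface the problem on Fedora.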
-- 
2.25.1


* Re: [PATCH ima-evm-utils v2 1/9] Fix error messages and mdlen init in calc_evm_hmac()
From: Stefan Berger @ 2023-01-12 14:16 UTC (permalink / raw)
  To: Roberto Sassu, zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu



On 1/12/23 07:24, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Make sure that the function name in the error message corresponds to the
> actual function called. Also, initialize mdlen to the size of 'hash'
> (MAX_DIGEST_SIZE), as this is expected by EVP_DigestSignFinal().

This code was converted from HMAC_Final() where the man page doesn't say much
about mdlen on input but required md to be of size EVP_MAX_MD_SIZE. Now it's
called sig & siglen in the man page:


        maximum necessary size of the output buffer is written to the siglen parameter. If sig is not NULL then before the
        call the siglen parameter should contain the length of the sig buffer. If the call is successful the signature is
        written to sig and the amount of data written to siglen.

It says 'should' not 'must'. Following the last sentence above I think evmctl will NOT have created short
HMAC signatures.
The mdlen should be called siglen and hash should definitely be renamed to sig at some point because it's not a 'hash'
and never was.

> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

> ---
>   src/evmctl.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 0ac7930da6f2..d4912d7ee891 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1186,7 +1186,7 @@ static int cmd_setxattr_ima(struct command *cmd)
>   
>   static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *hash)
>   {
> -	size_t mdlen;
> +	size_t mdlen = MAX_DIGEST_SIZE;
>   	EVP_MD_CTX *pctx;
>   	EVP_PKEY *pkey = NULL;
>   	struct stat st;
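Review bot: `size_t mdlen = MAX_DIGEST_SIZE;` fixes the capacity of `hash` inside the callee, while the prototype `unsigned char *hash` carries no length; EVP_DigestSignFinal() treats the value as the size of the output buffer, so every call site must now provide at least MAX_DIGEST_SIZE bytes and nothing checks that it does. Passing the buffer size as an explicit parameter, or at least documenting the MAX_DIGEST_SIZE contract in a comment above the function, would make the requirement visible at the call sites.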
> @@ -1260,7 +1260,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
>   
>   	pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, evmkey, sizeof(evmkey));
>   	if (!pkey) {
> -		log_err("HMAC_Init() failed\n");
> +		log_err("EVP_PKEY_new_mac_key() failed\n");
>   		goto out;
>   	}
>   
> @@ -1326,12 +1326,12 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
>   
>   	err = EVP_DigestSignUpdate(pctx, &hmac_misc, hmac_size);
>   	if (err != 1) {
> -		log_err("HMAC_Update() failed\n");
> +		log_err("EVP_DigestSignUpdate() failed\n");
>   		goto out_ctx_cleanup;
>   	}
>   	err = EVP_DigestSignFinal(pctx, hash, &mdlen);
>   	if (err != 1)
> -		log_err("HMAC_Final() failed\n");
> +		log_err("EVP_DigestSignFinal() failed\n");
>   out_ctx_cleanup:
>   	EVP_PKEY_free(pkey);
>   #if OPENSSL_VERSION_NUMBER >= 0x10100000

* Re: [PATCH ima-evm-utils v2 2/9] Add config for UML kernel
From: Stefan Berger @ 2023-01-12 14:18 UTC (permalink / raw)
  To: Roberto Sassu, zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu



On 1/12/23 07:24, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Add config-uml, with test-specific options that are not enabled in the
> kernel configuration generated with 'make ARCH=um olddefconfig'. The new
> options will be merged with the merge_config.sh script from the kernel
> source code in a Github workflow step.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>

Acked-by: Stefan Berger <stefanb@linux.ibm.com>

> ---
>   config-uml | 235 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>   1 file changed, 235 insertions(+)
>   create mode 100644 config-uml
> 
> diff --git a/config-uml b/config-uml
> new file mode 100644
> index 000000000000..2d3bb8ba8edb
> --- /dev/null
> +++ b/config-uml
> @@ -0,0 +1,235 @@
> +CONFIG_LOCALVERSION="-dont-use"
> +CONFIG_WATCH_QUEUE=y
> +CONFIG_AUDIT=y
> +CONFIG_AUDITSYSCALL=y
> +CONFIG_HZ_PERIODIC=y
> +CONFIG_LOG_BUF_SHIFT=17
> +CONFIG_USER_NS=y
> +CONFIG_PID_NS=y
> +CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
> +CONFIG_KALLSYMS_ALL=y
> +CONFIG_SYSTEM_DATA_VERIFICATION=y
> +CONFIG_TRACEPOINTS=y
> +CONFIG_CON_CHAN="xterm"
> +CONFIG_SSL_CHAN="pty"
> +CONFIG_MODULE_SIG_FORMAT=y
> +CONFIG_MODULE_SIG=y
> +CONFIG_MODULE_SIG_FORCE=y
> +CONFIG_MODULE_SIG_ALL=y
> +CONFIG_MODULE_SIG_SHA1=y
> +CONFIG_MODULE_SIG_HASH="sha1"
> +CONFIG_MODULES_TREE_LOOKUP=y
> +CONFIG_BLK_DEBUG_FS=y
> +CONFIG_ASN1=y
> +CONFIG_UNINLINE_SPIN_UNLOCK=y
> +CONFIG_SLUB=y
> +CONFIG_COMPACTION=y
> +CONFIG_COMPACT_UNEVICTABLE_DEFAULT=1
> +CONFIG_MIGRATION=y
> +CONFIG_BLK_DEV_LOOP=y
> +CONFIG_LEGACY_PTY_COUNT=256
> +CONFIG_NULL_TTY=y
> +CONFIG_SERIAL_DEV_BUS=y
> +CONFIG_SERIAL_DEV_CTRL_TTYPORT=y
> +CONFIG_VALIDATE_FS_PARSER=y
> +CONFIG_EXT4_FS_POSIX_ACL=y
> +CONFIG_EXT4_FS_SECURITY=y
> +CONFIG_EXT4_DEBUG=y
> +CONFIG_REISERFS_FS_XATTR=y
> +CONFIG_REISERFS_FS_POSIX_ACL=y
> +CONFIG_REISERFS_FS_SECURITY=y
> +CONFIG_FS_POSIX_ACL=y
> +CONFIG_FS_VERITY=y
> +CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
> +CONFIG_TMPFS_POSIX_ACL=y
> +CONFIG_TMPFS_XATTR=y
> +CONFIG_CONFIGFS_FS=y
> +CONFIG_KEYS=y
> +CONFIG_ENCRYPTED_KEYS=y
> +CONFIG_SECURITY=y
> +CONFIG_SECURITYFS=y
> +CONFIG_SECURITY_NETWORK=y
> +CONFIG_SECURITY_PATH=y
> +CONFIG_INTEGRITY=y
> +CONFIG_INTEGRITY_SIGNATURE=y
> +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
> +CONFIG_INTEGRITY_TRUSTED_KEYRING=y
> +CONFIG_INTEGRITY_AUDIT=y
> +CONFIG_IMA=y
> +CONFIG_IMA_MEASURE_PCR_IDX=10
> +CONFIG_IMA_NG_TEMPLATE=y
> +CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> +CONFIG_IMA_DEFAULT_HASH_SHA256=y
> +CONFIG_IMA_DEFAULT_HASH="sha256"
> +CONFIG_IMA_WRITE_POLICY=y
> +CONFIG_IMA_READ_POLICY=y
> +CONFIG_IMA_APPRAISE=y
> +CONFIG_IMA_ARCH_POLICY=y
> +CONFIG_IMA_APPRAISE_BUILD_POLICY=y
> +CONFIG_IMA_APPRAISE_BOOTPARAM=y
> +CONFIG_IMA_APPRAISE_MODSIG=y
> +CONFIG_IMA_TRUSTED_KEYRING=y
> +CONFIG_IMA_BLACKLIST_KEYRING=y
> +CONFIG_IMA_LOAD_X509=y
> +CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
> +CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> +CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> +CONFIG_EVM=y
> +CONFIG_EVM_ATTR_FSUUID=y
> +CONFIG_EVM_ADD_XATTRS=y
> +CONFIG_EVM_LOAD_X509=y
> +CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
> +CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
> +CONFIG_CRYPTO_AEAD2=y
> +CONFIG_CRYPTO_SKCIPHER=y
> +CONFIG_CRYPTO_SKCIPHER2=y
> +CONFIG_CRYPTO_RNG=y
> +CONFIG_CRYPTO_RNG2=y
> +CONFIG_CRYPTO_RNG_DEFAULT=y
> +CONFIG_CRYPTO_AKCIPHER2=y
> +CONFIG_CRYPTO_AKCIPHER=y
> +CONFIG_CRYPTO_KPP2=y
> +CONFIG_CRYPTO_ACOMP2=y
> +CONFIG_CRYPTO_MANAGER=y
> +CONFIG_CRYPTO_MANAGER2=y
> +CONFIG_CRYPTO_NULL2=y
> +CONFIG_CRYPTO_RSA=y
> +CONFIG_CRYPTO_ECC=y
> +CONFIG_CRYPTO_ECDSA=y
> +CONFIG_CRYPTO_AES=y
> +CONFIG_CRYPTO_CBC=y
> +CONFIG_CRYPTO_HMAC=y
> +CONFIG_CRYPTO_MD5=y
> +CONFIG_CRYPTO_SHA1=y
> +CONFIG_CRYPTO_SHA256=y
> +CONFIG_CRYPTO_SHA512=y
> +CONFIG_CRYPTO_WP512=y
> +CONFIG_CRYPTO_LZO=y
> +CONFIG_CRYPTO_ZSTD=y
> +CONFIG_CRYPTO_DRBG_MENU=y
> +CONFIG_CRYPTO_DRBG_HMAC=y
> +CONFIG_CRYPTO_DRBG=y
> +CONFIG_CRYPTO_JITTERENTROPY=y
> +CONFIG_CRYPTO_HASH_INFO=y
> +CONFIG_ASYMMETRIC_KEY_TYPE=y
> +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
> +CONFIG_X509_CERTIFICATE_PARSER=y
> +CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
> +CONFIG_PKCS7_MESSAGE_PARSER=y
> +CONFIG_PKCS7_TEST_KEY=y
> +CONFIG_SIGNED_PE_FILE_VERIFICATION=y
> +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
> +CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
> +CONFIG_SYSTEM_TRUSTED_KEYRING=y
> +CONFIG_SYSTEM_TRUSTED_KEYS=""
> +CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
> +CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
> +CONFIG_SECONDARY_TRUSTED_KEYRING=y
> +CONFIG_SYSTEM_BLACKLIST_KEYRING=y
> +CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
> +CONFIG_SYSTEM_REVOCATION_LIST=y
> +CONFIG_SYSTEM_REVOCATION_KEYS=""
> +CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE=y
> +CONFIG_BINARY_PRINTF=y
> +CONFIG_CRYPTO_LIB_AES=y
> +CONFIG_CRYPTO_LIB_SHA256=y
> +CONFIG_CRC_CCITT=y
> +CONFIG_XXHASH=y
> +CONFIG_AUDIT_GENERIC=y
> +CONFIG_LZO_COMPRESS=y
> +CONFIG_LZO_DECOMPRESS=y
> +CONFIG_ZSTD_COMMON=y
> +CONFIG_ZSTD_COMPRESS=y
> +CONFIG_ZSTD_DECOMPRESS=y
> +CONFIG_ASSOCIATIVE_ARRAY=y
> +CONFIG_SGL_ALLOC=y
> +CONFIG_GLOB=y
> +CONFIG_CLZ_TAB=y
> +CONFIG_MPILIB=y
> +CONFIG_SIGNATURE=y
> +CONFIG_OID_REGISTRY=y
> +CONFIG_STACKDEPOT=y
> +CONFIG_STACKDEPOT_ALWAYS_INIT=y
> +CONFIG_PRINTK_TIME=y
> +CONFIG_PRINTK_CALLER=y
> +CONFIG_DYNAMIC_DEBUG=y
> +CONFIG_DYNAMIC_DEBUG_CORE=y
> +CONFIG_DEBUG_INFO_DWARF5=y
> +CONFIG_GDB_SCRIPTS=y
> +CONFIG_FRAME_WARN=2048
> +CONFIG_READABLE_ASM=y
> +CONFIG_DEBUG_SECTION_MISMATCH=y
> +CONFIG_DEBUG_FS=y
> +CONFIG_DEBUG_FS_ALLOW_ALL=y
> +CONFIG_UBSAN=y
> +CONFIG_CC_HAS_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_ONLY_BOUNDS=y
> +CONFIG_UBSAN_SHIFT=y
> +CONFIG_UBSAN_DIV_ZERO=y
> +CONFIG_UBSAN_BOOL=y
> +CONFIG_UBSAN_ENUM=y
> +CONFIG_UBSAN_ALIGNMENT=y
> +CONFIG_PAGE_EXTENSION=y
> +CONFIG_DEBUG_PAGEALLOC=y
> +CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y
> +CONFIG_SLUB_DEBUG=y
> +CONFIG_SLUB_DEBUG_ON=y
> +CONFIG_PAGE_OWNER=y
> +CONFIG_PAGE_POISONING=y
> +CONFIG_DEBUG_OBJECTS=y
> +CONFIG_DEBUG_OBJECTS_FREE=y
> +CONFIG_DEBUG_OBJECTS_TIMERS=y
> +CONFIG_DEBUG_OBJECTS_WORK=y
> +CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
> +CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
> +CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
> +CONFIG_DEBUG_KMEMLEAK=y
> +CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE=16000
> +CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y
> +CONFIG_DEBUG_STACK_USAGE=y
> +CONFIG_SCHED_STACK_END_CHECK=y
> +CONFIG_DEBUG_SHIRQ=y
> +CONFIG_PANIC_ON_OOPS=y
> +CONFIG_PANIC_ON_OOPS_VALUE=1
> +CONFIG_LOCKUP_DETECTOR=y
> +CONFIG_SOFTLOCKUP_DETECTOR=y
> +CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
> +CONFIG_DETECT_HUNG_TASK=y
> +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
> +CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
> +CONFIG_WQ_WATCHDOG=y
> +CONFIG_DEBUG_TIMEKEEPING=y
> +CONFIG_PROVE_LOCKING=y
> +CONFIG_PROVE_RAW_LOCK_NESTING=y
> +CONFIG_LOCK_STAT=y
> +CONFIG_DEBUG_RT_MUTEXES=y
> +CONFIG_DEBUG_SPINLOCK=y
> +CONFIG_DEBUG_MUTEXES=y
> +CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
> +CONFIG_DEBUG_RWSEMS=y
> +CONFIG_DEBUG_LOCK_ALLOC=y
> +CONFIG_LOCKDEP=y
> +CONFIG_LOCKDEP_BITS=15
> +CONFIG_LOCKDEP_CHAINS_BITS=16
> +CONFIG_LOCKDEP_STACK_TRACE_BITS=19
> +CONFIG_LOCKDEP_STACK_TRACE_HASH_BITS=14
> +CONFIG_LOCKDEP_CIRCULAR_QUEUE_BITS=12
> +CONFIG_WW_MUTEX_SELFTEST=y
> +CONFIG_CSD_LOCK_WAIT_DEBUG=y
> +CONFIG_TRACE_IRQFLAGS=y
> +CONFIG_DEBUG_IRQFLAGS=y
> +CONFIG_DEBUG_LIST=y
> +CONFIG_DEBUG_PLIST=y
> +CONFIG_DEBUG_SG=y
> +CONFIG_DEBUG_NOTIFIERS=y
> +CONFIG_BUG_ON_DATA_CORRUPTION=y
> +CONFIG_PROVE_RCU=y
> +CONFIG_RCU_TRACE=y
> +CONFIG_NOP_TRACER=y
> +CONFIG_TRACE_CLOCK=y
> +CONFIG_RING_BUFFER=y
> +CONFIG_EVENT_TRACING=y
> +CONFIG_CONTEXT_SWITCH_TRACER=y
> +CONFIG_PREEMPTIRQ_TRACEPOINTS=y
> +CONFIG_TRACING=y
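Review bot: CONFIG_MODULE_SIG_SHA1=y together with CONFIG_MODULE_SIG_HASH="sha1" selects SHA-1 for module signatures while the rest of the file standardises on SHA-256 (CONFIG_IMA_DEFAULT_HASH="sha256", CONFIG_CRYPTO_SHA256=y); unless a test specifically needs SHA-1 module signatures, CONFIG_MODULE_SIG_SHA256=y and CONFIG_MODULE_SIG_HASH="sha256" would avoid a test configuration that depends on a deprecated hash. It would also help the commit message to separate the options the tests require (IMA, EVM, keyrings, fs-verity, loop device) from the debug options (UBSAN, lockdep, KMEMLEAK, DEBUG_PAGEALLOC) that are there to catch kernel bugs, since the latter noticeably slow the UML run and a reader cannot tell which is which from the list.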

* Re: [PATCH ima-evm-utils v2 0/9] Support testing with UML kernel
From: Mimi Zohar @ 2023-01-12 14:32 UTC (permalink / raw)
  To: Roberto Sassu, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

On Thu, 2023-01-12 at 13:24 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> UML kernels differ from other kernels for the ability of being executed as
> processes in the current environment, without requirements such as
> virtualization. It is sufficient to execute the binary, like the other
> binaries.
> 
> In addition, UML kernels have the ability to see the host filesystem and
> thus they could for example run an executable from the host as init and
> have a fully working system without creating an image, as it would happen
> if a regular virtual machine is used.
> 
> These features make UML kernels very suitable for integration in existing
> test suites designed to perform the tests in the current environment such
> as ima-evm-utils. In the current environment, test suites cannot test new
> functionality not yet integrated in the host kernel, or with custom kernel
> configuration options not usually enabled in production. Also, test suites
> might not be able to set/reset kernel settings for security reasons.
> 
> With the ability to do kernel testing more in depth, ima-evm-utils might
> introduce specific tests for that, separated from the tests to verify the
> ima-evm-utils user space functionality. At the moment, there is no such
> distinction, existing tests verify both.
> 
> The goal of this patch set is to overcome the limitations by making the
> test suite in ima-evm-utils able to run in an environment created by the
> UML kernel, with minimal changes. At the same time, it will preserve the
> ability of the test suite to run in the current environment.
> 
> First, fix error messages and a variable in evmctl. Then, add the
> config-uml file with custom kernel configuration options for the tests, to
> be merged with the default configuration. Add a new job in the Github
> workflow to build the UML kernel from a repository and branch specified in
> the LINUX_URL and LINUX_BRANCH variables. Per Github documentation, these
> variables can be defined at organization, repository and environment level.
> 
> Introduce a new API for using UML kernels for existing and new test
> scripts. Unless the environment variable UML_MODE is set to 1, calling the
> API results in a nop, and tests are executed in the current environment.
> 
> Add the possibility to select individual tests to run in a test script,
> with the TST_LIST variable, so that the UML kernel can be launched multiple
> times with a subset of tests (useful if for example a test require kernel
> settings different from the previous test).
> 
> Add tests for EVM portable signatures supporting UML kernels and port
> fsverity.test to use UML kernels.
> 
> Finally, don't require making changes to the system to run fsverity.test
> and install a software dependency after the appropriate repository has been
> set up.

Thank you, Roberto!   The UML support should simplify testing new
kernel features before they are upstreamed and/or configured/enabled by
the distros.  Building a UML kernel is relatively quick (~8 minutes). 
With the UML kernel and image caching, the impact should be minimal.

Once everyone has had a chance to review, comment, and test this patch
set, we'll release a new version of ima-evm-utils.

thanks,

Mimi
> 
> Mimi Zohar (1):
>   ci: haveged requires EPEL on CentOS stream:8
> 
> Roberto Sassu (8):
>   Fix error messages and mdlen init in calc_evm_hmac()
>   Add config for UML kernel
>   Compile the UML kernel and download it in Github Actions
>   Add support for UML in functions.sh
>   Introduce TST_LIST variable to select a test to execute
>   Add tests for EVM portable signatures
>   Adapt fsverity.test to work with UML kernel
>   Use in-place built fsverity binary instead of installing it
> 
>  .github/workflows/ci.yml        |   96 ++-
>  build.sh                        |    5 +
>  ci/fedora.sh                    |   12 +-
>  config-uml                      |  235 +++++++
>  src/evmctl.c                    |    8 +-
>  tests/Makefile.am               |    2 +-
>  tests/fsverity.test             |   18 +-
>  tests/functions.sh              |   91 ++-
>  tests/install-fsverity.sh       |    2 +-
>  tests/install-mount-idmapped.sh |    7 +
>  tests/portable_signatures.test  | 1173 +++++++++++++++++++++++++++++++
>  11 files changed, 1637 insertions(+), 12 deletions(-)
>  create mode 100644 config-uml
>  create mode 100755 tests/install-mount-idmapped.sh
>  create mode 100755 tests/portable_signatures.test
> 



* Re: [PATCH ima-evm-utils v2 4/9] Add support for UML in functions.sh
From: Stefan Berger @ 2023-01-12 15:00 UTC (permalink / raw)
  To: Roberto Sassu, zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu

On 1/12/23 07:24, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Add the new functions _run_user_mode(), _exit_user_mode(),
> _init_user_mode() and _cleanup_user_mode() to run the tests inside a system
> booted with the UML kernel.
> 
> A typical structure of a script with tests is:
> 
> trap cleanup SIGINT SIGTERM SIGSEGV EXIT
> 
> _cleanup() {
> 	<test cleanup>
> }
> 
> cleanup() {
> 	_cleanup_user_mode _cleanup
> 	_report_exit_and_cleanup
> }
> 
> <tests implementations>
> 
> _run_user_mode ../linux $PWD/$(basename $0) "env_var1=$env_var1 ..."
> 
> _exit_user_mode ../linux
> 
> _init_user_mode
> 
> <tests init>
> 
> <tests call>
> 
> If the UML_MODE environment variable is not set to 1, ignore the UML kernel
> execution and initialization requests, and perform the cleanup in the
> current environment. Ignore the same also if the script is already run in
> the UML environment, to avoid loops. Instead, for cleanup, do it only in
> the UML environment and skip it in the host environment.
> 
> Signal to the host environment failures of tests run in the UML environment
> with an unclean shutdown of the UML kernel.
> 
> Add haveged and systemd as dependencies for the tests in ci/fedora.sh,
> respectively for initializing the random number generator and for shutting
> down the system in the environment created by the UML kernel.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>   ci/fedora.sh       |  4 ++-
>   tests/functions.sh | 79 +++++++++++++++++++++++++++++++++++++++++++++-
>   2 files changed, 81 insertions(+), 2 deletions(-)
> 
> diff --git a/ci/fedora.sh b/ci/fedora.sh
> index e60de7981c60..198034a34e3c 100755
> --- a/ci/fedora.sh
> +++ b/ci/fedora.sh
> @@ -45,7 +45,9 @@ yum -y install \
>   	vim-common \
>   	wget \
>   	which \
> -	zstd
> +	zstd \
> +	haveged \
> +	systemd
>   
>   yum -y install docbook5-style-xsl || true
>   yum -y install swtpm || true
> diff --git a/tests/functions.sh b/tests/functions.sh
> index 8f6f02dfcd95..98829d94fae1 100755
> --- a/tests/functions.sh
> +++ b/tests/functions.sh
> @@ -267,6 +267,16 @@ _report_exit_and_cleanup() {
>     [ $testsfail -gt 0 ] && echo -n "$RED" || echo -n "$NORM"
>     echo " FAIL: $testsfail"
>     echo "$NORM"
> +  # Signal failure to UML caller with an unclean shutdown.
> +  if [ -n "$UML_MODE" ] && [ "$UML_MODE" -eq 1 ] && [ $$ -eq 1 ]; then
> +    if [ -z "$(which poweroff)" ]; then
> +      echo "Warning: cannot properly shutdown system"
> +    fi
> +
> +    if [ $testsfail -eq 0 ]; then
> +      poweroff -f
> +    fi
> +  fi
>     if [ $testsfail -gt 0 ]; then
>       exit "$FAIL"
>     elif [ $testspass -gt 0 ]; then
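Review bot: in the new PID 1 block, a missing `poweroff` only produces a warning and execution then falls through to the `exit` below, which terminates init and panics the UML kernel, so an all-pass run is reported to the host exactly as a failed run would be. Either treat the missing binary as a hard configuration error with a distinct message, or provide another way of halting cleanly; also `which poweroff` here should redirect stderr the way the `which haveged 2> /dev/null` call later in the patch does.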
> @@ -312,4 +322,71 @@ _softhsm_teardown() {
>     rm -rf "${SOFTHSM_SETUP_CONFIGDIR}"
>     unset SOFTHSM_SETUP_CONFIGDIR SOFTHSM2_CONF PKCS11_KEYURI \
>       EVMCTL_ENGINE OPENSSL_ENGINE OPENSSL_KEYFORM
> -}
> \ No newline at end of file
> +}
> +
> +# Syntax: _run_user_mode <UML binary> <init> <additional kernel parameters>
> +_run_user_mode() {
> +  if [ -z "$UML_MODE" ] || [ "$UML_MODE" -ne 1 ]; then
> +    return
> +  fi
> +
> +  if [ $$ -eq 1 ]; then
> +    return
> +  fi
> +
> +  expect_pass $1 rootfstype=hostfs rw init=$2 quiet mem=256M $3
> +}
> +
> +# Syntax: _exit_user_mode <UML binary>
> +_exit_user_mode() {
> +  if [ -z "$UML_MODE" ] || [ "$UML_MODE" -ne 1 ]; then
> +    return
> +  fi
> +
> +  if [ $$ -eq 1 ]; then
> +    return
> +  fi
> +
> +  if [ -f "$1" ]; then
> +    exit $OK
> +  fi
> +}
> +
> +# Syntax: _init_user_mode
> +_init_user_mode() {
> +  if [ -z "$UML_MODE" ] || [ "$UML_MODE" -ne 1 ]; then
> +    return
> +  fi
> +
> +  if [ $$ -ne 1 ]; then
> +    return
> +  fi
> +
> +  mount -t proc proc /proc
> +  mount -t sysfs sysfs /sys
> +  mount -t securityfs securityfs /sys/kernel/security
> +
> +  if [ -n "$(which haveged 2> /dev/null)" ]; then
> +    $(which haveged) -w 1024 &> /dev/null
> +  fi

What's different when it's missing?

> +
> +  pushd $PWD > /dev/null
> +}
> +
> +# Syntax: _cleanup_user_mode <cleanup function>
> +_cleanup_user_mode() {
> +  if [ -z "$UML_MODE" ] || [ "$UML_MODE" -ne 1 ]; then
> +    $1
> +    return
> +  fi
> +
> +  if [ $$ -ne 1 ]; then
> +    return
> +  fi
> +
> +  $1
> +
> +  umount /sys/kernel/security
> +  umount /sys
> +  umount /proc
> +}
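Review bot: the three `mount` calls in `_init_user_mode()` are unchecked; if securityfs fails to mount, the first symptom is a later test failure such as "security.evm not found" rather than a message naming the mount. Checking each mount and reporting before the tests start would make a misconfigured UML kernel (one built without CONFIG_SECURITYFS, for instance) easy to diagnose. The haveged branch has the same shape: when the binary is absent the function proceeds silently, so a warning like the one for `poweroff` in `_report_exit_and_cleanup` would help, and `$(which haveged) -w 1024` can simply be `haveged -w 1024`, since PATH lookup is what `which` does anyway. In `_run_user_mode()`, `$1` and `$2` should be quoted; `$3` is deliberately left unquoted so that the environment assignments word-split into separate kernel parameters, which deserves a comment.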

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

* Re: [PATCH ima-evm-utils v2 4/9] Add support for UML in functions.sh
From: Roberto Sassu @ 2023-01-12 15:01 UTC (permalink / raw)
  To: Stefan Berger, zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu

On Thu, 2023-01-12 at 10:00 -0500, Stefan Berger wrote:
> On 1/12/23 07:24, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> > 
> > Add the new functions _run_user_mode(), _exit_user_mode(),
> > _init_user_mode() and _cleanup_user_mode() to run the tests inside a system
> > booted with the UML kernel.
> > 
> > A typical structure of a script with tests is:
> > 
> > trap cleanup SIGINT SIGTERM SIGSEGV EXIT
> > 
> > _cleanup() {
> > 	<test cleanup>
> > }
> > 
> > cleanup() {
> > 	_cleanup_user_mode _cleanup
> > 	_report_exit_and_cleanup
> > }
> > 
> > <tests implementations>
> > 
> > _run_user_mode ../linux $PWD/$(basename $0) "env_var1=$env_var1 ..."
> > 
> > _exit_user_mode ../linux
> > 
> > _init_user_mode
> > 
> > <tests init>
> > 
> > <tests call>
> > 
> > If the UML_MODE environment variable is not set to 1, ignore the UML kernel
> > execution and initialization requests, and perform the cleanup in the
> > current environment. Ignore the same also if the script is already run in
> > the UML environment, to avoid loops. Instead, for cleanup, do it only in
> > the UML environment and skip it in the host environment.
> > 
> > Signal to the host environment failures of tests run in the UML environment
> > with an unclean shutdown of the UML kernel.
> > 
> > Add haveged and systemd as dependencies for the tests in ci/fedora.sh,
> > respectively for initializing the random number generator and for shutting
> > down the system in the environment created by the UML kernel.
> > 
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > ---
> >   ci/fedora.sh       |  4 ++-
> >   tests/functions.sh | 79 +++++++++++++++++++++++++++++++++++++++++++++-
> >   2 files changed, 81 insertions(+), 2 deletions(-)
> > 
> > diff --git a/ci/fedora.sh b/ci/fedora.sh
> > index e60de7981c60..198034a34e3c 100755
> > --- a/ci/fedora.sh
> > +++ b/ci/fedora.sh
> > @@ -45,7 +45,9 @@ yum -y install \
> >   	vim-common \
> >   	wget \
> >   	which \
> > -	zstd
> > +	zstd \
> > +	haveged \
> > +	systemd
> >   
> >   yum -y install docbook5-style-xsl || true
> >   yum -y install swtpm || true
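Review bot: adding haveged to the mandatory `yum -y install` list at the top of this hunk turns a missing package into a hard failure of the whole CI setup, whereas the lines just below treat optional packages as best effort (`yum -y install swtpm || true`). Since _init_user_mode in this same patch only runs haveged when `which haveged` finds it, install it the same way: `yum -y install haveged || true`.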
> > diff --git a/tests/functions.sh b/tests/functions.sh
> > index 8f6f02dfcd95..98829d94fae1 100755
> > --- a/tests/functions.sh
> > +++ b/tests/functions.sh
> > @@ -267,6 +267,16 @@ _report_exit_and_cleanup() {
> >     [ $testsfail -gt 0 ] && echo -n "$RED" || echo -n "$NORM"
> >     echo " FAIL: $testsfail"
> >     echo "$NORM"
> > +  # Signal failure to UML caller with an unclean shutdown.
> > +  if [ -n "$UML_MODE" ] && [ "$UML_MODE" -eq 1 ] && [ $$ -eq 1 ]; then
> > +    if [ -z "$(which poweroff)" ]; then
> > +      echo "Warning: cannot properly shutdown system"
> > +    fi
> > +
> > +    if [ $testsfail -eq 0 ]; then
> > +      poweroff -f
> > +    fi
> > +  fi
> >     if [ $testsfail -gt 0 ]; then
> >       exit "$FAIL"
> >     elif [ $testspass -gt 0 ]; then
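Review bot: in the UML branch added here a missing `poweroff` is only warned about; when all tests passed, `poweroff -f` then fails and execution falls through to the `exit` below, so PID 1 exits, the UML kernel shuts down uncleanly and the host reports a failure even though no test failed. Make the warning say that the host will see a failure, or better treat a missing poweroff as a hard error before the tests run, and suppress the lookup's stderr as the haveged check in the next hunk does (`which poweroff 2> /dev/null`).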
> > @@ -312,4 +322,71 @@ _softhsm_teardown() {
> >     rm -rf "${SOFTHSM_SETUP_CONFIGDIR}"
> >     unset SOFTHSM_SETUP_CONFIGDIR SOFTHSM2_CONF PKCS11_KEYURI \
> >       EVMCTL_ENGINE OPENSSL_ENGINE OPENSSL_KEYFORM
> > -}
> > \ No newline at end of file
> > +}
> > +
> > +# Syntax: _run_user_mode <UML binary> <init> <additional kernel parameters>
> > +_run_user_mode() {
> > +  if [ -z "$UML_MODE" ] || [ "$UML_MODE" -ne 1 ]; then
> > +    return
> > +  fi
> > +
> > +  if [ $$ -eq 1 ]; then
> > +    return
> > +  fi
> > +
> > +  expect_pass $1 rootfstype=hostfs rw init=$2 quiet mem=256M $3
> > +}
> > +
> > +# Syntax: _exit_user_mode <UML binary>
> > +_exit_user_mode() {
> > +  if [ -z "$UML_MODE" ] || [ "$UML_MODE" -ne 1 ]; then
> > +    return
> > +  fi
> > +
> > +  if [ $$ -eq 1 ]; then
> > +    return
> > +  fi
> > +
> > +  if [ -f "$1" ]; then
> > +    exit $OK
> > +  fi
> > +}
> > +
> > +# Syntax: _init_user_mode
> > +_init_user_mode() {
> > +  if [ -z "$UML_MODE" ] || [ "$UML_MODE" -ne 1 ]; then
> > +    return
> > +  fi
> > +
> > +  if [ $$ -ne 1 ]; then
> > +    return
> > +  fi
> > +
> > +  mount -t proc proc /proc
> > +  mount -t sysfs sysfs /sys
> > +  mount -t securityfs securityfs /sys/kernel/security
> > +
> > +  if [ -n "$(which haveged 2> /dev/null)" ]; then
> > +    $(which haveged) -w 1024 &> /dev/null
> > +  fi
> 
> What's different when it's missing?

The boot time is longer, if I remember correctly.

Thanks

Roberto

> > +
> > +  pushd $PWD > /dev/null
> > +}
> > +
> > +# Syntax: _cleanup_user_mode <cleanup function>
> > +_cleanup_user_mode() {
> > +  if [ -z "$UML_MODE" ] || [ "$UML_MODE" -ne 1 ]; then
> > +    $1
> > +    return
> > +  fi
> > +
> > +  if [ $$ -ne 1 ]; then
> > +    return
> > +  fi
> > +
> > +  $1
> > +
> > +  umount /sys/kernel/security
> > +  umount /sys
> > +  umount /proc
> > +}
> 
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>



* Re: [PATCH ima-evm-utils v2 5/9] Introduce TST_LIST variable to select a test to execute
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 5/9] Introduce TST_LIST variable to select a test to execute Roberto Sassu
@ 2023-01-12 15:07   ` Stefan Berger
  0 siblings, 0 replies; 28+ messages in thread
From: Stefan Berger @ 2023-01-12 15:07 UTC (permalink / raw)
  To: Roberto Sassu, zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu



On 1/12/23 07:24, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> It might be desirable, due to restrictions in the testing environment, to
> execute tests individually. Introduce the TST_LIST variable, which can be
> set with the name of the test to execute. If the variable is set,
> expect_pass and expect_fail automatically skip the tests when the first
> argument of those functions does not match the value of TST_LIST.
> 
> TST_LIST can be also used in conjunction with the UML kernel. It is
> sufficient to add it to the kernel command line.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>   tests/functions.sh | 12 ++++++++++++
>   1 file changed, 12 insertions(+)
> 
> diff --git a/tests/functions.sh b/tests/functions.sh
> index 98829d94fae1..298c30393ce6 100755
> --- a/tests/functions.sh
> +++ b/tests/functions.sh
> @@ -72,6 +72,12 @@ declare -i TNESTED=0 # just for sanity checking
>   expect_pass() {
>     local -i ret
>   
> +  if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = $TST_LIST ]; then

"$TST_LIST" for consistency and if it comes to shellcheck also to address "Double quote to prevent globbing and word splitting."

> +    [ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*"
> +    testsskip+=1
> +    return $SKIP
> +  fi
> +
>     if [ $TNESTED -gt 0 ]; then
>       echo $RED"expect_pass should not be run nested"$NORM
>       testsfail+=1
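Review bot: `${TST_LIST/$1/}` is a substring test, so TST_LIST=check_evm matches every test whose name contains that string, and a value containing glob characters is interpreted by the pattern substitution rather than compared literally. For an exact match against a space separated list use a case statement, e.g. `case " $TST_LIST " in *" $1 "*) ;; *) skip ;; esac`, and quote the right-hand side of the comparison as already noted.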
> @@ -98,6 +104,12 @@ expect_pass() {
>   expect_fail() {
>     local ret
>   
> +  if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = $TST_LIST ]; then

Same here.

> +    [ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*"
> +    testsskip+=1
> +    return $SKIP
> +  fi
> +
>     if [ $TNESTED -gt 0 ]; then
>       echo $RED"expect_fail should not be run nested"$NORM
>       testsfail+=1
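Review bot: this skip block is a verbatim copy of the one added to expect_pass in the previous hunk; a small helper such as `_tst_list_skip "$1" "$*"` that returns non-zero when the test should be skipped would keep the two in sync, which matters once the matching is tightened.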


* Re: [PATCH ima-evm-utils v2 6/9] Add tests for EVM portable signatures
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 6/9] Add tests for EVM portable signatures Roberto Sassu
@ 2023-01-12 15:22   ` Stefan Berger
  2023-01-12 15:38     ` Roberto Sassu
  2023-01-23 14:40   ` Mimi Zohar
  1 sibling, 1 reply; 28+ messages in thread
From: Stefan Berger @ 2023-01-12 15:22 UTC (permalink / raw)
  To: Roberto Sassu, zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu



On 1/12/23 07:24, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Verify that operations on files with EVM portable signatures succeed and
> that the new kernel patch set does not break the existing kernel integrity
> expectations. Build and install mount-idmapped for ci/fedora.sh, to
> additionally test idmapped mounts.
> 
> To run the tests, pass the path of the kernel private key with the
> TST_KEY_PATH environment variable. If not provided, the script searches the
> key in /lib/modules/$(uname -r)/source/certs/signing_key.pem and in the
> current directory. Root privileges are required to mount the image,
> configure IMA/EVM and set xattrs.
> 
> Set UML_MODE to 1, to relaunch the script in a new environment after
> booting a UML kernel. The UML kernel must be named 'linux' and placed in
> the ima-evm-utils directory.
> 
> Alternatively, set the TST_EVM_CHANGE_MODE variable to 1, to change the
> current EVM mode, if a test needs a different one. Otherwise, execute only
> the tests compatible with the current EVM mode.
> 
> Also set the EVM_ALLOW_METADATA_WRITES flag in the EVM mode, before
> launching the script, to run the check_evm_revalidate() test. Execute:
> 
> echo 4 > /sys/kernel/security/evm
> 
> The last two environment variables above affect which tests will run the
> next time the script is executed. Without setting UML_MODE to 1, changes to
> the current EVM mode will be irreversibly done in the host. Next time,
> unless the host is rebooted, only tests compatible with the last EVM mode
> set will run. The others will be skipped.
> 
> With the UML kernel, this problem does not arise as, every time the UML
> kernel is executed, it will create a clean environment with no flags set in
> the EVM mode.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>   build.sh                        |    5 +
>   ci/fedora.sh                    |    7 +-
>   tests/Makefile.am               |    2 +-
>   tests/install-mount-idmapped.sh |    7 +
>   tests/portable_signatures.test  | 1173 +++++++++++++++++++++++++++++++
>   5 files changed, 1192 insertions(+), 2 deletions(-)
>   create mode 100755 tests/install-mount-idmapped.sh
>   create mode 100755 tests/portable_signatures.test
> 
> diff --git a/build.sh b/build.sh
> index 4e2f1bb7353b..0920599b2780 100755
> --- a/build.sh
> +++ b/build.sh
> @@ -114,6 +114,11 @@ if [ $ret -eq 0 ]; then
>   		grep "skipped" tests/fsverity.log  && \
>   		   grep "skipped" tests/fsverity.log | wc -l
>   	fi
> +	if [ -f tests/portable_signatures.log ]; then
> +		[ -n "$CI" ] && cat tests/portable_signatures.log || tail tests/portable_signatures.log
> +		grep "skipped" tests/portable_signatures.log  && \
> +		   grep "skipped" tests/portable_signatures.log | wc -l
> +	fi
>   	exit 0
>   fi
>   
> diff --git a/ci/fedora.sh b/ci/fedora.sh
> index 198034a34e3c..3f75d2e1ddbd 100755
> --- a/ci/fedora.sh
> +++ b/ci/fedora.sh
> @@ -47,7 +47,11 @@ yum -y install \
>   	which \
>   	zstd \
>   	haveged \
> -	systemd
> +	systemd \
> +	keyutils \
> +	e2fsprogs \
> +	acl \
> +	libcap
>   
>   yum -y install docbook5-style-xsl || true
>   yum -y install swtpm || true
> @@ -59,3 +63,4 @@ fi
>   yum -y install softhsm || true
>   
>   ./tests/install-fsverity.sh
> +./tests/install-mount-idmapped.sh
> diff --git a/tests/Makefile.am b/tests/Makefile.am
> index 305082483f36..421fac577b55 100644
> --- a/tests/Makefile.am
> +++ b/tests/Makefile.am
> @@ -2,7 +2,7 @@ check_SCRIPTS =
>   TESTS = $(check_SCRIPTS)
>   
>   check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \
> -		 fsverity.test
> +		 fsverity.test portable_signatures.test
>   
>   clean-local:
>   	-rm -f *.txt *.out *.sig *.sig2
> diff --git a/tests/install-mount-idmapped.sh b/tests/install-mount-idmapped.sh
> new file mode 100755
> index 000000000000..e9768e2fbf7a
> --- /dev/null
> +++ b/tests/install-mount-idmapped.sh
> @@ -0,0 +1,7 @@
> +#!/bin/sh
> +
> +git clone https://github.com/brauner/mount-idmapped.git
> +cd mount-idmapped
> +gcc -o mount-idmapped mount-idmapped.c
> +cd ..
> +rm -rf mount-idmapped
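Review bot: the script clones an unpinned GitHub HEAD and compiles it as part of CI; pin a known revision (`git checkout <commit>` after the clone) so the test binary is reproducible and a changed or compromised upstream does not silently alter what the tests run. `cd mount-idmapped` is also unchecked: if the clone fails, the following `cd ..` leaves the source tree and `rm -rf mount-idmapped` runs in the parent directory; use `cd mount-idmapped || exit 1`.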

Where did you just install the executable to? It looks to me like it was removed.

> diff --git a/tests/portable_signatures.test b/tests/portable_signatures.test
> new file mode 100755
> index 000000000000..a6d79c929281
> --- /dev/null
> +++ b/tests/portable_signatures.test
> @@ -0,0 +1,1173 @@
> +#!/bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# Copyright (C) 2022-2023 Roberto Sassu <roberto.sassu@huawei.com>
> +#
> +# Check if operations on files with EVM portable signatures succeed.
> +
> +trap cleanup SIGINT SIGTERM SIGSEGV EXIT
> +
> +# Base VERBOSE on the environment variable, if set.
> +VERBOSE="${VERBOSE:-0}"
> +TST_EVM_CHANGE_MODE="${TST_EVM_CHANGE_MODE:-0}"
> +UML_MODE="${UML_MODE:-0}"
> +
> +# From security/integrity/evm/evm.h in kernel source directory.
> +let "EVM_INIT_HMAC=0x0001"
> +let "EVM_INIT_X509=0x0002"
> +let "EVM_ALLOW_METADATA_WRITES=0x0004"
> +let "EVM_SETUP_COMPLETE=0x80000000"
> +
> +cd "$(dirname "$0")"
> +export PATH=$PWD/../src:$PWD/../mount-idmapped:$PATH
> +export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
> +. ./functions.sh
> +_require evmctl
> +
> +_cleanup() {> +	if [ "$loop_mounted" = "1" ]; then

These global variables make it quite a bit tricky even though it's 'just a test case'. They
could clash with variables elsewhere. Maybe prefix them with 'g_' if you don't want to
pass them as parameters into the function, which I would think is yet more preferable.


> +		popd > /dev/null
> +
> +		if [ -n "$mountpoint_idmapped" ]; then
> +			umount $mountpoint_idmapped
> +		fi
> +
> +		umount $mountpoint
> +	fi
> +
> +	if [ -n "$dev" ]; then
> +		losetup -d $dev
> +	fi
> +
> +	if [ -n "$image" ]; then
> +		rm -f $image
> +	fi
> +
> +	if [ -n "$key_path_der" ]; then
> +		rm -f $key_path_der
> +	fi
> +
> +	if [ -n "$mountpoint" ]; then
> +		rm -Rf $mountpoint
> +	fi
> +
> +	if [ -n "$mountpoint_idmapped" ]; then
> +		rm -Rf $mountpoint_idmapped
> +	fi
> +}
> +
> +cleanup() {
> +	_cleanup_user_mode _cleanup
> +	_report_exit_and_cleanup
> +}
> +
> +get_xattr() {
> +	format="hex"
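Review bot: in _cleanup, `umount $mountpoint` is not checked before `rm -Rf $mountpoint`; if the unmount fails (a test left a process inside, for example), `rm -Rf` recurses into the still-mounted image instead of removing an empty directory. Use `umount "$mountpoint" || return` (same for the idmapped mount point), and quote the variables in all the `umount`, `losetup -d` and `rm` calls, since an empty or unusual value is exactly the case the `-n` guards exist for. `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH` near the top only re-exports the inherited value unchanged; drop it or set it to what the tests need.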

Don't want to use 'local format=....' to avoid clashes with possibly global variables of same name?

I would also urge to consider using shellcheck on shell script files. It helps a bit.

For now I leave it at these comments.

    Stefan


* Re: [PATCH ima-evm-utils v2 6/9] Add tests for EVM portable signatures
  2023-01-12 15:22   ` Stefan Berger
@ 2023-01-12 15:38     ` Roberto Sassu
  0 siblings, 0 replies; 28+ messages in thread
From: Roberto Sassu @ 2023-01-12 15:38 UTC (permalink / raw)
  To: Stefan Berger, zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu

On Thu, 2023-01-12 at 10:22 -0500, Stefan Berger wrote:
> 
> On 1/12/23 07:24, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> > 
> > Verify that operations on files with EVM portable signatures succeed and
> > that the new kernel patch set does not break the existing kernel integrity
> > expectations. Build and install mount-idmapped for ci/fedora.sh, to
> > additionally test idmapped mounts.
> > 
> > To run the tests, pass the path of the kernel private key with the
> > TST_KEY_PATH environment variable. If not provided, the script searches the
> > key in /lib/modules/$(uname -r)/source/certs/signing_key.pem and in the
> > current directory. Root privileges are required to mount the image,
> > configure IMA/EVM and set xattrs.
> > 
> > Set UML_MODE to 1, to relaunch the script in a new environment after
> > booting a UML kernel. The UML kernel must be named 'linux' and placed in
> > the ima-evm-utils directory.
> > 
> > Alternatively, set the TST_EVM_CHANGE_MODE variable to 1, to change the
> > current EVM mode, if a test needs a different one. Otherwise, execute only
> > the tests compatible with the current EVM mode.
> > 
> > Also set the EVM_ALLOW_METADATA_WRITES flag in the EVM mode, before
> > launching the script, to run the check_evm_revalidate() test. Execute:
> > 
> > echo 4 > /sys/kernel/security/evm
> > 
> > The last two environment variables above affect which tests will run the
> > next time the script is executed. Without setting UML_MODE to 1, changes to
> > the current EVM mode will be irreversibly done in the host. Next time,
> > unless the host is rebooted, only tests compatible with the last EVM mode
> > set will run. The others will be skipped.
> > 
> > With the UML kernel, this problem does not arise as, every time the UML
> > kernel is executed, it will create a clean environment with no flags set in
> > the EVM mode.
> > 
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > ---
> >   build.sh                        |    5 +
> >   ci/fedora.sh                    |    7 +-
> >   tests/Makefile.am               |    2 +-
> >   tests/install-mount-idmapped.sh |    7 +
> >   tests/portable_signatures.test  | 1173 +++++++++++++++++++++++++++++++
> >   5 files changed, 1192 insertions(+), 2 deletions(-)
> >   create mode 100755 tests/install-mount-idmapped.sh
> >   create mode 100755 tests/portable_signatures.test
> > 
> > diff --git a/build.sh b/build.sh
> > index 4e2f1bb7353b..0920599b2780 100755
> > --- a/build.sh
> > +++ b/build.sh
> > @@ -114,6 +114,11 @@ if [ $ret -eq 0 ]; then
> >   		grep "skipped" tests/fsverity.log  && \
> >   		   grep "skipped" tests/fsverity.log | wc -l
> >   	fi
> > +	if [ -f tests/portable_signatures.log ]; then
> > +		[ -n "$CI" ] && cat tests/portable_signatures.log || tail tests/portable_signatures.log
> > +		grep "skipped" tests/portable_signatures.log  && \
> > +		   grep "skipped" tests/portable_signatures.log | wc -l
> > +	fi
> >   	exit 0
> >   fi
> >   
> > diff --git a/ci/fedora.sh b/ci/fedora.sh
> > index 198034a34e3c..3f75d2e1ddbd 100755
> > --- a/ci/fedora.sh
> > +++ b/ci/fedora.sh
> > @@ -47,7 +47,11 @@ yum -y install \
> >   	which \
> >   	zstd \
> >   	haveged \
> > -	systemd
> > +	systemd \
> > +	keyutils \
> > +	e2fsprogs \
> > +	acl \
> > +	libcap
> >   
> >   yum -y install docbook5-style-xsl || true
> >   yum -y install swtpm || true
> > @@ -59,3 +63,4 @@ fi
> >   yum -y install softhsm || true
> >   
> >   ./tests/install-fsverity.sh
> > +./tests/install-mount-idmapped.sh
> > diff --git a/tests/Makefile.am b/tests/Makefile.am
> > index 305082483f36..421fac577b55 100644
> > --- a/tests/Makefile.am
> > +++ b/tests/Makefile.am
> > @@ -2,7 +2,7 @@ check_SCRIPTS =
> >   TESTS = $(check_SCRIPTS)
> >   
> >   check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \
> > -		 fsverity.test
> > +		 fsverity.test portable_signatures.test
> >   
> >   clean-local:
> >   	-rm -f *.txt *.out *.sig *.sig2
> > diff --git a/tests/install-mount-idmapped.sh b/tests/install-mount-idmapped.sh
> > new file mode 100755
> > index 000000000000..e9768e2fbf7a
> > --- /dev/null
> > +++ b/tests/install-mount-idmapped.sh
> > @@ -0,0 +1,7 @@
> > +#!/bin/sh
> > +
> > +git clone https://github.com/brauner/mount-idmapped.git
> > +cd mount-idmapped
> > +gcc -o mount-idmapped mount-idmapped.c
> > +cd ..
> > +rm -rf mount-idmapped
> 
> Where did you just install the executable to? It looks to me like it was removed.

Right, my mistake. Will fix it.

> > diff --git a/tests/portable_signatures.test b/tests/portable_signatures.test
> > new file mode 100755
> > index 000000000000..a6d79c929281
> > --- /dev/null
> > +++ b/tests/portable_signatures.test
> > @@ -0,0 +1,1173 @@
> > +#!/bin/bash
> > +# SPDX-License-Identifier: GPL-2.0
> > +#
> > +# Copyright (C) 2022-2023 Roberto Sassu <roberto.sassu@huawei.com>
> > +#
> > +# Check if operations on files with EVM portable signatures succeed.
> > +
> > +trap cleanup SIGINT SIGTERM SIGSEGV EXIT
> > +
> > +# Base VERBOSE on the environment variable, if set.
> > +VERBOSE="${VERBOSE:-0}"
> > +TST_EVM_CHANGE_MODE="${TST_EVM_CHANGE_MODE:-0}"
> > +UML_MODE="${UML_MODE:-0}"
> > +
> > +# From security/integrity/evm/evm.h in kernel source directory.
> > +let "EVM_INIT_HMAC=0x0001"
> > +let "EVM_INIT_X509=0x0002"
> > +let "EVM_ALLOW_METADATA_WRITES=0x0004"
> > +let "EVM_SETUP_COMPLETE=0x80000000"
> > +
> > +cd "$(dirname "$0")"
> > +export PATH=$PWD/../src:$PWD/../mount-idmapped:$PATH
> > +export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
> > +. ./functions.sh
> > +_require evmctl
> > +
> > +_cleanup() {> +	if [ "$loop_mounted" = "1" ]; then
> 
> These global variables make it quite a bit tricky even though it's 'just a test case'. They
> could clash with variables elsewhere. Maybe prefix them with 'g_' if you don't want to
> pass them as parameters into the function, which I would think is yet more preferable.

Ok.

Thanks

Roberto

> > +		popd > /dev/null
> > +
> > +		if [ -n "$mountpoint_idmapped" ]; then
> > +			umount $mountpoint_idmapped
> > +		fi
> > +
> > +		umount $mountpoint
> > +	fi
> > +
> > +	if [ -n "$dev" ]; then
> > +		losetup -d $dev
> > +	fi
> > +
> > +	if [ -n "$image" ]; then
> > +		rm -f $image
> > +	fi
> > +
> > +	if [ -n "$key_path_der" ]; then
> > +		rm -f $key_path_der
> > +	fi
> > +
> > +	if [ -n "$mountpoint" ]; then
> > +		rm -Rf $mountpoint
> > +	fi
> > +
> > +	if [ -n "$mountpoint_idmapped" ]; then
> > +		rm -Rf $mountpoint_idmapped
> > +	fi
> > +}
> > +
> > +cleanup() {
> > +	_cleanup_user_mode _cleanup
> > +	_report_exit_and_cleanup
> > +}
> > +
> > +get_xattr() {
> > +	format="hex"
> 
> Don't want to use 'local format=....' to avoid clashes with possibly global variables of same name?
> 
> I would also urge to consider using shellcheck on shell script files. It helps a bit.
> 
> For now I leave it at these comment.
> 
>     Stefan



* Re: [PATCH ima-evm-utils v2 9/9] ci: haveged requires EPEL on CentOS stream:8
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 9/9] ci: haveged requires EPEL on CentOS stream:8 Roberto Sassu
@ 2023-01-12 16:08   ` Stefan Berger
  0 siblings, 0 replies; 28+ messages in thread
From: Stefan Berger @ 2023-01-12 16:08 UTC (permalink / raw)
  To: Roberto Sassu, zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu



On 1/12/23 07:24, Roberto Sassu wrote:
> From: Mimi Zohar <zohar@linux.ibm.com>
> 
> The travis "fedora:latest" matrix rule fails due to not finding
> "haveged".  Install "haveged" after enabling EPEL.
> 
> Fixes: 1a2d4767a8b1 ("Add support for UML in functions.sh")
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

> ---
>   ci/fedora.sh | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/ci/fedora.sh b/ci/fedora.sh
> index 3f75d2e1ddbd..1d17c6bfb89d 100755
> --- a/ci/fedora.sh
> +++ b/ci/fedora.sh
> @@ -46,7 +46,6 @@ yum -y install \
>   	wget \
>   	which \
>   	zstd \
> -	haveged \
>   	systemd \
>   	keyutils \
>   	e2fsprogs \
> @@ -62,5 +61,8 @@ if [ -f /etc/centos-release ]; then
>   fi
>   yum -y install softhsm || true
>   
> +# haveged is available via EPEL on CentOS stream8.
> +yum -y install haveged || true
> +
>   ./tests/install-fsverity.sh
>   ./tests/install-mount-idmapped.sh


* Re: [PATCH ima-evm-utils v2 8/9] Use in-place built fsverity binary instead of installing it
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 8/9] Use in-place built fsverity binary instead of installing it Roberto Sassu
@ 2023-01-12 16:11   ` Stefan Berger
  2023-01-12 16:20     ` Roberto Sassu
  0 siblings, 1 reply; 28+ messages in thread
From: Stefan Berger @ 2023-01-12 16:11 UTC (permalink / raw)
  To: Roberto Sassu, zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu



On 1/12/23 07:24, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Instead of making changes to the system, use in-place built fsverity binary
> by adding ../fsverity-utils to the PATH variable, so that the binary can be
> found with the 'which' command.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

> ---
>   tests/fsverity.test       | 2 +-
>   tests/install-fsverity.sh | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/tests/fsverity.test b/tests/fsverity.test
> index 84312aa08a30..e05978be7ea6 100755
> --- a/tests/fsverity.test
> +++ b/tests/fsverity.test
> @@ -30,7 +30,7 @@
>   # custom policy rules might take precedence.
>   
>   cd "$(dirname "$0")" || exit 1
> -PATH=../src:$PATH
> +PATH=../src:../fsverity-utils:$PATH
>   source ./functions.sh
>   
>   # Base VERBOSE on the environment variable, if set.
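Review bot: `../src:../fsverity-utils` are relative PATH entries, resolved against the current directory at every lookup; that works right after the `cd "$(dirname "$0")"` above, but silently stops finding the binary in any test that changes directory. Prefer absolute entries as portable_signatures.test in this series does: `PATH=$PWD/../src:$PWD/../fsverity-utils:$PATH`.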
> diff --git a/tests/install-fsverity.sh b/tests/install-fsverity.sh
> index 418fc42f472b..d00674c0d3a2 100755
> --- a/tests/install-fsverity.sh
> +++ b/tests/install-fsverity.sh
> @@ -2,6 +2,6 @@
>   
>   git clone https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git
>   cd fsverity-utils
> -CC=gcc make -j$(nproc) && sudo make install
> +CC=gcc make -j$(nproc)
>   cd ..
>   rm -rf fsverity-utils
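Review bot: with `sudo make install` gone, the only copy of the fsverity binary lives in the cloned directory, which the unchanged last line `rm -rf fsverity-utils` deletes, so the `../fsverity-utils` PATH entry added in the other hunk points at nothing and the fsverity tests are skipped rather than run. Drop the `cd ..`/`rm -rf` lines or keep the build tree in place.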


* Re: [PATCH ima-evm-utils v2 8/9] Use in-place built fsverity binary instead of installing it
  2023-01-12 16:11   ` Stefan Berger
@ 2023-01-12 16:20     ` Roberto Sassu
  2023-01-12 16:26       ` Stefan Berger
  0 siblings, 1 reply; 28+ messages in thread
From: Roberto Sassu @ 2023-01-12 16:20 UTC (permalink / raw)
  To: Stefan Berger, zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu

On Thu, 2023-01-12 at 11:11 -0500, Stefan Berger wrote:
> 
> On 1/12/23 07:24, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> > 
> > Instead of making changes to the system, use in-place built fsverity binary
> > by adding ../fsverity-utils to the PATH variable, so that the binary can be
> > found with the 'which' command.
> > 
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> 
> > ---
> >   tests/fsverity.test       | 2 +-
> >   tests/install-fsverity.sh | 2 +-
> >   2 files changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/tests/fsverity.test b/tests/fsverity.test
> > index 84312aa08a30..e05978be7ea6 100755
> > --- a/tests/fsverity.test
> > +++ b/tests/fsverity.test
> > @@ -30,7 +30,7 @@
> >   # custom policy rules might take precedence.
> >   
> >   cd "$(dirname "$0")" || exit 1
> > -PATH=../src:$PATH
> > +PATH=../src:../fsverity-utils:$PATH
> >   source ./functions.sh
> >   
> >   # Base VERBOSE on the environment variable, if set.
> > diff --git a/tests/install-fsverity.sh b/tests/install-fsverity.sh
> > index 418fc42f472b..d00674c0d3a2 100755
> > --- a/tests/install-fsverity.sh
> > +++ b/tests/install-fsverity.sh
> > @@ -2,6 +2,6 @@
> >   
> >   git clone https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git
> >   cd fsverity-utils
> > -CC=gcc make -j$(nproc) && sudo make install
> > +CC=gcc make -j$(nproc)
> >   cd ..
> >   rm -rf fsverity-utils

Argh... same problem.

Will just delete the last two lines. It is just for CI.

Roberto



* Re: [PATCH ima-evm-utils v2 8/9] Use in-place built fsverity binary instead of installing it
  2023-01-12 16:20     ` Roberto Sassu
@ 2023-01-12 16:26       ` Stefan Berger
  2023-01-12 16:28         ` Roberto Sassu
  0 siblings, 1 reply; 28+ messages in thread
From: Stefan Berger @ 2023-01-12 16:26 UTC (permalink / raw)
  To: Roberto Sassu, zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu



On 1/12/23 11:20, Roberto Sassu wrote:
> On Thu, 2023-01-12 at 11:11 -0500, Stefan Berger wrote:
>>
>> On 1/12/23 07:24, Roberto Sassu wrote:
>>> From: Roberto Sassu <roberto.sassu@huawei.com>
>>>
>>> Instead of making changes to the system, use in-place built fsverity binary
>>> by adding ../fsverity-utils to the PATH variable, so that the binary can be
>>> found with the 'which' command.
>>>
>>> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
>>
>> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
>>
>>> ---
>>>    tests/fsverity.test       | 2 +-
>>>    tests/install-fsverity.sh | 2 +-
>>>    2 files changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/tests/fsverity.test b/tests/fsverity.test
>>> index 84312aa08a30..e05978be7ea6 100755
>>> --- a/tests/fsverity.test
>>> +++ b/tests/fsverity.test
>>> @@ -30,7 +30,7 @@
>>>    # custom policy rules might take precedence.
>>>    
>>>    cd "$(dirname "$0")" || exit 1
>>> -PATH=../src:$PATH
>>> +PATH=../src:../fsverity-utils:$PATH
>>>    source ./functions.sh
>>>    
>>>    # Base VERBOSE on the environment variable, if set.
>>> diff --git a/tests/install-fsverity.sh b/tests/install-fsverity.sh
>>> index 418fc42f472b..d00674c0d3a2 100755
>>> --- a/tests/install-fsverity.sh
>>> +++ b/tests/install-fsverity.sh
>>> @@ -2,6 +2,6 @@
>>>    
>>>    git clone https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git
>>>    cd fsverity-utils
>>> -CC=gcc make -j$(nproc) && sudo make install
>>> +CC=gcc make -j$(nproc)
>>>    cd ..
>>>    rm -rf fsverity-utils
> 
> Argh... same problem.
> 
> Will just delete the last two lines. It is just for CI.

Must be skipping tests when the tool is not found

> 
> Roberto
> 


* Re: [PATCH ima-evm-utils v2 8/9] Use in-place built fsverity binary instead of installing it
  2023-01-12 16:26       ` Stefan Berger
@ 2023-01-12 16:28         ` Roberto Sassu
  2023-01-19 11:51           ` Mimi Zohar
  0 siblings, 1 reply; 28+ messages in thread
From: Roberto Sassu @ 2023-01-12 16:28 UTC (permalink / raw)
  To: Stefan Berger, zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu

On Thu, 2023-01-12 at 11:26 -0500, Stefan Berger wrote:
> 
> On 1/12/23 11:20, Roberto Sassu wrote:
> > On Thu, 2023-01-12 at 11:11 -0500, Stefan Berger wrote:
> > > On 1/12/23 07:24, Roberto Sassu wrote:
> > > > From: Roberto Sassu <roberto.sassu@huawei.com>
> > > > 
> > > > Instead of making changes to the system, use in-place built fsverity binary
> > > > by adding ../fsverity-utils to the PATH variable, so that the binary can be
> > > > found with the 'which' command.
> > > > 
> > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > 
> > > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> > > 
> > > > ---
> > > >    tests/fsverity.test       | 2 +-
> > > >    tests/install-fsverity.sh | 2 +-
> > > >    2 files changed, 2 insertions(+), 2 deletions(-)
> > > > 
> > > > diff --git a/tests/fsverity.test b/tests/fsverity.test
> > > > index 84312aa08a30..e05978be7ea6 100755
> > > > --- a/tests/fsverity.test
> > > > +++ b/tests/fsverity.test
> > > > @@ -30,7 +30,7 @@
> > > >    # custom policy rules might take precedence.
> > > >    
> > > >    cd "$(dirname "$0")" || exit 1
> > > > -PATH=../src:$PATH
> > > > +PATH=../src:../fsverity-utils:$PATH
> > > >    source ./functions.sh
> > > >    
> > > >    # Base VERBOSE on the environment variable, if set.
> > > > diff --git a/tests/install-fsverity.sh b/tests/install-fsverity.sh
> > > > index 418fc42f472b..d00674c0d3a2 100755
> > > > --- a/tests/install-fsverity.sh
> > > > +++ b/tests/install-fsverity.sh
> > > > @@ -2,6 +2,6 @@
> > > >    
> > > >    git clone https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git
> > > >    cd fsverity-utils
> > > > -CC=gcc make -j$(nproc) && sudo make install
> > > > +CC=gcc make -j$(nproc)
> > > >    cd ..
> > > >    rm -rf fsverity-utils
> > 
> > Argh... same problem.
> > 
> > Will just delete the last two lines. It is just for CI.
> 
> Must be skipping tests when the tool is not found

Yes, it does:

SKIP: fsverity is not installed
PASS: 0 SKIP: 0 FAIL: 0

Roberto



* Re: [PATCH ima-evm-utils v2 8/9] Use in-place built fsverity binary instead of installing it
  2023-01-12 16:28         ` Roberto Sassu
@ 2023-01-19 11:51           ` Mimi Zohar
  0 siblings, 0 replies; 28+ messages in thread
From: Mimi Zohar @ 2023-01-19 11:51 UTC (permalink / raw)
  To: Roberto Sassu, Stefan Berger, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, Roberto Sassu

On Thu, 2023-01-12 at 17:28 +0100, Roberto Sassu wrote:
> On Thu, 2023-01-12 at 11:26 -0500, Stefan Berger wrote:
> > 
> > On 1/12/23 11:20, Roberto Sassu wrote:
> > > On Thu, 2023-01-12 at 11:11 -0500, Stefan Berger wrote:
> > > > On 1/12/23 07:24, Roberto Sassu wrote:
> > > > > From: Roberto Sassu <roberto.sassu@huawei.com>
> > > > > 
> > > > > Instead of making changes to the system, use in-place built fsverity binary
> > > > > by adding ../fsverity-utils to the PATH variable, so that the binary can be
> > > > > found with the 'which' command.
> > > > > 
> > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > > 
> > > > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > 
> > > > > ---
> > > > >    tests/fsverity.test       | 2 +-
> > > > >    tests/install-fsverity.sh | 2 +-
> > > > >    2 files changed, 2 insertions(+), 2 deletions(-)
> > > > > 
> > > > > diff --git a/tests/fsverity.test b/tests/fsverity.test
> > > > > index 84312aa08a30..e05978be7ea6 100755
> > > > > --- a/tests/fsverity.test
> > > > > +++ b/tests/fsverity.test
> > > > > @@ -30,7 +30,7 @@
> > > > >    # custom policy rules might take precedence.
> > > > >    
> > > > >    cd "$(dirname "$0")" || exit 1
> > > > > -PATH=../src:$PATH
> > > > > +PATH=../src:../fsverity-utils:$PATH
> > > > >    source ./functions.sh
> > > > >    
> > > > >    # Base VERBOSE on the environment variable, if set.
> > > > > diff --git a/tests/install-fsverity.sh b/tests/install-fsverity.sh
> > > > > index 418fc42f472b..d00674c0d3a2 100755
> > > > > --- a/tests/install-fsverity.sh
> > > > > +++ b/tests/install-fsverity.sh
> > > > > @@ -2,6 +2,6 @@
> > > > >    
> > > > >    git clone https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git
> > > > >    cd fsverity-utils
> > > > > -CC=gcc make -j$(nproc) && sudo make install
> > > > > +CC=gcc make -j$(nproc)
> > > > >    cd ..
> > > > >    rm -rf fsverity-utils
> > > 
> > > Argh... same problem.
> > > 
> > > Will just delete the last two lines. It is just for CI.
> > 
> > Must be skipping tests when the tool is not found
> 
> Yes, it does:
> 
> SKIP: fsverity is not installed
> PASS: 0 SKIP: 0 FAIL: 0

RH doesn't have the fsverity-utils package.  tests/install-fsverity.sh
builds and installs it.  The script ci/fedora.sh builds and installs
it.

Mimi



* Re: [PATCH ima-evm-utils v2 6/9] Add tests for EVM portable signatures
  2023-01-12 12:24 ` [PATCH ima-evm-utils v2 6/9] Add tests for EVM portable signatures Roberto Sassu
  2023-01-12 15:22   ` Stefan Berger
@ 2023-01-23 14:40   ` Mimi Zohar
  2023-01-23 15:31     ` Roberto Sassu
  1 sibling, 1 reply; 28+ messages in thread
From: Mimi Zohar @ 2023-01-23 14:40 UTC (permalink / raw)
  To: Roberto Sassu, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

Hi Roberto,

On Thu, 2023-01-12 at 13:24 +0100, Roberto Sassu wrote:
> +
> +key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
> +if [ -f "$PWD/../signing_key.pem" ]; then
> +       key_path=$PWD/../signing_key.pem
> +fi
> +
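Review bot: `key_path` gets the `/lib/modules/...` default unconditionally and only the `$PWD/../signing_key.pem` alternative is existence-checked, so when neither file is present the test proceeds with a path that does not exist and the first command that reads `$key_path` fails with its own error instead of a clear skip; suggest a final `[ -f "$key_path" ]` guard that reports the missing key and skips the test. For consistency with the first assignment, quote the second one as well: `key_path="$PWD/../signing_key.pem"`.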

For testing locally, how about first checking the file exists, before
setting key_path?  On not finding it, perhaps check whether
"/lib/modules/$(uname -r)/build/certs/signing_key.pem" exists.

-- 
thanks,

Mimi




* Re: [PATCH ima-evm-utils v2 6/9] Add tests for EVM portable signatures
  2023-01-23 14:40   ` Mimi Zohar
@ 2023-01-23 15:31     ` Roberto Sassu
  2023-01-23 15:43       ` Mimi Zohar
  0 siblings, 1 reply; 28+ messages in thread
From: Roberto Sassu @ 2023-01-23 15:31 UTC (permalink / raw)
  To: Mimi Zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

On Mon, 2023-01-23 at 09:40 -0500, Mimi Zohar wrote:
> Hi Roberto,
> 
> On Thu, 2023-01-12 at 13:24 +0100, Roberto Sassu wrote:
> > +
> > +key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
> > +if [ -f "$PWD/../signing_key.pem" ]; then
> > +       key_path=$PWD/../signing_key.pem
> > +fi
> > +
> 
> For testing locally, how about first checking the file exists, before
> setting key_path?  On not finding it, perhaps check whether
> "/lib/modules/$(uname -r)/build/certs/signing_key.pem" exists.

The precedence is:

TST_KEY_PATH -> ../signing_key.pem -> /lib/modules...

If TST_KEY_PATH is not found, probably it is a good idea to not
fall back to the other alternatives, as it is user input.

Roberto



* Re: [PATCH ima-evm-utils v2 6/9] Add tests for EVM portable signatures
  2023-01-23 15:31     ` Roberto Sassu
@ 2023-01-23 15:43       ` Mimi Zohar
  2023-01-23 15:46         ` Roberto Sassu
  0 siblings, 1 reply; 28+ messages in thread
From: Mimi Zohar @ 2023-01-23 15:43 UTC (permalink / raw)
  To: Roberto Sassu, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

On Mon, 2023-01-23 at 16:31 +0100, Roberto Sassu wrote:
> On Mon, 2023-01-23 at 09:40 -0500, Mimi Zohar wrote:
> > Hi Roberto,
> > 
> > On Thu, 2023-01-12 at 13:24 +0100, Roberto Sassu wrote:
> > > +
> > > +key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
> > > +if [ -f "$PWD/../signing_key.pem" ]; then
> > > +       key_path=$PWD/../signing_key.pem
> > > +fi
> > > +
> > 
> > For testing locally, how about first checking the file exists, before
> > setting key_path?  On not finding it, perhaps check whether
> > "/lib/modules/$(uname -r)/build/certs/signing_key.pem" exists.
> 
> The precedence is:
> 
> TST_KEY_PATH -> ../signing_key.pem -> /lib/modules...

This is still /lib/modules, just not "source/", but "build/".

-key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
+if [ -f "/lib/modules/$(uname -r)/source/certs/signing_key.pem" ]; then
+       key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
+elif [ -f "/lib/modules/$(uname -r)/build/certs/signing_key.pem" ]; then
+       key_path="/lib/modules/$(uname -r)/build/certs/signing_key.pem"
+fi
+
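Review bot: with the unconditional default removed, neither branch of the new `if`/`elif` runs when the running kernel has no `source/` or `build/` certs, leaving `key_path` unset with no diagnostic; the fragment needs an `else` that reports the missing key and skips or fails the test before `$key_path` is used. The `/lib/modules/$(uname -r)` path is also spelled out four times; a `for d in source build` loop over `/lib/modules/$(uname -r)/$d/certs/signing_key.pem` keeps the same precedence with one copy of the path. The later `$PWD/../signing_key.pem` check from the original patch still overrides whichever kernel key is chosen here, which is consistent with the precedence quoted above.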

Mimi

> 
> If TST_KEY_PATH is not found, probably it is a good idea to not
> fall back to the other alternatives, as it is user input.




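The key lookup discussed in this sub-thread (TST_KEY_PATH, then ../signing_key.pem, then the running kernel's source/ and build/ certs), written out as one POSIX sh function. This is an added example, not code from the ima-evm-utils patch or from the project's functions.sh; the function name resolve_key_path and its two optional parameters (a base directory standing in for $PWD and a directory standing in for /lib/modules/$(uname -r)) are assumptions introduced so the lookup can be exercised on constructed directories. It follows the point made above that a TST_KEY_PATH the user set but that does not exist is an error rather than a reason to fall back.

```shell
#!/bin/sh
# Added example (not ima-evm-utils code): pick the signing key for the EVM
# portable-signature tests with the precedence discussed in the thread:
#   TST_KEY_PATH -> <base_dir>/../signing_key.pem
#                -> <modules_dir>/source/certs/signing_key.pem
#                -> <modules_dir>/build/certs/signing_key.pem
# An explicitly given TST_KEY_PATH that does not exist is an error, not a
# fallback, because it is user input.
#
# resolve_key_path [base_dir] [modules_dir]   (both parameters are assumptions
#   made for testability; they default to $PWD and /lib/modules/$(uname -r))
# Prints the chosen path on stdout and returns 0; prints a message on stderr
# and returns 1 when no usable key exists.
resolve_key_path() {
	base_dir=${1:-$PWD}
	modules_dir=${2:-/lib/modules/$(uname -r)}

	# 1. Explicit user choice wins and is never silently replaced.
	if [ -n "$TST_KEY_PATH" ]; then
		if [ -f "$TST_KEY_PATH" ]; then
			echo "$TST_KEY_PATH"
			return 0
		fi
		echo "TST_KEY_PATH=$TST_KEY_PATH does not exist" >&2
		return 1
	fi

	# 2. Key generated next to the checkout (local development).
	if [ -f "$base_dir/../signing_key.pem" ]; then
		echo "$base_dir/../signing_key.pem"
		return 0
	fi

	# 3. Key of the running kernel: source/ first, then build/.
	for dir in source build; do
		if [ -f "$modules_dir/$dir/certs/signing_key.pem" ]; then
			echo "$modules_dir/$dir/certs/signing_key.pem"
			return 0
		fi
	done

	echo "no signing key found; set TST_KEY_PATH to use one" >&2
	return 1
}

# Usage in a test script (shown as a comment so that sourcing this file only
# defines the function):
#   key_path=$(resolve_key_path) || exit 1
```

Because an unset TST_KEY_PATH is the only case that falls through to the other locations, a CI job can pin the key explicitly while local runs pick up whatever the checkout or the running kernel provides, and a typo in the variable fails loudly instead of silently signing with a different key.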

* Re: [PATCH ima-evm-utils v2 6/9] Add tests for EVM portable signatures
  2023-01-23 15:43       ` Mimi Zohar
@ 2023-01-23 15:46         ` Roberto Sassu
  0 siblings, 0 replies; 28+ messages in thread
From: Roberto Sassu @ 2023-01-23 15:46 UTC (permalink / raw)
  To: Mimi Zohar, dmitry.kasatkin
  Cc: linux-integrity, vt, pvorel, stefanb, Roberto Sassu

On Mon, 2023-01-23 at 10:43 -0500, Mimi Zohar wrote:
> On Mon, 2023-01-23 at 16:31 +0100, Roberto Sassu wrote:
> > On Mon, 2023-01-23 at 09:40 -0500, Mimi Zohar wrote:
> > > Hi Roberto,
> > > 
> > > On Thu, 2023-01-12 at 13:24 +0100, Roberto Sassu wrote:
> > > > +
> > > > +key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
> > > > +if [ -f "$PWD/../signing_key.pem" ]; then
> > > > +       key_path=$PWD/../signing_key.pem
> > > > +fi
> > > > +
> > > 
> > > For testing locally, how about first checking the file exists, before
> > > setting key_path?  On not finding it, perhaps check whether
> > > "/lib/modules/$(uname -r)/build/certs/signing_key.pem" exists.
> > 
> > The precedence is:
> > 
> > TST_KEY_PATH -> ../signing_key.pem -> /lib/modules...
> 
> This is still /lib/modules, just not "source/", but "build/".
> 
> -key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
> +if [ -f "/lib/modules/$(uname -r)/source/certs/signing_key.pem" ]; then
> +       key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
> +elif [ -f "/lib/modules/$(uname -r)/build/certs/signing_key.pem" ]; then
> +       key_path="/lib/modules/$(uname -r)/build/certs/signing_key.pem"
> +fi
> +

Ok, will add it.

Thanks

Roberto

> Mimi
> 
> > If TST_KEY_PATH is not found, probably it is a good idea to not
> > fall back to the other alternatives, as it is user input.
> 
> 



end of thread, other threads:[~2023-01-23 15:46 UTC | newest]

Thread overview: 28+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-01-12 12:24 [PATCH ima-evm-utils v2 0/9] Support testing with UML kernel Roberto Sassu
2023-01-12 12:24 ` [PATCH ima-evm-utils v2 1/9] Fix error messages and mdlen init in calc_evm_hmac() Roberto Sassu
2023-01-12 14:16   ` Stefan Berger
2023-01-12 12:24 ` [PATCH ima-evm-utils v2 2/9] Add config for UML kernel Roberto Sassu
2023-01-12 14:18   ` Stefan Berger
2023-01-12 12:24 ` [PATCH ima-evm-utils v2 3/9] Compile the UML kernel and download it in Github Actions Roberto Sassu
2023-01-12 12:24 ` [PATCH ima-evm-utils v2 4/9] Add support for UML in functions.sh Roberto Sassu
2023-01-12 15:00   ` Stefan Berger
2023-01-12 15:01     ` Roberto Sassu
2023-01-12 12:24 ` [PATCH ima-evm-utils v2 5/9] Introduce TST_LIST variable to select a test to execute Roberto Sassu
2023-01-12 15:07   ` Stefan Berger
2023-01-12 12:24 ` [PATCH ima-evm-utils v2 6/9] Add tests for EVM portable signatures Roberto Sassu
2023-01-12 15:22   ` Stefan Berger
2023-01-12 15:38     ` Roberto Sassu
2023-01-23 14:40   ` Mimi Zohar
2023-01-23 15:31     ` Roberto Sassu
2023-01-23 15:43       ` Mimi Zohar
2023-01-23 15:46         ` Roberto Sassu
2023-01-12 12:24 ` [PATCH ima-evm-utils v2 7/9] Adapt fsverity.test to work with UML kernel Roberto Sassu
2023-01-12 12:24 ` [PATCH ima-evm-utils v2 8/9] Use in-place built fsverity binary instead of installing it Roberto Sassu
2023-01-12 16:11   ` Stefan Berger
2023-01-12 16:20     ` Roberto Sassu
2023-01-12 16:26       ` Stefan Berger
2023-01-12 16:28         ` Roberto Sassu
2023-01-19 11:51           ` Mimi Zohar
2023-01-12 12:24 ` [PATCH ima-evm-utils v2 9/9] ci: haveged requires EPEL on CentOS stream:8 Roberto Sassu
2023-01-12 16:08   ` Stefan Berger
2023-01-12 14:32 ` [PATCH ima-evm-utils v2 0/9] Support testing with UML kernel Mimi Zohar
