Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Petr Vorel <pvorel@suse.cz>, ltp@lists.linux.it
Cc: Lachlan Sneff <t-josne@linux.microsoft.com>,
	Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	balajib@linux.microsoft.com, linux-integrity@vger.kernel.org
Subject: Re: [PATCH v4 2/2] IMA: Add test for kexec cmdline measurement
Date: Fri, 24 Jul 2020 08:01:51 -0400
Message-ID: <1595592111.5211.246.camel@linux.ibm.com> (raw)
In-Reply-To: <20200724070038.29491-2-pvorel@suse.cz>

On Fri, 2020-07-24 at 09:00 +0200, Petr Vorel wrote:
> From: Lachlan Sneff <t-josne@linux.microsoft.com>
> 
> IMA policy can be set to measure the command line passed in the kexec
> system call. Add a testcase that verifies that the IMA subsystem
> correctly measure the cmdline specified during a kexec.
> 
> Note that this test does not actually reboot.
> 
> Ideally, test shouldn't even require an image, since it doesn't actually
> reboot, but the IMA cmdline measurement occurs after the image is parsed
> and verified, so we must pass a valid kernel image.
> 
> There is a possibility of putting together a dummy kernel image that has
> the right headers and appears to be signed correctly, but doesn't
> actually contain any code, but, after investigating that possibility, it
> appears to be quite difficult (and would require a dummy kernel for each
> arch).

This test attempts to kexec the existing running kernel image.  To
kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
> 
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> Hi,
> sent version with few my fixes.
> @Mimi: could you please have a quick look? (I know you reviewed previous
> version.)

Thanks, Petr.  Just a couple of comments ...

 
<snip>

> +# Test that the kexec cmdline is measured correctly.
> +# NOTE: This does *not* actually reboot.
> +test1() {
> +	if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
> +		tst_brk TCONF "Kernel image not found ('$IMA_KEXEC_IMAGE'), specify it in \$IMA_KEXEC_IMAGE"
> +	fi
> +
> +	# Strip the `BOOT_IMAGE=...` part from the cmdline.
> +	local cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
> +
> +	if ! kexec -sl $IMA_KEXEC_IMAGE --reuse-cmdline; then
> +		tst_res TCONF "kexec failed: $?"
> +
> +		local sb_status="$(bootctl status 2>/dev/null | grep 'Secure Boot' \
> +			| tr -d ' ' | sed 's/SecureBoot:*//')"
> +
> +		if [ "$sb_status" = "enabled" ]; then
> +			tst_res TINFO "secure boot is enabled, the specified kernel image may not be signed"
> +		fi

Independently of the secure boot status, the IMA policy itself could require a signature.

For example, a recent software update is preventing one of my test
laptops from booting with secure boot enabled, but the custom IMA
policy still requires the kexec kernel image to be signed.

Search the IMA policy for an appraise "func=KEXEC_KERNEL_CHECK" policy
rule.

> +
> +		return
> +	fi
> +
> +	kexec -su
> +
> +	if ! measure "$cmdline"; then
> +		tst_res TFAIL "unable to find a correct entry in the IMA log"
> +
> +		check_policy_readable
> +
> +		if ! grep "measure func=KEXEC_CMDLINE" $IMA_POLICY >/dev/null; then
> +			tst_brk TCONF "The IMA policy does not specify 'measure func=KEXEC_CMDLINE', see IMA test README"
> +		fi
> +

Other than the policy "action" - measure/dont_measure,
audit/dont_audit, appraise/dont_appraise - being the first keyword,
the ordering of the policy options and flags is flexible.  Most
policies do provide the "func" option immediately following the
"action".  This would normally work.


> +		return
> +	fi
> +
> +	cmdline="foo"
> +	if ! kexec -sl $IMA_KEXEC_IMAGE --append=$cmdline; then
> +		tst_brk TCONF "kexec failed: $?"
> +	fi
> +

The error messages are exactly the same here and below.  Should a hint
be provided as to which one failed?

Mimi

> +	kexec -su
> +
> +	if ! measure "$cmdline"; then
> +		tst_brk TFAIL "unable to find a correct entry in the IMA log"
> +	fi
> +
> +	cmdline="bar"
> +	if ! kexec -sl $IMA_KEXEC_IMAGE --command-line=$cmdline; then
> +		tst_brk TCONF "kexec failed: $?"
> +	fi
> +
> +	kexec -su
> +
> +	if ! measure "$cmdline"; then
> +		tst_brk TFAIL "unable to find a correct entry in the IMA log"
> +	fi
> +
> +	tst_res TPASS "kexec cmdline was measured correctly"
> +}
> +
> +tst_run


  reply index

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-24  7:00 [PATCH v4 1/2] IMA: Fix policy readability check Petr Vorel
2020-07-24  7:00 ` [PATCH v4 2/2] IMA: Add test for kexec cmdline measurement Petr Vorel
2020-07-24 12:01   ` Mimi Zohar [this message]
2020-07-24 13:18     ` Petr Vorel
2020-07-24 16:06       ` Mimi Zohar
2020-07-24 16:19       ` Lachlan Sneff
2020-07-24 20:15         ` Petr Vorel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1595592111.5211.246.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=balajib@linux.microsoft.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=ltp@lists.linux.it \
    --cc=nramas@linux.microsoft.com \
    --cc=pvorel@suse.cz \
    --cc=t-josne@linux.microsoft.com \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git