Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] IMA: Add test for kexec cmdline measurement
@ 2020-07-21 18:24 Lachlan Sneff
  2020-07-22 14:04 ` Mimi Zohar
  0 siblings, 1 reply; 3+ messages in thread
From: Lachlan Sneff @ 2020-07-21 18:24 UTC (permalink / raw)
  To: zohar, pvorel, ltp; +Cc: nramas, balajib, linux-integrity

IMA policy can be set to measure the command line passed in the kexec system call.
There needs to be a test to validate this kexec command line measurement.

Add a testcase that verifies that the IMA subsystem has correctly
measured the cmdline specified during a kexec.

Note that this test does not actually reboot.

Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
---
 runtest/ima                                   |  1 +
 .../kernel/security/integrity/ima/README.md   | 11 +++
 .../security/integrity/ima/tests/ima_kexec.sh | 93 +++++++++++++++++++
 3 files changed, 105 insertions(+)
 create mode 100644 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh

diff --git a/runtest/ima b/runtest/ima
index 309d47420..5f4b4a7a1 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -4,4 +4,5 @@ ima_policy ima_policy.sh
 ima_tpm ima_tpm.sh
 ima_violations ima_violations.sh
 ima_keys ima_keys.sh
+ima_kexec ima_kexec.sh
 evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index db8819a99..926eb8478 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -30,6 +30,17 @@ measure func=KEY_CHECK keyrings=key_import_test template=ima-buf
 
 The test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
 
+### IMA kexec test
+
+This test requires that the ima policy contains:
+```
+measure func=KEXEC_CMDLINE
+```
+
+Even though the test does not actually reboot, it does require a valid,
+signed kernel image. By default, the test will look in `/boot/vmlinuz-$(uname r)`,
+but if no image is accessible there, a valid image be must be placed at `/tmp/Image`.
+
 ## EVM tests
 
 `evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
new file mode 100644
index 000000000..7d71557ee
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2020 Microsoft Corporation
+# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
+#
+# Verify that kexec cmdline is measured correctly.
+
+TST_NEEDS_CMDS="kexec sed xargs printf grep"
+TST_CNT=1
+TST_NEEDS_DEVICE=1
+
+. ima_setup.sh
+
+# Since the test is executed inside some sort of
+# separate shell, *most* environment variables are
+# not accessible, so there's no way to set it from
+# the outside.
+#
+# `/boot/vmlinuz-$(uname-r)` is where the image is
+# located on many systems, but not all. Therefore,
+# if the image is not located there, require the
+# user to copy it to `/tmp/Image`.
+#
+# Ideally, this test shouldn't even require an image,
+# since it doesn't actually reboot, but the IMA cmdline
+# measurement occurs after the image is parsed and verified,
+# so we must pass a valid kernel image. There is a possiblity of
+# putting together a "faux" kernel image that has the right headers
+# and appears to be signed correctly, but doesn't actually contain any
+# code, but, after investigating that possiblity, it appears to be
+# quite difficult (and would require a new faux kernel for each arch).
+IMAGE="/boot/vmlinuz-$(uname -r)"
+if [ ! -f $IMAGE ]; then
+    IMAGE="/tmp/Image"
+fi
+
+measure() {
+    local found temp_file="file.txt" temp_file2="file2.txt" algorithm \
+        digest expected_digest
+
+    echo -n "$1" > $temp_file
+    grep "kexec-cmdline" $ASCII_MEASUREMENTS > $temp_file2
+
+    while read found
+    do
+        algorithm=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f1)
+        digest=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f2)
+
+        expected_digest=$(compute_digest $algorithm $temp_file)
+
+        if [ "$digest" = "$expected_digest" ]; then
+            return 0
+        fi
+    done < $temp_file2
+
+    return 1
+}
+
+# Test that the kexec cmdline is measured correctly.
+# NOTE: This does *not* actually reboot.
+test1() {
+    # Strip the `BOOT_IMAGE=...` part from the cmdline.
+    local cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
+    if ! kexec -sl $IMAGE --reuse-cmdline; then
+        tst_brk TCONF "kexec failed: $?"
+    fi
+
+    if ! measure "$cmdline"; then
+        tst_brk TFAIL "kexec cmdline was measured incorrectly"
+    fi
+
+    cmdline="foo"
+    if ! kexec -sl $IMAGE --append=$cmdline; then
+        tst_brk TCONF "kexec failed: $?"
+    fi
+
+    if ! measure "$cmdline"; then
+        tst_brk TFAIL "kexec cmdline was measured incorrectly"
+    fi
+
+    cmdline="bar"
+    if ! kexec -sl $IMAGE --command-line=$cmdline; then
+        tst_brk TCONF "kexec failed: $?"
+    fi
+
+    if ! measure "$cmdline"; then
+        tst_brk TFAIL "kexec cmdline was measured incorrectly"
+    fi
+
+    tst_res TPASS "kexec cmldine was measured correctly"
+}
+
+tst_run
-- 
2.25.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] IMA: Add test for kexec cmdline measurement
  2020-07-21 18:24 [PATCH] IMA: Add test for kexec cmdline measurement Lachlan Sneff
@ 2020-07-22 14:04 ` Mimi Zohar
  2020-07-22 15:03   ` Lachlan Sneff
  0 siblings, 1 reply; 3+ messages in thread
From: Mimi Zohar @ 2020-07-22 14:04 UTC (permalink / raw)
  To: Lachlan Sneff, pvorel, ltp; +Cc: nramas, balajib, linux-integrity

On Tue, 2020-07-21 at 14:24 -0400, Lachlan Sneff wrote:

<snip>

> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> new file mode 100644
> index 000000000..7d71557ee
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> @@ -0,0 +1,93 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +# Copyright (c) 2020 Microsoft Corporation
> +# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
> +#
> +# Verify that kexec cmdline is measured correctly.
> +
> +TST_NEEDS_CMDS="kexec sed xargs printf grep"
> +TST_CNT=1
> +TST_NEEDS_DEVICE=1
> +
> +. ima_setup.sh
> +
> +# Since the test is executed inside some sort of
> +# separate shell, *most* environment variables are
> +# not accessible, so there's no way to set it from
> +# the outside.
> +#
> +# `/boot/vmlinuz-$(uname-r)` is where the image is
> +# located on many systems, but not all. Therefore,
> +# if the image is not located there, require the
> +# user to copy it to `/tmp/Image`.
> +#
> +# Ideally, this test shouldn't even require an image,
> +# since it doesn't actually reboot, but the IMA cmdline
> +# measurement occurs after the image is parsed and verified,
> +# so we must pass a valid kernel image. There is a possiblity of
> +# putting together a "faux" kernel image that has the right headers
> +# and appears to be signed correctly, but doesn't actually contain any
> +# code, but, after investigating that possiblity, it appears to be
> +# quite difficult (and would require a new faux kernel for each arch).

The comment formatting is inconsistent.  Please correct.

> +IMAGE="/boot/vmlinuz-$(uname -r)"
> +if [ ! -f $IMAGE ]; then
> +    IMAGE="/tmp/Image"
> +fi
> +
> +measure() {
> +    local found temp_file="file.txt" temp_file2="file2.txt" algorithm \
> +        digest expected_digest
> +
> +    echo -n "$1" > $temp_file
> +    grep "kexec-cmdline" $ASCII_MEASUREMENTS > $temp_file2
> +
> +    while read found
> +    do
> +        algorithm=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f1)
> +        digest=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f2)
> +
> +        expected_digest=$(compute_digest $algorithm $temp_file)
> +
> +        if [ "$digest" = "$expected_digest" ]; then
> +            return 0
> +        fi
> +    done < $temp_file2
> +
> +    return 1
> +}
> +
> +# Test that the kexec cmdline is measured correctly.
> +# NOTE: This does *not* actually reboot.
> +test1() {
> +    # Strip the `BOOT_IMAGE=...` part from the cmdline.
> +    local cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
> +    if ! kexec -sl $IMAGE --reuse-cmdline; then
> +        tst_brk TCONF "kexec failed: $?"
> +    fi

Most likely one of the reasons for the kexec to fail is that the
kernel image isn't properly signed.  How about checking the secure-
boot status to provide some contextual information.

> +
> +    if ! measure "$cmdline"; then
> +        tst_brk TFAIL "kexec cmdline was measured incorrectly"
> +    fi

This assumes that a kexec command line measurement was found.  The
output needs to differentiate between no measurement and an invalid
measurement.  In the case that the rule doesn't exist, at that point
you have a choice of skipping the test or extending the IMA policy. 

The kernel kexec selftests checks both the Kconfig and the IMA runtime
policy.  Different testing infrastructures have different policies
about basing tests on them.

> +
> +    cmdline="foo"

Wondering if unknown command line options could cause the kexec to
fail.

> +    if ! kexec -sl $IMAGE --append=$cmdline; then
> +        tst_brk TCONF "kexec failed: $?"
> +    fi

Should the first kernel image be unloaded first?

Mimi

> +
> +    if ! measure "$cmdline"; then
> +        tst_brk TFAIL "kexec cmdline was measured incorrectly"
> +    fi
> +
> +    cmdline="bar"
> +    if ! kexec -sl $IMAGE --command-line=$cmdline; then
> +        tst_brk TCONF "kexec failed: $?"
> +    fi
> +
> +    if ! measure "$cmdline"; then
> +        tst_brk TFAIL "kexec cmdline was measured incorrectly"
> +    fi
> +
> +    tst_res TPASS "kexec cmldine was measured correctly"
> +}
> +
> +tst_run


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] IMA: Add test for kexec cmdline measurement
  2020-07-22 14:04 ` Mimi Zohar
@ 2020-07-22 15:03   ` Lachlan Sneff
  0 siblings, 0 replies; 3+ messages in thread
From: Lachlan Sneff @ 2020-07-22 15:03 UTC (permalink / raw)
  To: Mimi Zohar, pvorel, ltp; +Cc: nramas, balajib, linux-integrity

Thank you for the review, Mimi!

On 7/22/20 10:04 AM, Mimi Zohar wrote:
> On Tue, 2020-07-21 at 14:24 -0400, Lachlan Sneff wrote:
>
> <snip>
>
>> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
>> new file mode 100644
>> index 000000000..7d71557ee
>> --- /dev/null
>> +++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
>> @@ -0,0 +1,93 @@
>> +#!/bin/sh
>> +# SPDX-License-Identifier: GPL-2.0-or-later
>> +# Copyright (c) 2020 Microsoft Corporation
>> +# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
>> +#
>> +# Verify that kexec cmdline is measured correctly.
>> +
>> +TST_NEEDS_CMDS="kexec sed xargs printf grep"
>> +TST_CNT=1
>> +TST_NEEDS_DEVICE=1
>> +
>> +. ima_setup.sh
>> +
>> +# Since the test is executed inside some sort of
>> +# separate shell, *most* environment variables are
>> +# not accessible, so there's no way to set it from
>> +# the outside.
>> +#
>> +# `/boot/vmlinuz-$(uname-r)` is where the image is
>> +# located on many systems, but not all. Therefore,
>> +# if the image is not located there, require the
>> +# user to copy it to `/tmp/Image`.
>> +#
>> +# Ideally, this test shouldn't even require an image,
>> +# since it doesn't actually reboot, but the IMA cmdline
>> +# measurement occurs after the image is parsed and verified,
>> +# so we must pass a valid kernel image. There is a possiblity of
>> +# putting together a "faux" kernel image that has the right headers
>> +# and appears to be signed correctly, but doesn't actually contain any
>> +# code, but, after investigating that possiblity, it appears to be
>> +# quite difficult (and would require a new faux kernel for each arch).
> The comment formatting is inconsistent.  Please correct.
Oops, sorry, will fix!
>> +IMAGE="/boot/vmlinuz-$(uname -r)"
>> +if [ ! -f $IMAGE ]; then
>> +    IMAGE="/tmp/Image"
>> +fi
>> +
>> +measure() {
>> +    local found temp_file="file.txt" temp_file2="file2.txt" algorithm \
>> +        digest expected_digest
>> +
>> +    echo -n "$1" > $temp_file
>> +    grep "kexec-cmdline" $ASCII_MEASUREMENTS > $temp_file2
>> +
>> +    while read found
>> +    do
>> +        algorithm=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f1)
>> +        digest=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f2)
>> +
>> +        expected_digest=$(compute_digest $algorithm $temp_file)
>> +
>> +        if [ "$digest" = "$expected_digest" ]; then
>> +            return 0
>> +        fi
>> +    done < $temp_file2
>> +
>> +    return 1
>> +}
>> +
>> +# Test that the kexec cmdline is measured correctly.
>> +# NOTE: This does *not* actually reboot.
>> +test1() {
>> +    # Strip the `BOOT_IMAGE=...` part from the cmdline.
>> +    local cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
>> +    if ! kexec -sl $IMAGE --reuse-cmdline; then
>> +        tst_brk TCONF "kexec failed: $?"
>> +    fi
> Most likely one of the reasons for the kexec to fail is that the
> kernel image isn't properly signed.  How about checking the secure-
> boot status to provide some contextual information.
Good call, I'll add that check if kexec fails. On some of the systems 
that this test
needs to run on, there is no `bootctl` or `mokutil` command, so I'll try 
running one of those
if they exist to check.
>
>> +
>> +    if ! measure "$cmdline"; then
>> +        tst_brk TFAIL "kexec cmdline was measured incorrectly"
>> +    fi
> This assumes that a kexec command line measurement was found.  The
> output needs to differentiate between no measurement and an invalid
> measurement.  In the case that the rule doesn't exist, at that point
> you have a choice of skipping the test or extending the IMA policy.
>
> The kernel kexec selftests checks both the Kconfig and the IMA runtime
> policy.  Different testing infrastructures have different policies
> about basing tests on them.
Okay, I can check if no measurement was found, or if it occurred 
incorrectly.
The kconfig is not available on the systems I need to run this test on, 
so I will read
the ima policy to check if the system is, in fact, set up to measure the 
kexec cmdline.
>> +
>> +    cmdline="foo"
> Wondering if unknown command line options could cause the kexec to
> fail.
I haven't had this fail, what do you suggest?
>
>> +    if ! kexec -sl $IMAGE --append=$cmdline; then
>> +        tst_brk TCONF "kexec failed: $?"
>> +    fi
> Should the first kernel image be unloaded first?
Probably a good thing to do, but it hasn't influenced the test so far.
I assume each kernel is unloaded once another attempts to be loaded.
>
> Mimi
>
>> +
>> +    if ! measure "$cmdline"; then
>> +        tst_brk TFAIL "kexec cmdline was measured incorrectly"
>> +    fi
>> +
>> +    cmdline="bar"
>> +    if ! kexec -sl $IMAGE --command-line=$cmdline; then
>> +        tst_brk TCONF "kexec failed: $?"
>> +    fi
>> +
>> +    if ! measure "$cmdline"; then
>> +        tst_brk TFAIL "kexec cmdline was measured incorrectly"
>> +    fi
>> +
>> +    tst_res TPASS "kexec cmldine was measured correctly"
>> +}
>> +
>> +tst_run

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-21 18:24 [PATCH] IMA: Add test for kexec cmdline measurement Lachlan Sneff
2020-07-22 14:04 ` Mimi Zohar
2020-07-22 15:03   ` Lachlan Sneff

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git