* [PATCH v5 0/2] IMA: Verify measurement of certificates
@ 2020-07-14 18:17 Lachlan Sneff
2020-07-14 18:17 ` [PATCH v5 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff
2020-07-14 18:17 ` [PATCH v5 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff
0 siblings, 2 replies; 4+ messages in thread
From: Lachlan Sneff @ 2020-07-14 18:17 UTC (permalink / raw)
To: zohar, pvorel, ltp; +Cc: nramas, balajib, linux-integrity
The IMA subsystem is capable of importing and measuring certificates. This
set of patches adds tests for verifying that keys are imported and measured
correctly.
Changelog:
v5
- Fix failure case of key measurement test.
v4
- Clarify documentation about required certificate.
- Fix case where multiple KEY_CHECK rules are present.
v3
- Document requirements for running the ima key tests and provide resources
for generating keys.
v2
- Un-linebreak a few strings
- Enforce that some commands are available before running
- Move compute_digest function to ima_setup.sh
- Fix file permissions on ima_key.sh
- Move IMA_POLICY variable to ima_setup.sh
- Add keycheck.policy datafile
v1
- The following patchsets should be applied in that order.
- Add tests that verify measurement of keys and importing certificates.
Lachlan Sneff (2):
IMA: Add a test to verify measurment of keys
IMA: Add a test to verify importing a certificate into keyring
runtest/ima | 1 +
.../kernel/security/integrity/ima/README.md | 22 ++++
.../integrity/ima/datafiles/keycheck.policy | 1 +
.../security/integrity/ima/tests/ima_keys.sh | 111 ++++++++++++++++++
.../integrity/ima/tests/ima_measurements.sh | 36 +-----
.../integrity/ima/tests/ima_policy.sh | 1 -
.../security/integrity/ima/tests/ima_setup.sh | 35 ++++++
7 files changed, 171 insertions(+), 36 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keycheck.policy
create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_keys.sh
--
2.25.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v5 1/2] IMA: Add a test to verify measurment of keys
2020-07-14 18:17 [PATCH v5 0/2] IMA: Verify measurement of certificates Lachlan Sneff
@ 2020-07-14 18:17 ` Lachlan Sneff
2020-07-15 13:00 ` Petr Vorel
2020-07-14 18:17 ` [PATCH v5 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff
1 sibling, 1 reply; 4+ messages in thread
From: Lachlan Sneff @ 2020-07-14 18:17 UTC (permalink / raw)
To: zohar, pvorel, ltp; +Cc: nramas, balajib, linux-integrity
Add a testcase that verifies that the IMA subsystem has correctly
measured keys added to keyrings specified in the IMA policy file.
Additionally, add support for handling a new IMA template descriptor,
namely ima-buf[1], in the IMA measurement tests.
[1]: https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
---
runtest/ima | 1 +
.../integrity/ima/datafiles/keycheck.policy | 1 +
.../security/integrity/ima/tests/ima_keys.sh | 71 +++++++++++++++++++
.../integrity/ima/tests/ima_measurements.sh | 36 +---------
.../integrity/ima/tests/ima_policy.sh | 1 -
.../security/integrity/ima/tests/ima_setup.sh | 35 +++++++++
6 files changed, 109 insertions(+), 36 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keycheck.policy
create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_keys.sh
diff --git a/runtest/ima b/runtest/ima
index f3ea88cf0..309d47420 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -3,4 +3,5 @@ ima_measurements ima_measurements.sh
ima_policy ima_policy.sh
ima_tpm ima_tpm.sh
ima_violations ima_violations.sh
+ima_keys ima_keys.sh
evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy
new file mode 100644
index 000000000..3f1934a3d
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy
@@ -0,0 +1 @@
+measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
new file mode 100755
index 000000000..4d53cd04f
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2020 Microsoft Corporation
+# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
+#
+# Verify that keys are measured correctly based on policy.
+
+TST_NEEDS_CMDS="grep mktemp cut sed tr"
+TST_CNT=1
+TST_NEEDS_DEVICE=1
+
+. ima_setup.sh
+
+# Based on https://lkml.org/lkml/2019/12/13/564.
+# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
+test1()
+{
+ local keyrings keycheck_lines keycheck_line templates test_file="file.txt" fail
+
+ tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
+
+ [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY"
+
+ [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
+
+ keycheck_lines=$(grep "func=KEY_CHECK" $IMA_POLICY)
+ if [ -z "$keycheck_lines" ]; then
+ tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\""
+ fi
+
+ keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
+
+ if [ -z "$keycheck_line" ]; then
+ tst_brk TCONF "ima policy does not specify a keyrings to check"
+ fi
+
+ keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
+ sed "s/\./\\\./g" | cut -d'=' -f2)
+ if [ -z "$keyrings" ]; then
+ tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings"
+ fi
+
+ templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
+ cut -d'=' -f2)
+
+ grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line
+ do
+ local digest expected_digest algorithm
+
+ digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2)
+ algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1)
+ keyring=$(echo "$line" | cut -d' ' -f5)
+
+ echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
+
+ expected_digest="$(compute_digest $algorithm $test_file)" || \
+ tst_brk TCONF "cannot compute digest for $algorithm"
+
+ if [ "$digest" != "$expected_digest" ]; then
+ fail=1
+ tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
+ break
+ fi
+ done
+
+ if [ "$fail" ]; then
+ tst_res TPASS "specified keyrings were measured correctly"
+ fi
+}
+
+tst_run
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 54237d688..04d8e6353 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -28,7 +28,7 @@ setup()
# parse digest index
# https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
case "$template" in
- ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
+ ima|ima-ng|ima-sig|ima-buf) DIGEST_INDEX=4 ;;
*)
# using ima_template_fmt kernel parameter
local IFS="|"
@@ -46,40 +46,6 @@ setup()
"Cannot find digest index (template: '$template')"
}
-# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
-compute_digest()
-{
- local algorithm="$1"
- local file="$2"
- local digest
-
- digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')"
- if [ -n "$digest" ]; then
- echo "$digest"
- return 0
- fi
-
- digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')"
- if [ -n "$digest" ]; then
- echo "$digest"
- return 0
- fi
-
- # uncommon ciphers
- local arg="$algorithm"
- case "$algorithm" in
- tgr192) arg="tiger" ;;
- wp512) arg="whirlpool" ;;
- esac
-
- digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')"
- if [ -n "$digest" ]; then
- echo "$digest"
- return 0
- fi
- return 1
-}
-
ima_check()
{
local delimiter=':'
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
index 6286277b4..244cf081d 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh
@@ -23,7 +23,6 @@ check_policy_writable()
setup()
{
- IMA_POLICY="$IMA_DIR/policy"
check_policy_writable
VALID_POLICY="$TST_DATAROOT/measure.policy"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 58a12eda3..8ae477c1c 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -20,6 +20,40 @@ SYSFS="/sys"
UMOUNT=
TST_FS_TYPE="ext3"
+# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
+compute_digest()
+{
+ local algorithm="$1"
+ local file="$2"
+ local digest
+
+ digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')"
+ if [ -n "$digest" ]; then
+ echo "$digest"
+ return 0
+ fi
+
+ digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')"
+ if [ -n "$digest" ]; then
+ echo "$digest"
+ return 0
+ fi
+
+ # uncommon ciphers
+ local arg="$algorithm"
+ case "$algorithm" in
+ tgr192) arg="tiger" ;;
+ wp512) arg="whirlpool" ;;
+ esac
+
+ digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')"
+ if [ -n "$digest" ]; then
+ echo "$digest"
+ return 0
+ fi
+ return 1
+}
+
check_ima_policy()
{
local policy="$1"
@@ -85,6 +119,7 @@ ima_setup()
[ -d "$IMA_DIR" ] || tst_brk TCONF "IMA not enabled in kernel"
ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements"
BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
+ IMA_POLICY="$IMA_DIR/policy"
print_ima_config
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v5 2/2] IMA: Add a test to verify importing a certificate into keyring
2020-07-14 18:17 [PATCH v5 0/2] IMA: Verify measurement of certificates Lachlan Sneff
2020-07-14 18:17 ` [PATCH v5 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff
@ 2020-07-14 18:17 ` Lachlan Sneff
1 sibling, 0 replies; 4+ messages in thread
From: Lachlan Sneff @ 2020-07-14 18:17 UTC (permalink / raw)
To: zohar, pvorel, ltp; +Cc: nramas, balajib, linux-integrity
Add an IMA measurement test that verifies that an x509 certificate
can be imported into the .ima keyring and measured correctly.
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
---
.../kernel/security/integrity/ima/README.md | 22 ++++++++++
.../security/integrity/ima/tests/ima_keys.sh | 44 ++++++++++++++++++-
2 files changed, 64 insertions(+), 2 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 16a1f48c3..9e6790306 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -16,6 +16,28 @@ CONFIG_INTEGRITY=y
CONFIG_IMA=y
```
+IMA Key Import test
+-------------
+`ima_keys.sh` requires an x509 certificate to be signed by a key on one
+of the trusted keyrings. The x509 certificate must be placed at
+`/etc/keys/x509_ima.der` for this test or the path must be passed in
+the CERT_FILE env var.
+
+The x509 public key key must be signed by the private key you generate.
+Follow these instructions:
+https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys.
+
+The test cannot be set-up automatically because the x509 public key must be
+built into the kernel and loaded onto a trusted keyring.
+
+As well as what's required for the IMA tests, the following are also required
+in the kernel configuration:
+```
+CONFIG_IMA_READ_POLICY=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
+```
+
EVM tests
---------
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 4d53cd04f..c10427481 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -5,10 +5,12 @@
#
# Verify that keys are measured correctly based on policy.
-TST_NEEDS_CMDS="grep mktemp cut sed tr"
-TST_CNT=1
+TST_NEEDS_CMDS="grep mktemp cut sed tr xxd keyctl evmctl openssl cmp"
+TST_CNT=2
TST_NEEDS_DEVICE=1
+CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}"
+
. ima_setup.sh
# Based on https://lkml.org/lkml/2019/12/13/564.
@@ -68,4 +70,42 @@ test1()
fi
}
+
+# Test that a cert can be imported into the ".ima" keyring correctly.
+test2() {
+ local keyring_id key_id test_file="file.txt"
+
+ [ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE"
+
+ if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then
+ tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate"
+ fi
+
+ tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)"
+
+ keyring_id=$(keyctl describe %:.ima | cut -d' ' -f2 | tr -d ':') || \
+ tst_btk TCONF "unable to retrieve .ima keyring id"
+
+ if ! tst_is_num "$keyring_id"; then
+ tst_brk TCONF "unable to parse keyring id from keyring"
+ fi
+
+ evmctl import $CERT_FILE "$keyring_id" > /dev/null || \
+ tst_brk TCONF "unable to import a cert into the .ima keyring"
+
+ grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \
+ xxd -r -p > $test_file || \
+ tst_brk TCONF "cert not found in ascii_runtime_measurements log"
+
+ if ! openssl x509 -in $test_file -inform der > /dev/null; then
+ tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate"
+ fi
+
+ if cmp -s "$test_file" $CERT_FILE; then
+ tst_res TPASS "logged cert matches original cert"
+ else
+ tst_res TFAIL "logged cert does not match original cert"
+ fi
+}
+
tst_run
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v5 1/2] IMA: Add a test to verify measurment of keys
2020-07-14 18:17 ` [PATCH v5 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff
@ 2020-07-15 13:00 ` Petr Vorel
0 siblings, 0 replies; 4+ messages in thread
From: Petr Vorel @ 2020-07-15 13:00 UTC (permalink / raw)
To: Lachlan Sneff; +Cc: zohar, ltp, nramas, balajib, linux-integrity
Hi Lachlan, Mimi,
> Add a testcase that verifies that the IMA subsystem has correctly
> measured keys added to keyrings specified in the IMA policy file.
> Additionally, add support for handling a new IMA template descriptor,
> namely ima-buf[1], in the IMA measurement tests.
To speedup things, based on Mimi's comments and review of v4 I pushed this first
commit with few changes (below diff, only ima_keys.sh part)
* simplify error handling ($fail is not needed; I used tst_res and return
because there will be second test, otherwise I'd use tst_brk)
* added modified docs into this commit
* fix commit title
TODO
* I'll send a patch to read CONFIG_IMA_X509_PATH (I've amended the commit
already enough)
* @Lachlan: expect you send another version for test2.
* @Lachlan: would you also implement Mimi's suggestion? [1]:
An additional test might be to verify that only the keys in the
measurement list are actually on the specified keyring and nothing
else.
Kind regards,
Petr
[1] http://lists.linux.it/pipermail/ltp/2020-July/018018.html
diff --git testcases/kernel/security/integrity/ima/tests/ima_keys.sh testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 4d53cd04f..904b7515b 100755
--- testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -15,7 +15,7 @@ TST_NEEDS_DEVICE=1
# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
test1()
{
- local keyrings keycheck_lines keycheck_line templates test_file="file.txt" fail
+ local keyrings keycheck_lines keycheck_line templates test_file="file.txt"
tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
@@ -57,15 +57,12 @@ test1()
tst_brk TCONF "cannot compute digest for $algorithm"
if [ "$digest" != "$expected_digest" ]; then
- fail=1
tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
- break
+ return
fi
done
- if [ "$fail" ]; then
- tst_res TPASS "specified keyrings were measured correctly"
- fi
+ tst_res TPASS "specified keyrings were measured correctly"
}
tst_run
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-07-15 13:00 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-14 18:17 [PATCH v5 0/2] IMA: Verify measurement of certificates Lachlan Sneff
2020-07-14 18:17 ` [PATCH v5 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff
2020-07-15 13:00 ` Petr Vorel
2020-07-14 18:17 ` [PATCH v5 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).