Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH v5 0/4] IMA: kexec cmdline measurement
@ 2020-07-27 22:30 Petr Vorel
  2020-07-27 22:30 ` [PATCH v5 1/4] IMA: Rename helper to require_ima_policy_cmdline Petr Vorel
                   ` (4 more replies)
  0 siblings, 5 replies; 10+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
  To: ltp
  Cc: Petr Vorel, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar,
	balajib, linux-integrity

Hi all,

sending hopefully the last version. In the end I did quite few changes,
thus sending patchset instead of merging without review.

Tested on various setup:
ima_kexec 1 TCONF: IMA policy does not specify '^measure.*func=KEXEC_CMDLINE'
---
ima_kexec 1 TPASS: kexec -s -l /boot/vmlinuz-5.3.13-1-default --append=foo passed as expected
ima_kexec 1 TPASS: kexec cmdline for --append=foo was measured correctly
ima_kexec 2 TPASS: kexec -s -l /boot/vmlinuz-5.3.13-1-default --command-line=bar passed as expected
ima_kexec 2 TPASS: kexec cmdline for --command-line=bar was measured correctly
---
ima_kexec 1 TBROK: kexec failed: kexec_file_load failed: Required key not available
---
ima_kexec 1 TWARN: policy not readable, it might not contain required measure func=KEXEC_CMDLINE
ima_kexec 1 TBROK: unable to find a correct entry for --reuse-cmdline

Kind regards,
Petr

Lachlan Sneff (1):
  IMA: Add test for kexec cmdline measurement

Petr Vorel (3):
  IMA: Rename helper to require_ima_policy_cmdline
  IMA: Add policy related helpers
  IMA/ima_keys.sh: Fix policy readability check

 runtest/ima                                   |   1 +
 .../kernel/security/integrity/ima/README.md   |   8 ++
 .../integrity/ima/datafiles/kexec.policy      |   1 +
 .../integrity/ima/tests/evm_overlay.sh        |   2 +-
 .../security/integrity/ima/tests/ima_kexec.sh | 111 ++++++++++++++++++
 .../security/integrity/ima/tests/ima_keys.sh  |  10 +-
 .../integrity/ima/tests/ima_measurements.sh   |   2 +-
 .../security/integrity/ima/tests/ima_setup.sh |  41 ++++++-
 8 files changed, 164 insertions(+), 12 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/kexec.policy
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh

-- 
2.27.0


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH v5 1/4] IMA: Rename helper to require_ima_policy_cmdline
  2020-07-27 22:30 [PATCH v5 0/4] IMA: kexec cmdline measurement Petr Vorel
@ 2020-07-27 22:30 ` Petr Vorel
  2020-07-27 22:30 ` [PATCH v5 2/4] IMA: Add policy related helpers Petr Vorel
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 10+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
  To: ltp
  Cc: Petr Vorel, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar,
	balajib, linux-integrity

To be clear we check /proc/cmdline. There will be another helper
function require_ima_policy_content().

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
New in v5.

 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh    | 2 +-
 .../kernel/security/integrity/ima/tests/ima_measurements.sh     | 2 +-
 testcases/kernel/security/integrity/ima/tests/ima_setup.sh      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
index ac209e430..9d86778b6 100755
--- a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
+++ b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
@@ -19,7 +19,7 @@ setup()
 	[ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
 	[ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
 
-	check_ima_policy "appraise_tcb"
+	require_ima_policy_cmdline "appraise_tcb"
 
 	lower="$TST_MNTPOINT/lower"
 	upper="$TST_MNTPOINT/upper"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 04d8e6353..9a7500c76 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -15,7 +15,7 @@ TST_NEEDS_DEVICE=1
 
 setup()
 {
-	check_ima_policy "tcb"
+	require_ima_policy_cmdline "tcb"
 
 	TEST_FILE="$PWD/test.txt"
 	POLICY="$IMA_DIR/policy"
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 8ae477c1c..975ce9cbb 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -54,7 +54,7 @@ compute_digest()
 	return 1
 }
 
-check_ima_policy()
+require_ima_policy_cmdline()
 {
 	local policy="$1"
 	local i
-- 
2.27.0


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH v5 2/4] IMA: Add policy related helpers
  2020-07-27 22:30 [PATCH v5 0/4] IMA: kexec cmdline measurement Petr Vorel
  2020-07-27 22:30 ` [PATCH v5 1/4] IMA: Rename helper to require_ima_policy_cmdline Petr Vorel
@ 2020-07-27 22:30 ` Petr Vorel
  2020-07-30 19:50   ` Mimi Zohar
  2020-07-27 22:30 ` [PATCH v5 3/4] IMA/ima_keys.sh: Fix policy readability check Petr Vorel
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 10+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
  To: ltp
  Cc: Petr Vorel, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar,
	balajib, linux-integrity

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
New in v5.

 .../security/integrity/ima/tests/ima_setup.sh | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 975ce9cbb..c46f273ab 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -54,6 +54,45 @@ compute_digest()
 	return 1
 }
 
+check_policy_readable()
+{
+	if [ -f $IMA_POLICY ]; then
+		tst_res TINFO "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)"
+		return 1
+	fi
+	cat $IMA_POLICY > /dev/null 2>/dev/null
+}
+
+require_policy_readable()
+{
+	if [ -f $IMA_POLICY ]; then
+		tst_brk TCONF "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)"
+	fi
+	if ! check_policy_readable; then
+		tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
+	fi
+}
+
+check_ima_policy_content()
+{
+	local pattern="$1"
+	local grep_params="${2--q}"
+
+	check_policy_readable || return 1
+	grep $grep_params "$pattern" $IMA_POLICY
+}
+
+require_ima_policy_content()
+{
+	local pattern="$1"
+	local grep_params="${2--q}"
+
+	require_policy_readable
+	if ! grep $grep_params "$pattern" $IMA_POLICY; then
+		tst_brk TCONF "IMA policy does not specify '$pattern'"
+	fi
+}
+
 require_ima_policy_cmdline()
 {
 	local policy="$1"
-- 
2.27.0


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH v5 3/4] IMA/ima_keys.sh: Fix policy readability check
  2020-07-27 22:30 [PATCH v5 0/4] IMA: kexec cmdline measurement Petr Vorel
  2020-07-27 22:30 ` [PATCH v5 1/4] IMA: Rename helper to require_ima_policy_cmdline Petr Vorel
  2020-07-27 22:30 ` [PATCH v5 2/4] IMA: Add policy related helpers Petr Vorel
@ 2020-07-27 22:30 ` Petr Vorel
  2020-07-27 22:30 ` [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement Petr Vorel
  2020-07-30 20:03 ` [PATCH v5 0/4] IMA: " Mimi Zohar
  4 siblings, 0 replies; 10+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
  To: ltp
  Cc: Petr Vorel, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar,
	balajib, linux-integrity

Using a proper check with cat, because file attributes were fixed in
ffb122de9a60 ("ima: Reflect correct permissions for policy") in v4.18.

Fixes: d2768c84e ("IMA: Add a test to verify measurement of keys")

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Changes v4->v5:
* use require_ima_policy_content
* moved helper function to previous commit

 .../kernel/security/integrity/ima/tests/ima_keys.sh    | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 2f6c2b027..5a77deec1 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -19,15 +19,7 @@ test1()
 
 	tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
 
-	[ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY"
-
-	[ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
-
-	keycheck_lines=$(grep "func=KEY_CHECK" $IMA_POLICY)
-	if [ -z "$keycheck_lines" ]; then
-		tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\""
-	fi
-
+	keycheck_lines=$(require_ima_policy_content "func=KEY_CHECK" "")
 	keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
 
 	if [ -z "$keycheck_line" ]; then
-- 
2.27.0


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement
  2020-07-27 22:30 [PATCH v5 0/4] IMA: kexec cmdline measurement Petr Vorel
                   ` (2 preceding siblings ...)
  2020-07-27 22:30 ` [PATCH v5 3/4] IMA/ima_keys.sh: Fix policy readability check Petr Vorel
@ 2020-07-27 22:30 ` Petr Vorel
  2020-07-27 22:42   ` Lachlan Sneff
  2020-07-30 20:03 ` [PATCH v5 0/4] IMA: " Mimi Zohar
  4 siblings, 1 reply; 10+ messages in thread
From: Petr Vorel @ 2020-07-27 22:30 UTC (permalink / raw)
  To: ltp
  Cc: Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, balajib,
	linux-integrity, Petr Vorel, Mimi Zohar

From: Lachlan Sneff <t-josne@linux.microsoft.com>

IMA policy can be set to measure the command line passed in the kexec
system call. Add a testcase that verifies that the IMA subsystem
correctly measure the cmdline specified during a kexec.

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
[ pvorel: improved setup, various LTP API cleanup ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Changes v4->v5:

* added kexec.policy, please check it (for lazy people, I still plan
some automatic mechanism for loading policies on CONFIG_IMA_WRITE_POLICY)

* rewritten checks in setup:
  - simplify secure boot bootctl verification
  - try dmesg when bootctl not available
  - check on failure also ^appraise.*func=KEXEC_KERNEL_CHECK policy
  - improve logic for func=KEXEC_CMDLINE check (instead of requiring
	policy to be readable check only when readable, otherwise TWARN, ...)
  - TWARN on failures in setup => TWARN is kind of error as it exit with
	non-zero, but these cases are failures thus don't hide them)

* added cleanup commit (adding helpers)

* various LTP API cleanup:
  - added setup into separate function
  - reuse test code with kexec_test()

Kind regards,
Petr

 runtest/ima                                   |   1 +
 .../kernel/security/integrity/ima/README.md   |   8 ++
 .../integrity/ima/datafiles/kexec.policy      |   1 +
 .../security/integrity/ima/tests/ima_kexec.sh | 111 ++++++++++++++++++
 4 files changed, 121 insertions(+)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/kexec.policy
 create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh

diff --git a/runtest/ima b/runtest/ima
index 309d47420..5f4b4a7a1 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -4,4 +4,5 @@ ima_policy ima_policy.sh
 ima_tpm ima_tpm.sh
 ima_violations ima_violations.sh
 ima_keys ima_keys.sh
+ima_kexec ima_kexec.sh
 evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 732cd912f..d4644ba39 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -36,6 +36,14 @@ CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
 
 Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
 
+### IMA kexec test
+
+`ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
+see example in `kexec.policy`.
+
+The test attempts to kexec the existing running kernel image.
+To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
+
 ## EVM tests
 
 `evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
new file mode 100644
index 000000000..58d66369e
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
@@ -0,0 +1 @@
+measure func=KEXEC_CMDLINE
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
new file mode 100755
index 000000000..fbad9b425
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2020 Microsoft Corporation
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
+#
+# Verify that kexec cmdline is measured correctly.
+# Test attempts to kexec the existing running kernel image.
+# To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
+
+TST_NEEDS_CMDS="grep kexec sed"
+TST_CNT=2
+TST_NEEDS_DEVICE=1
+TST_SETUP="setup"
+
+. ima_setup.sh
+
+IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}"
+
+measure()
+{
+	local cmdline="$1"
+	local algorithm digest expected_digest found
+
+	printf "$cmdline" > file1
+	grep "kexec-cmdline" $ASCII_MEASUREMENTS > file2
+
+	while read found
+	do
+		algorithm=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f1)
+		digest=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f2)
+
+		expected_digest=$(compute_digest $algorithm file1)
+
+		if [ "$digest" = "$expected_digest" ]; then
+			return 0
+		fi
+	done < file2
+
+	return 1
+}
+
+setup()
+{
+	local cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
+	local res=TBROK
+	local sb_enabled
+
+	if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
+		tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"
+	fi
+
+	if check_policy_readable; then
+		require_ima_policy_content '^measure.*func=KEXEC_CMDLINE'
+		res=TFAIL
+	fi
+
+	tst_res TINFO "loading kernel $IMA_KEXEC_IMAGE, cmdline: $cmdline"
+	if kexec -s -l $IMA_KEXEC_IMAGE --reuse-cmdline 2>err; then
+		ROD kexec -su
+		if ! measure "$cmdline"; then
+			if [ "$res" = TBROK ]; then
+				tst_res TWARN "policy not readable, it might not contain required measure func=KEXEC_CMDLINE"
+			fi
+			tst_brk $res "unable to find a correct entry for --reuse-cmdline"
+		fi
+		return
+	fi
+
+	if tst_cmd_available bootctl; then
+		if bootctl status 2>/dev/null | grep -qi 'Secure Boot: enabled'; then
+			sb_enabled=1
+		fi
+	elif tst_cmd_available dmesg; then
+		if dmesg | grep -qi 'Secure boot enabled'; then
+			sb_enabled=1
+		fi
+	fi
+	if [ "$sb_enabled" ]; then
+		tst_res TWARN "secure boot is enabled, kernel image may not be signed"
+	fi
+
+	if check_ima_policy_content '^appraise.*func=KEXEC_KERNEL_CHECK'; then
+		tst_res TWARN "'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not be signed"
+	fi
+
+	tst_brk TBROK "kexec failed: $(cat err)"
+}
+
+kexec_test()
+{
+	local cmdline="$1"
+	local param="$2"
+
+	EXPECT_PASS_BRK kexec -s -l $IMA_KEXEC_IMAGE $param=$cmdline
+	ROD kexec -su
+	if ! measure "$cmdline"; then
+		tst_brk TFAIL "unable to find a correct entry for $param=$cmdline"
+	fi
+	tst_res TPASS "kexec cmdline for $param=$cmdline was measured correctly"
+}
+
+test()
+{
+	case $1 in
+	1) kexec_test 'foo' '--append';;
+	2) kexec_test 'bar' '--command-line';;
+	esac
+}
+
+tst_run
-- 
2.27.0


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement
  2020-07-27 22:30 ` [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement Petr Vorel
@ 2020-07-27 22:42   ` Lachlan Sneff
  2020-07-27 23:13     ` Petr Vorel
  0 siblings, 1 reply; 10+ messages in thread
From: Lachlan Sneff @ 2020-07-27 22:42 UTC (permalink / raw)
  To: Petr Vorel, ltp
  Cc: Lakshmi Ramasubramanian, Mimi Zohar, balajib, linux-integrity,
	Mimi Zohar

Hi Petr,

This patch removes the test of the `--reuse-cmdline` option of kexec.
Go ahead and merge this, and then I'll post a patch that adds 
`--reuse-cmdline` back.

Thank you,
Lachlan

On 7/27/20 6:30 PM, Petr Vorel wrote:
> From: Lachlan Sneff <t-josne@linux.microsoft.com>
>
> IMA policy can be set to measure the command line passed in the kexec
> system call. Add a testcase that verifies that the IMA subsystem
> correctly measure the cmdline specified during a kexec.
>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
> [ pvorel: improved setup, various LTP API cleanup ]
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> Changes v4->v5:
>
> * added kexec.policy, please check it (for lazy people, I still plan
> some automatic mechanism for loading policies on CONFIG_IMA_WRITE_POLICY)
>
> * rewritten checks in setup:
>    - simplify secure boot bootctl verification
>    - try dmesg when bootctl not available
>    - check on failure also ^appraise.*func=KEXEC_KERNEL_CHECK policy
>    - improve logic for func=KEXEC_CMDLINE check (instead of requiring
> 	policy to be readable check only when readable, otherwise TWARN, ...)
>    - TWARN on failures in setup => TWARN is kind of error as it exit with
> 	non-zero, but these cases are failures thus don't hide them)
>
> * added cleanup commit (adding helpers)
>
> * various LTP API cleanup:
>    - added setup into separate function
>    - reuse test code with kexec_test()
>
> Kind regards,
> Petr
>
>   runtest/ima                                   |   1 +
>   .../kernel/security/integrity/ima/README.md   |   8 ++
>   .../integrity/ima/datafiles/kexec.policy      |   1 +
>   .../security/integrity/ima/tests/ima_kexec.sh | 111 ++++++++++++++++++
>   4 files changed, 121 insertions(+)
>   create mode 100644 testcases/kernel/security/integrity/ima/datafiles/kexec.policy
>   create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
>
> diff --git a/runtest/ima b/runtest/ima
> index 309d47420..5f4b4a7a1 100644
> --- a/runtest/ima
> +++ b/runtest/ima
> @@ -4,4 +4,5 @@ ima_policy ima_policy.sh
>   ima_tpm ima_tpm.sh
>   ima_violations ima_violations.sh
>   ima_keys ima_keys.sh
> +ima_kexec ima_kexec.sh
>   evm_overlay evm_overlay.sh
> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
> index 732cd912f..d4644ba39 100644
> --- a/testcases/kernel/security/integrity/ima/README.md
> +++ b/testcases/kernel/security/integrity/ima/README.md
> @@ -36,6 +36,14 @@ CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
>   
>   Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
>   
> +### IMA kexec test
> +
> +`ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
> +see example in `kexec.policy`.
> +
> +The test attempts to kexec the existing running kernel image.
> +To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
> +
>   ## EVM tests
>   
>   `evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
> diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
> new file mode 100644
> index 000000000..58d66369e
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/datafiles/kexec.policy
> @@ -0,0 +1 @@
> +measure func=KEXEC_CMDLINE
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> new file mode 100755
> index 000000000..fbad9b425
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> @@ -0,0 +1,111 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +# Copyright (c) 2020 Microsoft Corporation
> +# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
> +# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
> +#
> +# Verify that kexec cmdline is measured correctly.
> +# Test attempts to kexec the existing running kernel image.
> +# To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
> +
> +TST_NEEDS_CMDS="grep kexec sed"
> +TST_CNT=2
> +TST_NEEDS_DEVICE=1
> +TST_SETUP="setup"
> +
> +. ima_setup.sh
> +
> +IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}"
> +
> +measure()
> +{
> +	local cmdline="$1"
> +	local algorithm digest expected_digest found
> +
> +	printf "$cmdline" > file1
> +	grep "kexec-cmdline" $ASCII_MEASUREMENTS > file2
> +
> +	while read found
> +	do
> +		algorithm=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f1)
> +		digest=$(echo "$found" | cut -d' ' -f4 | cut -d':' -f2)
> +
> +		expected_digest=$(compute_digest $algorithm file1)
> +
> +		if [ "$digest" = "$expected_digest" ]; then
> +			return 0
> +		fi
> +	done < file2
> +
> +	return 1
> +}
> +
> +setup()
> +{
> +	local cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
> +	local res=TBROK
> +	local sb_enabled
> +
> +	if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
> +		tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"
> +	fi
> +
> +	if check_policy_readable; then
> +		require_ima_policy_content '^measure.*func=KEXEC_CMDLINE'
> +		res=TFAIL
> +	fi
> +
> +	tst_res TINFO "loading kernel $IMA_KEXEC_IMAGE, cmdline: $cmdline"
> +	if kexec -s -l $IMA_KEXEC_IMAGE --reuse-cmdline 2>err; then
> +		ROD kexec -su
> +		if ! measure "$cmdline"; then
> +			if [ "$res" = TBROK ]; then
> +				tst_res TWARN "policy not readable, it might not contain required measure func=KEXEC_CMDLINE"
> +			fi
> +			tst_brk $res "unable to find a correct entry for --reuse-cmdline"
> +		fi
> +		return
> +	fi
> +
> +	if tst_cmd_available bootctl; then
> +		if bootctl status 2>/dev/null | grep -qi 'Secure Boot: enabled'; then
> +			sb_enabled=1
> +		fi
> +	elif tst_cmd_available dmesg; then
> +		if dmesg | grep -qi 'Secure boot enabled'; then
> +			sb_enabled=1
> +		fi
> +	fi
> +	if [ "$sb_enabled" ]; then
> +		tst_res TWARN "secure boot is enabled, kernel image may not be signed"
> +	fi
> +
> +	if check_ima_policy_content '^appraise.*func=KEXEC_KERNEL_CHECK'; then
> +		tst_res TWARN "'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not be signed"
> +	fi
> +
> +	tst_brk TBROK "kexec failed: $(cat err)"
> +}
> +
> +kexec_test()
> +{
> +	local cmdline="$1"
> +	local param="$2"
> +
> +	EXPECT_PASS_BRK kexec -s -l $IMA_KEXEC_IMAGE $param=$cmdline
> +	ROD kexec -su
> +	if ! measure "$cmdline"; then
> +		tst_brk TFAIL "unable to find a correct entry for $param=$cmdline"
> +	fi
> +	tst_res TPASS "kexec cmdline for $param=$cmdline was measured correctly"
> +}
> +
> +test()
> +{
> +	case $1 in
> +	1) kexec_test 'foo' '--append';;
> +	2) kexec_test 'bar' '--command-line';;
> +	esac
> +}
> +
> +tst_run


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement
  2020-07-27 22:42   ` Lachlan Sneff
@ 2020-07-27 23:13     ` Petr Vorel
  0 siblings, 0 replies; 10+ messages in thread
From: Petr Vorel @ 2020-07-27 23:13 UTC (permalink / raw)
  To: Lachlan Sneff
  Cc: ltp, Lakshmi Ramasubramanian, Mimi Zohar, balajib,
	linux-integrity, Mimi Zohar

Hi Lachlan,

> This patch removes the test of the `--reuse-cmdline` option of kexec.
> Go ahead and merge this, and then I'll post a patch that adds
> `--reuse-cmdline` back.
Thanks for the report, I'll send v6.

Kind regards,
Petr

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v5 2/4] IMA: Add policy related helpers
  2020-07-27 22:30 ` [PATCH v5 2/4] IMA: Add policy related helpers Petr Vorel
@ 2020-07-30 19:50   ` Mimi Zohar
  2020-07-31  5:26     ` Petr Vorel
  0 siblings, 1 reply; 10+ messages in thread
From: Mimi Zohar @ 2020-07-30 19:50 UTC (permalink / raw)
  To: Petr Vorel, ltp
  Cc: Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, balajib,
	linux-integrity

On Tue, 2020-07-28 at 00:30 +0200, Petr Vorel wrote:
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Other than inverting the [ -f $IMA_POLICY ] tests.

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---
> New in v5.
> 
>  .../security/integrity/ima/tests/ima_setup.sh | 39 +++++++++++++++++++
>  1 file changed, 39 insertions(+)
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> index 975ce9cbb..c46f273ab 100644
> --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -54,6 +54,45 @@ compute_digest()
>  	return 1
>  }
>  
> +check_policy_readable()
> +{
> +	if [ -f $IMA_POLICY ]; then
> +		tst_res TINFO "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)"
> +		return 1
> +	fi
> +	cat $IMA_POLICY > /dev/null 2>/dev/null
> +}
> +
> +require_policy_readable()
> +{
> +	if [ -f $IMA_POLICY ]; then
> +		tst_brk TCONF "missing $IMA_POLICY (reboot or CONFIG_IMA_WRITE_POLICY=y required)"
> +	fi
> +	if ! check_policy_readable; then
> +		tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
> +	fi
> +}
> +
> +check_ima_policy_content()
> +{
> +	local pattern="$1"
> +	local grep_params="${2--q}"
> +
> +	check_policy_readable || return 1
> +	grep $grep_params "$pattern" $IMA_POLICY
> +}
> +
> +require_ima_policy_content()
> +{
> +	local pattern="$1"
> +	local grep_params="${2--q}"
> +
> +	require_policy_readable
> +	if ! grep $grep_params "$pattern" $IMA_POLICY; then
> +		tst_brk TCONF "IMA policy does not specify '$pattern'"
> +	fi
> +}
> +
>  require_ima_policy_cmdline()
>  {
>  	local policy="$1"


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v5 0/4] IMA: kexec cmdline measurement
  2020-07-27 22:30 [PATCH v5 0/4] IMA: kexec cmdline measurement Petr Vorel
                   ` (3 preceding siblings ...)
  2020-07-27 22:30 ` [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement Petr Vorel
@ 2020-07-30 20:03 ` Mimi Zohar
  4 siblings, 0 replies; 10+ messages in thread
From: Mimi Zohar @ 2020-07-30 20:03 UTC (permalink / raw)
  To: Petr Vorel, ltp
  Cc: Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, balajib,
	linux-integrity

On Tue, 2020-07-28 at 00:30 +0200, Petr Vorel wrote:
> Hi all,
> 
> sending hopefully the last version. In the end I did quite few changes,
> thus sending patchset instead of merging without review.

Nice! Thank you.

Mimi

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v5 2/4] IMA: Add policy related helpers
  2020-07-30 19:50   ` Mimi Zohar
@ 2020-07-31  5:26     ` Petr Vorel
  0 siblings, 0 replies; 10+ messages in thread
From: Petr Vorel @ 2020-07-31  5:26 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: ltp, Lachlan Sneff, Lakshmi Ramasubramanian, Mimi Zohar, balajib,
	linux-integrity

Hi Mimi,

> Other than inverting the [ -f $IMA_POLICY ] tests.
Thanks for catching obvious error! Coding late night...

Kind regards,
Petr

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, back to index

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-27 22:30 [PATCH v5 0/4] IMA: kexec cmdline measurement Petr Vorel
2020-07-27 22:30 ` [PATCH v5 1/4] IMA: Rename helper to require_ima_policy_cmdline Petr Vorel
2020-07-27 22:30 ` [PATCH v5 2/4] IMA: Add policy related helpers Petr Vorel
2020-07-30 19:50   ` Mimi Zohar
2020-07-31  5:26     ` Petr Vorel
2020-07-27 22:30 ` [PATCH v5 3/4] IMA/ima_keys.sh: Fix policy readability check Petr Vorel
2020-07-27 22:30 ` [PATCH v5 4/4] IMA: Add test for kexec cmdline measurement Petr Vorel
2020-07-27 22:42   ` Lachlan Sneff
2020-07-27 23:13     ` Petr Vorel
2020-07-30 20:03 ` [PATCH v5 0/4] IMA: " Mimi Zohar

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git