[LTP] [RFC PATCH 0/2] IMA: Rewrite tests into new API + fixes
Mimi Zohar
zohar@linux.vnet.ibm.com
Tue Feb 6 14:19:19 CET 2018
On Fri, 2018-01-26 at 14:16 +0100, Cyril Hrubis wrote:
> Hi!
> > > For the new template format measurement lists, walking the measurement
> > > list, re-calculating the PCRs and comparing them with the HW or vTPM
> > > PCRs fail. The ima-evm-utils package has a working version. Invoke
> > > "evmctl" with the "ima_measurement" option.
> > So you mean that src/ima_measure.c is broken and should be replaced by evmctl from your
> > repository on sf.net [4]? Fortunately this package is on all major distros [5] (except
> > Debian, but Ubuntu package is installable on Debian), so we don't need to include your
> > repository as submodule.
>
> Well if the package is included in major distributions we may as well just
> state the dependency in the README and TCONF the test if it's not
> installed.
I've cleaned up "evmctl ima_measurement" a bit, so that there are
different levels of output. The default is to just return errors.
Verbose (-v) returns the keys used in the verification, the calculated
PCR and the HW PCR. Verbose+ (-v -v) includes the measurement list as
well.
example:
$ sudo src/evmctl ima_measurement -k "/etc/keys/ima/distro-cert-6e6c1046.der,
/etc/keys/ima/app-cert-c4e2426e.der, /etc/keys/ima/local-cert-14c2d147.der"
-v /sys/kernel/security/ima/binary_runtime_measurements
key 1: 6e6c1046 /etc/keys/ima/distro-cert-6e6c1046.der
key 2: c4e2426e /etc/keys/ima/app-cert-c4e2426e.der
key 3: 14c2d147 /etc/keys/ima/local-cert-14c2d147.der
PCRAgg 10: a19dfba0ac6eef26cb342470374b0808aea80a12
HW PCR-10: a19dfba0ac6eef26cb342470374b0808aea80a12
The patches for this version are in the next branch.
Mimi
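
The check discussed in this message (walk the measurement list, recompute the PCR, compare it with the HW PCR), as an added example that is not part of the original mail and is not evmctl's code. It assumes an ima-ng list, the SHA-1 bank and little-endian fields; parse_entries, pcr_aggregate, make_entry and SAMPLE are hypothetical names, and the sample list is constructed.

```python
import hashlib
import struct

SHA1_LEN = 20  # SHA-1 PCR bank, matching the 40-hex-digit values in the output above

def parse_entries(blob):
    """Yield (pcr_index, template_digest, template_name, template_data)."""
    off = 0
    while off < len(blob):
        pcr_index, = struct.unpack_from("<I", blob, off)  # assumption: little-endian
        digest = blob[off + 4:off + 4 + SHA1_LEN]
        name_len, = struct.unpack_from("<I", blob, off + 4 + SHA1_LEN)
        off += 8 + SHA1_LEN
        name = blob[off:off + name_len].decode()
        data_len, = struct.unpack_from("<I", blob, off + name_len)
        off += name_len + 4
        data = blob[off:off + data_len]
        if len(data) != data_len:
            raise ValueError("truncated measurement list")
        off += data_len
        yield pcr_index, digest, name, data

def pcr_aggregate(blob, pcr_index=10):
    """Replay the list; return (aggregate hex, indices of entries with a bad digest)."""
    pcr, bad = bytes(SHA1_LEN), []
    for i, (idx, digest, _name, data) in enumerate(parse_entries(blob)):
        if idx != pcr_index:
            continue
        if digest == bytes(SHA1_LEN):
            digest = b"\xff" * SHA1_LEN  # violation entry: the PCR is extended with 0xff
        elif hashlib.sha1(data).digest() != digest:
            bad.append(i)  # template data does not hash to the recorded digest
        pcr = hashlib.sha1(pcr + digest).digest()  # TPM extend: SHA1(old PCR || digest)
    return pcr.hex(), bad

def make_entry(path, content, violation=False):
    """Build one constructed ima-ng entry (sample data, not from a real system)."""
    d_ng = b"sha1:\0" + hashlib.sha1(content).digest()
    n_ng = path.encode() + b"\0"
    data = struct.pack("<I", len(d_ng)) + d_ng + struct.pack("<I", len(n_ng)) + n_ng
    digest = bytes(SHA1_LEN) if violation else hashlib.sha1(data).digest()
    return (struct.pack("<I", 10) + digest + struct.pack("<I", 6) + b"ima-ng"
            + struct.pack("<I", len(data)) + data)

SAMPLE = (make_entry("boot_aggregate", b"a")
          + make_entry("/usr/bin/true", b"b", violation=True)
          + make_entry("/etc/hosts", b"c"))

if __name__ == "__main__":
    print(pcr_aggregate(SAMPLE))  # compare the first value with the HW PCR-10
```

A tampered template-data field shows up in the second return value even though the aggregate still matches, which is why both checks matter.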