[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

Petr Vorel pvorel@suse.cz
Mon Aug 31 12:29:34 CEST 2020


Hi Mimi,

> On Fri, 2020-08-28 at 14:49 +0200, Petr Vorel wrote:
> > > On Fri, 2020-08-28 at 08:05 +0200, Petr Vorel wrote:
> > > > BTW there are also plans for reboot support [1] [2], that could be used as
> > > > a workaround for configurations without CONFIG_IMA_READ_POLICY=y and
> > > > CONFIG_IMA_WRITE_POLICY=y.
> > > The reboot support could also be used for carrying the IMA measurement
> > > list across kexec and verifying the TPM PCRs.

> > Adding to my TODO list. I'd just run the whole test ima_kexec.sh twice and reboot
> > in between.

> The ima_kexec.sh test measures the kexec boot cmdline and kernel
> image. What's needed is walking the measurement list, re-calculating
> the PCRs and then verifying them against the actual TPM PCRs.  Maybe
> running the ima_tpm.sh test twice.
Right, thanks for the clarification :).

It will take some time until reboot support is implemented in the LTP API. But I
hope to send a fix for TPM 2.0 and sha256 hash (these changes are in v5.8) for
ima_tpm.sh this week.


Kind regards,
Petr
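
The check described in the quoted reply (walk the measurement list, recompute the PCR, compare with the TPM value), as an added example that is not part of this thread or of LTP's ima_tpm.sh. It assumes the SHA1 PCR bank and the `ascii_runtime_measurements` line layout (PCR index, template hash, template name, ...); the sample entries and the helper names are constructed for illustration.

```python
import hashlib

SHA1_LEN = 20  # assumption: SHA1 PCR bank with SHA1 template hashes


def replay_pcrs(lines):
    """Replay measurement-list lines; return {pcr_index: final PCR bytes}."""
    pcrs = {}
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if not fields:
            continue  # tolerate blank lines
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<pcr> <template-hash> ...'")
        index, digest = int(fields[0]), bytes.fromhex(fields[1])
        if len(digest) != SHA1_LEN:
            raise ValueError(f"line {lineno}: template hash is not SHA1-sized")
        if digest == bytes(SHA1_LEN):
            # Violation entry: the list shows zeros, the TPM was extended with 0xff
            digest = b"\xff" * SHA1_LEN
        old = pcrs.get(index, bytes(SHA1_LEN))  # replay starts from an all-zero PCR
        pcrs[index] = hashlib.sha1(old + digest).digest()  # extend: H(old || new)
    return pcrs


def mismatched_pcrs(lines, tpm_pcrs):
    """Return sorted PCR indexes whose replayed value differs from tpm_pcrs."""
    replayed = replay_pcrs(lines)
    return sorted(i for i, value in replayed.items() if tpm_pcrs.get(i) != value)


# Constructed sample list: two normal entries around one violation entry.
SAMPLE = [
    "10 " + "1a" * 20 + " ima-ng sha256:" + "ab" * 32 + " boot_aggregate",
    "10 " + "00" * 20 + " ima-ng sha256:" + "00" * 32 + " /usr/bin/example",
    "10 " + "2b" * 20 + " ima-ng sha256:" + "cd" * 32 + " /usr/bin/example2",
]

if __name__ == "__main__":
    for index, value in replay_pcrs(SAMPLE).items():
        print(f"PCR-{index:02d}: {value.hex()}")
    # A stale or wrong TPM reading (constructed: all zeros) is reported per PCR.
    print("mismatched:", mismatched_pcrs(SAMPLE, {10: bytes(SHA1_LEN)}))
```

The replayed value only matches the TPM when the list is complete since the PCR was last reset, which is why the list has to be carried across kexec for the comparison to hold afterwards.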

