[LTP] [PATCH v2 1/2] IMA: Add a test to verify measurement of keys

Petr Vorel pvorel@suse.cz
Tue Jun 16 17:31:16 CEST 2020


Hi Lachlan,

Reviewed-by: Petr Vorel <pvorel@suse.cz>

..
> +++ b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy
> @@ -0,0 +1 @@
> +measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf
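Review bot: the single rule `measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf` limits measurement to four named keyrings, and nothing alongside the file records that or names the test meant to load it. A short README entry listing the covered keyrings, and stating that the consuming test should only expect log entries for keys added to those keyrings, would keep the policy and the test's expectations from drifting apart.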
Thanks for this!
You don't use it, but that's ok, I'll add that policy handling myself after
merging. I have some notes about documentation / setup for both commits.

It would be nice to mention CONFIG_IMA_READ_POLICY=y in
testcases/kernel/security/integrity/ima/README.md as it's required.
That trivial thing I could do myself, but it'd help to add more info for setup
needed (and it's always preferred to do the setup, if possible, but for some
tests e.g. EVM testing in evm_overlay.sh it must be during the installation).

> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> new file mode 100755
> index 000000000..f9c60a6fc
> --- /dev/null
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> @@ -0,0 +1,65 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +# Copyright (c) 2020 Microsoft Corporation
> +# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
> +#
> +# Verify that keys are measured correctly based on policy.
> +
> +TST_NEEDS_CMDS="awk cut xxd"
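Review bot: the header comment `# Verify that keys are measured correctly based on policy.` does not say which policy the test expects or how it gets loaded. Naming datafiles/keycheck.policy there, along with the CONFIG_IMA_READ_POLICY=y requirement raised in this thread, would tell someone debugging a failure what setup was assumed. For `TST_NEEDS_CMDS="awk cut xxd"`, keep the list in step with every external command the script body calls, so a missing tool is reported before the test starts instead of failing partway through.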
nit: actually sed was meant to be added in this commit (I reported in previous
one).

Kind regards,
Petr

