[LTP] [PATCH v2 1/2] IMA: Add a test to verify measurment of keys
Petr Vorel
pvorel@suse.cz
Fri Jun 19 10:56:37 CEST 2020
Hi Lachlan,
...
> + keycheck_line=$(grep "func=KEY_CHECK" $IMA_POLICY)
> + if [ -z "$keycheck_line" ]; then
> + tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\""
> + fi
> +
> + if echo "$keycheck_line" | grep -q "*keyrings*"; then
I guess "*keyrings*" as grep parameter is wrong. * for regexp should be .*
If you meant to grep for keyrings, it should be:
if ! echo "$keycheck_line" | grep -q "keyrings"; then
tst_brk TCONF "ima policy does not specify a keyrings to check"
fi
Few more changes (mostly nits), is that ok for you?
Kind regards,
Petr
diff --git testcases/kernel/security/integrity/ima/README.md testcases/kernel/security/integrity/ima/README.md
index 16a1f48c3..66d0f5308 100644
--- testcases/kernel/security/integrity/ima/README.md
+++ testcases/kernel/security/integrity/ima/README.md
@@ -16,6 +16,24 @@ CONFIG_INTEGRITY=y
CONFIG_IMA=y
```
+IMA Key Import tests
+~~~~~~~~~~~~~~~~~~~~
+
+`ima_keys.sh` requires a x509 public key, by default in `/etc/keys/x509_ima.der`.
+The key must be signed by the private key you generate. Follow these instructions:
+https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys.
+
+The test cannot be set-up automatically because the kernel must be built
+with one of the keys you generate.
+
+As well as what's required for the IMA tests, the following are also required
+in the kernel configuration:
+```
+CONFIG_IMA_READ_POLICY=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
+```
+
EVM tests
---------
diff --git testcases/kernel/security/integrity/ima/tests/ima_keys.sh testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 2b5324dbf..398ee141c 100755
--- testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -5,17 +5,18 @@
#
# Verify that keys are measured correctly based on policy.
-TST_NEEDS_CMDS="grep mktemp cut sed tr"
+TST_NEEDS_CMDS="cut grep sed tr xxd"
TST_CNT=1
TST_NEEDS_DEVICE=1
. ima_setup.sh
-# Based on https://lkml.org/lkml/2019/12/13/564.
+# Based on https://lkml.org/lkml/2019/12/13/564
# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
test1()
{
- local keyrings keycheck_line templates test_file=$(mktemp)
+ local err keycheck_line keyrings line templates
+ local test_file="file.txt"
tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
@@ -28,7 +29,7 @@ test1()
tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\""
fi
- if echo "$keycheck_line" | grep -q "*keyrings*"; then
+ if ! echo "$keycheck_line" | grep -q "keyrings"; then
tst_brk TCONF "ima policy does not specify a keyrings to check"
fi
@@ -41,12 +42,12 @@ test1()
templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
cut -d'=' -f2)
- grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line
+ grep -E "($templates)*$keyrings" $ASCII_MEASUREMENTS | while read line
do
- local digest expected_digest algorithm
+ local algorithm digest expected_digest keyring
- digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2)
algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1)
+ digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2)
keyring=$(echo "$line" | cut -d' ' -f5)
echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
@@ -56,12 +57,12 @@ test1()
if [ "$digest" != "$expected_digest" ]; then
tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
+ err=1
fi
done
- rm $test_file
-
- tst_res TPASS "specified keyrings were measured correctly"
+ [ -z "$err" ] && \
+ tst_res TPASS "specified keyrings were measured correctly"
}
tst_run
More information about the ltp
mailing list