[LTP] [PATCH 2/2] ima_{conditionals, policy}: Handle policy required to be signed
Mimi Zohar
zohar@linux.ibm.com
Fri Sep 12 15:23:45 CEST 2025
On Fri, 2025-09-12 at 09:32 +0200, Petr Vorel wrote:
> Since kernel 6.6, the policy needs to be signed when UEFI secure boot is enabled.
> Skip testing in that case.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56dc986a6b20b
>
> This fixes errors:
>
> ima_policy 2 TINFO: verify that policy file is not opened concurrently and able to loaded multiple times
> ima_policy 2 TFAIL: problem loading or extending policy (may require policy to be signed)
> https://openqa.suse.de/tests/18723792#step/ima_conditionals/6
>
> ima_conditionals 1 TINFO: verify measuring user files when requested via uid
> echo: write error: Permission denied
> ima_conditionals 1 TBROK: echo measure uid=65534 > /sys/kernel/security/ima/policy failed
>
> Ideally there would be a test which checks that an unsigned policy cannot be
> written.
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
Thanks, Petr.
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
At some point, consider adding support for signing policy rules, if the
private/public keypair is provided.
Mimi
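
One way a test could detect the condition described in the quoted commit message is to look for an appraise rule on POLICY_CHECK in the loaded policy before writing to it. This is an added example, not code from the LTP patch; the function names and the sample policies are constructed, and reading the policy file assumes the kernel exposes it (CONFIG_IMA_READ_POLICY).

```shell
# Constructed sample policies (not taken from a real system).
SAMPLE_SECURE_BOOT_POLICY='# arch rules, constructed sample
measure func=KEXEC_KERNEL_CHECK
appraise func=MODULE_CHECK appraise_type=imasig|modsig
appraise func=POLICY_CHECK appraise_type=imasig'

SAMPLE_PLAIN_POLICY='measure func=FILE_CHECK mask=MAY_READ uid=0
appraise func=MODULE_CHECK appraise_type=imasig
measure func=POLICY_CHECK'

# Hypothetical helper: reads IMA policy text on stdin and returns 0 when an
# appraise rule demands a signature on the policy file itself.
policy_requires_signature() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 != "appraise"      { next }   # measure/audit rules do not block writes
        {
            is_policy = 0; needs_sig = 0
            # conditions may appear in any order after the action
            for (i = 2; i <= NF; i++) {
                if ($i == "func=POLICY_CHECK")       is_policy = 1
                if ($i ~ /^appraise_type=imasig/)    needs_sig = 1
            }
            if (is_policy && needs_sig) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Hypothetical helper: prints "skip", "run" or "unknown" for the policy file
# given as $1 (defaults to the securityfs path used in the test output above).
ima_policy_write_verdict() {
    policy_file="${1:-/sys/kernel/security/ima/policy}"
    if [ ! -r "$policy_file" ]; then
        echo "unknown"   # policy not readable; caller must handle a failed write
    elif policy_requires_signature < "$policy_file"; then
        echo "skip"      # an unsigned write would be rejected (Permission denied)
    else
        echo "run"
    fi
}
```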