Message ID | 20200617234957.10611-2-t-josne@linux.microsoft.com |
---|---|
State | Changes Requested |
Headers | show |
Series | IMA: Verify measurement of certificates | expand |
Hi Lachlan, Reviewed-by: Petr Vorel <pvorel@suse.cz> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > @@ -0,0 +1,67 @@ > +#!/bin/sh > +# SPDX-License-Identifier: GPL-2.0-or-later > +# Copyright (c) 2020 Microsoft Corporation > +# Author: Lachlan Sneff <t-josne@linux.microsoft.com> > +# > +# Verify that keys are measured correctly based on policy. > + > +TST_NEEDS_CMDS="grep mktemp cut sed tr" This is already a dependency for tst_test.sh, but it does not harm to have it here (in case we remove the dependency from tst_test.sh). > +TST_CNT=1 > +TST_NEEDS_DEVICE=1 > + > +. ima_setup.sh > + > +# Based on https://lkml.org/lkml/2019/12/13/564. > +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") > +test1() > +{ > + local keyrings keycheck_line templates test_file=$(mktemp) Do we need mktemp? Can't it be just: local keyrings keycheck_line templates test_file="file.txt" ... > + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file Because you later just overwrite the file (simplicity). I also try to keep shell dependencies low so it's possible to run it with in dracut initramfs with rapido [1] without too many dependencies (although mktemp is already tst_test.sh dependency). > + > + expected_digest="$(compute_digest $algorithm $test_file)" || \ > + tst_brk TCONF "cannot compute digest for $algorithm" > + > + if [ "$digest" != "$expected_digest" ]; then > + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring" > + fi > + done > + > + rm $test_file Again, IMHO no need to delete the file. [1] https://github.com/rapido-linux/rapido > + > + tst_res TPASS "specified keyrings were measured correctly" This TPASS will be called even if there is previous TFAIL "incorrect digest was found for the ($keyring) keyring". We should either exit testing with return, or have variable to detect failure and not call this (not sure what makes more sense). Kind regards, Petr
Hi Lachian, > + > +# Based on https://lkml.org/lkml/2019/12/13/564. > +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") > +test1() > +{ > + local keyrings keycheck_line templates test_file=$(mktemp) > + > + tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file" > + > + [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY" > + > + [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)" > + > + keycheck_line=$(grep "func=KEY_CHECK" $IMA_POLICY) > + if [ -z "$keycheck_line" ]; then > + tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\"" > + fi > + > + if echo "$keycheck_line" | grep -q "*keyrings*"; then > + tst_brk TCONF "ima policy does not specify a keyrings to check" > + fi > + > + keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \ > + sed "s/\./\\\./g" | cut -d'=' -f2) > + if [ -z "$keyrings" ]; then > + tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings" > + fi > + > + templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \ > + cut -d'=' -f2) > + > + grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line Probably because I have multiple KEY_CHECK rules, this is failing: grep: Unmatched ( or \( And then it continues merrily alongs its way. ima_keys 1 TPASS: specified keyrings were measured correctly ima_keys 2 TCONF: missing /etc/keys/x509_ima.der Mimi > + do > + local digest expected_digest algorithm > + > + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) > + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) > + keyring=$(echo "$line" | cut -d' ' -f5) > + > + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file > + > + expected_digest="$(compute_digest $algorithm $test_file)" || \ > + tst_brk TCONF "cannot compute digest for $algorithm" > + > + if [ "$digest" != "$expected_digest" ]; then > + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring" > + fi > + done > + > + rm $test_file > + > + tst_res TPASS "specified keyrings were measured correctly" > +}
[Resending due to mailer issues] On Wed, 2020-06-24 at 09:21 -0400, Mimi Zohar wrote: > Hi Lachian, > > > + > > +# Based on https://lkml.org/lkml/2019/12/13/564. > > +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") > > +test1() > > +{ > > + local keyrings keycheck_line templates test_file=$(mktemp) > > + > > + tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file" > > + > > + [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY" > > + > > + [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)" > > + > > + keycheck_line=$(grep "func=KEY_CHECK" $IMA_POLICY) > > + if [ -z "$keycheck_line" ]; then > > + tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\"" > > + fi > > + > > + if echo "$keycheck_line" | grep -q "*keyrings*"; then > > + tst_brk TCONF "ima policy does not specify a keyrings to check" > > + fi > > + > > + keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \ > > + sed "s/\./\\\./g" | cut -d'=' -f2) > > + if [ -z "$keyrings" ]; then > > + tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings" > > + fi > > + > > + templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \ > > + cut -d'=' -f2) > > + > > + grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line > > Probably because I have multiple KEY_CHECK rules, this is failing: > > grep: Unmatched ( or \( > > And then it continues merrily alongs its way. > > ima_keys 1 TPASS: specified keyrings were measured correctly > ima_keys 2 TCONF: missing /etc/keys/x509_ima.der > > Mimi > > > + do > > + local digest expected_digest algorithm > > + > > + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) > > + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) > > + keyring=$(echo "$line" | cut -d' ' -f5) > > + > > + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file > > + > > + expected_digest="$(compute_digest $algorithm $test_file)" || \ > > + tst_brk TCONF "cannot compute digest for $algorithm" > > + > > + if [ "$digest" != "$expected_digest" ]; then > > + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring" > > + fi > > + done > > + > > + rm $test_file > > + > > + tst_res TPASS "specified keyrings were measured correctly" > > +}
diff --git a/runtest/ima b/runtest/ima index f3ea88cf0..309d47420 100644 --- a/runtest/ima +++ b/runtest/ima @@ -3,4 +3,5 @@ ima_measurements ima_measurements.sh ima_policy ima_policy.sh ima_tpm ima_tpm.sh ima_violations ima_violations.sh +ima_keys ima_keys.sh evm_overlay evm_overlay.sh diff --git a/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy new file mode 100644 index 000000000..3f1934a3d --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy @@ -0,0 +1 @@ +measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh new file mode 100755 index 000000000..2b5324dbf --- /dev/null +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -0,0 +1,67 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2020 Microsoft Corporation +# Author: Lachlan Sneff <t-josne@linux.microsoft.com> +# +# Verify that keys are measured correctly based on policy. + +TST_NEEDS_CMDS="grep mktemp cut sed tr" +TST_CNT=1 +TST_NEEDS_DEVICE=1 + +. ima_setup.sh + +# Based on https://lkml.org/lkml/2019/12/13/564. +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") +test1() +{ + local keyrings keycheck_line templates test_file=$(mktemp) + + tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file" + + [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY" + + [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)" + + keycheck_line=$(grep "func=KEY_CHECK" $IMA_POLICY) + if [ -z "$keycheck_line" ]; then + tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\"" + fi + + if echo "$keycheck_line" | grep -q "*keyrings*"; then + tst_brk TCONF "ima policy does not specify a keyrings to check" + fi + + keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \ + sed "s/\./\\\./g" | cut -d'=' -f2) + if [ -z "$keyrings" ]; then + tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings" + fi + + templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \ + cut -d'=' -f2) + + grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line + do + local digest expected_digest algorithm + + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) + keyring=$(echo "$line" | cut -d' ' -f5) + + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file + + expected_digest="$(compute_digest $algorithm $test_file)" || \ + tst_brk TCONF "cannot compute digest for $algorithm" + + if [ "$digest" != "$expected_digest" ]; then + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring" + fi + done + + rm $test_file + + tst_res TPASS "specified keyrings were measured correctly" +} + +tst_run diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index 54237d688..04d8e6353 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh @@ -28,7 +28,7 @@ setup() # parse digest index # https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use case "$template" in - ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;; + ima|ima-ng|ima-sig|ima-buf) DIGEST_INDEX=4 ;; *) # using ima_template_fmt kernel parameter local IFS="|" @@ -46,40 +46,6 @@ setup() "Cannot find digest index (template: '$template')" } -# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160 -compute_digest() -{ - local algorithm="$1" - local file="$2" - local digest - - digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')" - if [ -n "$digest" ]; then - echo "$digest" - return 0 - fi - - digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')" - if [ -n "$digest" ]; then - echo "$digest" - return 0 - fi - - # uncommon ciphers - local arg="$algorithm" - case "$algorithm" in - tgr192) arg="tiger" ;; - wp512) arg="whirlpool" ;; - esac - - digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')" - if [ -n "$digest" ]; then - echo "$digest" - return 0 - fi - return 1 -} - ima_check() { local delimiter=':' diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh index 6286277b4..244cf081d 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh @@ -23,7 +23,6 @@ check_policy_writable() setup() { - IMA_POLICY="$IMA_DIR/policy" check_policy_writable VALID_POLICY="$TST_DATAROOT/measure.policy" diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 58a12eda3..8ae477c1c 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -20,6 +20,40 @@ SYSFS="/sys" UMOUNT= TST_FS_TYPE="ext3" +# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160 +compute_digest() +{ + local algorithm="$1" + local file="$2" + local digest + + digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')" + if [ -n "$digest" ]; then + echo "$digest" + return 0 + fi + + digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')" + if [ -n "$digest" ]; then + echo "$digest" + return 0 + fi + + # uncommon ciphers + local arg="$algorithm" + case "$algorithm" in + tgr192) arg="tiger" ;; + wp512) arg="whirlpool" ;; + esac + + digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')" + if [ -n "$digest" ]; then + echo "$digest" + return 0 + fi + return 1 +} + check_ima_policy() { local policy="$1" @@ -85,6 +119,7 @@ ima_setup() [ -d "$IMA_DIR" ] || tst_brk TCONF "IMA not enabled in kernel" ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements" BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements" + IMA_POLICY="$IMA_DIR/policy" print_ima_config
Add a testcase that verifies that the IMA subsystem has correctly measured keys added to keyrings specified in the IMA policy file. Additionally, add support for handling a new IMA template descriptor, namely ima-buf[1], in the IMA measurement tests. [1]: https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> --- runtest/ima | 1 + .../integrity/ima/datafiles/keycheck.policy | 1 + .../security/integrity/ima/tests/ima_keys.sh | 67 +++++++++++++++++++ .../integrity/ima/tests/ima_measurements.sh | 36 +--------- .../integrity/ima/tests/ima_policy.sh | 1 - .../security/integrity/ima/tests/ima_setup.sh | 35 ++++++++++ 6 files changed, 105 insertions(+), 36 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keycheck.policy create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_keys.sh