From patchwork Wed Mar 14 15:57:28 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 885876 X-Patchwork-Delegate: petr.vorel@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.cz Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 401bwR187Wz9sVK for ; Thu, 15 Mar 2018 02:57:58 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 5BD123E78CC for ; Wed, 14 Mar 2018 16:57:56 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-4.smtp.seeweb.it (in-4.smtp.seeweb.it [217.194.8.4]) by picard.linux.it (Postfix) with ESMTP id 3A2493E76E7 for ; Wed, 14 Mar 2018 16:57:51 +0100 (CET) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-4.smtp.seeweb.it (Postfix) with ESMTPS id 895481000BD0 for ; Wed, 14 Mar 2018 16:57:49 +0100 (CET) Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id C25BFAEB8; Wed, 14 Mar 2018 15:57:48 +0000 (UTC) From: Petr Vorel To: ltp@lists.linux.it Date: Wed, 14 Mar 2018 16:57:28 +0100 Message-Id: <20180314155731.5943-2-pvorel@suse.cz> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180314155731.5943-1-pvorel@suse.cz> References: <20180314155731.5943-1-pvorel@suse.cz> X-Virus-Scanned: clamav-milter 0.99.2 at in-4.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=-0.0 required=7.0 tests=SPF_PASS autolearn=disabled version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on in-4.smtp.seeweb.it Cc: linux-integrity@vger.kernel.org, Mimi Zohar Subject: [LTP] [RFC PATCH v2 1/4] security/ima: Rewrite tests into new API + fixes X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.18 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" * simplify code, remove duplicity * ima_measurements.sh: - add support for "ima-ng" and "ima-sig" IMA measurement templates - add support for most of hash algorithms is defined in include/uapi/linux/hash_info.h (kernel headers); algorithms are detected from last occurance of tested file in /sys/kernel/security/ima/ascii_runtime_measurements - check i_version mount option only for ext[2-4] filesystems (other filesystems don't report it), TCONF when not mounted with it - XFS has iversion support from >= V5, TCONF when older version - chown only UID (GID of nobody is different on some OS, so it's better not to set it as it's not necessary for the test) * ima_policy.sh: - break tests instead of print TINFO when kernel is not configured to enable multiple writes to the IMA policy (IMA_WRITE_POLICY) - add warning when policy has been updated that reboot is needed * ima_violations.sh: - change check to measure occurrence of messages in log (previous way to grep tail of the log was buggy) + add sleep when SUT uses /var/log/messages to prevent failure during validate * ima_tpm.sh - change TCONF to TINFO in test1 (code behind that was never run) - make variables local * runtest file - rename the test ids to match the shell script names (more descriptive) and remove duplicate whitespace Signed-off-by: Petr Vorel --- Changes v1->v2: I increased sleep to 1s I still occasionally encounter errors on systems logging into /var/log/messages: ima_violations 2 TFAIL: ToMToU not found in /var/log/messages --- runtest/ima | 8 +- .../integrity/ima/tests/ima_measurements.sh | 239 +++++++++++---------- .../security/integrity/ima/tests/ima_policy.sh | 148 ++++++------- .../security/integrity/ima/tests/ima_setup.sh | 110 ++++------ .../kernel/security/integrity/ima/tests/ima_tpm.sh | 140 ++++++------ .../security/integrity/ima/tests/ima_violations.sh | 217 +++++++++---------- 6 files changed, 409 insertions(+), 453 deletions(-) mode change 100755 => 100644 testcases/kernel/security/integrity/ima/tests/ima_setup.sh diff --git a/runtest/ima b/runtest/ima index 251458af4..bcae16bb7 100644 --- a/runtest/ima +++ b/runtest/ima @@ -1,5 +1,5 @@ #DESCRIPTION:Integrity Measurement Architecture (IMA) -ima01 ima_measurements.sh -ima02 ima_policy.sh -ima03 ima_tpm.sh -ima04 ima_violations.sh +ima_measurements ima_measurements.sh +ima_policy ima_policy.sh +ima_tpm ima_tpm.sh +ima_violations ima_violations.sh diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index a3c357c8b..353e45b30 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh @@ -1,139 +1,156 @@ #!/bin/sh - -################################################################################ -## ## -## Copyright (C) 2009 IBM Corporation ## -## ## -## This program is free software; you can redistribute it and#or modify ## -## it under the terms of the GNU General Public License as published by ## -## the Free Software Foundation; either version 2 of the License, or ## -## (at your option) any later version. ## -## ## -## This program is distributed in the hope that it will be useful, but ## -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## -## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## -## for more details. ## -## ## -## You should have received a copy of the GNU General Public License ## -## along with this program; if not, write to the Free Software Foundation, ## -## Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ## -## ## -################################################################################ +# Copyright (c) 2009 IBM Corporation +# Copyright (c) 2018 Petr Vorel +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. # -# File : ima_measurements.sh +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # -# Description: This file verifies measurements are added to the measurement -# list based on policy. +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . # -# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com -################################################################################ -export TST_TOTAL=3 -export TCID="ima_measurements" +# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com +# +# Verify that measurements are added to the measurement list based on policy. + +TST_TESTFUNC="test" +TST_SETUP="init" +TST_CNT=3 +TST_NEEDS_TMPDIR=1 + +. ima_setup.sh + +DEFAULT_DIGEST_OLD_FORMAT="sha1" +POLICY="$IMA_DIR/policy" init() { - tst_check_cmds sha1sum + tst_check_cmds awk - # verify using default policy - if [ ! -f "$IMA_DIR/policy" ]; then - tst_resm TINFO "not using default policy" - fi + [ -f "$POLICY" ] || tst_res TINFO "not using default policy" + + TEST_FILE="$PWD/test.txt" + DIGEST_INDEX= + grep -q "ima-ng" $ASCII_MEASUREMENTS && DIGEST_INDEX=1 + grep -q "ima-sig" $ASCII_MEASUREMENTS && DIGEST_INDEX=2 } -# Function: test01 -# Description - Verify reading a file causes a new measurement to -# be added to the IMA measurement list. -test01() +# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160 +compute_hash() { - # Create file test.txt - cat > test.txt <<-EOF - $(date) - this is a test file - EOF - if [ $? -ne 0 ]; then - tst_brkm TBROK "Unable to create test file" - fi + local digest="$1" + local file="$2" - # Calculating the sha1sum of test.txt should add - # the measurement to the measurement list. - # (Assumes SHA1 IMA measurements.) - hash=$(sha1sum "test.txt" | sed 's/ -//') - - # Check if the file is measured - # (i.e. contained in the ascii measurement list.) - cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements - sleep 1 - $(grep $hash measurements > /dev/null) - if [ $? -ne 0 ]; then - tst_resm TFAIL "TPM ascii measurement list does not contain sha1sum" - else - tst_resm TPASS "TPM ascii measurement list contains sha1sum" - fi + hash="$(${digest}sum $file 2>/dev/null | cut -f1 -d ' ')" + [ -n "$hash" ] && { echo $hash; return; } + + hash="$(openssl $digest $file 2>/dev/null | cut -f2 -d ' ')" + [ -n "$hash" ] && { echo $hash; return; } + + # uncommon ciphers + local arg="$digest" + case "$digest" in + tgr192) arg="tiger" ;; + wp512) arg="whirlpool" ;; + esac + + hash="$(rhash --$arg $file 2>/dev/null | cut -f1 -d ' ')" + [ -n "$hash" ] && { echo $hash; return; } } -# Function: test02 -# Description - Verify modifying, then reading, a file causes a new -# measurement to be added to the IMA measurement list. -test02() +ima_check() { - # Modify test.txt - echo $(date) - file modified >> test.txt + local digest="$DEFAULT_DIGEST_OLD_FORMAT" + local hash expected_hash line + + # need to read file to get updated $ASCII_MEASUREMENTS + cat $TEST_FILE > /dev/null - # Calculating the sha1sum of test.txt should add - # the new measurement to the measurement list - hash=$(sha1sum test.txt | sed 's/ -//') + line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)" + [ -n "$line" ] || tst_res TFAIL "cannot find measurement for '$TEST_FILE'" - # Check if the new measurement exists - cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements - $(grep $hash measurements > /dev/null) + [ "$DIGEST_INDEX" ] && digest="$(echo "$line" | awk '{print $(NF-'$DIGEST_INDEX')}' | cut -d ':' -f 1)" + hash="$(echo "$line" | awk '{print $(NF-1)}' | cut -d ':' -f 2)" - if [ $? -ne 0 ]; then - tst_resm TFAIL "Modified file not measured" - tst_resm TINFO "iversion not supported; or not mounted with iversion" + tst_res TINFO "computing hash for $digest digest" + expected_hash="$(compute_hash $digest $TEST_FILE)" || \ + { tst_res TCONF "cannot compute hash for '$digest' digest"; return; } + + if [ "$hash" = "$expected_hash" ]; then + tst_res TPASS "correct hash found" else - tst_resm TPASS "Modified file measured" + tst_res TFAIL "hash not found" fi } -# Function: test03 -# Description - Verify files are measured based on policy -# (Default policy does not measure user files.) -test03() +test1() { - # create file user-test.txt - mkdir -m 0700 user - chown nobody.nobody user - cd user - hash=0 - - # As user nobody, create and cat the new file - # (The LTP tests assumes existence of 'nobody'.) - sudo -n -u nobody sh -c "echo $(date) - create test.txt > ./test.txt; - cat ./test.txt > /dev/null" - - # Calculating the hash will add the measurement to the measurement - # list, so only calc the hash value after getting the measurement - # list. - cat /sys/kernel/security/ima/ascii_runtime_measurements > measurements - hash=$(sha1sum test.txt | sed 's/ -//') - cd - >/dev/null - - # Check if the file is measured - grep $hash measurements > /dev/null - if [ $? -ne 0 ]; then - tst_resm TPASS "user file test.txt not measured" - else - tst_resm TFAIL "user file test.txt measured" - fi + tst_res TINFO "verify adding record to the IMA measurement list" + ROD echo "$(date) this is a test file" \> $TEST_FILE + ima_check } -. ima_setup.sh +test2() +{ + local device mount fs + + tst_res TINFO "verify updating record in the IMA measurement list" + + device="$(df . | sed -e 1d | cut -f1 -d ' ')" + mount="$(grep $device /proc/mounts | head -1)" + fs="$(echo $mount | awk '{print $3'})" + + case "$fs" in + ext[2-4]) + if ! echo "$mount" | grep -q -w "i_version"; then + tst_res TCONF "device '$device' is not mounted with iversion, please mount it with 'mount $device -o remount,iversion'" + return + fi + ;; + xfs) + if dmesg | grep -q "XFS.*Mounting V[1-4] Filesystem"; then + tst_res TCONF "XFS Filesystem >= V5 required for iversion support" + return + fi + ;; + '') + tst_res TWARN "could not find mount info for device '$device'" + ;; + esac + + ROD echo "$(date) modified file" \> $TEST_FILE + ima_check +} + +test3() +{ + local user="nobody" + local dir="$PWD/user" + local file="$dir/test.txt" -setup -TST_CLEANUP=cleanup + # Default policy does not measure user files + tst_res TINFO "verify not measuring user files" -init -test01 -test02 -test03 + if ! id $user >/dev/null 2>/dev/null; then + tst_res TCONF "missing system user $user (wrong installation)" + return + fi + tst_check_cmds sudo + + mkdir -m 0700 $dir + chown $user $dir + cd $dir + # need to read file to get updated $ASCII_MEASUREMENTS + sudo -n -u $user sh -c "echo $(date) user file > $file; cat $file > /dev/null" + cd .. + + EXPECT_FAIL "grep $file $ASCII_MEASUREMENTS" +} -tst_exit +tst_run diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh index ad5900975..08e34c6f8 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh @@ -1,127 +1,115 @@ #!/bin/sh -################################################################################ -## ## -## Copyright (C) 2009 IBM Corporation ## -## ## -## This program is free software; you can redistribute it and#or modify ## -## it under the terms of the GNU General Public License as published by ## -## the Free Software Foundation; either version 2 of the License, or ## -## (at your option) any later version. ## -## ## -## This program is distributed in the hope that it will be useful, but ## -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## -## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## -## for more details. ## -## ## -## You should have received a copy of the GNU General Public License ## -## along with this program; if not, write to the Free Software ## -## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ## -## ## -################################################################################ +# Copyright (c) 2009 IBM Corporation +# Copyright (c) 2018 Petr Vorel # -# File : ima_policy.sh +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. # -# Description: This file tests replacing the default integrity measurement -# policy. +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # -# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com -################################################################################ -export TST_TOTAL=3 -export TCID="ima_policy" +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com +# +# Test replacing the default integrity measurement policy. + +TST_TESTFUNC="test" +TST_SETUP="init" +TST_CNT=3 + +. ima_setup.sh init() { - # verify using default policy - IMA_POLICY=$IMA_DIR/policy - if [ ! -f $IMA_POLICY ]; then - tst_resm TINFO "default policy already replaced" - fi + IMA_POLICY="$IMA_DIR/policy" + [ -f $IMA_POLICY ] || \ + tst_brk TCONF "IMA policy already loaded and kernel not configured to enable multiple writes it" - VALID_POLICY=$LTPROOT/testcases/data/ima_policy/measure.policy - if [ ! -f $VALID_POLICY ]; then - tst_resm TINFO "missing $VALID_POLICY" - fi + VALID_POLICY="$TST_DATAROOT/measure.policy" + [ -f $VALID_POLICY ] || tst_brk TCONF "missing $VALID_POLICY" - INVALID_POLICY=$LTPROOT/testcases/data/ima_policy/measure.policy-invalid - if [ ! -f $INVALID_POLICY ]; then - tst_resm TINFO "missing $INVALID_POLICY" - fi + INVALID_POLICY="$TST_DATAROOT/measure.policy-invalid" + [ -f $INVALID_POLICY ] || tst_brk TCONF "missing $INVALID_POLICY" } load_policy() { + local ret + exec 2>/dev/null 4>$IMA_POLICY - if [ $? -ne 0 ]; then - exit 1 - fi + [ $? -eq 0 ] || exit 1 cat $1 | - while read line ; do - { - if [ "${line#\#}" = "${line}" ] ; then - echo $line >&4 2> /dev/null + while read line; do + if [ "${line#\#}" = "${line}" ]; then + echo "$line" >&4 2> /dev/null if [ $? -ne 0 ]; then exec 4>&- return 1 fi fi - } done -} + ret=$? + [ $ret -eq 0 ] && \ + tst_res TINFO "IMA policy updated, please reboot after testing to restore settings" -# Function: test01 -# Description - Verify invalid policy doesn't replace default policy. -test01() + return $ret +} + +test1() { + tst_res TINFO "verify that invalid policy doesn't replace default policy" + + local p1 + load_policy $INVALID_POLICY & p1=$! wait "$p1" if [ $? -ne 0 ]; then - tst_resm TPASS "didn't load invalid policy" + tst_res TPASS "didn't load invalid policy" else - tst_resm TFAIL "loaded invalid policy" + tst_res TFAIL "loaded invalid policy" fi } -# Function: test02 -# Description - Verify policy file is opened sequentially, not concurrently -# and install new policy -test02() +test2() { + tst_res TINFO "verify that policy file is opened sequentially and installs new policy" + + local p1 p2 rc1 rc2 + load_policy $VALID_POLICY & p1=$! # forked process 1 load_policy $VALID_POLICY & p2=$! # forked process 2 - wait "$p1"; RC1=$? - wait "$p2"; RC2=$? - if [ $RC1 -eq 0 ] && [ $RC2 -eq 0 ]; then - tst_resm TFAIL "measurement policy opened concurrently" - elif [ $RC1 -eq 0 ] || [ $RC2 -eq 0 ]; then - tst_resm TPASS "replaced default measurement policy" + wait "$p1"; rc1=$? + wait "$p2"; rc2=$? + if [ $rc1 -eq 0 ] && [ $rc2 -eq 0 ]; then + tst_res TFAIL "measurement policy opened concurrently" + elif [ $rc1 -eq 0 ] || [ $rc2 -eq 0 ]; then + tst_res TPASS "replaced default measurement policy" else - tst_resm TFAIL "problems opening measurement policy" + tst_res TFAIL "problems opening measurement policy" fi } -# Function: test03 -# Description - Verify can't load another measurement policy. -test03() +test3() { + tst_res TINFO "verify that valid policy isn't replaced" + + local p1 + load_policy $INVALID_POLICY & p1=$! wait "$p1" if [ $? -ne 0 ]; then - tst_resm TPASS "didn't replace valid policy" + tst_res TPASS "didn't replace valid policy" else - tst_resm TFAIL "replaced valid policy" + tst_res TFAIL "replaced valid policy" fi } -. ima_setup.sh - -setup -TST_CLEANUP=cleanup - -init -test01 -test02 -test03 - -tst_exit +tst_run diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh old mode 100755 new mode 100644 index 0ff38d23b..1a2df154d --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -1,86 +1,68 @@ #!/bin/sh -################################################################################ -## ## -## Copyright (C) 2009 IBM Corporation ## -## ## -## This program is free software; you can redistribute it and#or modify ## -## it under the terms of the GNU General Public License as published by ## -## the Free Software Foundation; either version 2 of the License, or ## -## (at your option) any later version. ## -## ## -## This program is distributed in the hope that it will be useful, but ## -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## -## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## -## for more details. ## -## ## -## You should have received a copy of the GNU General Public License ## -## along with this program; if not, write to the Free Software Foundation, ## -## Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ## -## ## -################################################################################ +# Copyright (c) 2009 IBM Corporation +# Copyright (c) 2018 Petr Vorel # -# File : ima_setup.sh +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. # -# Description: setup/cleanup routines for the integrity tests. +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # -# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com -################################################################################ -. test.sh -mount_sysfs() -{ - SYSFS=$(mount 2>/dev/null | awk '$5 == "sysfs" { print $3 }') - if [ "x$SYSFS" = x ] ; then +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com - SYSFS=/sys +TST_CLEANUP="cleanup" +TST_NEEDS_TMPDIR=1 +TST_NEEDS_ROOT=1 - test -d $SYSFS || mkdir -p $SYSFS 2>/dev/null - if [ $? -ne 0 ] ; then - tst_brkm TBROK "Failed to mkdir $SYSFS" - fi - if ! mount -t sysfs sysfs $SYSFS 2>/dev/null ; then - tst_brkm TBROK "Failed to mount $SYSFS" - fi +. tst_test.sh - fi -} +export TCID="${TCID:-$(basename $0 | cut -d. -f1)}" -mount_securityfs() -{ - SECURITYFS=$(mount 2>/dev/null | awk '$5 == "securityfs" { print $3 }') - if [ "x$SECURITYFS" = x ] ; then +SYSFS="/sys" +UMOUNT= - SECURITYFS="$SYSFS/kernel/security" +mount_helper() +{ + local type="$1" + local default_dir="$2" + local dir - test -d $SECURITYFS || mkdir -p $SECURITYFS 2>/dev/null - if [ $? -ne 0 ] ; then - tst_brkm TBROK "Failed to mkdir $SECURITYFS" - fi - if ! mount -t securityfs securityfs $SECURITYFS 2>/dev/null ; then - tst_brkm TBROK "Failed to mount $SECURITYFS" - fi + dir="$(grep ^$type /proc/mounts | cut -d ' ' -f2 | head -1)" + [ -n "$dir" ] && { echo "$dir"; return; } + if ! mkdir -p $default_dir; then + tst_brk TBROK "Failed to create $default_dir" fi + if ! mount -t $type $type $default_dir; then + tst_brk TBROK "Failed to mount $type" + fi + UMOUNT="$default_dir $UMOUNT" + echo $default_dir } setup() { - tst_require_root - - tst_tmpdir - - mount_sysfs + SECURITYFS="$(mount_helper securityfs $SYSFS/kernel/security)" - # mount securityfs if it is not already mounted - mount_securityfs - - # IMA must be configured in the kernel - IMA_DIR=$SECURITYFS/ima - if [ ! -d "$IMA_DIR" ]; then - tst_brkm TCONF "IMA not enabled in kernel" - fi + IMA_DIR="$SECURITYFS/ima" + [ -d "$IMA_DIR" ] || tst_brk TCONF "IMA not enabled in kernel" + ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements" + BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements" } cleanup() { - tst_rmdir + local dir + for dir in $UMOUNT; do + umount $dir + done } + +setup diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh index 333bf5f8a..e78926165 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh @@ -1,70 +1,63 @@ #!/bin/sh - -################################################################################ -## ## -## Copyright (C) 2009 IBM Corporation ## -## ## -## This program is free software; you can redistribute it and#or modify ## -## it under the terms of the GNU General Public License as published by ## -## the Free Software Foundation; either version 2 of the License, or ## -## (at your option) any later version. ## -## ## -## This program is distributed in the hope that it will be useful, but ## -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## -## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## -## for more details. ## -## ## -## You should have received a copy of the GNU General Public License ## -## along with this program; if not, write to the Free Software ## -## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ## -## ## -################################################################################ +# Copyright (c) 2009 IBM Corporation +# Copyright (c) 2018 Petr Vorel +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. # -# File : ima_tpm.sh +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # -# Description: This file verifies the boot and PCR aggregates +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . # -# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com +# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com # -# Return - zero on success -# - non zero on failure. return value from commands ($RC) -################################################################################ -export TST_TOTAL=3 -export TCID="ima_tpm" +# Verify the boot and PCR aggregates. + +TST_TESTFUNC="test" +TST_SETUP="init" +TST_CNT=3 + +. ima_setup.sh init() { tst_check_cmds ima_boot_aggregate ima_measure } -# Function: test01 -# Description - Verify boot aggregate value is correct -test01() +test1() { - zero="0000000000000000000000000000000000000000" + tst_res TINFO "verify boot aggregate" + + local zero="0000000000000000000000000000000000000000" + local tpm_bios="$SECURITYFS/tpm0/binary_bios_measurements" + local ima_measurements="$ASCII_MEASUREMENTS" + local boot_aggregate boot_hash ima_hash line # IMA boot aggregate - ima_measurements=$SECURITYFS/ima/ascii_runtime_measurements read line < $ima_measurements - ima_aggr=$(expr substr "${line}" 49 40) + ima_hash=$(expr substr "${line}" 49 40) - # verify TPM is available and enabled. - tpm_bios=$SECURITYFS/tpm0/binary_bios_measurements if [ ! -f "$tpm_bios" ]; then - tst_brkm TCONF "TPM not builtin kernel, or TPM not enabled" + tst_res TINFO "TPM not builtin kernel, or TPM not enabled" - if [ "${ima_aggr}" = "${zero}" ]; then - tst_resm TPASS "bios boot aggregate is 0." + if [ "${ima_hash}" = "${zero}" ]; then + tst_res TPASS "bios boot aggregate is 0" else - tst_resm TFAIL "bios boot aggregate is not 0." + tst_res TFAIL "bios boot aggregate is not 0" fi else boot_aggregate=$(ima_boot_aggregate $tpm_bios) - boot_aggr=$(expr substr $boot_aggregate 16 40) - if [ "x${ima_aggr}" = "x${boot_aggr}" ]; then - tst_resm TPASS "bios aggregate matches IMA boot aggregate." + boot_hash=$(expr substr $boot_aggregate 16 40) + if [ "${ima_hash}" = "${boot_hash}" ]; then + tst_res TPASS "bios aggregate matches IMA boot aggregate" else - tst_resm TFAIL "bios aggregate does not match IMA boot aggregate." + tst_res TFAIL "bios aggregate does not match IMA boot aggregate" fi fi } @@ -74,64 +67,53 @@ test01() # the PCR values from /sys/devices. validate_pcr() { - ima_measurements=$SECURITYFS/ima/binary_runtime_measurements - aggregate_pcr=$(ima_measure $ima_measurements --validate) - dev_pcrs=$1 - RC=0 + tst_res TINFO "verify PCR (Process Control Register)" - while read line ; do + local ima_measurements="$BINARY_MEASUREMENTS" + local aggregate_pcr="$(ima_measure $ima_measurements --validate)" + local dev_pcrs="$1" + local ret=0 + + while read line; do pcr=$(expr substr "${line}" 1 6) if [ "${pcr}" = "PCR-10" ]; then aggr=$(expr substr "${aggregate_pcr}" 26 59) pcr=$(expr substr "${line}" 9 59) - [ "${pcr}" = "${aggr}" ] || RC=$? + [ "${pcr}" = "${aggr}" ] || ret=$? fi done < $dev_pcrs - return $RC + return $ret } -# Function: test02 -# Description - Verify ima calculated aggregate PCR values matches -# actual PCR value. -test02() +test2() { + tst_res TINFO "verify PCR values" - # Would be nice to know where the PCRs are located. Is this safe? - PCRS_PATH=$(find /$SYSFS/devices/ | grep pcrs) + # Would be nice to know where the PCRs are located. Is this safe? + local pcrs_path="$(find $SYSFS/devices/ | grep pcrs)" if [ $? -eq 0 ]; then - validate_pcr $PCRS_PATH + validate_pcr $pcrs_path if [ $? -eq 0 ]; then - tst_resm TPASS "aggregate PCR value matches real PCR value." + tst_res TPASS "aggregate PCR value matches real PCR value" else - tst_resm TFAIL "aggregate PCR value does not match real PCR value." + tst_res TFAIL "aggregate PCR value does not match real PCR value" fi else - tst_resm TFAIL "TPM not enabled, no PCR value to validate" + tst_res TFAIL "TPM not enabled, no PCR value to validate" fi } -# Function: test03 -# Description - Verify template hash value for IMA entry is correct. -test03() +test3() { + tst_res TINFO "verify template hash value" - ima_measurements=$SECURITYFS/ima/binary_runtime_measurements - aggregate_pcr=$(ima_measure $ima_measurements --verify --validate) > /dev/null + local ima_measurements="$BINARY_MEASUREMENTS" + ima_measure $ima_measurements --verify --validate if [ $? -eq 0 ]; then - tst_resm TPASS "verified IMA template hash values." + tst_res TPASS "verified IMA template hash values" else - tst_resm TFAIL "error verifing IMA template hash values." + tst_res TFAIL "error verifing IMA template hash values" fi } -. ima_setup.sh - -setup -TST_CLEANUP=cleanup - -init -test01 -test02 -test03 - -tst_exit +tst_run diff --git a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh index 1b86b5f1a..879b6e949 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_violations.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_violations.sh @@ -1,44 +1,49 @@ #!/bin/sh -################################################################################ -## ## -## Copyright (C) 2009 IBM Corporation ## -## ## -## This program is free software; you can redistribute it and#or modify ## -## it under the terms of the GNU General Public License as published by ## -## the Free Software Foundation; either version 2 of the License, or ## -## (at your option) any later version. ## -## ## -## This program is distributed in the hope that it will be useful, but ## -## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## -## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## -## for more details. ## -## ## -## You should have received a copy of the GNU General Public License ## -## along with this program; if not, write to the Free Software ## -## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ## -## ## -################################################################################ +# Copyright (c) 2009 IBM Corporation +# Copyright (c) 2018 Petr Vorel # -# File : ima_violations.sh +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. # -# Description: This file tests ToMToU and open_writer violations invalidate -# the PCR and are logged. +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # -# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . # -# Return - zero on success -# - non zero on failure. return value from commands ($RC) -################################################################################ +# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com +# +# Test whether ToMToU and open_writer violations invalidatethe PCR and are logged. -export TST_TOTAL=3 -export TCID="ima_violations" +TST_TESTFUNC="test" +TST_SETUP="init" +TST_CNT=3 -open_file_read() +. ima_setup.sh + +. daemonlib.sh + +FILE="test.txt" +IMA_VIOLATIONS="$SECURITYFS/ima/violations" + +init() { - exec 3< $1 - if [ $? -ne 0 ]; then - exit 1 + LOG="/var/log/messages" + SLEEP="1s" + if status_daemon auditd; then + LOG="/var/log/audit/audit.log" + SLEEP= fi + tst_res TINFO "using log $LOG" +} + +open_file_read() +{ + exec 3< $FILE || exit 1 } close_file_read() @@ -48,11 +53,8 @@ close_file_read() open_file_write() { - exec 4> $1 - if [ $? -ne 0 ]; then - exit 1 - echo 'testing, testing, ' >&4 - fi + exec 4> $FILE || exit 1 + echo 'test writing' >&4 } close_file_write() @@ -60,103 +62,88 @@ close_file_write() exec 4>&- } -init() +get_count() { - service auditd status > /dev/null 2>&1 - if [ $? -ne 0 ]; then - log=/var/log/messages - else - log=/var/log/audit/audit.log - tst_resm TINFO "requires integrity auditd patch" - fi - - ima_violations=$SECURITYFS/ima/violations + local search="$1" + echo $(grep -c "${search}.*${FILE}" $LOG) } -# Function: test01 -# Description - Verify open writers violation -test01() +validate() { - read num_violations < $ima_violations - - TMPFN=test.txt - open_file_write $TMPFN - open_file_read $TMPFN - close_file_read - close_file_write - read num_violations_new < $ima_violations - num=$(($(expr $num_violations_new - $num_violations))) - if [ $num -gt 0 ]; then - tail $log | grep test.txt | grep -q 'open_writers' - if [ $? -eq 0 ]; then - tst_resm TPASS "open_writers violation added(test.txt)" + local num_violations="$1" + local count="$2" + local search="$3" + local count2="$(get_count $search)" + local num_violations_new + + [ -n "$SLEEP" ] && tst_sleep $SLEEP + + read num_violations_new < $IMA_VIOLATIONS + if [ $(($num_violations_new - $num_violations)) -gt 0 ]; then + if [ $count2 -gt $count ]; then + tst_res TPASS "$search violation added" else - tst_resm TFAIL "(message ratelimiting?)" + tst_res TFAIL "$search not found in $LOG" fi else - tst_resm TFAIL "open_writers violation not added(test.txt)" + tst_res TFAIL "$search violation not added" fi } -# Function: test02 -# Description - Verify ToMToU violation -test02() +test1() { - read num_violations < $ima_violations + tst_res TINFO "verify open writers violation" - TMPFN=test.txt - open_file_read $TMPFN - open_file_write $TMPFN - close_file_write + local search="open_writers" + local count num_violations + + read num_violations < $IMA_VIOLATIONS + count="$(get_count $search)" + + open_file_write + open_file_read close_file_read - read num_violations_new < $ima_violations - num=$(($(expr $num_violations_new - $num_violations))) - if [ $num -gt 0 ]; then - tail $log | grep test.txt | grep -q 'ToMToU' - if [ $? -eq 0 ]; then - tst_resm TPASS "ToMToU violation added(test.txt)" - else - tst_resm TFAIL "(message ratelimiting?)" - fi - else - tst_resm TFAIL "ToMToU violation not added(test.txt)" - fi + close_file_write + + validate $num_violations $count $search } -# Function: test03 -# Description - verify open_writers using mmapped files -test03() +test2() { - read num_violations < $ima_violations - - TMPFN=test.txtb - echo 'testing testing ' > $TMPFN - ima_mmap $TMPFN & p1=$! - sleep 1 # got to wait for ima_mmap to mmap the file - open_file_read $TMPFN - read num_violations_new < $ima_violations - num=$(($(expr $num_violations_new - $num_violations))) - if [ $num -gt 0 ]; then - tail $log | grep test.txtb | grep -q 'open_writers' - if [ $? -eq 0 ]; then - tst_resm TPASS "mmapped open_writers violation added(test.txtb)" - else - tst_resm TFAIL "(message ratelimiting?)" - fi - else - tst_resm TFAIL "mmapped open_writers violation not added(test.txtb)" - fi + tst_res TINFO "verify ToMToU violation" + + local search="ToMToU" + local count num_violations + + read num_violations < $IMA_VIOLATIONS + count="$(get_count $search)" + + open_file_read + open_file_write + close_file_write close_file_read + + validate $num_violations $count $search } -. ima_setup.sh +test3() +{ + tst_res TINFO "verify open_writers using mmapped files" -setup -TST_CLEANUP=cleanup + local search="open_writers" + local count num_violations -init -test01 -test02 -test03 + read num_violations < $IMA_VIOLATIONS + count="$(get_count $search)" + + echo 'testing testing ' > $FILE + ima_mmap $FILE & + tst_sleep 1s + + open_file_read + close_file_read + + validate $num_violations $count $search +} -tst_exit +tst_run From patchwork Wed Mar 14 15:57:29 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 885875 X-Patchwork-Delegate: petr.vorel@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.cz Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 401bwN1Fhgz9sVV for ; Thu, 15 Mar 2018 02:57:55 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 550773E76D7 for ; Wed, 14 Mar 2018 16:57:53 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-7.smtp.seeweb.it (in-7.smtp.seeweb.it [IPv6:2001:4b78:1:20::7]) by picard.linux.it (Postfix) with ESMTP id 1D53B3E76E0 for ; Wed, 14 Mar 2018 16:57:51 +0100 (CET) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-7.smtp.seeweb.it (Postfix) with ESMTPS id A0685200BA5 for ; Wed, 14 Mar 2018 16:57:50 +0100 (CET) Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 4E077AED3; Wed, 14 Mar 2018 15:57:50 +0000 (UTC) From: Petr Vorel To: ltp@lists.linux.it Date: Wed, 14 Mar 2018 16:57:29 +0100 Message-Id: <20180314155731.5943-3-pvorel@suse.cz> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180314155731.5943-1-pvorel@suse.cz> References: <20180314155731.5943-1-pvorel@suse.cz> X-Virus-Scanned: clamav-milter 0.99.2 at in-7.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=-0.0 required=7.0 tests=SPF_PASS autolearn=disabled version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on in-7.smtp.seeweb.it Cc: linux-integrity@vger.kernel.org, Mimi Zohar Subject: [LTP] [RFC PATCH v2 2/4] security/ima: Run measurements after policy X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.18 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" This fixes failing policy tests when no IMA is configured on SUT. Signed-off-by: Petr Vorel --- Mimi suggested in [1]: The current ordering of the tests assume that the system was booted with the builtin "ima_tcb" policy enabled on the boot command line. Assuming that the kernel doesn't require policies to be signed, changing the order of the tests is fine. Or simply test whether the system was booted with either "ima_tcb" or "ima_policy=tcb" boot command line options. Mimi, do I understand it correctly that ima_policy.sh should be called first when using ima_tcb (original order) and second otherwise? That would be problematic, as we need a fixed order of tests in runtest file. [1] http://lists.linux.it/pipermail/ltp/2018-January/007025.html --- runtest/ima | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/runtest/ima b/runtest/ima index bcae16bb7..06bfd7720 100644 --- a/runtest/ima +++ b/runtest/ima @@ -1,5 +1,5 @@ #DESCRIPTION:Integrity Measurement Architecture (IMA) -ima_measurements ima_measurements.sh ima_policy ima_policy.sh +ima_measurements ima_measurements.sh ima_tpm ima_tpm.sh ima_violations ima_violations.sh From patchwork Wed Mar 14 15:57:30 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 885877 X-Patchwork-Delegate: petr.vorel@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.cz Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 401bwW49D1z9sVV for ; Thu, 15 Mar 2018 02:58:03 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 0CA933E76DA for ; Wed, 14 Mar 2018 16:58:01 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-2.smtp.seeweb.it (in-2.smtp.seeweb.it [217.194.8.2]) by picard.linux.it (Postfix) with ESMTP id DBBF13E780E for ; Wed, 14 Mar 2018 16:57:52 +0100 (CET) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-2.smtp.seeweb.it (Postfix) with ESMTPS id 7EFC6600C10 for ; Wed, 14 Mar 2018 16:57:52 +0100 (CET) Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 9600BAE89; Wed, 14 Mar 2018 15:57:51 +0000 (UTC) From: Petr Vorel To: ltp@lists.linux.it Date: Wed, 14 Mar 2018 16:57:30 +0100 Message-Id: <20180314155731.5943-4-pvorel@suse.cz> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180314155731.5943-1-pvorel@suse.cz> References: <20180314155731.5943-1-pvorel@suse.cz> X-Virus-Scanned: clamav-milter 0.99.2 at in-2.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=-0.0 required=7.0 tests=SPF_PASS autolearn=disabled version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on in-2.smtp.seeweb.it Cc: linux-integrity@vger.kernel.org, Mimi Zohar Subject: [LTP] [RFC PATCH v2 3/4] ima/ima_boot_aggregate: Increase MAX_EVENT_SIZE to 8k X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.18 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" This is needed as according IMA developers there are BIOS events larger than 4k [1]. Actual size for TPM 1.2 is undefined, TPM 2.0 specifies: "For software parsing the event log, the parser can choose an arbitrary maximum size, but this specification recommends a maximum value for the TCG_PCR_EVENT2.eventSize field of 1MB." [2]. So hope 8k is enough. [1] http://lists.linux.it/pipermail/ltp/2018-January/006970.html [2] http://lists.linux.it/pipermail/ltp/2018-January/007002.html Signed-off-by: Petr Vorel Acked-by: Mimi Zohar --- testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c index f7ae77cb1..c52cea4c9 100644 --- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c +++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c @@ -30,7 +30,7 @@ char *TCID = "ima_boot_aggregate"; #if HAVE_LIBCRYPTO #include -#define MAX_EVENT_SIZE 500 +#define MAX_EVENT_SIZE 8192 #define EVENT_HEADER_SIZE 32 #define MAX_EVENT_DATA_SIZE (MAX_EVENT_SIZE - EVENT_HEADER_SIZE) #define NUM_PCRS 8 /* PCR registers 0-7 in boot aggregate */ From patchwork Wed Mar 14 15:57:31 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 885878 X-Patchwork-Delegate: petr.vorel@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.cz Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 401bwZ67bwz9sVQ for ; Thu, 15 Mar 2018 02:58:06 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id B81493E7956 for ; Wed, 14 Mar 2018 16:58:03 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-3.smtp.seeweb.it (in-3.smtp.seeweb.it [IPv6:2001:4b78:1:20::3]) by picard.linux.it (Postfix) with ESMTP id C48FB3E78C6 for ; Wed, 14 Mar 2018 16:57:58 +0100 (CET) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-3.smtp.seeweb.it (Postfix) with ESMTPS id 538201A00EAB for ; Wed, 14 Mar 2018 16:57:53 +0100 (CET) Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id E8273AEB8; Wed, 14 Mar 2018 15:57:52 +0000 (UTC) From: Petr Vorel To: ltp@lists.linux.it Date: Wed, 14 Mar 2018 16:57:31 +0100 Message-Id: <20180314155731.5943-5-pvorel@suse.cz> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180314155731.5943-1-pvorel@suse.cz> References: <20180314155731.5943-1-pvorel@suse.cz> X-Virus-Scanned: clamav-milter 0.99.2 at in-3.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=-0.0 required=7.0 tests=SPF_PASS autolearn=disabled version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on in-3.smtp.seeweb.it Cc: linux-integrity@vger.kernel.org, Mimi Zohar Subject: [LTP] [RFC PATCH v2 4/4] ima/tpm: Various fixes X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.18 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" test1 * Fix reading boot_aggregate for ima-ng test2 * Fix pcrs paths * Drop ima_measure binary, use upstream tool evmctl from ima-evm-utils instead https://git.code.sf.net/p/linux-ima/ima-evm-utils test3 * Dropped, as evmctl has no 'ima_measure --validate` equivalent Signed-off-by: Petr Vorel --- testcases/kernel/security/integrity/.gitignore | 1 - .../security/integrity/ima/src/ima_measure.c | 219 --------------------- .../kernel/security/integrity/ima/tests/ima_tpm.sh | 58 +++--- 3 files changed, 26 insertions(+), 252 deletions(-) delete mode 100644 testcases/kernel/security/integrity/ima/src/ima_measure.c diff --git a/testcases/kernel/security/integrity/.gitignore b/testcases/kernel/security/integrity/.gitignore index 1759bc98b..184aa78ce 100644 --- a/testcases/kernel/security/integrity/.gitignore +++ b/testcases/kernel/security/integrity/.gitignore @@ -1,3 +1,2 @@ /ima/src/ima_boot_aggregate -/ima/src/ima_measure /ima/src/ima_mmap diff --git a/testcases/kernel/security/integrity/ima/src/ima_measure.c b/testcases/kernel/security/integrity/ima/src/ima_measure.c deleted file mode 100644 index 3aa56490f..000000000 --- a/testcases/kernel/security/integrity/ima/src/ima_measure.c +++ /dev/null @@ -1,219 +0,0 @@ -/* - * Copyright (c) International Business Machines Corp., 2008 - * - * Authors: - * Reiner Sailer - * Mimi Zohar - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, version 2 of the - * License. - * - * File: ima_measure.c - * - * Calculate the SHA1 aggregate-pcr value based on the IMA runtime - * binary measurements. - */ -#include -#include -#include -#include -#include -#include -#include - -#include "config.h" -#include "test.h" - -char *TCID = "ima_measure"; - -#if HAVE_LIBCRYPTO -#include - -#define TCG_EVENT_NAME_LEN_MAX 255 - -int TST_TOTAL = 1; - -static int verbose; - -#define print_info(format, arg...) \ - if (verbose) \ - printf(format, ##arg) - -static u_int8_t zero[SHA_DIGEST_LENGTH]; -static u_int8_t fox[SHA_DIGEST_LENGTH]; - -struct event { - struct { - u_int32_t pcr; - u_int8_t digest[SHA_DIGEST_LENGTH]; - u_int32_t name_len; - } header; - char name[TCG_EVENT_NAME_LEN_MAX + 1]; - struct { - u_int8_t digest[SHA_DIGEST_LENGTH]; - char filename[TCG_EVENT_NAME_LEN_MAX + 1]; - } ima_data; - int filename_len; -}; - -static void display_sha1_digest(u_int8_t * digest) -{ - int i; - - for (i = 0; i < 20; i++) - print_info(" %02X", (*(digest + i) & 0xff)); -} - -/* - * Calculate the sha1 hash of data - */ -static void calc_digest(u_int8_t * digest, int len, void *data) -{ - SHA_CTX c; - - /* Calc template hash for an ima entry */ - memset(digest, 0, sizeof *digest); - SHA1_Init(&c); - SHA1_Update(&c, data, len); - SHA1_Final(digest, &c); -} - -static int verify_template_hash(struct event *template) -{ - int rc; - - rc = memcmp(fox, template->header.digest, sizeof fox); - if (rc != 0) { - u_int8_t digest[SHA_DIGEST_LENGTH]; - - memset(digest, 0, sizeof digest); - calc_digest(digest, sizeof template->ima_data, - &template->ima_data); - rc = memcmp(digest, template->header.digest, sizeof digest); - return rc != 0 ? 1 : 0; - } - return 0; -} - -/* - * ima_measurements.c - calculate the SHA1 aggregate-pcr value based - * on the IMA runtime binary measurements. - * - * format: ima_measurement [--validate] [--verify] [--verbose] - * - * --validate: forces validation of the aggregrate pcr value - * for an invalidated PCR. Replace all entries in the - * runtime binary measurement list with 0x00 hash values, - * which indicate the PCR was invalidated, either for - * "a time of measure, time of use"(ToMToU) error, or a - * file open for read was already open for write, with - * 0xFF's hash value, when calculating the aggregate - * pcr value. - * - * --verify: for all IMA template entries in the runtime binary - * measurement list, calculate the template hash value - * and compare it with the actual template hash value. - * Return the number of incorrect hash measurements. - * - * --verbose: For all entries in the runtime binary measurement - * list, display the template information. - * - * template info: list #, PCR-register #, template hash, template name - * IMA info: IMA hash, filename hint - * - * Ouput: displays the aggregate-pcr value - * Return code: if verification enabled, returns number of verification - * errors. - */ -int main(int argc, char *argv[]) -{ - FILE *fp; - struct event template; - u_int8_t pcr[SHA_DIGEST_LENGTH]; - int i, count = 0; - - int validate = 0; - int verify = 0; - - if (argc < 2) { - printf("format: %s binary_runtime_measurements" - " [--validate] [--verbose] [--verify]\n", argv[0]); - return 1; - } - - for (i = 2; i < argc; i++) { - if (strncmp(argv[i], "--validate", 8) == 0) - validate = 1; - if (strncmp(argv[i], "--verbose", 7) == 0) - verbose = 1; - if (strncmp(argv[i], "--verify", 6) == 0) - verify = 1; - } - - fp = fopen(argv[1], "r"); - if (!fp) { - printf("fn: %s\n", argv[1]); - perror("Unable to open file\n"); - return 1; - } - memset(pcr, 0, SHA_DIGEST_LENGTH); /* initial PCR content 0..0 */ - memset(zero, 0, SHA_DIGEST_LENGTH); - memset(fox, 0xff, SHA_DIGEST_LENGTH); - - print_info("### PCR HASH " - "TEMPLATE-NAME\n"); - while (fread(&template.header, sizeof template.header, 1, fp)) { - SHA_CTX c; - - /* Extend simulated PCR with new template digest */ - SHA1_Init(&c); - SHA1_Update(&c, pcr, SHA_DIGEST_LENGTH); - if (validate) { - if (memcmp(template.header.digest, zero, 20) == 0) - memset(template.header.digest, 0xFF, 20); - } - SHA1_Update(&c, template.header.digest, 20); - SHA1_Final(pcr, &c); - - print_info("%3d %03u ", count++, template.header.pcr); - display_sha1_digest(template.header.digest); - if (template.header.name_len > TCG_EVENT_NAME_LEN_MAX) { - printf("%d ERROR: event name too long!\n", - template.header.name_len); - exit(1); - } - memset(template.name, 0, sizeof template.name); - fread(template.name, template.header.name_len, 1, fp); - print_info(" %s ", template.name); - - memset(&template.ima_data, 0, sizeof template.ima_data); - fread(&template.ima_data.digest, - sizeof template.ima_data.digest, 1, fp); - display_sha1_digest(template.ima_data.digest); - - fread(&template.filename_len, - sizeof template.filename_len, 1, fp); - fread(template.ima_data.filename, template.filename_len, 1, fp); - print_info(" %s\n", template.ima_data.filename); - - if (verify) - if (verify_template_hash(&template) != 0) { - tst_resm(TFAIL, "Hash failed"); - } - } - fclose(fp); - - verbose = 1; - print_info("PCRAggr (re-calculated):"); - display_sha1_digest(pcr); - tst_exit(); -} - -#else -int main(void) -{ - tst_brkm(TCONF, NULL, "test requires libcrypto and openssl development packages"); -} -#endif diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh index e78926165..ced1383a1 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh @@ -21,13 +21,13 @@ TST_TESTFUNC="test" TST_SETUP="init" -TST_CNT=3 +TST_CNT=2 . ima_setup.sh init() { - tst_check_cmds ima_boot_aggregate ima_measure + tst_check_cmds awk cut evmctl ima_boot_aggregate } test1() @@ -37,24 +37,23 @@ test1() local zero="0000000000000000000000000000000000000000" local tpm_bios="$SECURITYFS/tpm0/binary_bios_measurements" local ima_measurements="$ASCII_MEASUREMENTS" - local boot_aggregate boot_hash ima_hash line + local boot_aggregate boot_hash line # IMA boot aggregate read line < $ima_measurements - ima_hash=$(expr substr "${line}" 49 40) + boot_hash=$(echo $line | awk '{print $(NF-1)}' | cut -d':' -f2) if [ ! -f "$tpm_bios" ]; then tst_res TINFO "TPM not builtin kernel, or TPM not enabled" - if [ "${ima_hash}" = "${zero}" ]; then + if [ "${boot_hash}" = "${zero}" ]; then tst_res TPASS "bios boot aggregate is 0" else tst_res TFAIL "bios boot aggregate is not 0" fi else - boot_aggregate=$(ima_boot_aggregate $tpm_bios) - boot_hash=$(expr substr $boot_aggregate 16 40) - if [ "${ima_hash}" = "${boot_hash}" ]; then + boot_aggregate=$(ima_boot_aggregate $tpm_bios | grep "boot_aggregate:" | cut -d':' -f2) + if [ "${boot_hash}" = "${boot_aggregate}" ]; then tst_res TPASS "bios aggregate matches IMA boot aggregate" else tst_res TFAIL "bios aggregate does not match IMA boot aggregate" @@ -69,29 +68,37 @@ validate_pcr() { tst_res TINFO "verify PCR (Process Control Register)" - local ima_measurements="$BINARY_MEASUREMENTS" - local aggregate_pcr="$(ima_measure $ima_measurements --validate)" local dev_pcrs="$1" - local ret=0 + local pcr hash aggregate_pcr + + aggregate_pcr="$(evmctl -v ima_measurement $BINARY_MEASUREMENTS 2>&1 | \ + grep 'HW PCR-10:' | awk '{print $3}')" + [ -e "$aggregate_pcr" ] || tst_res TFAIL "failed to get PCR-10" while read line; do - pcr=$(expr substr "${line}" 1 6) + pcr="$(echo $line | cut -d':' -f1)" if [ "${pcr}" = "PCR-10" ]; then - aggr=$(expr substr "${aggregate_pcr}" 26 59) - pcr=$(expr substr "${line}" 9 59) - [ "${pcr}" = "${aggr}" ] || ret=$? + hash="$(echo $line | cut -d':' -f2 | awk '{ gsub (" ", "", $0); print tolower($0) }')" + [ "${hash}" = "${aggregate_pcr}" ] + return $? fi done < $dev_pcrs - return $ret + return 1 } test2() { tst_res TINFO "verify PCR values" + tst_res TINFO "evmctl version: $(evmctl --version)" - # Would be nice to know where the PCRs are located. Is this safe? - local pcrs_path="$(find $SYSFS/devices/ | grep pcrs)" - if [ $? -eq 0 ]; then + local pcrs_path="/sys/class/tpm/tpm0/device/pcrs" + if [ -f "$pcrs_path" ]; then + tst_res TINFO "new PCRS path, evmctl >= 1.1 required" + else + pcrs_path="/sys/class/misc/tpm0/device/pcrs" + fi + + if [ -f "$pcrs_path" ]; then validate_pcr $pcrs_path if [ $? -eq 0 ]; then tst_res TPASS "aggregate PCR value matches real PCR value" @@ -103,17 +110,4 @@ test2() fi } -test3() -{ - tst_res TINFO "verify template hash value" - - local ima_measurements="$BINARY_MEASUREMENTS" - ima_measure $ima_measurements --verify --validate - if [ $? -eq 0 ]; then - tst_res TPASS "verified IMA template hash values" - else - tst_res TFAIL "error verifing IMA template hash values" - fi -} - tst_run