Message ID | 20200612143842.3993-3-t-josne@linux.microsoft.com |
---|---|
State | Superseded |
Headers | show |
Series | IMA: Key Measurement + Certificate Measurement Tests | expand |
Hi Lachlan, few details (all can be fixed by me before merge, no need to repost). Reviewed-by: Petr Vorel <pvorel@suse.cz> ... > +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > @@ -5,10 +5,12 @@ > # Verify that keys are measured correctly based on policy. > -TST_NEEDS_CMDS="awk cut xxd" > -TST_CNT=1 > +TST_NEEDS_CMDS="awk cut xxd keyctl evmctl openssl cmp" TST_NEEDS_CMDS="awk cmp cut evmctl keyctl openssl sed xxd" (I ignore tail, if there is cut, sed and openssl it should be there, the same rule as for grep). > +TST_CNT=2 > TST_NEEDS_DEVICE=1 > +CERT_FILE="${CERT_FILE:-}/etc/keys/x509_ima.der" I'm sorry, I was wrong, this must be: CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}" > + > . ima_setup.sh > # Based on https://lkml.org/lkml/2019/12/13/564. > @@ -62,4 +64,43 @@ test1() > tst_res TPASS "specified keyrings were measured correctly" > } > + > +# Test that a cert can be imported into the ".ima" keyring correctly. > +test2() { > + local keyring_id key_id test_file="$PWD/test.txt" nit: Can test_file use relative path? local test_file="test.txt" Kind regards, Petr
> Add an IMA measurement test that verifies that an x509 certificate > can be imported into the .ima keyring and measured correctly. > Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> > --- > .../security/integrity/ima/tests/ima_keys.sh | 45 ++++++++++++++++++- > 1 file changed, 43 insertions(+), 2 deletions(-) > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > index f9c60a6fc..1eabb3e2e 100755 > --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > @@ -5,10 +5,12 @@ > # Verify that keys are measured correctly based on policy. > -TST_NEEDS_CMDS="awk cut xxd" > -TST_CNT=1 > +TST_NEEDS_CMDS="awk cut xxd keyctl evmctl openssl cmp" > +TST_CNT=2 > TST_NEEDS_DEVICE=1 > +CERT_FILE="${CERT_FILE:-}/etc/keys/x509_ima.der" Key setup is something what I'd like to be either set automatically (ideally, but maybe too hard) or documented in testcases/kernel/security/integrity/ima/README.md. ima_keys 1 TINFO: verifying key measurement for keyrings and templates specified in IMA policy file ima_keys 1 TPASS: specified keyrings were measured correctly ima_keys 2 TCONF: missing /etc/keys/x509_ima.der => many uses will TCONF, which is not what we want. Running these scripts from examples/ in ima-evm-utils repository: ./ima-gen-local-ca.sh && ./ima-genkey-self.sh && ./ima-genkey.sh is obviously not enough: ima_keys 1 TINFO: verifying key measurement for keyrings and templates specified in IMA policy file ima_keys 1 TPASS: specified keyrings were measured correctly ima_keys 2 TINFO: adding a cert to the .ima keyring (/etc/keys/x509_ima.der) add_key failed errno: Required key not available (126) ima_keys 2 TCONF: unable to import a cert into the .ima keyring Does it make sense to copy these scripts into LTP (most distros ship them in development packages, but we cannot depend on it) and run them in the test setup? If not, we should really document that. + feel free to add anything relevant to README.md :) Kind regards, Petr
On 6/16/20 11:55 AM, Petr Vorel wrote: >> Add an IMA measurement test that verifies that an x509 certificate >> can be imported into the .ima keyring and measured correctly. >> Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> >> --- >> .../security/integrity/ima/tests/ima_keys.sh | 45 ++++++++++++++++++- >> 1 file changed, 43 insertions(+), 2 deletions(-) >> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh >> index f9c60a6fc..1eabb3e2e 100755 >> --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh >> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh >> @@ -5,10 +5,12 @@ >> # Verify that keys are measured correctly based on policy. >> -TST_NEEDS_CMDS="awk cut xxd" >> -TST_CNT=1 >> +TST_NEEDS_CMDS="awk cut xxd keyctl evmctl openssl cmp" >> +TST_CNT=2 >> TST_NEEDS_DEVICE=1 >> +CERT_FILE="${CERT_FILE:-}/etc/keys/x509_ima.der" > Key setup is something what I'd like to be either set automatically > (ideally, but maybe too hard) or documented in > testcases/kernel/security/integrity/ima/README.md. > > ima_keys 1 TINFO: verifying key measurement for keyrings and templates specified in IMA policy file > ima_keys 1 TPASS: specified keyrings were measured correctly > ima_keys 2 TCONF: missing /etc/keys/x509_ima.der > => many uses will TCONF, which is not what we want. > > Running these scripts from examples/ in ima-evm-utils repository: > ./ima-gen-local-ca.sh && ./ima-genkey-self.sh && ./ima-genkey.sh > > is obviously not enough: > > ima_keys 1 TINFO: verifying key measurement for keyrings and templates specified in IMA policy file > ima_keys 1 TPASS: specified keyrings were measured correctly > ima_keys 2 TINFO: adding a cert to the .ima keyring (/etc/keys/x509_ima.der) > add_key failed > errno: Required key not available (126) > ima_keys 2 TCONF: unable to import a cert into the .ima keyring > > Does it make sense to copy these scripts into LTP (most distros ship them in > development packages, but we cannot depend on it) and run them in the test > setup? If not, we should really document that. > + feel free to add anything relevant to README.md :) > > Kind regards, > Petr Hi Petr, I'll look into whether it's doable to automatically generate keys. I suspect that including the scripts to generate the key is the best way forward with this, as well as noting in the README how to generate your own key and use that instead. Expect a further patch in the next few days. Thank you reviewing this further! Lachlan
Hi Lachlan, Just a 2 nit changes for second test: > +test2() { > + local keyring_id key_id test_file="$PWD/test.txt" local keyring_id key_id local test_file="test.txt" > + [ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE" [ -f $CERT_FILE ] || tst_brk TCONF "missing x509 certificate ($CERT_FILE)" ... plus removing rm $test_file It's in my branch https://github.com/pevik/ltp/tree/Lachlan_Sneff/ima_keys.sh.v3.fixes/ Can you please have a look, so I can push it? BTW could you please send me your IMA files (ascii_runtime_measurements should be enough)? Kind regards, Petr
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index f9c60a6fc..1eabb3e2e 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -5,10 +5,12 @@ # # Verify that keys are measured correctly based on policy. -TST_NEEDS_CMDS="awk cut xxd" -TST_CNT=1 +TST_NEEDS_CMDS="awk cut xxd keyctl evmctl openssl cmp" +TST_CNT=2 TST_NEEDS_DEVICE=1 +CERT_FILE="${CERT_FILE:-}/etc/keys/x509_ima.der" + . ima_setup.sh # Based on https://lkml.org/lkml/2019/12/13/564. @@ -62,4 +64,43 @@ test1() tst_res TPASS "specified keyrings were measured correctly" } + +# Test that a cert can be imported into the ".ima" keyring correctly. +test2() { + local keyring_id key_id test_file="$PWD/test.txt" + + [ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE" + + if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then + tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate" + fi + + tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)" + + keyring_id=$(keyctl show %:.ima | sed -n 2p | \ + sed 's/^[[:space:]]*//' | cut -d' ' -f1) || \ + tst_btk TCONF "unable to retrieve .ima keyring id" + + if ! tst_is_num "$keyring_id"; then + tst_brk TCONF "unable to parse keyring id from keyring" + fi + + evmctl import $CERT_FILE "$keyring_id" > /dev/null || \ + tst_brk TCONF "unable to import a cert into the .ima keyring" + + grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \ + xxd -r -p > $test_file || \ + tst_brk TCONF "cert not found in ascii_runtime_measurements log" + + if ! openssl x509 -in $test_file -inform der > /dev/null; then + tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate" + fi + + if cmp -s "$test_file" $CERT_FILE; then + tst_res TPASS "logged cert matches original cert" + else + tst_res TFAIL "logged cert does not match original cert" + fi +} + tst_run
Add an IMA measurement test that verifies that an x509 certificate can be imported into the .ima keyring and measured correctly. Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> --- .../security/integrity/ima/tests/ima_keys.sh | 45 ++++++++++++++++++- 1 file changed, 43 insertions(+), 2 deletions(-)