| Message ID | 20250114113239.611278-1-pvorel@suse.cz |
|---|---|
| State | Rejected |
| Series | [RFC] IMA: Remove evm_overlay.sh |
Hi Mimi, Ignaz, > Proof of concept, it was never fixed in the kernel. > Instead we should have some basic EVM tests. gently ping. Is evm_overlay.sh test useful for you? Otherwise I'll delete it. Kind regards, Petr > Signed-off-by: Petr Vorel <pvorel@suse.cz> > --- > runtest/ima | 1 - > .../kernel/security/integrity/ima/README.md | 64 ------------- > .../integrity/ima/tests/evm_overlay.sh | 93 ------------------- > 3 files changed, 158 deletions(-) > delete mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh > diff --git a/runtest/ima b/runtest/ima > index 01942eefa3..75e5a99e7c 100644 > --- a/runtest/ima > +++ b/runtest/ima > @@ -7,4 +7,3 @@ ima_keys ima_keys.sh > ima_kexec ima_kexec.sh > ima_selinux ima_selinux.sh > ima_conditionals ima_conditionals.sh > -evm_overlay evm_overlay.sh > diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md > index 5b261a1914..d3c3206bf2 100644 > --- a/testcases/kernel/security/integrity/ima/README.md > +++ b/testcases/kernel/security/integrity/ima/README.md 
> @@ -64,67 +64,3 @@ and reading the IMA policy allowed in the kernel configuration: > CONFIG_SECURITY_SELINUX=y > CONFIG_IMA_READ_POLICY=y > ``` > - > -## EVM tests > - > -`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb` > -kernel parameter) which appraises the integrity of all files owned by root and EVM setup. > -Again, for simplicity ignore possibility to load requires rules via custom policy. > - > -Mandatory kernel configuration for EVM tests: > -``` > -CONFIG_INTEGRITY=y > -CONFIG_INTEGRITY_SIGNATURE=y > -CONFIG_IMA=y > -CONFIG_IMA_APPRAISE=y > -CONFIG_EVM=y > -CONFIG_KEYS=y > -CONFIG_TRUSTED_KEYS=y > -CONFIG_ENCRYPTED_KEYS=y > -``` > - > -Example of preparing environment on for EVM on openSUSE: > - > -* Boot install system with `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters > - (for IMA measurement, IMA appraisal and EVM protection) > -* Proceed with installation until summary screen, but do not start the installation yet > -* Select package `dracut-ima` (required for early boot EVM support) for installation > - (Debian based distros already contain IMA + EVM support in `dracut` package) > -* Change to a console window and run commands to generate keys required by EVM: > -``` > -# mkdir /etc/keys > -# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u) > -# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob > -# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u) > -# keyctl pipe "$evm_key" >/etc/keys/evm.blob > -# cat <<END >/etc/sysconfig/masterkey > -MASTERKEYTYPE="user" > -MASTERKEY="/etc/keys/kmk-user.blob" > -END > -# cat <<END >/etc/sysconfig/evm > -EVMKEY="/etc/keys/evm.blob" > -END > -# mount -t securityfs security /sys/kernel/security > -# echo 1 >/sys/kernel/security/evm > -``` > - > -* Go back to the installation summary screen and start the installation > -* During the installation execute the following commands from the 
console: > -``` > -# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt > -# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/ > -``` > - > -This should work on any distribution using dracut. > -Loading EVM keys is also possible with initramfs-tools (Debian based distributions). > - > -Of course it's possible to install OS usual way, add keys later and fix missing xattrs with: > -``` > -evmctl -r ima_fix / > -``` > - > -or with `find` if evmctl is not available: > -``` > -find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \; > -``` > -Again, fixing requires `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters. > diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh > deleted file mode 100755 > index 12b2a28c25..0000000000 > --- a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh > +++ /dev/null 
> @@ -1,93 +0,0 @@ > -#!/bin/sh > -# SPDX-License-Identifier: GPL-2.0-or-later > -# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz> > -# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de> > -# Reproducer for not upstreamed patchset [1] and previous report [2]. > -# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html > -# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html > - > -TST_SETUP="setup" > -TST_CLEANUP="cleanup" > -TST_CNT=4 > - > -setup() > -{ > - EVM_FILE="/sys/kernel/security/evm" > - > - [ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel" > - [ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot" > - > - require_ima_policy_cmdline "appraise_tcb" > - > - lower="$TST_MNTPOINT/lower" > - upper="$TST_MNTPOINT/upper" > - work="$TST_MNTPOINT/work" > - merged="$TST_MNTPOINT/merged" > - mkdir -p $lower $upper $work $merged > - > - device_backup="$TST_DEVICE" > - TST_DEVICE="overlay" > - > - fs_type_backup="$TST_FS_TYPE" > - TST_FS_TYPE="overlay" > - > - mntpoint_backup="$TST_MNTPOINT" > - TST_MNTPOINT="$PWD/$merged" > - > - params_backup="$TST_MNT_PARAMS" > - TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work" > - > - tst_mount > - mounted=1 > -} > - > -test1() > -{ > - local file="foo1.txt" > - > - tst_res TINFO "overwrite file in overlay" > - EXPECT_PASS echo lower \> $lower/$file > - EXPECT_PASS echo overlay \> $merged/$file > -} > - > -test2() > -{ > - local file="foo2.txt" > - > - tst_res TINFO "append file in overlay" > - EXPECT_PASS echo lower \> $lower/$file > - EXPECT_PASS echo overlay \>\> $merged/$file > -} > - > -test3() > -{ > - local file="foo3.txt" > - > - tst_res TINFO "create a new file in overlay" > - EXPECT_PASS echo overlay \> $merged/$file > -} > - > -test4() > -{ > - local f > - > - tst_res TINFO "read all created files" > - for f in $(find $TST_MNTPOINT -type f); do > - EXPECT_PASS cat $f \> /dev/null 2\> /dev/null > - done > -} > - > 
-cleanup() > -{ > - [ -n "$mounted" ] || return 0 > - > - tst_umount $TST_MNTPOINT > - > - TST_DEVICE="$device_backup" > - TST_FS_TYPE="$fs_type_backup" > - TST_MNTPOINT="$mntpoint_backup" > - TST_MNT_PARAMS="$params_backup" > -} > - > -. ima_setup.sh > -tst_run
On Fri, 2025-03-07 at 11:24 +0100, Petr Vorel wrote:
> Hi Mimi, Ignaz,
>
> > Proof of concept, it was never fixed in the kernel.
> > Instead we should have some basic EVM tests.
>
> gently ping. Is evm_overlay.sh test useful for you?
> Otherwise I'll delete it.

Requiring the "ima_policy=appraise_tcb" default policy to run the tests limits
its usefulness. Perhaps REQUIRED_POLICY_CONTENT could be defined. I'll let you
know. For now, please don't remove the test.

thanks,
Mimi
Hi Mimi, Ignaz,

> On Fri, 2025-03-07 at 11:24 +0100, Petr Vorel wrote:
> > Hi Mimi, Ignaz,
> > > Proof of concept, it was never fixed in the kernel.
> > > Instead we should have some basic EVM tests.
> > gently ping. Is evm_overlay.sh test useful for you?
> > Otherwise I'll delete it.

> Requiring the "ima_policy=appraise_tcb" default policy to run the tests limits
> its usefulness. Perhaps REQUIRED_POLICY_CONTENT could be defined. I'll let you
> know. For now, please don't remove the test.

Sure, I'll keep the test if you want. Also adding REQUIRED_POLICY_CONTENT would help.

But the reason why I wanted to delete the test is the fact that it's a proof of concept:

1) It's a reproducer for a patchset which hasn't been fixed.
2) It requires test setup first: "ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix". [2]
3) I'm not sure if the test even works as expected.

But I'll try to test it again and test if it will work with REQUIRED_POLICY_CONTENT.

Kind regards,
Petr

[1] https://lore.kernel.org/linux-integrity/20190211165323.9369-1-iforster@suse.com/
[2] https://github.com/linux-test-project/ltp/tree/master/testcases/kernel/security/integrity/ima#evm-tests

> thanks,
> Mimi
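One way to implement the policy-content check suggested in the thread, in place of a hard `ima_policy=appraise_tcb` command-line requirement, as an added example: this is not LTP's ima_setup.sh nor its REQUIRED_POLICY_CONTENT implementation, and the function names, the two constructed policy dumps, and the TCONF wording are this example's own assumptions. It reads the loaded policy from /sys/kernel/security/ima/policy (readable only with CONFIG_IMA_READ_POLICY=y, which the README lists) and looks for the rule that appraises root-owned files, `appraise fowner=0`, rather than trusting the boot parameter; a custom policy that carries the same rule therefore also passes the check.

```shell
#!/bin/sh
# Added example, not LTP code: decide whether an EVM/IMA appraisal test can
# run by inspecting the loaded IMA policy instead of requiring a specific
# "ima_policy=" boot parameter. The live policy is readable from
# /sys/kernel/security/ima/policy when CONFIG_IMA_READ_POLICY=y; the dumps
# below are constructed so the script runs offline.

IMA_POLICY_FILE="/sys/kernel/security/ima/policy"

# Constructed dump resembling a boot with ima_policy=tcb|appraise_tcb:
# measurement rules plus the appraise rule for root-owned files (fowner=0).
SAMPLE_APPRAISE_POLICY='dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
appraise fowner=0'

# Constructed dump resembling a measurement-only boot (ima_policy=tcb):
# no appraise rule at all, so an EVM appraisal test cannot be meaningful.
SAMPLE_MEASURE_ONLY_POLICY='dont_measure fsmagic=0x9fa0
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=MODULE_CHECK'

# policy_has_rule POLICY ACTION TOKEN...
# Succeeds if some line of POLICY starts with ACTION (e.g. "appraise") and
# carries every TOKEN (e.g. "fowner=0") as a whole space-separated field, so
# "fowner=0" does not match "fowner=01" and a measure rule never satisfies
# an appraise requirement.
policy_has_rule()
{
	policy="$1"
	action="$2"
	shift 2

	# Explicit subshell: "exit" ends only the subshell and its status
	# becomes the pipeline's, and so the function's, return value.
	printf '%s\n' "$policy" | (
		while IFS= read -r line; do
			case "$line" in
			"$action "*) ;;
			*) continue ;;
			esac
			for tok in "$@"; do
				case " $line " in
				*" $tok "*) ;;
				*) continue 2 ;;
				esac
			done
			exit 0
		done
		exit 1
	)
}

# evm_test_policy_ok POLICY
# The check an EVM overlay test could use instead of
# require_ima_policy_cmdline "appraise_tcb": the policy must appraise
# root-owned files, however it was loaded (builtin or custom).
evm_test_policy_ok()
{
	policy_has_rule "$1" appraise fowner=0
}

# read_ima_policy: print the live policy, or fail when it is not readable
# (securityfs not mounted, CONFIG_IMA_READ_POLICY=n, or not running as root).
read_ima_policy()
{
	[ -r "$IMA_POLICY_FILE" ] && cat "$IMA_POLICY_FILE"
}

# Report the verdict for one policy dump, using LTP-style TCONF wording
# (assumed wording, for illustration).
report_policy()
{
	if evm_test_policy_ok "$2"; then
		echo "$1: appraise fowner=0 present, EVM test can run"
	else
		echo "$1: TCONF: IMA policy does not appraise root-owned files"
	fi
}

report_policy "constructed appraise_tcb dump" "$SAMPLE_APPRAISE_POLICY"
report_policy "constructed tcb-only dump" "$SAMPLE_MEASURE_ONLY_POLICY"
if live=$(read_ima_policy 2>/dev/null); then
	report_policy "live policy" "$live"
fi
```

The token match is deliberately field-based rather than a substring `grep`, because policy rules such as `fowner=0` are prefixes of other legal values; a content check that is looser than the rule it claims to verify would let the test run under a policy that does not actually appraise the files it writes.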
diff --git a/runtest/ima b/runtest/ima index 01942eefa3..75e5a99e7c 100644 --- a/runtest/ima +++ b/runtest/ima @@ -7,4 +7,3 @@ ima_keys ima_keys.sh ima_kexec ima_kexec.sh ima_selinux ima_selinux.sh ima_conditionals ima_conditionals.sh -evm_overlay evm_overlay.sh diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md index 5b261a1914..d3c3206bf2 100644 --- a/testcases/kernel/security/integrity/ima/README.md +++ b/testcases/kernel/security/integrity/ima/README.md 
@@ -64,67 +64,3 @@ and reading the IMA policy allowed in the kernel configuration: CONFIG_SECURITY_SELINUX=y CONFIG_IMA_READ_POLICY=y ``` - -## EVM tests - -`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb` -kernel parameter) which appraises the integrity of all files owned by root and EVM setup. -Again, for simplicity ignore possibility to load requires rules via custom policy. - -Mandatory kernel configuration for EVM tests: -``` -CONFIG_INTEGRITY=y -CONFIG_INTEGRITY_SIGNATURE=y -CONFIG_IMA=y -CONFIG_IMA_APPRAISE=y -CONFIG_EVM=y -CONFIG_KEYS=y -CONFIG_TRUSTED_KEYS=y -CONFIG_ENCRYPTED_KEYS=y -``` - -Example of preparing environment on for EVM on openSUSE: - -* Boot install system with `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters - (for IMA measurement, IMA appraisal and EVM protection) -* Proceed with installation until summary screen, but do not start the installation yet -* Select package `dracut-ima` (required for early boot EVM support) for installation - (Debian based distros already contain IMA + EVM support in `dracut` package) -* Change to a console window and run commands to generate keys required by EVM: -``` -# mkdir /etc/keys -# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u) -# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob -# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u) -# keyctl pipe "$evm_key" >/etc/keys/evm.blob -# cat <<END >/etc/sysconfig/masterkey -MASTERKEYTYPE="user" -MASTERKEY="/etc/keys/kmk-user.blob" -END -# cat <<END >/etc/sysconfig/evm -EVMKEY="/etc/keys/evm.blob" -END -# mount -t securityfs security /sys/kernel/security -# echo 1 >/sys/kernel/security/evm -``` - -* Go back to the installation summary screen and start the installation -* During the installation execute the following commands from the console: -``` -# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt -# cp 
/etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/ -``` - -This should work on any distribution using dracut. -Loading EVM keys is also possible with initramfs-tools (Debian based distributions). - -Of course it's possible to install OS usual way, add keys later and fix missing xattrs with: -``` -evmctl -r ima_fix / -``` - -or with `find` if evmctl is not available: -``` -find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \; -``` -Again, fixing requires `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters. diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh deleted file mode 100755 index 12b2a28c25..0000000000 --- a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/bin/sh -# SPDX-License-Identifier: GPL-2.0-or-later -# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz> -# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de> -# Reproducer for not upstreamed patchset [1] and previous report [2]. -# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html -# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html - -TST_SETUP="setup" -TST_CLEANUP="cleanup" -TST_CNT=4 - -setup() -{ - EVM_FILE="/sys/kernel/security/evm" - - [ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel" - [ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot" - - require_ima_policy_cmdline "appraise_tcb" - - lower="$TST_MNTPOINT/lower" - upper="$TST_MNTPOINT/upper" - work="$TST_MNTPOINT/work" - merged="$TST_MNTPOINT/merged" - mkdir -p $lower $upper $work $merged - - device_backup="$TST_DEVICE" - TST_DEVICE="overlay" - - fs_type_backup="$TST_FS_TYPE" - TST_FS_TYPE="overlay" - - mntpoint_backup="$TST_MNTPOINT" - TST_MNTPOINT="$PWD/$merged" - - params_backup="$TST_MNT_PARAMS" - TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work" - - tst_mount - mounted=1 -} - -test1() -{ - local file="foo1.txt" - - tst_res TINFO "overwrite file in overlay" - EXPECT_PASS echo lower \> $lower/$file - EXPECT_PASS echo overlay \> $merged/$file -} - -test2() -{ - local file="foo2.txt" - - tst_res TINFO "append file in overlay" - EXPECT_PASS echo lower \> $lower/$file - EXPECT_PASS echo overlay \>\> $merged/$file -} - -test3() -{ - local file="foo3.txt" - - tst_res TINFO "create a new file in overlay" - EXPECT_PASS echo overlay \> $merged/$file -} - -test4() -{ - local f - - tst_res TINFO "read all created files" - for f in $(find $TST_MNTPOINT -type f); do - EXPECT_PASS cat $f \> /dev/null 2\> /dev/null - done -} - -cleanup() -{ - [ -n "$mounted" ] || return 0 - - tst_umount $TST_MNTPOINT - - TST_DEVICE="$device_backup" - TST_FS_TYPE="$fs_type_backup" - 
TST_MNTPOINT="$mntpoint_backup" - TST_MNT_PARAMS="$params_backup" -} - -. ima_setup.sh -tst_run
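Review bot: removing `evm_overlay evm_overlay.sh` from runtest/ima leaves the ima runfile with no EVM entry at all, while the commit message says basic EVM tests should exist instead; land the replacement in the same series, or keep the entry until it exists, so EVM coverage does not silently drop out of every run that uses this runfile.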
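Review bot: the deleted `## EVM tests` section of README.md documents far more than this one test: the mandatory kernel configuration (`CONFIG_EVM=y`, `CONFIG_TRUSTED_KEYS=y`, `CONFIG_ENCRYPTED_KEYS=y`), the keyctl generation of `kmk-user` and `evm-key`, the `/etc/sysconfig/{evm,masterkey}` files, and the `evmctl -r ima_fix /` / `evm=fix` repair procedure. Any future EVM test needs exactly this setup, so keep the section and drop only the sentence that ties it to `evm_overlay.sh` rather than deleting 64 lines of setup documentation.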
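Review bot: the script header being deleted holds the only references to the unfixed patchset and the earlier report (the two spinics links), and the commit message only says "it was never fixed in the kernel"; carry those URLs into the commit message so the history stays traceable once the file is gone. Note also that the limiting line in setup() is `require_ima_policy_cmdline "appraise_tcb"`: replacing it with a check on the loaded policy's root-owned-file appraise rule (REQUIRED_POLICY_CONTENT, as proposed in the thread) would let the test run under custom policies and is a smaller change than removing it.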
Proof of concept, it was never fixed in the kernel.
Instead we should have some basic EVM tests.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 runtest/ima                                   |  1 -
 .../kernel/security/integrity/ima/README.md   | 64 -------------
 .../integrity/ima/tests/evm_overlay.sh        | 93 -------------------
 3 files changed, 158 deletions(-)
 delete mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh