From patchwork Tue Jul 14 18:17:02 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lachlan Sneff X-Patchwork-Id: 1329027 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.a=rsa-sha256 header.s=default header.b=M+21e9Oh; dkim-atps=neutral Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4B5pdl6mCdz9sDX for ; Wed, 15 Jul 2020 04:17:31 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 411A73C4F78 for ; Tue, 14 Jul 2020 20:17:29 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-3.smtp.seeweb.it (in-3.smtp.seeweb.it [217.194.8.3]) by picard.linux.it (Postfix) with ESMTP id 6C77A3C286A for ; Tue, 14 Jul 2020 20:17:17 +0200 (CEST) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by in-3.smtp.seeweb.it (Postfix) with ESMTP id 8167B1A00E31 for ; Tue, 14 Jul 2020 20:17:16 +0200 (CEST) Received: from localhost.localdomain (c-73-187-218-229.hsd1.pa.comcast.net [73.187.218.229]) by linux.microsoft.com (Postfix) with ESMTPSA id BA2A120B4909; Tue, 14 Jul 2020 11:17:14 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com BA2A120B4909 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1594750635; bh=fOg5ojJBtTQ67zHzWv85YTCyYaT7XT/WROlPxh6BoY8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=M+21e9OhgI7oqP7PCqVUz+LzarKMH10PCBqqPnzRcu8NpcisUNiFs/2UcMTZkGRQp GClAFCTc0A9jCgGfU9rfkpHoVTeyezHdnkpOQ8ja2V8bsHnD82zQ7sRRvGAh8Sbe78 wlo/GtTIdAtngrYf8mUmHQzsx7W/3YHE9StRAdes= From: Lachlan Sneff To: zohar@linux.ibm.com, pvorel@suse.cz, ltp@lists.linux.it Date: Tue, 14 Jul 2020 14:17:02 -0400 Message-Id: <20200714181703.6374-2-t-josne@linux.microsoft.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200714181703.6374-1-t-josne@linux.microsoft.com> References: <20200714181703.6374-1-t-josne@linux.microsoft.com> MIME-Version: 1.0 X-Virus-Scanned: clamav-milter 0.99.2 at in-3.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=-14.9 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,SPF_HELO_PASS,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=disabled version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on in-3.smtp.seeweb.it Subject: [LTP] [PATCH v5 1/2] IMA: Add a test to verify measurment of keys X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, balajib@linux.microsoft.com Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" Add a testcase that verifies that the IMA subsystem has correctly measured keys added to keyrings specified in the IMA policy file. Additionally, add support for handling a new IMA template descriptor, namely ima-buf[1], in the IMA measurement tests. [1]: https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use Signed-off-by: Lachlan Sneff --- runtest/ima | 1 + .../integrity/ima/datafiles/keycheck.policy | 1 + .../security/integrity/ima/tests/ima_keys.sh | 71 +++++++++++++++++++ .../integrity/ima/tests/ima_measurements.sh | 36 +--------- .../integrity/ima/tests/ima_policy.sh | 1 - .../security/integrity/ima/tests/ima_setup.sh | 35 +++++++++ 6 files changed, 109 insertions(+), 36 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keycheck.policy create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_keys.sh diff --git a/runtest/ima b/runtest/ima index f3ea88cf0..309d47420 100644 --- a/runtest/ima +++ b/runtest/ima @@ -3,4 +3,5 @@ ima_measurements ima_measurements.sh ima_policy ima_policy.sh ima_tpm ima_tpm.sh ima_violations ima_violations.sh +ima_keys ima_keys.sh evm_overlay evm_overlay.sh diff --git a/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy new file mode 100644 index 000000000..3f1934a3d --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy @@ -0,0 +1 @@ +measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh new file mode 100755 index 000000000..4d53cd04f --- /dev/null +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -0,0 +1,71 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2020 Microsoft Corporation +# Author: Lachlan Sneff +# +# Verify that keys are measured correctly based on policy. + +TST_NEEDS_CMDS="grep mktemp cut sed tr" +TST_CNT=1 +TST_NEEDS_DEVICE=1 + +. ima_setup.sh + +# Based on https://lkml.org/lkml/2019/12/13/564. +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") +test1() +{ + local keyrings keycheck_lines keycheck_line templates test_file="file.txt" fail + + tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file" + + [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY" + + [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)" + + keycheck_lines=$(grep "func=KEY_CHECK" $IMA_POLICY) + if [ -z "$keycheck_lines" ]; then + tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\"" + fi + + keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1) + + if [ -z "$keycheck_line" ]; then + tst_brk TCONF "ima policy does not specify a keyrings to check" + fi + + keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \ + sed "s/\./\\\./g" | cut -d'=' -f2) + if [ -z "$keyrings" ]; then + tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings" + fi + + templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \ + cut -d'=' -f2) + + grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line + do + local digest expected_digest algorithm + + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) + keyring=$(echo "$line" | cut -d' ' -f5) + + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file + + expected_digest="$(compute_digest $algorithm $test_file)" || \ + tst_brk TCONF "cannot compute digest for $algorithm" + + if [ "$digest" != "$expected_digest" ]; then + fail=1 + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring" + break + fi + done + + if [ "$fail" ]; then + tst_res TPASS "specified keyrings were measured correctly" + fi +} + +tst_run diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index 54237d688..04d8e6353 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh @@ -28,7 +28,7 @@ setup() # parse digest index # https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use case "$template" in - ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;; + ima|ima-ng|ima-sig|ima-buf) DIGEST_INDEX=4 ;; *) # using ima_template_fmt kernel parameter local IFS="|" @@ -46,40 +46,6 @@ setup() "Cannot find digest index (template: '$template')" } -# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160 -compute_digest() -{ - local algorithm="$1" - local file="$2" - local digest - - digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')" - if [ -n "$digest" ]; then - echo "$digest" - return 0 - fi - - digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')" - if [ -n "$digest" ]; then - echo "$digest" - return 0 - fi - - # uncommon ciphers - local arg="$algorithm" - case "$algorithm" in - tgr192) arg="tiger" ;; - wp512) arg="whirlpool" ;; - esac - - digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')" - if [ -n "$digest" ]; then - echo "$digest" - return 0 - fi - return 1 -} - ima_check() { local delimiter=':' diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh index 6286277b4..244cf081d 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh @@ -23,7 +23,6 @@ check_policy_writable() setup() { - IMA_POLICY="$IMA_DIR/policy" check_policy_writable VALID_POLICY="$TST_DATAROOT/measure.policy" diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 58a12eda3..8ae477c1c 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -20,6 +20,40 @@ SYSFS="/sys" UMOUNT= TST_FS_TYPE="ext3" +# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160 +compute_digest() +{ + local algorithm="$1" + local file="$2" + local digest + + digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')" + if [ -n "$digest" ]; then + echo "$digest" + return 0 + fi + + digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')" + if [ -n "$digest" ]; then + echo "$digest" + return 0 + fi + + # uncommon ciphers + local arg="$algorithm" + case "$algorithm" in + tgr192) arg="tiger" ;; + wp512) arg="whirlpool" ;; + esac + + digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')" + if [ -n "$digest" ]; then + echo "$digest" + return 0 + fi + return 1 +} + check_ima_policy() { local policy="$1" @@ -85,6 +119,7 @@ ima_setup() [ -d "$IMA_DIR" ] || tst_brk TCONF "IMA not enabled in kernel" ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements" BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements" + IMA_POLICY="$IMA_DIR/policy" print_ima_config From patchwork Tue Jul 14 18:17:03 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lachlan Sneff X-Patchwork-Id: 1329028 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.a=rsa-sha256 header.s=default header.b=kIUbruTB; dkim-atps=neutral Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4B5pdx1Yklz9sR4 for ; Wed, 15 Jul 2020 04:17:41 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 78A453C4F6D for ; Tue, 14 Jul 2020 20:17:38 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-7.smtp.seeweb.it (in-7.smtp.seeweb.it [IPv6:2001:4b78:1:20::7]) by picard.linux.it (Postfix) with ESMTP id 1D1DF3C4F77 for ; Tue, 14 Jul 2020 20:17:19 +0200 (CEST) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by in-7.smtp.seeweb.it (Postfix) with ESMTP id 5D5BB200911 for ; Tue, 14 Jul 2020 20:17:18 +0200 (CEST) Received: from localhost.localdomain (c-73-187-218-229.hsd1.pa.comcast.net [73.187.218.229]) by linux.microsoft.com (Postfix) with ESMTPSA id ECA8B20B490A; Tue, 14 Jul 2020 11:17:15 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com ECA8B20B490A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1594750636; bh=eCk7szO70aHIl8QR28yX9xAMF9C0bOdAZP5iZN94a5M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kIUbruTBse3xCgdshieOemNlDe72NlmnDX0dUfTuZKdWJAiI7MOB/h2tzDkf+rUs4 aVPn8xnHP6mhSoLp8acLtGat6VRmx2gi388uIPuCHEs2ZEQhrkJgA2J09kTK/pQTWw 4ucpMKyv/FBci7XRSvITr1zR/qyY09jClFf1SmjM= From: Lachlan Sneff To: zohar@linux.ibm.com, pvorel@suse.cz, ltp@lists.linux.it Date: Tue, 14 Jul 2020 14:17:03 -0400 Message-Id: <20200714181703.6374-3-t-josne@linux.microsoft.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200714181703.6374-1-t-josne@linux.microsoft.com> References: <20200714181703.6374-1-t-josne@linux.microsoft.com> MIME-Version: 1.0 X-Virus-Scanned: clamav-milter 0.99.2 at in-7.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=-14.9 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,SPF_HELO_PASS,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=disabled version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on in-7.smtp.seeweb.it Subject: [LTP] [PATCH v5 2/2] IMA: Add a test to verify importing a certificate into keyring X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, balajib@linux.microsoft.com Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" Add an IMA measurement test that verifies that an x509 certificate can be imported into the .ima keyring and measured correctly. Signed-off-by: Lachlan Sneff --- .../kernel/security/integrity/ima/README.md | 22 ++++++++++ .../security/integrity/ima/tests/ima_keys.sh | 44 ++++++++++++++++++- 2 files changed, 64 insertions(+), 2 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md index 16a1f48c3..9e6790306 100644 --- a/testcases/kernel/security/integrity/ima/README.md +++ b/testcases/kernel/security/integrity/ima/README.md @@ -16,6 +16,28 @@ CONFIG_INTEGRITY=y CONFIG_IMA=y ``` +IMA Key Import test +------------- +`ima_keys.sh` requires an x509 certificate to be signed by a key on one +of the trusted keyrings. The x509 certificate must be placed at +`/etc/keys/x509_ima.der` for this test or the path must be passed in +the CERT_FILE env var. + +The x509 public key key must be signed by the private key you generate. +Follow these instructions: +https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys. + +The test cannot be set-up automatically because the x509 public key must be +built into the kernel and loaded onto a trusted keyring. + +As well as what's required for the IMA tests, the following are also required +in the kernel configuration: +``` +CONFIG_IMA_READ_POLICY=y +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem" +``` + EVM tests --------- diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index 4d53cd04f..c10427481 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -5,10 +5,12 @@ # # Verify that keys are measured correctly based on policy. -TST_NEEDS_CMDS="grep mktemp cut sed tr" -TST_CNT=1 +TST_NEEDS_CMDS="grep mktemp cut sed tr xxd keyctl evmctl openssl cmp" +TST_CNT=2 TST_NEEDS_DEVICE=1 +CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}" + . ima_setup.sh # Based on https://lkml.org/lkml/2019/12/13/564. @@ -68,4 +70,42 @@ test1() fi } + +# Test that a cert can be imported into the ".ima" keyring correctly. +test2() { + local keyring_id key_id test_file="file.txt" + + [ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE" + + if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then + tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate" + fi + + tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)" + + keyring_id=$(keyctl describe %:.ima | cut -d' ' -f2 | tr -d ':') || \ + tst_btk TCONF "unable to retrieve .ima keyring id" + + if ! tst_is_num "$keyring_id"; then + tst_brk TCONF "unable to parse keyring id from keyring" + fi + + evmctl import $CERT_FILE "$keyring_id" > /dev/null || \ + tst_brk TCONF "unable to import a cert into the .ima keyring" + + grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \ + xxd -r -p > $test_file || \ + tst_brk TCONF "cert not found in ascii_runtime_measurements log" + + if ! openssl x509 -in $test_file -inform der > /dev/null; then + tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate" + fi + + if cmp -s "$test_file" $CERT_FILE; then + tst_res TPASS "logged cert matches original cert" + else + tst_res TFAIL "logged cert does not match original cert" + fi +} + tst_run