diff for duplicates of <1516815417.3686.55.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index 46612dc..8921f71 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -10,24 +10,24 @@ On Thu, 2018-01-11 at 21:28 +0100, Petr Vorel wrote: > > Comments are welcomed. -The LTP tests are quite dated, and need some major rework. I really -appreciate your addressing some of the issues. Below are some +The LTP tests are quite dated, and need some major rework. I really +appreciate your addressing some of the issues. Below are some additional ones. Tests "ima02 ima_measurement.sh" and "ima04 ima_violations.sh" assume -files are created on a filesystem in policy. The "measure.policy" -excludes tmpfs, yet TMPDIR defaults to a tmpfs filesystem. There are +files are created on a filesystem in policy. The "measure.policy" +excludes tmpfs, yet TMPDIR defaults to a tmpfs filesystem. There are a couple of ways of resolving this problem (eg. removing tmpfs from the "measure.policy", use a RAM block device instead of tmpfs, etc). - Since the builtin "ima_policy=tcb" also excludes tmpfs, not using a + Since the builtin "ima_policy=tcb" also excludes tmpfs, not using a tmpfs filesystem would be preferable. Originally IMA allowed a builtin policy to be replaced with a custom policy, by simply cat'ing a file into the securityfs IMA policy file. Currently, if new rules can be added to the custom policy (Kconfig -IMA_WRITE_POLICY enabled), the policy file must be signed. Similarly, +IMA_WRITE_POLICY enabled), the policy file must be signed. Similarly, if the builtin "secure-boot" policy is defined on the boot command -line, the custom policy must be signed. Test "ima01 ima_policy.sh" +line, the custom policy must be signed. Test "ima01 ima_policy.sh" should first detect if the policy must be signed, before running the tests. @@ -35,14 +35,14 @@ ima_boot_aggregate.c defines the BIOS MAX_EVENT_SIZE BIOS size as 500, but I'm currently seeing BIOS events larger than 4k. Since these tests were first written, Roberto's IMA templates and -Dmitry's support for larger digests were upstreamed. With the new +Dmitry's support for larger digests were upstreamed. With the new template format, the file hash is prefixed with the hash algorithm. - Before comparing the calculated boot aggregate with the value in the + Before comparing the calculated boot aggregate with the value in the IMA measurement list, the hash algorithm needs to be removed. - + For the new template format measurement lists, walking the measurement list, re-calculating the PCRs and comparing them with the HW or vTPM -PCRs fail. The ima-evm-utils package has a working version. Invoke +PCRs fail. The ima-evm-utils package has a working version. Invoke "evmctl" with the "ima_mesaurement" option. thanks, diff --git a/a/content_digest b/N1/content_digest index 4ee1576..76effd4 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -1,12 +1,8 @@ "ref\020180111202821.31639-1-pvorel@suse.cz\0" "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: [RFC PATCH 0/2] IMA: Rewrite tests into new API + fixes\0" + "Subject\0[LTP] [RFC PATCH 0/2] IMA: Rewrite tests into new API + fixes\0" "Date\0Wed, 24 Jan 2018 12:36:57 -0500\0" - "To\0Petr Vorel <pvorel@suse.cz>" - " ltp@lists.linux.it\0" - "Cc\0Dmitry Kasatkin <dmitry.kasatkin@huawei.com>" - linux-integrity@vger.kernel.org - " Roberto Sassu <roberto.sassu@polito.it>\0" + "To\0ltp@lists.linux.it\0" "\00:1\0" "b\0" "Hi Petr,\n" @@ -21,24 +17,24 @@ "> \n" "> Comments are welcomed.\n" "\n" - "The LTP tests are quite dated, and need some major rework. I really\n" - "appreciate your addressing some of the issues. Below are some\n" + "The LTP tests are quite dated, and need some major rework. \302\240I really\n" + "appreciate your addressing some of the issues. \302\240Below are some\n" "additional ones.\n" "\n" "Tests \"ima02 ima_measurement.sh\" and \"ima04 ima_violations.sh\" assume\n" - "files are created on a filesystem in policy. The \"measure.policy\"\n" - "excludes tmpfs, yet TMPDIR defaults to a tmpfs filesystem. There are\n" + "files are created on a filesystem in policy. \302\240The \"measure.policy\"\n" + "excludes tmpfs, yet TMPDIR defaults to a tmpfs filesystem. \302\240There are\n" "a couple of ways of resolving this problem (eg. removing tmpfs from\n" "the \"measure.policy\", use a RAM block device instead of tmpfs, etc).\n" - " Since the builtin \"ima_policy=tcb\" also excludes tmpfs, not using a\n" + "\302\240Since the builtin \"ima_policy=tcb\" also excludes tmpfs, not using a\n" "tmpfs filesystem would be preferable.\n" "\n" "Originally IMA allowed a builtin policy to be replaced with a custom\n" "policy, by simply cat'ing a file into the securityfs IMA policy file.\n" "Currently, if new rules can be added to the custom policy (Kconfig\n" - "IMA_WRITE_POLICY enabled), the policy file must be signed. Similarly,\n" + "IMA_WRITE_POLICY enabled), the policy file must be signed. \302\240Similarly,\n" "if the builtin \"secure-boot\" policy is defined on the boot command\n" - "line, the custom policy must be signed. Test \"ima01 ima_policy.sh\"\n" + "line, the custom policy must be signed. \302\240Test \"ima01 ima_policy.sh\"\n" "should first detect if the policy must be signed, before running the\n" "tests.\n" "\n" @@ -46,18 +42,18 @@ "but I'm currently seeing BIOS events larger than 4k.\n" "\n" "Since these tests were first written, Roberto's IMA templates and\n" - "Dmitry's support for larger digests were upstreamed. With the new\n" + "Dmitry's support for larger digests were upstreamed. \302\240With the new\n" "template format, the file hash is prefixed with the hash algorithm.\n" - " Before comparing the calculated boot aggregate with the value in the\n" + "\302\240Before comparing the calculated boot aggregate with the value in the\n" "IMA measurement list, the hash algorithm needs to be removed.\n" - " \n" + "\302\240\n" "For the new template format measurement lists, walking the measurement\n" "list, re-calculating the PCRs and comparing them with the HW or vTPM\n" - "PCRs fail. The ima-evm-utils package has a working version. Invoke\n" + "PCRs fail. \302\240The ima-evm-utils package has a working version. \302\240Invoke\n" "\"evmctl\" with the \"ima_mesaurement\" option.\n" "\n" "thanks,\n" "\n" Mimi -b2db5f69605cdf212adc6c212a9a816da05c2ff277e564ed39f945bd4dbb6393 +393c416b3c40e8e49138f49deee17d4028bb96a6bdcd1b6e419e13b68341d445
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.