From: Mimi Zohar <zohar@linux.ibm.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys
Date: Wed, 24 Jun 2020 09:21:41 -0400
Message-ID: <1593004901.27152.17.camel@linux.ibm.com>
In-Reply-To: <20200617234957.10611-2-t-josne@linux.microsoft.com>
Hi Lachlan,
> +
> +# Based on https://lkml.org/lkml/2019/12/13/564.
> +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
> +test1()
> +{
> + local keyrings keycheck_line templates test_file=$(mktemp)
> +
> + tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
> +
> + [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY"
> +
> + [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)"
> +
> + keycheck_line=$(grep "func=KEY_CHECK" $IMA_POLICY)
> + if [ -z "$keycheck_line" ]; then
> + tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\""
> + fi
> +
> + if echo "$keycheck_line" | grep -q "*keyrings*"; then
> + tst_brk TCONF "ima policy does not specify a keyrings to check"
> + fi
> +
> + keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
> + sed "s/\./\\\./g" | cut -d'=' -f2)
> + if [ -z "$keyrings" ]; then
> + tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings"
> + fi
> +
> + templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
> + cut -d'=' -f2)
> +
> + grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line
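Review bot: the keyrings presence check is inverted and its pattern never matches: `grep -q "*keyrings*"` treats the leading `*` as a literal in a basic regex, so it only matches the text "*keyrings", and even with a correct pattern the `tst_brk TCONF "... does not specify a keyrings to check"` fires when the keyword is present rather than absent. Suggest `if ! echo "$keycheck_line" | grep -q "keyrings="; then`. In the final `grep -E "($templates)*($keyrings)"`, the `*` quantifier allows zero occurrences of the template group, so the template filter has no effect on which measurement lines are selected.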
Probably because I have multiple KEY_CHECK rules, this is failing:
grep: Unmatched ( or \(
And then it continues merrily along its way.
ima_keys 1 TPASS: specified keyrings were measured correctly
ima_keys 2 TCONF: missing /etc/keys/x509_ima.der
Mimi
> + do
> + local digest expected_digest algorithm
> +
> + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2)
> + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1)
> + keyring=$(echo "$line" | cut -d' ' -f5)
> +
> + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
> +
> + expected_digest="$(compute_digest $algorithm $test_file)" || \
> + tst_brk TCONF "cannot compute digest for $algorithm"
> +
> + if [ "$digest" != "$expected_digest" ]; then
> + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
> + fi
> + done
> +
> + rm $test_file
> +
> + tst_res TPASS "specified keyrings were measured correctly"
> +}
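Review bot: the `while read line` loop runs in a pipeline subshell, so a `tst_res TFAIL` inside it cannot affect the parent, and the final `tst_res TPASS "specified keyrings were measured correctly"` is reported unconditionally, including when grep matches no measurement lines at all and nothing was checked. Suggest writing the grep output to a temporary file, reading it with `done < "$file"`, counting verified lines so that zero matches and any mismatch do not end in TPASS. Also, `keyring` is assigned in the loop but not included in the `local digest expected_digest algorithm` declaration.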
Thread overview (11+ messages):
2020-06-17 23:49 [LTP] [PATCH v3 0/2] IMA: Verify measurement of certificates Lachlan Sneff
2020-06-17 23:49 ` [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff
2020-06-18 20:28 ` Petr Vorel
2020-06-24 13:21 ` Mimi Zohar [this message]
2020-06-24 15:27 ` Mimi Zohar
2020-06-17 23:49 ` [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff
2020-06-18 20:14 ` Petr Vorel
2020-06-24 16:41 ` Mimi Zohar
2020-06-24 19:59 ` Lachlan Sneff
2020-06-24 20:02 ` Mimi Zohar
2020-07-14 12:10 ` Petr Vorel