From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.5 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_2 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 925AFC433E1 for ; Wed, 15 Jul 2020 01:42:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7A50620674 for ; Wed, 15 Jul 2020 01:42:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727798AbgGOBmB (ORCPT ); Tue, 14 Jul 2020 21:42:01 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:58138 "EHLO mx0b-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726929AbgGOBmA (ORCPT ); Tue, 14 Jul 2020 21:42:00 -0400 Received: from pps.filterd (m0127361.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 06F1fQQS139902; Tue, 14 Jul 2020 21:41:54 -0400 Received: from ppma04ams.nl.ibm.com (63.31.33a9.ip4.static.sl-reverse.com [169.51.49.99]) by mx0a-001b2d01.pphosted.com with ESMTP id 327u1j4b6a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 14 Jul 2020 21:41:54 -0400 Received: from pps.filterd (ppma04ams.nl.ibm.com [127.0.0.1]) by ppma04ams.nl.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 06F1ZifU009636; Wed, 15 Jul 2020 01:41:52 GMT Received: from b06cxnps3074.portsmouth.uk.ibm.com (d06relay09.portsmouth.uk.ibm.com [9.149.109.194]) by ppma04ams.nl.ibm.com with ESMTP id 329nmyg3s0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 15 Jul 2020 01:41:52 +0000 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 06F1foHU29360444 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 15 Jul 2020 01:41:50 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4313CAE045; Wed, 15 Jul 2020 01:41:50 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 80736AE04D; Wed, 15 Jul 2020 01:41:49 +0000 (GMT) Received: from localhost.localdomain (unknown [9.85.155.184]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 15 Jul 2020 01:41:49 +0000 (GMT) Message-ID: <1594777309.12900.237.camel@linux.ibm.com> Subject: Re: [PATCH 2/2] IMA: Verify IMA buffer passing through the kexec barrier From: Mimi Zohar To: Lachlan Sneff , pvorel@suse.cz, ltp@lists.linux.it Cc: nramas@linux.microsoft.com, balajib@linux.microsoft.com, linux-integrity@vger.kernel.org Date: Tue, 14 Jul 2020 21:41:49 -0400 In-Reply-To: <20200702153545.3126-3-t-josne@linux.microsoft.com> References: <20200702153545.3126-1-t-josne@linux.microsoft.com> <20200702153545.3126-3-t-josne@linux.microsoft.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235,18.0.687 definitions=2020-07-14_10:2020-07-14,2020-07-14 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 malwarescore=0 spamscore=0 priorityscore=1501 clxscore=1015 mlxlogscore=999 suspectscore=0 phishscore=0 bulkscore=0 impostorscore=0 mlxscore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2007150011 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org On Thu, 2020-07-02 at 11:35 -0400, Lachlan Sneff wrote: > Add a testcase that verifies that kexec correctly passes > the IMA buffer through the soft reboot. > > This test must be run standalone, since it runs kexec. > > Signed-off-by: Lachlan Sneff Depending on the policy, the measurement list could be exactly the same from one boot to the next.  This test simply checks that the first N number of measurements are the same.  It doesn't verify that there are additional measurements, nor does it check that there is an additional "boot_aggregate" after the kexec.  At minimum the test should verify the existence of multiple "boot_aggregate" values in the measurement list. A more complete test would walk the measurement list, re-calculating the PCR digests, and then compare the recalculated PCRS against the TPM PCRs.  If all the measurements were properly carried across the kexec, the PCR digests should match. Mimi From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mimi Zohar Date: Tue, 14 Jul 2020 21:41:49 -0400 Subject: [LTP] [PATCH 2/2] IMA: Verify IMA buffer passing through the kexec barrier In-Reply-To: <20200702153545.3126-3-t-josne@linux.microsoft.com> References: <20200702153545.3126-1-t-josne@linux.microsoft.com> <20200702153545.3126-3-t-josne@linux.microsoft.com> Message-ID: <1594777309.12900.237.camel@linux.ibm.com> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: ltp@lists.linux.it On Thu, 2020-07-02 at 11:35 -0400, Lachlan Sneff wrote: > Add a testcase that verifies that kexec correctly passes > the IMA buffer through the soft reboot. > > This test must be run standalone, since it runs kexec. > > Signed-off-by: Lachlan Sneff Depending on the policy, the measurement list could be exactly the same from one boot to the next. ?This test simply checks that the first N number of measurements are the same. ?It doesn't verify that there are additional measurements, nor does it check that there is an additional "boot_aggregate" after the kexec. ?At minimum the test should verify the existence of multiple "boot_aggregate" values in the measurement list. A more complete test would walk the measurement list, re-calculating the PCR digests, and then compare the recalculated PCRS against the TPM PCRs. ?If all the measurements were properly carried across the kexec, the PCR digests should match. Mimi