From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Cc: Mimi Zohar <zohar@linux.ibm.com>,
linux-integrity@vger.kernel.org, Ignaz Forster <iforster@suse.de>
Subject: Re: [RFC PATCH] IMA: Remove evm_overlay.sh
Date: Fri, 7 Mar 2025 11:24:29 +0100 [thread overview]
Message-ID: <20250307102429.GA272497@pevik> (raw)
In-Reply-To: <20250114113239.611278-1-pvorel@suse.cz>
Hi Mimi, Ignaz,
> Proof of concept, it was never fixed in the kernel.
> Instead we should have some basic EVM tests.
Gentle ping. Is the evm_overlay.sh test useful for you?
Otherwise I'll delete it.
Kind regards,
Petr
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> runtest/ima | 1 -
> .../kernel/security/integrity/ima/README.md | 64 -------------
> .../integrity/ima/tests/evm_overlay.sh | 93 -------------------
> 3 files changed, 158 deletions(-)
> delete mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> diff --git a/runtest/ima b/runtest/ima
> index 01942eefa3..75e5a99e7c 100644
> --- a/runtest/ima
> +++ b/runtest/ima
> @@ -7,4 +7,3 @@ ima_keys ima_keys.sh
> ima_kexec ima_kexec.sh
> ima_selinux ima_selinux.sh
> ima_conditionals ima_conditionals.sh
> -evm_overlay evm_overlay.sh
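Review bot: the only EVM entry in runtest/ima disappears at `-evm_overlay evm_overlay.sh` with nothing taking its place, while the commit message says "Instead we should have some basic EVM tests"; either land a replacement entry in the same series or state in the commit message that EVM coverage in this runtest file drops to zero until such tests exist, so the gap is visible to whoever runs the ima runtest file.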
> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
> index 5b261a1914..d3c3206bf2 100644
> --- a/testcases/kernel/security/integrity/ima/README.md
> +++ b/testcases/kernel/security/integrity/ima/README.md
> @@ -64,67 +64,3 @@ and reading the IMA policy allowed in the kernel configuration:
> CONFIG_SECURITY_SELINUX=y
> CONFIG_IMA_READ_POLICY=y
> ```
> -
> -## EVM tests
> -
> -`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
> -kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
> -Again, for simplicity ignore possibility to load requires rules via custom policy.
> -
> -Mandatory kernel configuration for EVM tests:
> -```
> -CONFIG_INTEGRITY=y
> -CONFIG_INTEGRITY_SIGNATURE=y
> -CONFIG_IMA=y
> -CONFIG_IMA_APPRAISE=y
> -CONFIG_EVM=y
> -CONFIG_KEYS=y
> -CONFIG_TRUSTED_KEYS=y
> -CONFIG_ENCRYPTED_KEYS=y
> -```
> -
> -Example of preparing environment on for EVM on openSUSE:
> -
> -* Boot install system with `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters
> - (for IMA measurement, IMA appraisal and EVM protection)
> -* Proceed with installation until summary screen, but do not start the installation yet
> -* Select package `dracut-ima` (required for early boot EVM support) for installation
> - (Debian based distros already contain IMA + EVM support in `dracut` package)
> -* Change to a console window and run commands to generate keys required by EVM:
> -```
> -# mkdir /etc/keys
> -# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
> -# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
> -# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
> -# keyctl pipe "$evm_key" >/etc/keys/evm.blob
> -# cat <<END >/etc/sysconfig/masterkey
> -MASTERKEYTYPE="user"
> -MASTERKEY="/etc/keys/kmk-user.blob"
> -END
> -# cat <<END >/etc/sysconfig/evm
> -EVMKEY="/etc/keys/evm.blob"
> -END
> -# mount -t securityfs security /sys/kernel/security
> -# echo 1 >/sys/kernel/security/evm
> -```
> -
> -* Go back to the installation summary screen and start the installation
> -* During the installation execute the following commands from the console:
> -```
> -# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
> -# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
> -```
> -
> -This should work on any distribution using dracut.
> -Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
> -
> -Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
> -```
> -evmctl -r ima_fix /
> -```
> -
> -or with `find` if evmctl is not available:
> -```
> -find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
> -```
> -Again, fixing requires `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
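Review bot: this hunk removes more than the evm_overlay.sh-specific text. The "Mandatory kernel configuration for EVM tests" list, the keyctl/evmctl key preparation steps and the note that fixing xattrs requires `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` apply to any EVM test, which the commit message says are still wanted. Suggest keeping the `## EVM tests` section with those parts and dropping only the opening paragraph that names `evm_overlay.sh` and its `appraise_tcb` requirement, so the next EVM test does not have to rediscover the setup.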
> diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> deleted file mode 100755
> index 12b2a28c25..0000000000
> --- a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
> +++ /dev/null
> @@ -1,93 +0,0 @@
> -#!/bin/sh
> -# SPDX-License-Identifier: GPL-2.0-or-later
> -# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
> -# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
> -# Reproducer for not upstreamed patchset [1] and previous report [2].
> -# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
> -# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
> -
> -TST_SETUP="setup"
> -TST_CLEANUP="cleanup"
> -TST_CNT=4
> -
> -setup()
> -{
> - EVM_FILE="/sys/kernel/security/evm"
> -
> - [ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
> - [ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
> -
> - require_ima_policy_cmdline "appraise_tcb"
> -
> - lower="$TST_MNTPOINT/lower"
> - upper="$TST_MNTPOINT/upper"
> - work="$TST_MNTPOINT/work"
> - merged="$TST_MNTPOINT/merged"
> - mkdir -p $lower $upper $work $merged
> -
> - device_backup="$TST_DEVICE"
> - TST_DEVICE="overlay"
> -
> - fs_type_backup="$TST_FS_TYPE"
> - TST_FS_TYPE="overlay"
> -
> - mntpoint_backup="$TST_MNTPOINT"
> - TST_MNTPOINT="$PWD/$merged"
> -
> - params_backup="$TST_MNT_PARAMS"
> - TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
> -
> - tst_mount
> - mounted=1
> -}
> -
> -test1()
> -{
> - local file="foo1.txt"
> -
> - tst_res TINFO "overwrite file in overlay"
> - EXPECT_PASS echo lower \> $lower/$file
> - EXPECT_PASS echo overlay \> $merged/$file
> -}
> -
> -test2()
> -{
> - local file="foo2.txt"
> -
> - tst_res TINFO "append file in overlay"
> - EXPECT_PASS echo lower \> $lower/$file
> - EXPECT_PASS echo overlay \>\> $merged/$file
> -}
> -
> -test3()
> -{
> - local file="foo3.txt"
> -
> - tst_res TINFO "create a new file in overlay"
> - EXPECT_PASS echo overlay \> $merged/$file
> -}
> -
> -test4()
> -{
> - local f
> -
> - tst_res TINFO "read all created files"
> - for f in $(find $TST_MNTPOINT -type f); do
> - EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
> - done
> -}
> -
> -cleanup()
> -{
> - [ -n "$mounted" ] || return 0
> -
> - tst_umount $TST_MNTPOINT
> -
> - TST_DEVICE="$device_backup"
> - TST_FS_TYPE="$fs_type_backup"
> - TST_MNTPOINT="$mntpoint_backup"
> - TST_MNT_PARAMS="$params_backup"
> -}
> -
> -. ima_setup.sh
> -tst_run
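Review bot: the deleted file's header is the only place that records why this reproducer existed (`# Reproducer for not upstreamed patchset [1] and previous report [2].` with the two spinics.net links); after this hunk those references survive only in git history, while the commit message says just "Proof of concept, it was never fixed in the kernel". Copy the two URLs into the commit message so readers of the log can still find which kernel issue the test was tracking.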
Thread overview: 8+ messages
2025-01-14 11:32 [RFC PATCH] IMA: Remove evm_overlay.sh Petr Vorel
2025-01-14 11:32 ` [LTP] " Petr Vorel
2025-03-07 10:24 ` Petr Vorel [this message]
2025-03-07 10:24 ` Petr Vorel
2025-03-10 15:33 ` Mimi Zohar
2025-03-10 15:33 ` [LTP] " Mimi Zohar
2025-03-12 15:20 ` Petr Vorel
2025-03-12 15:20 ` [LTP] " Petr Vorel