From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Petr Vorel <pvorel@suse.cz>, ltp@lists.linux.it
Cc: linux-integrity@vger.kernel.org
Subject: Re: [RFC PATCH v3 00/10] Rewrite tests into new API + fixes
Date: Thu, 26 Apr 2018 12:18:24 -0400	[thread overview]
Message-ID: <1524759504.3647.12.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180419195503.7194-1-pvorel@suse.cz>

On Thu, 2018-04-19 at 21:54 +0200, Petr Vorel wrote:
> Hi,
> 
> changes v2->v3:
> * Fixed some of errors caused by test order.
> 
> * ima_boot_aggregate
>   - max event size is now 1MB according to spec
> 
> * ima_mmap
>   - reduce sleep + log it
>   - rewritten into new API
> 
> * ima_measurements.sh
>   - don't require iversion for kernel >= 4.16
>   - avoid using tmpfs

This is working nicely!

> 
> * ima_policy.sh
>   - improved detection of policy writability
>   - merge test2 and test3
> 
> * ima_violations.sh
>   - avoid using tmpfs
>   - improved grepping logs (no sleep is needed)
> 
> * ima_tpm.sh
>   - Improve error messages
> 
> TODO:
> * fix problems with violations tests (see patch 02/10).
> * detect whether policy must be signed (currently tests assume the
> policy does not need to be signed):
> https://lists.linux.it/pipermail/ltp/2018-April/007702.html
> http://lists.linux.it/pipermail/ltp/2018-January/006970.html
test: cmdline="ima_policy.sh"
contacts=""
analysis=exit
<<<test_output>>>
ima_policy 1 TINFO: verify that invalid policy isn't loaded
ima_policy 1 TPASS: didn't load invalid policy
ima_policy 2 TINFO: verify that policy file is not opened concurrently
and able to loaded multiple times
ima_policy 2 TFAIL: problem with loading policy (policy should be able
to load multiple times)

For now, could we change "problem with loading policy (policy should
be able to load multiple times)" to say, "problem loading or extending
policy (may require policy to be signed)"?

I'm also seeing, 

test: ima_tpm
<<<test_output>>>
ima_tpm 1 TINFO: verify boot aggregate
ima_tpm 1 TPASS: bios aggregate matches IMA boot aggregate
ima_tpm 2 TINFO: verify PCR values
ima_tpm 2 TINFO: evmctl version: evmctl 1.0
ima_tpm 2 TINFO: new PCRS path, evmctl >= 1.1 required
ima_tpm 2 TINFO: verify PCR (Process Control Register)
ima_tpm 2 TFAIL: failed to get PCR-10
ima_tpm 2 TPASS: aggregate PCR value matches real PCR value

It's unclear how the script could fail to get PCR-10, but pass the
following test.

Mimi
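An added example, not part of Mimi's reply nor of LTP's own ima_tpm.sh, showing the check the second ima_tpm test performs: the template hashes from an ascii_runtime_measurements list are replayed through the SHA-1 PCR extend operation and the result is compared with PCR-10, and a PCR that could not be read is reported as a failure instead of being compared. The measurement lines, hash values and function names below are constructed for illustration.

```python
import hashlib
from typing import Optional

# Constructed sample in the layout of
# /sys/kernel/security/ima/ascii_runtime_measurements (ima-ng template):
# "<pcr> <template-hash> <template-name> <filedata-hash> <path>"
SAMPLE_MEASUREMENTS = """\
10 6f1c0a5d5ab1c3b2e4f5061728394a5b6c7d8e9f ima-ng sha1:7d2f0b6a90ec1d3c5e7f8a9b0c1d2e3f4a5b6c7d boot_aggregate
10 0000000000000000000000000000000000000000 ima-ng sha1:0000000000000000000000000000000000000000 /tmp/open_writers_file
10 a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6 ima-ng sha256:0102030405060708091a1b1c1d1e1f202122232425262728292a2b2c2d2e2f30 /usr/bin/ls
"""

PCR_LEN = 20  # SHA-1 PCR bank, as used by the sha1 measurement list


def pcr_extend(pcr: bytes, template_hash: bytes) -> bytes:
    """TPM 1.2 style extend: new PCR = SHA1(old PCR || template hash)."""
    return hashlib.sha1(pcr + template_hash).digest()


def aggregate_from_measurements(text: str, pcr_index: int = 10) -> bytes:
    """Replay every entry for pcr_index starting from an all-zero PCR."""
    pcr = bytes(PCR_LEN)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or int(fields[0]) != pcr_index:
            continue
        digest = bytes.fromhex(fields[1])
        if digest == bytes(PCR_LEN):
            # Violation entry: the list records zeros, but the kernel
            # extends the PCR with 0xff bytes to invalidate it.
            digest = b"\xff" * PCR_LEN
        pcr = pcr_extend(pcr, digest)
    return pcr


def verify_pcr(measurements: str, pcr_value_hex: Optional[str]) -> bool:
    """True only when PCR-10 was actually read and matches the replayed list.

    A None value models 'failed to get PCR-10'; that must be a failure,
    not a comparison against a missing value that then looks like a pass.
    """
    if pcr_value_hex is None:
        return False
    try:
        expected = bytes.fromhex(pcr_value_hex)
    except ValueError:
        return False
    return aggregate_from_measurements(measurements) == expected
```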
