linux-integrity.vger.kernel.org archive mirror
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Petr Vorel <pvorel@suse.cz>, ltp@lists.linux.it
Cc: linux-integrity@vger.kernel.org
Subject: Re: [LTP] [RFC PATCH v3 00/10] Rewrite tests into new API + fixes
Date: Fri, 27 Apr 2018 07:26:52 -0400
Message-ID: <1524828412.3416.31.camel@linux.vnet.ibm.com>
In-Reply-To: <20180427095140.y6nngyv4ldjvitc6@dell5510>

On Fri, 2018-04-27 at 11:51 +0200, Petr Vorel wrote:
[...]
>  ima_cleanup()
> diff --git testcases/kernel/security/integrity/ima/tests/ima_tpm.sh testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> index 0124c338f..0ffc3c022 100755
> --- testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> +++ testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> @@ -69,7 +69,7 @@ validate_pcr()
>  		grep 'HW PCR-10:' | awk '{print $3}')"
>  	if [ -z "$aggregate_pcr" ]; then
>  		tst_res TFAIL "failed to get PCR-10"
> -		return
> +		return 1
>  	fi
> 
>  	while read line; do
> 
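Review bot: the `return 1` after `tst_res TFAIL "failed to get PCR-10"` only changes behaviour if validate_pcr()'s caller acts on the exit status; the call site is not in this hunk, so confirm that it does (e.g. `validate_pcr ... || return`) rather than continuing as before. Two smaller points on the surrounding lines: `[ -z "$aggregate_pcr" ]` only detects a missing 'HW PCR-10:' line, not a value that is present but is not a hex digest of the expected length, so a stricter pattern check would make the comparison in the following `while read line` loop more trustworthy; and the variable is named aggregate_pcr although it holds the hardware PCR-10 value printed by evmctl, which is worth renaming or commenting.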

        aggregate_pcr="$(evmctl -v ima_measurement $BINARY_MEASUREMENTS 2>&1 | \
                grep 'HW PCR-10:' | awk '{print $3}')"

This works properly with the "ima-ng" template and even the "ima-sig"
template, without any signatures or keys.  With the "ima-sig" there
will be some informational/warning messages.  Even with the warnings,
we can still validate the measurement list PCR value.

The last two records will contain the calculated aggregate PCR value
and the real HW PCR value. 

example 1: evmctl without any keys
[...]
Failed to open keyfile: /etc/keys/x509_evm.der
PCRAgg 10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b
HW PCR-10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b

example 2: evmctl missing some keys
key 1: 6e6c1046 /etc/keys/ima/<additional key>
[...]
/usr/lib64/evolution/plugins/liborg-gnome-email-custom-header.so: RSA_public_decrypt() failed: -1
/usr/lib64/evolution/plugins/liborg-gnome-external-editor.so: RSA_public_decrypt() failed: -1
PCRAgg 10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b
HW PCR-10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b

example 3: evmctl with all keys ("-k" option)
key 1: 6e6c1046 /etc/keys/ima/<distro key>
key 2: c4e2426e /etc/keys/ima/<additional key>
PCRAgg 10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b
HW PCR-10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b

Mimi
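The check the thread is discussing, written out as an added example (not LTP's ima_tpm.sh and not evmctl itself): it pulls the "PCRAgg 10:" and "HW PCR-10:" records out of evmctl-style output, ignores the key/signature warnings that appear with the "ima-sig" template, and fails when either record is missing, malformed or different. The input is a constructed transcript modelled on the examples in the mail; the function and sample names are assumptions.

```shell
#!/bin/sh
# Added example, not code from LTP or the evmctl project.
# Validates that the aggregate PCR computed by evmctl from the measurement
# list matches the hardware PCR-10, tolerating the informational/warning
# lines evmctl emits on stderr (merged with 2>&1) when keys are missing.

# extract_field LABEL: print the 3rd whitespace-separated field of the line
# that starts with LABEL, like the grep | awk pipeline in ima_tpm.sh.
extract_field() {
	grep "^$1" | awk '{print $3}'
}

# is_sha1 VALUE: exit 0 if VALUE is exactly 40 lowercase hex digits
# (a SHA-1 PCR value as printed in the mail), exit 1 otherwise.
is_sha1() {
	printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# check_pcr_output: read evmctl output on stdin; exit 0 only when
# "PCRAgg 10:" and "HW PCR-10:" are both present, well-formed and equal.
# "Failed to open keyfile" / "RSA_public_decrypt() failed" lines are
# ignored, exactly as the grep in the test ignores them.
check_pcr_output() {
	out="$(cat)"
	aggregate="$(printf '%s\n' "$out" | extract_field 'PCRAgg 10:')"
	hw="$(printf '%s\n' "$out" | extract_field 'HW PCR-10:')"
	is_sha1 "$aggregate" || return 1   # missing or not a digest
	is_sha1 "$hw" || return 1          # no TPM / evmctl could not read it
	[ "$aggregate" = "$hw" ]
}

# Constructed sample modelled on "example 2" (keys missing, warnings present).
SAMPLE_OK='key 1: 6e6c1046 /etc/keys/ima/example-key.der
/usr/lib64/example-plugin.so: RSA_public_decrypt() failed: -1
PCRAgg 10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b
HW PCR-10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b'

# Constructed sample where the hardware PCR record never appeared.
SAMPLE_NO_HW='Failed to open keyfile: /etc/keys/x509_evm.der
PCRAgg 10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b'

# Constructed sample where the measurement list does not match the TPM.
SAMPLE_MISMATCH='PCRAgg 10: 2d1f635489a5b82fafde1ed48cfe67eabf6cba7b
HW PCR-10: ffffffffffffffffffffffffffffffffffffffff'
```

A test would call `printf '%s\n' "$SAMPLE_OK" | check_pcr_output` and report TPASS on exit 0, TFAIL otherwise.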
