* [PATCH v3 ima-evm-utils 0/4] Simple EVM HMAC calculation tests
@ 2023-06-16 19:23 Roberto Sassu
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 1/4] Include the filesystem UUID in HMAC calculation Roberto Sassu
` (3 more replies)
0 siblings, 4 replies; 12+ messages in thread
From: Roberto Sassu @ 2023-06-16 19:23 UTC (permalink / raw)
To: zohar, dmitry.kasatkin
Cc: linux-integrity, vt, pvorel, stefanb, paul, casey, Roberto Sassu
From: Roberto Sassu <roberto.sassu@huawei.com>
Add two simple tests to check whether or not the HMAC calculated by the
kernel and evmctl matches. Do one test with a regular file, using SELinux
or Smack as active LSM (whichever is available, or with both for the UML
kernel) and another test with a directory successfully transmuted with
Smack.
Also add two bug fixes to include the filesystem UUID and the inode
generation in the HMAC calculation, and the new option --hmackey to specify
an alternate location of the HMAC key.
Changelog
v2:
- Set TST_EVM_CHANGE_MODE in Github Action workflow (suggested by Mimi)
- Add SELinux to kernel configuration option for CI
- Parameterize the check_evm_hmac() test with the LSM to test
- Skip the check_evm_hmac() test if the chosen LSM is not active
- Load the existing SELinux policy in the UML kernel environment
- Check EVM support for the additional Smack xattrs only in the
check_evm_hmac_transmute() test (suggested by Mimi)
- Run the UML kernel twice, once with SELinux enabled and once with Smack
- Clarify in the error message why having at least one LSM active is
necessary
- Add a justification for the --hmackey option added to evmctl (suggested
by Mimi)
v1:
- Add documentation for --hmackey option of evmctl (suggested by Mimi)
- Update kernel configuration for CI
- Include inode generation in HMAC calculation for directories
- Specify kernel patches required for the tests (suggested by Mimi)
- Move xattr compare code to compare_xattr()
- Add new Smack-specific test to check HMAC of transmuting directory
(suggested by Mimi)
- Check in the test that the --hmackey option is available (suggested by
Mimi)
- Remove i_version mount option (should be default in ext4)
- Mount smackfs if the UML kernel is used
Roberto Sassu (4):
Include the filesystem UUID in HMAC calculation
Restore correct HMAC calculation for directories
Add --hmackey option for evmctl
Add simple tests to check EVM HMAC calculation
.github/workflows/ci.yml | 1 +
README | 3 +-
kernel-configs/base | 6 +-
kernel-configs/integrity | 1 +
src/evmctl.c | 31 ++++-
src/imaevm.h | 1 +
tests/Makefile.am | 2 +-
tests/evm_hmac.test | 281 +++++++++++++++++++++++++++++++++++++++
tests/functions.sh | 6 +
9 files changed, 326 insertions(+), 6 deletions(-)
create mode 100755 tests/evm_hmac.test
--
2.25.1
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH v3 ima-evm-utils 1/4] Include the filesystem UUID in HMAC calculation
2023-06-16 19:23 [PATCH v3 ima-evm-utils 0/4] Simple EVM HMAC calculation tests Roberto Sassu
@ 2023-06-16 19:23 ` Roberto Sassu
2023-06-19 15:51 ` Stefan Berger
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 2/4] Restore correct HMAC calculation for directories Roberto Sassu
` (2 subsequent siblings)
3 siblings, 1 reply; 12+ messages in thread
From: Roberto Sassu @ 2023-06-16 19:23 UTC (permalink / raw)
To: zohar, dmitry.kasatkin
Cc: linux-integrity, vt, pvorel, stefanb, paul, casey, Roberto Sassu
From: Roberto Sassu <roberto.sassu@huawei.com>
Modify calc_evm_hmac() to include, similarly to calc_evm_hash(), the
filesystem UUID in the HMAC calculation.
If the -u option is not specified in the evmctl command line, the UUID of
the filesystem the input file resides on is taken for the calculation.
If a string is specified as a value for the -u option, that string is taken
as UUID (assuming that it is formatted correctly).
If no value is specified for the -u option, the filesystem UUID is not
included in the HMAC calculation.
Not including the filesystem UUID in the digest/HMAC calculation is needed
for the case where the kernel is compiled with CONFIG_EVM_ATTR_FSUUID=n, or
the digest/HMAC is not for an EVM portable signature.
Fixes: 1d24a94bb556 ("added uuid support for EVM")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
src/evmctl.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/evmctl.c b/src/evmctl.c
index c35a28c58f4..c24261cf0e6 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1199,6 +1199,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s
int keylen;
unsigned char evmkey[MAX_KEY_SIZE];
char list[1024];
+ char uuid[16];
ssize_t list_size;
struct h_misc_64 hmac_misc;
int hmac_size;
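Review bot: `char uuid[16]` holds the 16-byte binary UUID that get_uuid() fills in, not the 36-character textual form; a one-line comment on the declaration would keep a later reader from resizing it for the string representation.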
@@ -1330,6 +1331,18 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s
log_err("EVP_DigestSignUpdate() failed\n");
goto out_ctx_cleanup;
}
+ if (!(hmac_flags & HMAC_FLAG_NO_UUID)) {
+ err = get_uuid(&st, uuid);
+ if (err)
+ goto out_ctx_cleanup;
+
+ err = EVP_DigestSignUpdate(pctx, (const unsigned char *)uuid,
+ sizeof(uuid));
+ if (!err) {
+ log_err("EVP_DigestSignUpdate() failed\n");
+ goto out_ctx_cleanup;
+ }
+ }
err = EVP_DigestSignFinal(pctx, sig, &siglen);
if (err != 1)
log_err("EVP_DigestSignFinal() failed\n");
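Review bot: the new EVP_DigestSignUpdate() failure path jumps to out_ctx_cleanup with err == 0, the value OpenSSL returns on failure, so unless the label normalizes it the caller could see 0 and treat the HMAC as computed; worth confirming against the cleanup code, since the pre-existing update call whose log_err()/goto appear just above the hunk follows the same pattern and both should be fixed together if it is a problem. The get_uuid() error is propagated as returned, which is fine. Feeding the UUID after hmac_misc and before EVP_DigestSignFinal() matches where the kernel appends the filesystem UUID, and sizeof(uuid) gives the 16 bytes the kernel uses.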
--
2.25.1
* [PATCH v3 ima-evm-utils 2/4] Restore correct HMAC calculation for directories
2023-06-16 19:23 [PATCH v3 ima-evm-utils 0/4] Simple EVM HMAC calculation tests Roberto Sassu
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 1/4] Include the filesystem UUID in HMAC calculation Roberto Sassu
@ 2023-06-16 19:23 ` Roberto Sassu
2023-06-19 15:54 ` Stefan Berger
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 3/4] Add --hmackey option for evmctl Roberto Sassu
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 4/4] Add simple tests to check EVM HMAC calculation Roberto Sassu
3 siblings, 1 reply; 12+ messages in thread
From: Roberto Sassu @ 2023-06-16 19:23 UTC (permalink / raw)
To: zohar, dmitry.kasatkin
Cc: linux-integrity, vt, pvorel, stefanb, paul, casey, Roberto Sassu
From: Roberto Sassu <roberto.sassu@huawei.com>
Commit 6ecb88352886 ("evmctl: Remove left-over check S_ISDIR() for
directory signing") removes fetching the inode generation for directories.
While directories might not be signed, EVM currently calculates the HMAC on
them, including the inode generation.
To keep user space and kernel space aligned, reenable fetching the inode
generation for directories, and add again the comment that the inode
generation cannot be obtained for special files.
Fixes: Commit 6ecb88352886 ("evmctl: Remove left-over check S_ISDIR() for directory signing")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
src/evmctl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index c24261cf0e6..7a3ffd7c823 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1229,7 +1229,11 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s
goto out;
}
- if (S_ISREG(st.st_mode)) {
+ if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) {
+ /*
+ * We cannot at the moment get generation of special files..
+ * kernel API does not support it.
+ */
int fd = open(file, 0);
if (fd < 0) {
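Review bot: the restored comment explains why special files are excluded, so it reads better above the `if` than inside the block that handles regular files and directories; drop the doubled period in "special files.." while touching it. The logic change itself looks right: opening a directory with open(file, 0), i.e. O_RDONLY, is permitted, so the extended condition will not fail on directories.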
--
2.25.1
* [PATCH v3 ima-evm-utils 3/4] Add --hmackey option for evmctl
2023-06-16 19:23 [PATCH v3 ima-evm-utils 0/4] Simple EVM HMAC calculation tests Roberto Sassu
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 1/4] Include the filesystem UUID in HMAC calculation Roberto Sassu
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 2/4] Restore correct HMAC calculation for directories Roberto Sassu
@ 2023-06-16 19:23 ` Roberto Sassu
2023-06-19 15:59 ` Stefan Berger
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 4/4] Add simple tests to check EVM HMAC calculation Roberto Sassu
3 siblings, 1 reply; 12+ messages in thread
From: Roberto Sassu @ 2023-06-16 19:23 UTC (permalink / raw)
To: zohar, dmitry.kasatkin
Cc: linux-integrity, vt, pvorel, stefanb, paul, casey, Roberto Sassu
From: Roberto Sassu <roberto.sassu@huawei.com>
"evmctl --hmac" was only enabled in debug mode, since the hmac key was not
exposed to userspace. It was never really used. With the ability of
creating an encrypted key based on user-provided decrypted data, verifying
the EVM hmac is now feasible.
Make "evmctl --hmac" more configurable by adding the --hmackey option, to
specify an alternate path for the file containing the HMAC key. By default
evmctl looks in /etc/keys/evm-key-plain.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
README | 3 ++-
src/evmctl.c | 12 ++++++++++--
src/imaevm.h | 1 +
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/README b/README
index 40a61f94315..7239dda257e 100644
--- a/README
+++ b/README
@@ -40,7 +40,7 @@ COMMANDS
ima_fix [-t fdsxm] path
ima_clear [-t fdsxm] path
sign_hash [--veritysig] [--key key] [--pass=<password>]
- hmac [--imahash | --imasig ] file
+ hmac [--imahash | --imasig] [--hmackey key] file
OPTIONS
@@ -82,6 +82,7 @@ OPTIONS
--ignore-violations ignore ToMToU measurement violations
--verify-sig verify the file signature based on the file hash, both
stored in the template data.
+ --hmackey path to symmetric key (default: /etc/keys/evm-key-plain)
-v increase verbosity level
-h, --help display this help and exit
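Review bot: the --hmackey line is added to the README unconditionally, while the usage() text in this series prints it only under #ifdef DEBUG; that is consistent with how the README already lists the `hmac` command, but a short remark that `hmac` and --hmackey require a --enable-debug build would spare users a missing-command surprise.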
diff --git a/src/evmctl.c b/src/evmctl.c
index 7a3ffd7c823..8caf9bd83fb 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd)
return err;
}
- return hmac_evm(file, "/etc/keys/evm-key-plain");
+ return hmac_evm(file, imaevm_params.hmackeyfile ? :
+ "/etc/keys/evm-key-plain");
}
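Review bot: `imaevm_params.hmackeyfile ? : "/etc/keys/evm-key-plain"` uses the GNU `?:` extension; fine if the code base already relies on GCC/Clang extensions, otherwise spell out the middle operand. The default path now appears in three places (this call, usage() and the README); a single #define would keep them from drifting.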
static int ima_fix(const char *path)
@@ -2873,6 +2874,9 @@ static void usage(void)
" --engine e preload OpenSSL engine e (such as: gost) is deprecated\n"
#endif
" --ignore-violations ignore ToMToU measurement violations\n"
+#ifdef DEBUG
+ " --hmackey path to symmetric key (default: /etc/keys/evm-key-plain)\n"
+#endif
" -v increase verbosity level\n"
" -h, --help display this help and exit\n"
"\n"
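Review bot: keep the "hmackey" text in this help line stable: the new evm_hmac.test detects HMAC support with `evmctl -h | grep -q hmackey`, so renaming the option or moving the line out of the DEBUG block silently changes whether the test runs or skips. The #ifdef DEBUG guard matches the one around the "hmac" command entry, which is right.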
@@ -2902,7 +2906,7 @@ struct command cmds[] = {
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
#ifdef DEBUG
- {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
+ {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
#endif
{0, 0, 0, NULL}
};
@@ -2944,6 +2948,7 @@ static struct option opts[] = {
{"keyid-from-cert", 1, 0, 145},
{"veritysig", 0, 0, 146},
{"hwtpm", 0, 0, 147},
+ {"hmackey", 1, 0, 148},
{}
};
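Review bot: `{"hmackey", 1, 0, 148}` registers the option in every build, while the only command that consumes it is compiled under DEBUG; in a non-debug build --hmackey is silently accepted and ignored. Either wrap this entry and the `case 148` handler in the same #ifdef DEBUG, or note that the small inconsistency is intended.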
@@ -3189,6 +3194,9 @@ int main(int argc, char *argv[])
case 147:
hwtpm = 1;
break;
+ case 148:
+ imaevm_params.hmackeyfile = optarg;
+ break;
case '?':
exit(1);
break;
diff --git a/src/imaevm.h b/src/imaevm.h
index 78e7ed5e89d..18d7b0e447e 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -221,6 +221,7 @@ struct libimaevm_params {
const char *keypass;
uint32_t keyid; /* keyid overriding value, unless 0. (Host order.) */
ENGINE *eng;
+ const char *hmackeyfile;
};
struct RSA_ASN1_template {
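Review bot: appending `hmackeyfile` to struct libimaevm_params changes the size of a structure exposed through the public header, so external users compiled against the old layout will see a smaller object; if the library tracks its ABI through a soname or version, the commit message should mention it. Appending at the end, as done here, at least keeps the existing field offsets.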
--
2.25.1
* [PATCH v3 ima-evm-utils 4/4] Add simple tests to check EVM HMAC calculation
2023-06-16 19:23 [PATCH v3 ima-evm-utils 0/4] Simple EVM HMAC calculation tests Roberto Sassu
` (2 preceding siblings ...)
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 3/4] Add --hmackey option for evmctl Roberto Sassu
@ 2023-06-16 19:23 ` Roberto Sassu
2023-06-23 11:42 ` Mimi Zohar
3 siblings, 1 reply; 12+ messages in thread
From: Roberto Sassu @ 2023-06-16 19:23 UTC (permalink / raw)
To: zohar, dmitry.kasatkin
Cc: linux-integrity, vt, pvorel, stefanb, paul, casey, Roberto Sassu
From: Roberto Sassu <roberto.sassu@huawei.com>
Add a simple test to ensure that the kernel and evmctl provide the same
result for the HMAC calculation. Do it with SELinux or Smack, whichever is
available (if the UML kernel is used, the test is done with both LSMs).
Also add another test to evaluate the HMAC on a directory for which Smack
added the SMACK64TRANSMUTE xattr.
The second test fails without the kernel patch 'smack: Set the
SMACK64TRANSMUTE xattr in smack_inode_init_security()', as Smack uses
__vfs_setxattr() to set SMACK64TRANSMUTE, which does not go through EVM,
and makes the HMAC invalid.
Require (unless the UML kernel is used) that the TST_EVM_CHANGE_MODE
environment variable is set to 1, so that users acknowledge that they are
initializing EVM with a well-known HMAC key, which can introduce obvious
security concerns.
Finally, enable SELinux, the EVM additional xattrs, and encrypted keys with
user-decrypted data in the kernel configuration for CI, and set
TST_EVM_CHANGE_MODE to 1 in the Github Action workflow.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
.github/workflows/ci.yml | 1 +
kernel-configs/base | 6 +-
kernel-configs/integrity | 1 +
tests/Makefile.am | 2 +-
tests/evm_hmac.test | 281 +++++++++++++++++++++++++++++++++++++++
tests/functions.sh | 6 +
6 files changed, 295 insertions(+), 2 deletions(-)
create mode 100755 tests/evm_hmac.test
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e3dcf3dbc0a..54dbca5e5d7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -152,6 +152,7 @@ jobs:
TSS: ibmtss
TST_ENV: um
TST_KERNEL: ../linux
+ TST_EVM_CHANGE_MODE: 1
- container: "centos:7"
env:
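Review bot: setting TST_EVM_CHANGE_MODE: 1 on the UML job is a no-op as far as the new test is concerned: evm_hmac.test enforces that variable only when TST_ENV is empty, and this job sets TST_ENV: um. Harmless, and it documents intent, but a comment saying so would stop someone from assuming the test needs it here.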
diff --git a/kernel-configs/base b/kernel-configs/base
index 7acbd5b3b2a..a3cec34bc58 100644
--- a/kernel-configs/base
+++ b/kernel-configs/base
@@ -46,11 +46,13 @@ CONFIG_TMPFS_XATTR=y
CONFIG_CONFIGFS_FS=y
CONFIG_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
+CONFIG_USER_DECRYPTED_DATA=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_PATH=y
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_SECURITY_SMACK=y
+CONFIG_LSM="lockdown,yama,loadpin,safesetid,selinux,smack,bpf"
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_SKCIPHER=y
CONFIG_CRYPTO_SKCIPHER2=y
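Review bot: the CONFIG_LSM change drops "integrity" from the list as well as adding selinux and smack; that is only safe on kernels where the integrity LSM is ordered automatically (LSM_ORDER_LAST) rather than enabled by its presence in the list, so either state the minimum kernel this assumes in the commit message or keep the entry.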
@@ -211,3 +213,5 @@ CONFIG_9P_FS_POSIX_ACL=y
CONFIG_9P_FS_SECURITY=y
CONFIG_ETHERNET=n
CONFIG_WLAN=n
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_DEVELOP=y
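Review bot: CONFIG_SECURITY_SELINUX_DEVELOP=y is what allows the `enforcing=0` kernel parameter used by the test's SELinux run, so it is required, not optional; a comment saying so would help, and the two SELinux options belong next to CONFIG_SECURITY_SMACK=y and the other CONFIG_SECURITY_* entries rather than after CONFIG_WLAN=n.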
diff --git a/kernel-configs/integrity b/kernel-configs/integrity
index a7e01e19466..2e104d205ba 100644
--- a/kernel-configs/integrity
+++ b/kernel-configs/integrity
@@ -27,3 +27,4 @@ CONFIG_EVM_ATTR_FSUUID=y
CONFIG_EVM_ADD_XATTRS=y
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
+CONFIG_EVM_EXTRA_SMACK_XATTRS=y
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 03aa5b76088..a28f671398f 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -3,7 +3,7 @@ TESTS = $(check_SCRIPTS)
check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \
fsverity.test portable_signatures.test ima_policy_check.test \
- mmap_check.test
+ mmap_check.test evm_hmac.test
check_PROGRAMS := test_mmap
diff --git a/tests/evm_hmac.test b/tests/evm_hmac.test
new file mode 100755
index 00000000000..fe0ee218dd0
--- /dev/null
+++ b/tests/evm_hmac.test
@@ -0,0 +1,281 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2023 Roberto Sassu <roberto.sassu@huawei.com>
+#
+# Check if the kernel and evmctl provide the same result for HMAC calculation.
+
+trap '_report_exit_and_cleanup _cleanup_env cleanup' SIGINT SIGTERM SIGSEGV EXIT
+
+# Base VERBOSE on the environment variable, if set.
+VERBOSE="${VERBOSE:-0}"
+TST_EVM_CHANGE_MODE="${TST_EVM_CHANGE_MODE:-0}"
+IMA_UUID="28b23254-9467-44c0-b6ba-34b12e85a26f"
+
+PATCHES=(
+'KEYS: encrypted: fix key instantiation with user-provided data'
+'KEYS: encrypted: Instantiate key with user-provided decrypted data'
+'smack: Set the SMACK64TRANSMUTE xattr in smack_inode_init_security()'
+)
+
+# From security/integrity/evm/evm.h in kernel source directory
+(( EVM_INIT_HMAC=0x0001 ))
+
+cd "$(dirname "$0")" || exit 1
+export PATH=$PWD/../src:$PATH
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
+. ./functions.sh
+_require evmctl
+
+cleanup() {
+ if [ "$g_loop_mounted" = "1" ]; then
+ popd > /dev/null || exit "$FAIL"
+ umount "$g_mountpoint"
+ fi
+
+ if [ -n "$g_dev" ]; then
+ losetup -d "$g_dev"
+ fi
+
+ if [ -n "$g_image" ]; then
+ rm -f "$g_image"
+ fi
+
+ if [ -n "$g_mountpoint" ]; then
+ rm -Rf "$g_mountpoint"
+ fi
+}
+
+get_xattr() {
+ local format="hex"
+
+ if [ "$1" = "security.selinux" ]; then
+ format="text"
+ fi
+
+ getfattr -n "$1" -e "$format" -d "$2" 2> /dev/null | awk -F "=" '$1 == "'"$1"'" {if ("'"$format"'" == "hex") v=substr($2, 3); else { split($2, temp, "\""); v=temp[2] }; print v}'
+}
+
+# Compare HMAC calculated by the kernel with that calculated by evmctl.
+compare_xattr() {
+ local algo=$1
+ local path=$2
+ local evm_xattr evm_xattr_evmctl true_digest
+
+ evm_xattr="$(get_xattr security.evm "$path")"
+ true_digest=$("$algo"sum /bin/true | awk '{print $1}')
+ # evm_xattr has an extra byte at the beginning for the xattr type.
+ if [ "${#evm_xattr}" != $(( ${#true_digest} + 2 )) ]; then
+ echo "${RED}Unexpected size of security.evm for $path${NORM}"
+ return "$FAIL"
+ fi
+
+ evm_xattr_evmctl="$(evmctl hmac --smack -v -n "$path" --uuid="$IMA_UUID" -a "$algo" --hmackey "$g_hmackey" 2>&1 | awk -F " " '$1 == "hmac:" {print $2}')"
+ if [ "$evm_xattr" != "02$evm_xattr_evmctl" ]; then
+ echo "${RED}$path security.evm mismatch between the kernel and evmctl${NORM}"
+ return "$FAIL"
+ fi
+
+ return "$OK"
+}
+
+# The purpose of this test is to verify if the kernel and evmctl produce the
+# same HMAC.
+check_evm_hmac() {
+ echo "Test: ${FUNCNAME[0]} (evm_hash: $1, evm_value: $g_evm_value, algo: $1, fs: $2, lsm: $3)"
+
+ if ! grep -q "$3" < /sys/kernel/security/lsm; then
+ echo "${CYAN}$3 LSM not active${NORM}"
+ return "$SKIP"
+ fi
+
+ if [ "$3" = "selinux" ] && [ -n "$TST_ENV" ]; then
+ if [ -z "$(command -v load_policy 2> /dev/null)" ]; then
+ echo "${CYAN}Cannot find load_policy${NORM}"
+ return "$SKIP"
+ fi
+
+ if ! load_policy -i; then
+ echo "${RED}SELinux policy loading failed${NORM}"
+ return "$FAIL"
+ else
+ # Undo selinuxfs mount done by load_policy (sysfs cannot be mounted twice, procfs works but causes umount warning)
+ umount /sys/fs/selinux
+ fi
+ fi
+
+ if ! touch test-file; then
+ echo "${RED}Cannot create test-file${NORM}"
+ return "$FAIL"
+ fi
+
+ compare_xattr "$1" test-file
+ return $?
+}
+
+cleanup_evm_hmac() {
+ rm -f test-file
+}
+
+# The purpose of this test is to verify that SMACK64TRANSMUTE is successfully
+# set on a newly created directory, and that the HMAC on that directory is valid.
+check_evm_hmac_transmute() {
+ echo "Test: ${FUNCNAME[0]} (evm_hash: $1, evm_value: $g_evm_value, algo: $1, fs: $2, lsm: $3)"
+
+ if ! grep -q "$3" < /sys/kernel/security/lsm; then
+ echo "${CYAN}$3 LSM not active${NORM}"
+ return "$SKIP"
+ fi
+
+ if [ ! -f /sys/kernel/security/integrity/evm/evm_xattrs ] ||
+ ! grep -q SMACK64TRANSMUTE < /sys/kernel/security/integrity/evm/evm_xattrs; then
+ echo "${CYAN}Set CONFIG_EVM_ADD_XATTRS=y and CONFIG_EVM_EXTRA_SMACK_XATTRS=y in the kernel configuration${NORM}"
+ exit "$SKIP"
+ fi
+
+ # Add a Smack rule for transmuting of test-dir/test-dir2
+ if ! echo "_ system rwxatl" > /sys/fs/smackfs/load2; then
+ echo "${RED}Cannot set Smack policy${NORM}"
+ return "$FAIL"
+ fi
+
+ # Smack adds security.SMACK64=_.
+ if ! mkdir test-dir; then
+ echo "${RED}Cannot create test-dir${NORM}"
+ return "$FAIL"
+ fi
+
+ # Change the directory label so that transmuting happens.
+ if ! setfattr -n security.SMACK64 -v system test-dir; then
+ echo "${RED}Cannot set security.SMACK64 on test-dir${NORM}"
+ return "$FAIL"
+ fi
+
+ # Add the transmute xattr so that transmuting happens.
+ if ! setfattr -n security.SMACK64TRANSMUTE -v TRUE test-dir; then
+ echo "${RED}Cannot set security.SMACK64TRANSMUTE on test-dir${NORM}"
+ return "$FAIL"
+ fi
+
+ compare_xattr "$1" test-dir
+ result=$?
+
+ if [ "$result" -ne "$OK" ]; then
+ return "$result"
+ fi
+
+ # Smack adds security.SMACK64=system and security.SMACK64TRANSMUTE=TRUE.
+ if ! mkdir test-dir/test-dir2; then
+ echo "${RED}Cannot create test-dir/test-dir2${NORM}"
+ return "$FAIL"
+ fi
+
+ compare_xattr "$1" test-dir/test-dir2
+ return $?
+}
+
+cleanup_evm_hmac_transmute() {
+ rm -Rf test-dir
+}
+
+if [ $$ -ne 1 ]; then
+ # Run in the new environment if TST_ENV is set.
+
+ # SElinux enabled
+ _run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_LIST=check_evm_hmac security=selinux enforcing=0"
+
+ # Smack enabled
+ _run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE security=smack"
+
+ # Exit from the creator of the new environment.
+ _exit_env "$TST_KERNEL"
+fi
+
+# Mount filesystems in the new environment.
+_init_env
+
+# Assume that the EVM mode can be changed in a new environment.
+if [ -z "$TST_ENV" ] && [ "$TST_EVM_CHANGE_MODE" -eq 0 ]; then
+ echo "${CYAN}TST_EVM_CHANGE_MODE env variable must be set to 1${NORM}"
+ exit "$SKIP"
+fi
+
+g_lsm_init_xattr=$(awk '$1 ~ /(smack|selinux)/' < /sys/kernel/security/lsm)
+if [ -z "$g_lsm_init_xattr" ]; then
+ echo "${CYAN}Either Smack or SELinux must be active in the system for security.evm to be set${NORM}"
+ exit "$SKIP"
+fi
+
+g_mountpoint="$(mktemp -d)"
+g_image="$(mktemp)"
+
+if [ -z "$g_mountpoint" ]; then
+ echo "${RED}Mountpoint directory not created${NORM}"
+ exit "$FAIL"
+fi
+
+if [ "$(whoami)" != "root" ]; then
+ echo "${CYAN}This script must be executed as root${NORM}"
+ exit "$SKIP"
+fi
+
+if ! evmctl -h | grep -q hmackey; then
+ echo "${CYAN}Missing HMAC support, run: ./configure --enable-debug${NORM}"
+ exit "$SKIP"
+fi
+
+if ! dd if=/dev/zero of="$g_image" bs=1M count=10 &> /dev/null; then
+ echo "${RED}Cannot create test image${NORM}"
+ exit "$FAIL"
+fi
+
+g_dev="$(losetup -f "$g_image" --show)"
+if [ -z "$g_dev" ]; then
+ echo "${RED}Cannot create loop device${NORM}"
+ exit "$FAIL"
+fi
+
+if ! mkfs.ext4 -U $IMA_UUID -b 4096 "$g_dev" &> /dev/null; then
+ echo "${RED}Cannot format $g_dev${NORM}"
+ exit "$FAIL"
+fi
+
+if ! mount "$g_dev" "$g_mountpoint"; then
+ echo "${RED}Cannot mount loop device${NORM}"
+ exit "$FAIL"
+fi
+
+g_loop_mounted=1
+chmod 777 "$g_mountpoint"
+pushd "$g_mountpoint" > /dev/null || exit "$FAIL"
+
+if [ -f /sys/kernel/security/evm ]; then
+ g_evm_value=$(cat /sys/kernel/security/evm)
+fi
+
+g_hmackey_data="abcdefABCDEF1234567890aaaaaaaaaaabcdefABCDEF1234567890aaaaaaaaaa"
+
+g_hmackey="$(mktemp)"
+echo $g_hmackey_data | xxd -r -p > "$g_hmackey"
+
+if [ -n "$g_evm_value" ] && [ $((g_evm_value & EVM_INIT_HMAC)) -ne $EVM_INIT_HMAC ]; then
+ g_evm_id="$(keyctl add encrypted evm-key "new enc32 user:kmk 32 $g_hmackey_data" @u)"
+ if ! echo "$EVM_INIT_HMAC" | tee /sys/kernel/security/evm &> /dev/null; then
+ # Retry with sudo -i, to force search in the root user keyring.
+ if ! echo "$EVM_INIT_HMAC" | sudo -i tee /sys/kernel/security/evm &> /dev/null; then
+ keyctl unlink "$g_evm_id"
+ echo "${RED}Failed to initialize EVM${NORM}"
+ exit "$FAIL"
+ fi
+ fi
+
+ g_evm_value=$(cat /sys/kernel/security/evm)
+fi
+
+expect_pass_if '0 1' check_evm_hmac sha1 ext4 selinux
+cleanup_evm_hmac
+expect_pass_if '0 1' check_evm_hmac sha1 ext4 smack
+cleanup_evm_hmac
+
+expect_pass_if '2' check_evm_hmac_transmute sha1 ext4 smack
+cleanup_evm_hmac_transmute
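Review bot: cleanup() never removes the key file: `g_hmackey="$(mktemp)"` receives the raw HMAC key via `xxd -r -p`, but only the image, loop device and mountpoint are torn down, so the plaintext test key stays in /tmp after every run; add `rm -f "$g_hmackey"` to cleanup(). Further points in the same file: check_evm_hmac_transmute() uses `exit "$SKIP"` for the missing evm_xattrs case where its sibling uses `return "$SKIP"`, which bypasses expect_pass_if's reporting and the cleanup_* calls that follow each test; `result=$?` in that function should be `local result`; the `keyctl add` result stored in `g_evm_id` is not checked before EVM is switched to HMAC mode, so a failed key creation is reported only indirectly; and both test banners print `$1` twice, under `evm_hash:` and `algo:`, so one label can go.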
diff --git a/tests/functions.sh b/tests/functions.sh
index ed06040b394..35e925cc963 100755
--- a/tests/functions.sh
+++ b/tests/functions.sh
@@ -434,6 +434,9 @@ _init_env() {
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t securityfs securityfs /sys/kernel/security
+ if grep -q smack < /sys/kernel/security/lsm; then
+ mount -t smackfs smackfs /sys/fs/smackfs
+ fi
if [ -n "$(command -v haveged 2> /dev/null)" ]; then
$(command -v haveged) -w 1024 &> /dev/null
@@ -455,6 +458,9 @@ _cleanup_env() {
$1
+ if grep -q smack < /sys/kernel/security/lsm; then
+ umount /sys/fs/smackfs
+ fi
umount /sys/kernel/security
umount /sys
umount /proc
--
2.25.1
* Re: [PATCH v3 ima-evm-utils 1/4] Include the filesystem UUID in HMAC calculation
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 1/4] Include the filesystem UUID in HMAC calculation Roberto Sassu
@ 2023-06-19 15:51 ` Stefan Berger
0 siblings, 0 replies; 12+ messages in thread
From: Stefan Berger @ 2023-06-19 15:51 UTC (permalink / raw)
To: Roberto Sassu, zohar, dmitry.kasatkin
Cc: linux-integrity, vt, pvorel, paul, casey, Roberto Sassu
On 6/16/23 15:23, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Modify calc_evm_hmac() to include, similarly to calc_evm_hash(), the
> filesystem UUID in the HMAC calculation.
>
> If the -u option is not specified in the evmctl command line, the UUID of
> the filesystem the input file resides on is taken for the calculation.
>
> If a string is specified as a value for the -u option, that string is taken
> as UUID (assuming that it is formatted correctly).
>
> If no value is specified for the -u option, the filesystem UUID is not
> included in the HMAC calculation.
>
> Not including the filesystem UUID in the digest/HMAC calculation is needed
> for the case where the kernel is compiled with CONFIG_EVM_ATTR_FSUUID=n, or
> the digest/HMAC is not for an EVM portable signature.
>
> Fixes: 1d24a94bb556 ("added uuid support for EVM")
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
> src/evmctl.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index c35a28c58f4..c24261cf0e6 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1199,6 +1199,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s
> int keylen;
> unsigned char evmkey[MAX_KEY_SIZE];
> char list[1024];
> + char uuid[16];
> ssize_t list_size;
> struct h_misc_64 hmac_misc;
> int hmac_size;
> @@ -1330,6 +1331,18 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s
> log_err("EVP_DigestSignUpdate() failed\n");
> goto out_ctx_cleanup;
> }
> + if (!(hmac_flags & HMAC_FLAG_NO_UUID)) {
> + err = get_uuid(&st, uuid);
> + if (err)
> + goto out_ctx_cleanup;
> +
> + err = EVP_DigestSignUpdate(pctx, (const unsigned char *)uuid,
> + sizeof(uuid));
> + if (!err) {
> + log_err("EVP_DigestSignUpdate() failed\n");
> + goto out_ctx_cleanup;
> + }
> + }
> err = EVP_DigestSignFinal(pctx, sig, &siglen);
> if (err != 1)
> log_err("EVP_DigestSignFinal() failed\n");
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
* Re: [PATCH v3 ima-evm-utils 2/4] Restore correct HMAC calculation for directories
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 2/4] Restore correct HMAC calculation for directories Roberto Sassu
@ 2023-06-19 15:54 ` Stefan Berger
2023-06-19 15:59 ` Roberto Sassu
0 siblings, 1 reply; 12+ messages in thread
From: Stefan Berger @ 2023-06-19 15:54 UTC (permalink / raw)
To: Roberto Sassu, zohar, dmitry.kasatkin
Cc: linux-integrity, vt, pvorel, paul, casey, Roberto Sassu
On 6/16/23 15:23, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Commit 6ecb88352886 ("evmctl: Remove left-over check S_ISDIR() for
> directory signing") removes fetching the inode generation for directories.
>
> While directories might not be signed, EVM currently calculates the HMAC on
> them, including the inode generation.
>
> To keep user space and kernel space aligned, reenable fetching the inode
> generation for directories, and add again the comment that the inode
> generation cannot be obtained for special files.
The user wouldn't notice anything, right?
>
> Fixes: Commit 6ecb88352886 ("evmctl: Remove left-over check S_ISDIR() for directory signing")
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
> src/evmctl.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index c24261cf0e6..7a3ffd7c823 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1229,7 +1229,11 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s
> goto out;
> }
>
> - if (S_ISREG(st.st_mode)) {
> + if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) {
> + /*
> + * We cannot at the moment get generation of special files..
> + * kernel API does not support it.
> + */
> int fd = open(file, 0);
>
> if (fd < 0) {
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
* Re: [PATCH v3 ima-evm-utils 3/4] Add --hmackey option for evmctl
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 3/4] Add --hmackey option for evmctl Roberto Sassu
@ 2023-06-19 15:59 ` Stefan Berger
0 siblings, 0 replies; 12+ messages in thread
From: Stefan Berger @ 2023-06-19 15:59 UTC (permalink / raw)
To: Roberto Sassu, zohar, dmitry.kasatkin
Cc: linux-integrity, vt, pvorel, paul, casey, Roberto Sassu
On 6/16/23 15:23, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> "evmctl --hmac" was only enabled in debug mode, since the hmac key was not
> exposed to userspace. It was never really used. With the ability of
> creating an encrypted key based on user-provided decrypted data, verifying
> the EVM hmac is now feasible.
>
> Make "evmctl --hmac" more configurable by adding the --hmackey option, to
> specify an alternate path for the file containing the HMAC key. By default
> evmctl looks in /etc/keys/evm-key-plain.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
> README | 3 ++-
> src/evmctl.c | 12 ++++++++++--
> src/imaevm.h | 1 +
> 3 files changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/README b/README
> index 40a61f94315..7239dda257e 100644
> --- a/README
> +++ b/README
> @@ -40,7 +40,7 @@ COMMANDS
> ima_fix [-t fdsxm] path
> ima_clear [-t fdsxm] path
> sign_hash [--veritysig] [--key key] [--pass=<password>]
> - hmac [--imahash | --imasig ] file
> + hmac [--imahash | --imasig] [--hmackey key] file
>
>
> OPTIONS
> @@ -82,6 +82,7 @@ OPTIONS
> --ignore-violations ignore ToMToU measurement violations
> --verify-sig verify the file signature based on the file hash, both
> stored in the template data.
> + --hmackey path to symmetric key (default: /etc/keys/evm-key-plain)
> -v increase verbosity level
> -h, --help display this help and exit
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 7a3ffd7c823..8caf9bd83fb 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd)
> return err;
> }
>
> - return hmac_evm(file, "/etc/keys/evm-key-plain");
> + return hmac_evm(file, imaevm_params.hmackeyfile ? :
> + "/etc/keys/evm-key-plain");
> }
>
> static int ima_fix(const char *path)
> @@ -2873,6 +2874,9 @@ static void usage(void)
> " --engine e preload OpenSSL engine e (such as: gost) is deprecated\n"
> #endif
> " --ignore-violations ignore ToMToU measurement violations\n"
> +#ifdef DEBUG
> + " --hmackey path to symmetric key (default: /etc/keys/evm-key-plain)\n"
> +#endif
> " -v increase verbosity level\n"
> " -h, --help display this help and exit\n"
> "\n"
> @@ -2902,7 +2906,7 @@ struct command cmds[] = {
> {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
> {"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
> #ifdef DEBUG
> - {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
> + {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
> #endif
> {0, 0, 0, NULL}
> };
> @@ -2944,6 +2948,7 @@ static struct option opts[] = {
> {"keyid-from-cert", 1, 0, 145},
> {"veritysig", 0, 0, 146},
> {"hwtpm", 0, 0, 147},
> + {"hmackey", 1, 0, 148},
> {}
>
> };
> @@ -3189,6 +3194,9 @@ int main(int argc, char *argv[])
> case 147:
> hwtpm = 1;
> break;
> + case 148:
> + imaevm_params.hmackeyfile = optarg;
> + break;
> case '?':
> exit(1);
> break;
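Review bot: `case 148` stores the path unconditionally, and the `{"hmackey", 1, 0, 148}` entry added to opts[] is likewise unguarded, so a non-DEBUG build accepts `--hmackey` silently even though neither the help text nor the `hmac` command exists there; either put the opts[] entry and this case under the same `#ifdef DEBUG`, or accept the option everywhere and document it that way.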
> diff --git a/src/imaevm.h b/src/imaevm.h
> index 78e7ed5e89d..18d7b0e447e 100644
> --- a/src/imaevm.h
> +++ b/src/imaevm.h
> @@ -221,6 +221,7 @@ struct libimaevm_params {
> const char *keypass;
> uint32_t keyid; /* keyid overriding value, unless 0. (Host order.) */
> ENGINE *eng;
> + const char *hmackeyfile;
> };
>
> struct RSA_ASN1_template {
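Review bot: `struct libimaevm_params` lives in the public header, so appending `hmackeyfile` changes the struct size seen by library consumers; adding it at the end is the right choice, but a trailing comment in the style of the `keyid` line (for example `/* EVM HMAC key path; NULL selects the default */`) would document the NULL-means-default contract that cmd_hmac_evm relies on.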
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
* Re: [PATCH v3 ima-evm-utils 2/4] Restore correct HMAC calculation for directories
2023-06-19 15:54 ` Stefan Berger
@ 2023-06-19 15:59 ` Roberto Sassu
0 siblings, 0 replies; 12+ messages in thread
From: Roberto Sassu @ 2023-06-19 15:59 UTC (permalink / raw)
To: Stefan Berger, zohar, dmitry.kasatkin
Cc: linux-integrity, vt, pvorel, paul, casey, Roberto Sassu
On Mon, 2023-06-19 at 11:54 -0400, Stefan Berger wrote:
>
> On 6/16/23 15:23, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> >
> > Commit 6ecb88352886 ("evmctl: Remove left-over check S_ISDIR() for
> > directory signing") removes fetching the inode generation for directories.
> >
> > While directories might not be signed, EVM currently calculates the HMAC on
> > them, including the inode generation.
> > To keep user space and kernel space aligned, reenable fetching the inode
> > generation for directories, and add again the comment that the inode
> > generation cannot be obtained for special files.
>
> The user wouldn't notice anything, right?
Probably not. This is just to verify that the HMAC is correct on
directories.
If it is possible to set the HMAC, that would mean that the HMAC on
directories is invalid. But 'evmctl hmac' is just for debugging
purposes.
Thanks
Roberto
> > Fixes: Commit 6ecb88352886 ("evmctl: Remove left-over check S_ISDIR() for directory signing")
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > ---
> > src/evmctl.c | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/evmctl.c b/src/evmctl.c
> > index c24261cf0e6..7a3ffd7c823 100644
> > --- a/src/evmctl.c
> > +++ b/src/evmctl.c
> > @@ -1229,7 +1229,11 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s
> > goto out;
> > }
> >
> > - if (S_ISREG(st.st_mode)) {
> > + if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) {
> > + /*
> > + * We cannot at the moment get generation of special files..
> > + * kernel API does not support it.
> > + */
> > int fd = open(file, 0);
> >
> > if (fd < 0) {
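Review bot: the comment "We cannot at the moment get generation of special files.." now sits inside the `S_ISREG || S_ISDIR` branch, that is, on the path where the generation is fetched, so it reads as though it applied to regular files and directories; moving it just above the `if`, or rewording it to say that the generation is read only for regular files and directories because the kernel API does not support special files, and dropping the doubled period would make the intent clear.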
>
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
* Re: [PATCH v3 ima-evm-utils 4/4] Add simple tests to check EVM HMAC calculation
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 4/4] Add simple tests to check EVM HMAC calculation Roberto Sassu
@ 2023-06-23 11:42 ` Mimi Zohar
2023-06-23 11:45 ` Roberto Sassu
0 siblings, 1 reply; 12+ messages in thread
From: Mimi Zohar @ 2023-06-23 11:42 UTC (permalink / raw)
To: Roberto Sassu, dmitry.kasatkin
Cc: linux-integrity, vt, pvorel, stefanb, paul, casey, Roberto Sassu
Hi Roberto,
On Fri, 2023-06-16 at 21:23 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Add a simple test to ensure that the kernel and evmctl provide the same
> result for the HMAC calculation. Do it with SELinux or Smack, whichever is
> available (if the UML kernel is used, the test is done with both LSMs).
>
> Also add another test to evaluate the HMAC on a directory for which Smack
> added the SMACK64TRANSMUTE xattr.
>
> The second test fails without the kernel patch 'smack: Set the
> SMACK64TRANSMUTE xattr in smack_inode_init_security()', as Smack uses
> __vfs_setxattr() to set SMACK64TRANSMUTE, which does not go through EVM,
> and makes the HMAC invalid.
>
> Require (unless the UML kernel is used) that the TST_EVM_CHANGE_MODE
> environment variable is set to 1, so that users acknowledge that they are
> initializing EVM with a well-known HMAC key, which can introduce obvious
> security concerns.
>
> Finally, enable SELinux, the EVM additional xattrs, and encrypted keys with
> user-decrypted data in the kernel configuration for CI, and set
> TST_EVM_CHANGE_MODE to 1 in the Github Action workflow.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
The simple SELinux and Smack tests are working properly without kernel
changes. Even the Smack transmute test is working, properly
returning an error message, but is followed by a kernel panic.
Possibly missing patches:
- smack: Set the SMACK64TRANSMUTE xattr in smack_inode_init_security
[ 14.620000][ T1] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
[ 14.620000][ T1] CPU: 0 PID: 1 Comm: evm_hmac.test Not tainted
6.4.0-rc2-dont-use-g95526d13038c #1
[ 14.620000][ T1] Stack:
[ 14.620000][ T1] 60900a17 e1803be0 e1803c20 606f7598
[ 14.620000][ T1] 63240701 60043a50 60900a17 00000000
[ 14.620000][ T1] 60dfc308 00000000 e1803c60 60762e4b
[ 14.620000][ T1] Call Trace:
[ 14.620000][ T1] [<6072ad82>] ? _printk+0x0/0x98
[ 14.620000][ T1] [<6072274d>] show_stack.cold+0x9d/0xf4
[ 14.620000][ T1] [<606f7598>] ? dump_stack_print_info+0xd8/0xf0
[ 14.620000][ T1] [<60043a50>] ? um_set_signals+0x0/0x60
[ 14.620000][ T1] [<60762e4b>] dump_stack_lvl+0x66/0x9a
[ 14.620000][ T1] [<607715d0>] ? _raw_spin_unlock_irq+0x0/0x60
[ 14.620000][ T1] [<60762e9d>] dump_stack+0x1e/0x20
[ 14.620000][ T1] [<6072429d>] panic+0x1a6/0x3a6
[ 14.620000][ T1] [<607240f7>] ? panic+0x0/0x3a6
[ 14.620000][ T1] [<600aec6a>] ? lock_release+0xca/0x180
[ 14.620000][ T1] [<60043a50>] ? um_set_signals+0x0/0x60
[ 14.620000][ T1] [<60764fe0>] ? debug_lockdep_rcu_enabled+0x0/0x50
[ 14.620000][ T1] [<60043a9f>] ? um_set_signals+0x4f/0x60
[ 14.620000][ T1] [<60764fe0>] ? debug_lockdep_rcu_enabled+0x0/0x50
[ 14.620000][ T1] [<60043a50>] ? um_set_signals+0x0/0x60
[ 14.620000][ T1] [<60064d79>] ? exit_signals+0x139/0x500
[ 14.620000][ T1] [<60771210>] ? _raw_spin_lock_irq+0x0/0xd0
[ 14.620000][ T1] [<607715d0>] ? _raw_spin_unlock_irq+0x0/0x60
[ 14.620000][ T1] [<607249c0>] make_task_dead.cold+0x0/0x9d
[ 14.620000][ T1] [<600557e7>] do_group_exit+0x47/0xe0
[ 14.620000][ T1] [<6004a0f0>] ? get_fp_registers+0x0/0x80
[ 14.620000][ T1] [<6005589a>] sys_exit_group+0x1a/0x20
[ 14.620000][ T1] [<600302a0>] handle_syscall+0xa0/0xd0
[ 14.620000][ T1] [<60046969>] handle_trap+0xe9/0x1a0
[ 14.620000][ T1] [<6004a0f0>] ? get_fp_registers+0x0/0x80
[ 14.620000][ T1] [<6004709f>] userspace+0x29f/0x530
[ 14.620000][ T1] [<6002c374>] new_thread_handler+0xb4/0xc0
./functions.sh: line 72: 8546 Aborted (core dumped)
"$@"
=================================
Run with FAILEARLY=1 ./evm_hmac.test _cleanup_env cleanup
To stop after first failure
--
thanks,
Mimi
* Re: [PATCH v3 ima-evm-utils 4/4] Add simple tests to check EVM HMAC calculation
2023-06-23 11:42 ` Mimi Zohar
@ 2023-06-23 11:45 ` Roberto Sassu
2023-06-23 14:30 ` Mimi Zohar
0 siblings, 1 reply; 12+ messages in thread
From: Roberto Sassu @ 2023-06-23 11:45 UTC (permalink / raw)
To: Mimi Zohar, dmitry.kasatkin
Cc: linux-integrity, vt, pvorel, stefanb, paul, casey, Roberto Sassu
On Fri, 2023-06-23 at 07:42 -0400, Mimi Zohar wrote:
> Hi Roberto,
>
> On Fri, 2023-06-16 at 21:23 +0200, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> >
> > Add a simple test to ensure that the kernel and evmctl provide the same
> > result for the HMAC calculation. Do it with SELinux or Smack, whichever is
> > available (if the UML kernel is used, the test is done with both LSMs).
> >
> > Also add another test to evaluate the HMAC on a directory for which Smack
> > added the SMACK64TRANSMUTE xattr.
> >
> > The second test fails without the kernel patch 'smack: Set the
> > SMACK64TRANSMUTE xattr in smack_inode_init_security()', as Smack uses
> > __vfs_setxattr() to set SMACK64TRANSMUTE, which does not go through EVM,
> > and makes the HMAC invalid.
> >
> > Require (unless the UML kernel is used) that the TST_EVM_CHANGE_MODE
> > environment variable is set to 1, so that users acknowledge that they are
> > initializing EVM with a well-known HMAC key, which can introduce obvious
> > security concerns.
> >
> > Finally, enable SELinux, the EVM additional xattrs, and encrypted keys with
> > user-decrypted data in the kernel configuration for CI, and set
> > TST_EVM_CHANGE_MODE to 1 in the Github Action workflow.
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
>
> The simple SELinux and Smack tests are working properly without kernel
> changes. Even the Smack transmute test is working, properly
> returning an error message, but is followed by a kernel panic.
>
> Possibly missing patches:
> - smack: Set the SMACK64TRANSMUTE xattr in smack_inode_init_security
Hi Mimi
that means that the test is failing.
A UML kernel panic is used to signal to the caller that a test in that
environment failed.
It is expected that the test fails: Smack updates its xattr with
__vfs_setxattr(), which does not involve EVM checking and updating the
HMAC.
Thanks
Roberto
> [ 14.620000][ T1] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
> [ 14.620000][ T1] CPU: 0 PID: 1 Comm: evm_hmac.test Not tainted
> 6.4.0-rc2-dont-use-g95526d13038c #1
> [ 14.620000][ T1] Stack:
> [ 14.620000][ T1] 60900a17 e1803be0 e1803c20 606f7598
> [ 14.620000][ T1] 63240701 60043a50 60900a17 00000000
> [ 14.620000][ T1] 60dfc308 00000000 e1803c60 60762e4b
> [ 14.620000][ T1] Call Trace:
> [ 14.620000][ T1] [<6072ad82>] ? _printk+0x0/0x98
> [ 14.620000][ T1] [<6072274d>] show_stack.cold+0x9d/0xf4
> [ 14.620000][ T1] [<606f7598>] ? dump_stack_print_info+0xd8/0xf0
> [ 14.620000][ T1] [<60043a50>] ? um_set_signals+0x0/0x60
> [ 14.620000][ T1] [<60762e4b>] dump_stack_lvl+0x66/0x9a
> [ 14.620000][ T1] [<607715d0>] ? _raw_spin_unlock_irq+0x0/0x60
> [ 14.620000][ T1] [<60762e9d>] dump_stack+0x1e/0x20
> [ 14.620000][ T1] [<6072429d>] panic+0x1a6/0x3a6
> [ 14.620000][ T1] [<607240f7>] ? panic+0x0/0x3a6
> [ 14.620000][ T1] [<600aec6a>] ? lock_release+0xca/0x180
> [ 14.620000][ T1] [<60043a50>] ? um_set_signals+0x0/0x60
> [ 14.620000][ T1] [<60764fe0>] ? debug_lockdep_rcu_enabled+0x0/0x50
> [ 14.620000][ T1] [<60043a9f>] ? um_set_signals+0x4f/0x60
> [ 14.620000][ T1] [<60764fe0>] ? debug_lockdep_rcu_enabled+0x0/0x50
> [ 14.620000][ T1] [<60064d79>] ? exit_signals+0x139/0x500
> [ 14.620000][ T1] [<60771210>] ? _raw_spin_lock_irq+0x0/0xd0
> [ 14.620000][ T1] [<607715d0>] ? _raw_spin_unlock_irq+0x0/0x60
> [ 14.620000][ T1] [<607249c0>] make_task_dead.cold+0x0/0x9d
> [ 14.620000][ T1] [<600557e7>] do_group_exit+0x47/0xe0
> [ 14.620000][ T1] [<6004a0f0>] ? get_fp_registers+0x0/0x80
> [ 14.620000][ T1] [<6005589a>] sys_exit_group+0x1a/0x20
> [ 14.620000][ T1] [<600302a0>] handle_syscall+0xa0/0xd0
> [ 14.620000][ T1] [<60046969>] handle_trap+0xe9/0x1a0
> [ 14.620000][ T1] [<6004a0f0>] ? get_fp_registers+0x0/0x80
> [ 14.620000][ T1] [<6004709f>] userspace+0x29f/0x530
> [ 14.620000][ T1] [<6002c374>] new_thread_handler+0xb4/0xc0
> ./functions.sh: line 72: 8546 Aborted (core dumped)
> "$@"
> =================================
> Run with FAILEARLY=1 ./evm_hmac.test _cleanup_env cleanup
> To stop after first failure
>
* Re: [PATCH v3 ima-evm-utils 4/4] Add simple tests to check EVM HMAC calculation
2023-06-23 11:45 ` Roberto Sassu
@ 2023-06-23 14:30 ` Mimi Zohar
0 siblings, 0 replies; 12+ messages in thread
From: Mimi Zohar @ 2023-06-23 14:30 UTC (permalink / raw)
To: Roberto Sassu, dmitry.kasatkin
Cc: linux-integrity, vt, pvorel, stefanb, paul, casey, Roberto Sassu
On Fri, 2023-06-23 at 13:45 +0200, Roberto Sassu wrote:
> On Fri, 2023-06-23 at 07:42 -0400, Mimi Zohar wrote:
> > Hi Roberto,
> >
> > On Fri, 2023-06-16 at 21:23 +0200, Roberto Sassu wrote:
> > > From: Roberto Sassu <roberto.sassu@huawei.com>
> > >
> > > Add a simple test to ensure that the kernel and evmctl provide the same
> > > result for the HMAC calculation. Do it with SELinux or Smack, whichever is
> > > available (if the UML kernel is used, the test is done with both LSMs).
> > >
> > > Also add another test to evaluate the HMAC on a directory for which Smack
> > > added the SMACK64TRANSMUTE xattr.
> > >
> > > The second test fails without the kernel patch 'smack: Set the
> > > SMACK64TRANSMUTE xattr in smack_inode_init_security()', as Smack uses
> > > __vfs_setxattr() to set SMACK64TRANSMUTE, which does not go through EVM,
> > > and makes the HMAC invalid.
> > >
> > > Require (unless the UML kernel is used) that the TST_EVM_CHANGE_MODE
> > > environment variable is set to 1, so that users acknowledge that they are
> > > initializing EVM with a well-known HMAC key, which can introduce obvious
> > > security concerns.
> > >
> > > Finally, enable SELinux, the EVM additional xattrs, and encrypted keys with
> > > user-decrypted data in the kernel configuration for CI, and set
> > > TST_EVM_CHANGE_MODE to 1 in the Github Action workflow.
> > >
> > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> >
> > The simple SELinux and Smack tests are working properly without kernel
> > changes. Even the Smack transmute test is working, properly
> > returning an error message, but is followed by a kernel panic.
> >
> > Possibly missing patches:
> > - smack: Set the SMACK64TRANSMUTE xattr in smack_inode_init_security
>
> Hi Mimi
>
> that means that the test is failing.
>
> A UML kernel panic is used to signal to the caller that a test in that
> environment failed.
Thank you for the clarification. That explains why I couldn't
reproduce it locally. Including a traceback like this though is kind
of ugly.
--
thanks,
Mimi
Thread overview: 12+ messages
2023-06-16 19:23 [PATCH v3 ima-evm-utils 0/4] Simple EVM HMAC calculation tests Roberto Sassu
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 1/4] Include the filesystem UUID in HMAC calculation Roberto Sassu
2023-06-19 15:51 ` Stefan Berger
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 2/4] Restore correct HMAC calculation for directories Roberto Sassu
2023-06-19 15:54 ` Stefan Berger
2023-06-19 15:59 ` Roberto Sassu
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 3/4] Add --hmackey option for evmctl Roberto Sassu
2023-06-19 15:59 ` Stefan Berger
2023-06-16 19:23 ` [PATCH v3 ima-evm-utils 4/4] Add simple tests to check EVM HMAC calculation Roberto Sassu
2023-06-23 11:42 ` Mimi Zohar
2023-06-23 11:45 ` Roberto Sassu
2023-06-23 14:30 ` Mimi Zohar