From: Lachlan Sneff <t-josne@linux.microsoft.com>
To: Petr Vorel <pvorel@suse.cz>
Cc: zohar@linux.ibm.com, ltp@lists.linux.it,
nramas@linux.microsoft.com, balajib@linux.microsoft.com,
linux-integrity@vger.kernel.org, tyhicks@linux.microsoft.com,
yaneurabeya@gmail.com, zhang.jia@linux.alibaba.com
Subject: Re: [PATCH 1/3] IMA: Update key test documentation
Date: Tue, 4 Aug 2020 12:42:33 -0400 [thread overview]
Message-ID: <1ccacc7c-392c-ad45-2806-048177953acf@linux.microsoft.com> (raw)
In-Reply-To: <20200804043504.GA76360@x230>
Hi Petr,
Thanks for updating the readme. Should I send a new patch with
the changes you have proposed?
Thanks,
Lachlan
On 8/4/20 12:35 AM, Petr Vorel wrote:
> Hi Lachlan,
>
>> The current documentation for the existing IMA key test was
>> left in by accident by a previous merge. It does not apply
>> to the test that is currently included in the LTP.
>> Update the documentation for the IMA key test.
> Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
> Thanks for fixing this, I propose this changes:
>
> Fixes: d2768c84e ("IMA: Add a test to verify measurement of keys")
>
>> ---
>> .../kernel/security/integrity/ima/README.md | 22 +++++--------------
>> 1 file changed, 5 insertions(+), 17 deletions(-)
>> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
>> index d4644ba39..2956ac7fd 100644
>> --- a/testcases/kernel/security/integrity/ima/README.md
>> +++ b/testcases/kernel/security/integrity/ima/README.md
>> @@ -15,27 +15,15 @@ Although a custom policy, loaded via dracut, systemd or manually from user
>> space, may contain equivalent measurement tcb rules, detecting them would
>> require `IMA_READ_POLICY=y` therefore ignore this option.
>> -### IMA key import test
>> -`ima_keys.sh` requires a x509 public key, by default in `/etc/keys/x509_ima.der`
>> -(defined in `CONFIG_IMA_X509_PATH` kernel config option).
>> -The key must be signed by the private key you generate. Follow these instructions:
>> -https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys
>> -
>> -The test cannot be set-up automatically because the x509 public key must be
>> -built into the kernel and loaded onto a trusted keyring
>> -(e.g. `.builtin_trusted_keys`, `.secondary_trusted_keyring`).
>> -
>> -As well as what's required for the IMA tests, the following are also required
>> -in the kernel configuration:
>> +### IMA key test
>> +`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
>> +with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
>> +
>> +Mandatory kernel configuration for IMA:
> This "Mandatory kernel configuration for IMA:" would be in docs twice. The above
> one (CONFIG_INTEGRITY=y, CONFIG_IMA=y) is required for all tests.
> Take it that "### IMA key test" is header 3, but ## IMA tests
> is header 2 (upper level).
>
>> ```
>> CONFIG_IMA_READ_POLICY=y
>> -CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
>> -CONFIG_SYSTEM_TRUSTED_KEYRING=y
>> -CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
>> ```
>> -Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
>> -
>> ### IMA kexec test
>> `ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
> I also removed "IMA" from EVM tests header.
>
> Kind regards,
> Petr
>
> diff --git testcases/kernel/security/integrity/ima/README.md testcases/kernel/security/integrity/ima/README.md
> index 2956ac7fd..392e1e868 100644
> --- testcases/kernel/security/integrity/ima/README.md
> +++ testcases/kernel/security/integrity/ima/README.md
> @@ -19,7 +19,8 @@ require `IMA_READ_POLICY=y` therefore ignore this option.
> `ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
> with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
>
> -Mandatory kernel configuration for IMA:
> +As well as what's required for the IMA tests, the following are also required
> +-in the kernel configuration:
> ```
> CONFIG_IMA_READ_POLICY=y
> ```
> @@ -38,7 +39,7 @@ To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
> kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
> Again, for simplicity ignore possibility to load requires rules via custom policy.
>
> -Mandatory kernel configuration for IMA & EVM:
> +Mandatory kernel configuration for EVM tests:
> ```
> CONFIG_INTEGRITY=y
> CONFIG_INTEGRITY_SIGNATURE=y
> @@ -50,7 +51,7 @@ CONFIG_TRUSTED_KEYS=y
> CONFIG_ENCRYPTED_KEYS=y
> ```
>
> -Example of installing IMA + EVM on openSUSE:
> +Example of preparing environment on for EVM on openSUSE:
>
> * Boot install system with `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters
> (for IMA measurement, IMA appraisal and EVM protection)
next prev parent reply other threads:[~2020-08-04 16:42 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-03 18:47 [PATCH v1 0/3] Verify measurement of certificate imported into a keyring Lachlan Sneff
2020-08-03 18:47 ` [PATCH 1/3] IMA: Update key test documentation Lachlan Sneff
2020-08-04 4:35 ` Petr Vorel
2020-08-04 16:42 ` Lachlan Sneff [this message]
2020-08-05 8:36 ` Petr Vorel
2020-08-05 8:44 ` Petr Vorel
2020-08-03 18:47 ` [PATCH 2/3] IMA: Refactor datafiles directory Lachlan Sneff
2020-08-07 7:17 ` Petr Vorel
2020-08-07 9:01 ` Petr Vorel
2020-08-07 12:27 ` Petr Vorel
2020-08-03 18:47 ` [PATCH 3/3] IMA: Add a test to verify measurement of certificate imported into a keyring Lachlan Sneff
-- strict thread matches above, loose matches on Subject: below --
2020-08-03 17:59 [PATCH v1 0/3] Verify " Lachlan Sneff
2020-08-03 17:59 ` [PATCH 1/3] IMA: Update key test documentation Lachlan Sneff
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1ccacc7c-392c-ad45-2806-048177953acf@linux.microsoft.com \
--to=t-josne@linux.microsoft.com \
--cc=balajib@linux.microsoft.com \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=nramas@linux.microsoft.com \
--cc=pvorel@suse.cz \
--cc=tyhicks@linux.microsoft.com \
--cc=yaneurabeya@gmail.com \
--cc=zhang.jia@linux.alibaba.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).