From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Cc: Petr Vorel <pvorel@suse.cz>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
linux-integrity@vger.kernel.org
Subject: [PATCH 1/4] IMA: Move get_algorithm_digest(), set_digest_index() to ima_setup.sh
Date: Fri, 25 Sep 2020 19:44:36 +0200 [thread overview]
Message-ID: <20200925174439.9534-2-pvorel@suse.cz> (raw)
In-Reply-To: <20200925174439.9534-1-pvorel@suse.cz>
To be reusable by more tests (preparation for next commit).
Call set_digest_index() inside get_algorithm_digest() when needed,
instead of expecting the caller of get_algorithm_digest() to call
set_digest_index() beforehand.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../integrity/ima/tests/ima_measurements.sh | 62 ++--------------
.../security/integrity/ima/tests/ima_setup.sh | 70 +++++++++++++++++++
2 files changed, 76 insertions(+), 56 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 9a7500c76..1927e937c 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -6,7 +6,7 @@
#
# Verify that measurements are added to the measurement list based on policy.
-TST_NEEDS_CMDS="awk cut"
+TST_NEEDS_CMDS="awk cut sed"
TST_SETUP="setup"
TST_CNT=3
TST_NEEDS_DEVICE=1
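Review bot: `sed` is added to TST_NEEDS_CMDS, but no line added by this patch calls sed; the new code in ima_check() and in ima_setup.sh uses only cut, tail and grep. If the dependency is for a later patch in the series, the addition belongs in that commit so each patch stands on its own; otherwise keep the list as it was, `TST_NEEDS_CMDS="awk cut"`.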
@@ -20,72 +20,22 @@ setup()
TEST_FILE="$PWD/test.txt"
POLICY="$IMA_DIR/policy"
[ -f "$POLICY" ] || tst_res TINFO "not using default policy"
- DIGEST_INDEX=
-
- local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
- local i
-
- # parse digest index
- # https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
- case "$template" in
- ima|ima-ng|ima-sig|ima-buf) DIGEST_INDEX=4 ;;
- *)
- # using ima_template_fmt kernel parameter
- local IFS="|"
- i=4
- for word in $template; do
- if [ "$word" = 'd' -o "$word" = 'd-ng' ]; then
- DIGEST_INDEX=$i
- break
- fi
- i=$((i+1))
- done
- esac
-
- [ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
- "Cannot find digest index (template: '$template')"
}
ima_check()
{
- local delimiter=':'
- local algorithm digest expected_digest line
+ local algorithm digest expected_digest line tmp
# need to read file to get updated $ASCII_MEASUREMENTS
cat $TEST_FILE > /dev/null
line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)"
- if [ -z "$line" ]; then
- tst_res TFAIL "cannot find measurement record for '$TEST_FILE'"
- return
- fi
- tst_res TINFO "measurement record: '$line'"
- digest=$(echo "$line" | cut -d' ' -f $DIGEST_INDEX)
- if [ -z "$digest" ]; then
- tst_res TFAIL "cannot find digest (index: $DIGEST_INDEX)"
- return
- fi
-
- if [ "${digest#*$delimiter}" != "$digest" ]; then
- algorithm=$(echo "$digest" | cut -d $delimiter -f 1)
- digest=$(echo "$digest" | cut -d $delimiter -f 2)
+ if tmp=$(get_algorithm_digest "$line"); then
+ algorithm=$(echo "$tmp" | cut -d'|' -f1)
+ digest=$(echo "$tmp" | cut -d'|' -f2)
else
- case "${#digest}" in
- 32) algorithm="md5" ;;
- 40) algorithm="sha1" ;;
- *)
- tst_res TFAIL "algorithm must be either md5 or sha1 (digest: '$digest')"
- return ;;
- esac
- fi
- if [ -z "$algorithm" ]; then
- tst_res TFAIL "cannot find algorithm"
- return
- fi
- if [ -z "$digest" ]; then
- tst_res TFAIL "cannot find digest"
- return
+ tst_res TBROK "failed to get algorithm/digest for '$TEST_FILE': $tmp"
fi
tst_res TINFO "computing digest for $algorithm algorithm"
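Review bot: The else branch that reports TBROK no longer returns, so unless tst_res TBROK terminates the test, ima_check() falls through to the digest computation with algorithm and digest empty, whereas the removed code returned after every failure. Add a return after the report, `tst_res TBROK "failed to get algorithm/digest for '$TEST_FILE': $tmp"; return`, or use tst_brk TBROK, which exits. Also, `tmp=$(get_algorithm_digest "$line")` runs the helper in a subshell: since setup() no longer sets DIGEST_INDEX, set_digest_index() is executed inside that subshell on every call, its DIGEST_INDEX assignment is lost afterwards, and its tst_brk TCONF only exits the subshell, so the parent lands in the TBROK branch instead of ending with TCONF; calling set_digest_index in setup() (in the parent shell) avoids this while the lazy call stays as a fallback. ima_check() continues past the end of the hunk.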
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 1f17aa707..83ea62d4f 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -191,6 +191,76 @@ ima_cleanup()
fi
}
+set_digest_index()
+{
+ DIGEST_INDEX=
+
+ local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)"
+ local i word
+
+ # parse digest index
+ # https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use
+ case "$template" in
+ ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;;
+ *)
+ # using ima_template_fmt kernel parameter
+ local IFS="|"
+ i=4
+ for word in $template; do
+ if [ "$word" = 'd' -o "$word" = 'd-ng' ]; then
+ DIGEST_INDEX=$i
+ break
+ fi
+ i=$((i+1))
+ done
+ esac
+
+ [ -z "$DIGEST_INDEX" ] && tst_brk TCONF \
+ "Cannot find digest index (template: '$template')"
+}
+
+get_algorithm_digest()
+{
+ local line="$1"
+ local delimiter=':'
+ local algorithm digest
+
+ if [ -z "$line" ]; then
+ echo "measurement record not found"
+ return 1
+ fi
+
+ [ -z "$DIGEST_INDEX" ] && set_digest_index
+ digest=$(echo "$line" | cut -d' ' -f $DIGEST_INDEX)
+ if [ -z "$digest" ]; then
+ echo "digest not found (index: $DIGEST_INDEX, line: '$line')"
+ return 1
+ fi
+
+ if [ "${digest#*$delimiter}" != "$digest" ]; then
+ algorithm=$(echo "$digest" | cut -d $delimiter -f 1)
+ digest=$(echo "$digest" | cut -d $delimiter -f 2)
+ else
+ case "${#digest}" in
+ 32) algorithm="md5" ;;
+ 40) algorithm="sha1" ;;
+ *)
+ echo "algorithm must be either md5 or sha1 (digest: '$digest')"
+ return 1 ;;
+ esac
+ fi
+ if [ -z "$algorithm" ]; then
+ echo "algorithm not found"
+ return 1
+ fi
+ if [ -z "$digest" ]; then
+ echo "digest not found"
+ return 1
+ fi
+
+ echo "$algorithm|$digest"
+}
+
# loop device is needed to use only for tmpfs
TMPDIR="${TMPDIR:-/tmp}"
if [ "$(df -T $TMPDIR | tail -1 | awk '{print $2}')" != "tmpfs" -a -n "$TST_NEEDS_DEVICE" ]; then
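Review bot: The moved set_digest_index() drops `ima-buf` from the fixed-template case (`ima|ima-ng|ima-sig` here versus the removed `ima|ima-ng|ima-sig|ima-buf`), a behaviour change the commit message does not mention: an ima-buf template now falls into the `*)` branch, where the single word "ima-buf" matches neither `d` nor `d-ng`, so DIGEST_INDEX stays empty and the test ends with TCONF instead of using index 4. Unless that is intended, restore it, `ima|ima-ng|ima-sig|ima-buf) DIGEST_INDEX=4 ;;`. The two new functions also carry no header comment; I would precede get_algorithm_digest() with a comment stating that it prints `algorithm|digest` parsed from field $DIGEST_INDEX of the measurement-list line passed in $1, prints an error message and returns 1 on failure, and calls set_digest_index() when DIGEST_INDEX is unset, and precede set_digest_index() with a comment stating that it sets the global DIGEST_INDEX from the template name of the last $ASCII_MEASUREMENTS record and ends the test with TCONF when the template has no digest field. While the code is being moved, `tail -1 "$ASCII_MEASUREMENTS"` and `[ "$word" = 'd' ] || [ "$word" = 'd-ng' ]` would be the quoted and non-deprecated forms.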
--
2.28.0