* [RFC PATCH] IMA: Remove evm_overlay.sh
@ 2025-01-14 11:32 Petr Vorel
From: Petr Vorel @ 2025-01-14 11:32 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity, Ignaz Forster

Proof of concept; it was never fixed in the kernel.
Instead we should have some basic EVM tests.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 runtest/ima                                   |  1 -
 .../kernel/security/integrity/ima/README.md   | 64 -------------
 .../integrity/ima/tests/evm_overlay.sh        | 93 -------------------
 3 files changed, 158 deletions(-)
 delete mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh

diff --git a/runtest/ima b/runtest/ima
index 01942eefa3..75e5a99e7c 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -7,4 +7,3 @@ ima_keys ima_keys.sh
 ima_kexec ima_kexec.sh
 ima_selinux ima_selinux.sh
 ima_conditionals ima_conditionals.sh
-evm_overlay evm_overlay.sh
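Review bot: the removal of the `evm_overlay evm_overlay.sh` runtest entry matches the deleted script, but the commit message ("Proof of concept, it was never fixed in the kernel") never names which kernel patchset the test reproduced; the deleted script's header carries the two linux-integrity list links, so cite at least the first of them in the changelog so that readers of `git log` can tell what this entry referred to.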
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 5b261a1914..d3c3206bf2 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -64,67 +64,3 @@ and reading the IMA policy allowed in the kernel configuration:
 CONFIG_SECURITY_SELINUX=y
 CONFIG_IMA_READ_POLICY=y
 ```
-
-## EVM tests
-
-`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
-kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
-Again, for simplicity ignore possibility to load requires rules via custom policy.
-
-Mandatory kernel configuration for EVM tests:
-```
-CONFIG_INTEGRITY=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_IMA=y
-CONFIG_IMA_APPRAISE=y
-CONFIG_EVM=y
-CONFIG_KEYS=y
-CONFIG_TRUSTED_KEYS=y
-CONFIG_ENCRYPTED_KEYS=y
-```
-
-Example of preparing environment on for EVM on openSUSE:
-
-* Boot install system with `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters
-  (for IMA measurement, IMA appraisal and EVM protection)
-* Proceed with installation until summary screen, but do not start the installation yet
-* Select package `dracut-ima` (required for early boot EVM support) for installation
-  (Debian based distros already contain IMA + EVM support in `dracut` package)
-* Change to a console window and run commands to generate keys required by EVM:
-```
-# mkdir /etc/keys
-# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
-# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
-# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
-# keyctl pipe "$evm_key" >/etc/keys/evm.blob
-# cat <<END >/etc/sysconfig/masterkey
-MASTERKEYTYPE="user"
-MASTERKEY="/etc/keys/kmk-user.blob"
-END
-# cat <<END >/etc/sysconfig/evm
-EVMKEY="/etc/keys/evm.blob"
-END
-# mount -t securityfs security /sys/kernel/security
-# echo 1 >/sys/kernel/security/evm
-```
-
-* Go back to the installation summary screen and start the installation
-* During the installation execute the following commands from the console:
-```
-# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
-# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
-```
-
-This should work on any distribution using dracut.
-Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
-
-Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
-```
-evmctl -r ima_fix /
-```
-
-or with `find` if evmctl is not available:
-```
-find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
-```
-Again, fixing requires `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
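Review bot: this hunk deletes more than the `evm_overlay.sh`-specific text: the kernel configuration list (`CONFIG_EVM=y`, `CONFIG_TRUSTED_KEYS=y`, `CONFIG_ENCRYPTED_KEYS=y`, ...), the keyctl key-generation steps and the dracut/initramfs notes apply to any EVM test, and the commit message says basic EVM tests are still wanted. Consider dropping only the paragraph beginning "`evm_overlay.sh` requires a builtin IMA appraise tcb policy" and keeping the rest of `## EVM tests` as general EVM setup documentation; a later reply in this thread links to exactly this README section (`#evm-tests`) as the setup reference.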
diff --git a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh b/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
deleted file mode 100755
index 12b2a28c25..0000000000
--- a/testcases/kernel/security/integrity/ima/tests/evm_overlay.sh
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: GPL-2.0-or-later
-# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
-# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
-# Reproducer for not upstreamed patchset [1] and previous report [2].
-# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
-# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
-
-TST_SETUP="setup"
-TST_CLEANUP="cleanup"
-TST_CNT=4
-
-setup()
-{
-	EVM_FILE="/sys/kernel/security/evm"
-
-	[ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
-	[ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
-
-	require_ima_policy_cmdline "appraise_tcb"
-
-	lower="$TST_MNTPOINT/lower"
-	upper="$TST_MNTPOINT/upper"
-	work="$TST_MNTPOINT/work"
-	merged="$TST_MNTPOINT/merged"
-	mkdir -p $lower $upper $work $merged
-
-	device_backup="$TST_DEVICE"
-	TST_DEVICE="overlay"
-
-	fs_type_backup="$TST_FS_TYPE"
-	TST_FS_TYPE="overlay"
-
-	mntpoint_backup="$TST_MNTPOINT"
-	TST_MNTPOINT="$PWD/$merged"
-
-	params_backup="$TST_MNT_PARAMS"
-	TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
-
-	tst_mount
-	mounted=1
-}
-
-test1()
-{
-	local file="foo1.txt"
-
-	tst_res TINFO "overwrite file in overlay"
-	EXPECT_PASS echo lower \> $lower/$file
-	EXPECT_PASS echo overlay \> $merged/$file
-}
-
-test2()
-{
-	local file="foo2.txt"
-
-	tst_res TINFO "append file in overlay"
-	EXPECT_PASS echo lower \> $lower/$file
-	EXPECT_PASS echo overlay \>\> $merged/$file
-}
-
-test3()
-{
-	local file="foo3.txt"
-
-	tst_res TINFO "create a new file in overlay"
-	EXPECT_PASS echo overlay \> $merged/$file
-}
-
-test4()
-{
-	local f
-
-	tst_res TINFO "read all created files"
-	for f in $(find $TST_MNTPOINT -type f); do
-		EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
-	done
-}
-
-cleanup()
-{
-	[ -n "$mounted" ] || return 0
-
-	tst_umount $TST_MNTPOINT
-
-	TST_DEVICE="$device_backup"
-	TST_FS_TYPE="$fs_type_backup"
-	TST_MNTPOINT="$mntpoint_backup"
-	TST_MNT_PARAMS="$params_backup"
-}
-
-. ima_setup.sh
-tst_run
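Review bot: the hard gate `require_ima_policy_cmdline "appraise_tcb"` in setup() is what ties this test to the builtin appraise policy; the replies in this thread propose expressing the requirement via REQUIRED_POLICY_CONTENT instead, which would keep the four overlay cases (overwrite, append, create, read back) without the boot-parameter dependency, so deleting the file looks premature. If the test stays, the EVM-enabled check `[ $(cat $EVM_FILE) -eq 1 ]` should quote `$EVM_FILE`, and test4 should quote `$f` in the `find` loop (`EXPECT_PASS cat "$f" ...`), since the unquoted expansion breaks on paths containing whitespace.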
-- 
2.47.1



* Re: [RFC PATCH] IMA: Remove evm_overlay.sh
@ 2025-03-07 10:24 ` Petr Vorel
From: Petr Vorel @ 2025-03-07 10:24 UTC (permalink / raw)
  To: ltp; +Cc: Mimi Zohar, linux-integrity, Ignaz Forster

Hi Mimi, Ignaz,

> Proof of concept, it was never fixed in the kernel.
> Instead we should have some basic EVM tests.

Gentle ping. Is the evm_overlay.sh test useful for you?
Otherwise I'll delete it.

Kind regards,
Petr


* Re: [RFC PATCH] IMA: Remove evm_overlay.sh
@ 2025-03-10 15:33   ` Mimi Zohar
From: Mimi Zohar @ 2025-03-10 15:33 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity, Ignaz Forster

On Fri, 2025-03-07 at 11:24 +0100, Petr Vorel wrote:
> Hi Mimi, Ignaz,
> 
> > Proof of concept, it was never fixed in the kernel.
> > Instead we should have some basic EVM tests.
> 
> gently ping. Is evm_overlay.sh test useful for you?
> Otherwise I'll delete it.

Requiring the "ima_policy=appraise_tcb" default policy to run the tests limits
its usefulness.  Perhaps REQUIRED_POLICY_CONTENT could be defined.  I'll let you
know. For now, please don't remove the test.

thanks,

Mimi


* Re: [RFC PATCH] IMA: Remove evm_overlay.sh
@ 2025-03-12 15:20     ` Petr Vorel
From: Petr Vorel @ 2025-03-12 15:20 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: ltp, linux-integrity, Ignaz Forster

Hi Mimi, Ignaz,

> On Fri, 2025-03-07 at 11:24 +0100, Petr Vorel wrote:
> > Hi Mimi, Ignaz,

> > > Proof of concept, it was never fixed in the kernel.
> > > Instead we should have some basic EVM tests.

> > gently ping. Is evm_overlay.sh test useful for you?
> > Otherwise I'll delete it.

> Requiring the "ima_policy=appraise_tcb" default policy to run the tests limits
> its usefulness.  Perhaps REQUIRED_POLICY_CONTENT could be defined.  I'll let you
> know. For now, please don't remove the test.

Sure, I'll keep the test if you want. Also adding REQUIRED_POLICY_CONTENT would
help. But the reason why I wanted to delete the test is the fact that it's a
proof of concept:

1) It's a reproducer for a patchset which hasn't been fixed.
2) It requires test setup first: "ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix". [2]
3) I'm not sure if the test even works as expected.

But I'll try to test it again and check whether it works with
REQUIRED_POLICY_CONTENT.

Kind regards,
Petr

[1] https://lore.kernel.org/linux-integrity/20190211165323.9369-1-iforster@suse.com/
[2] https://github.com/linux-test-project/ltp/tree/master/testcases/kernel/security/integrity/ima#evm-tests

> thanks,

> Mimi

