public inbox for ltp@lists.linux.it
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: ltp@lists.linux.it
Subject: [LTP] [RFC PATCH 0/2] IMA: Rewrite tests into new API + fixes
Date: Wed, 24 Jan 2018 12:36:57 -0500
Message-ID: <1516815417.3686.55.camel@linux.vnet.ibm.com>
In-Reply-To: <20180111202821.31639-1-pvorel@suse.cz>

Hi Petr,

[Cc'ing Roberto]

On Thu, 2018-01-11 at 21:28 +0100, Petr Vorel wrote:
> Hi,
> 
> I rewrote IMA tests to use new API + add small fixes.
> I haven't tested ima_tpm.sh as I have no TPM :-(.
> 
> Comments are welcomed.

The LTP tests are quite dated, and need some major rework.  I really
appreciate your addressing some of the issues.  Below are some
additional ones.

Tests "ima02 ima_measurement.sh" and "ima04 ima_violations.sh" assume
files are created on a filesystem in policy.  The "measure.policy"
excludes tmpfs, yet TMPDIR defaults to a tmpfs filesystem.  There are
a couple of ways of resolving this problem (eg. removing tmpfs from
the "measure.policy", use a RAM block device instead of tmpfs, etc).
Since the builtin "ima_policy=tcb" also excludes tmpfs, not using a
tmpfs filesystem would be preferable.

Originally IMA allowed a builtin policy to be replaced with a custom
policy, by simply cat'ing a file into the securityfs IMA policy file.
Currently, if new rules can be added to the custom policy (Kconfig
IMA_WRITE_POLICY enabled), the policy file must be signed.  Similarly,
if the builtin "secure-boot" policy is defined on the boot command
line, the custom policy must be signed.  Test "ima01 ima_policy.sh"
should first detect if the policy must be signed, before running the
tests.

ima_boot_aggregate.c defines the BIOS event MAX_EVENT_SIZE as 500,
but I'm currently seeing BIOS events larger than 4k.

Since these tests were first written, Roberto's IMA templates and
Dmitry's support for larger digests were upstreamed.  With the new
template format, the file hash is prefixed with the hash algorithm.
Before comparing the calculated boot aggregate with the value in the
IMA measurement list, the hash algorithm needs to be removed.

For the new template format measurement lists, walking the measurement
list, re-calculating the PCRs and comparing them with the HW or vTPM
PCRs fails.  The ima-evm-utils package has a working version.  Invoke
"evmctl" with the "ima_measurement" option.

thanks,

Mimi
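
The two list-handling steps raised above (stripping the "<algo>:" prefix
from the ima-ng file digest before comparing the boot aggregate, and
re-walking PCR 10 from the template-hash column) as an added example in
Python. This is illustrative code written for this page, not the LTP
tests, the kernel, or ima-evm-utils. It assumes a SHA-1 (TPM 1.2) PCR
bank, the boot_aggregate definition of SHA-1 over PCRs 0 through 7, and
that a violation entry, listed with an all-zero template hash, was
extended into the TPM as twenty 0xff bytes. The measurement lines and
PCR contents below are constructed, not captured from a machine.

```python
"""Added example (not LTP, kernel or ima-evm-utils code): handle the
"ima-ng" template format of /sys/kernel/security/ima/ascii_runtime_measurements.
Assumptions: SHA-1 PCR bank, boot_aggregate = SHA-1(PCR0..PCR7),
violations extended as 0xff*20.  All sample data is constructed."""
import hashlib

PCR_SIZE = 20  # SHA-1 PCR bank (TPM 1.2), assumed for this example


def boot_aggregate(pcrs):
    """Calculated boot aggregate: SHA-1 over the raw contents of PCR 0..7."""
    h = hashlib.sha1()
    for i in range(8):
        h.update(pcrs[i])
    return h.hexdigest()


def split_digest(field):
    """ima-ng stores the file digest as '<algo>:<hex>'; the legacy 'ima'
    template stores the bare SHA-1 hex.  Return (algo, hex) either way."""
    if ":" in field:
        algo, hexdigest = field.split(":", 1)
        return algo, hexdigest
    return "sha1", field


def parse_line(line):
    """One ascii_runtime_measurements line:
    <pcr> <template-hash> <template-name> <filedata-hash> <filename>
    maxsplit=4 keeps spaces inside the filename intact."""
    pcr, template_hash, template, filedata, name = line.split(maxsplit=4)
    algo, digest = split_digest(filedata)
    return {"pcr": int(pcr), "template_hash": template_hash,
            "template": template, "algo": algo, "digest": digest,
            "name": name}


def boot_aggregate_matches(lines, pcrs):
    """Compare the list's boot_aggregate entry (prefix removed) with the
    value calculated from the PCRs.  boot_aggregate is the first entry."""
    entry = parse_line(lines[0])
    if entry["name"] != "boot_aggregate":
        raise ValueError("first measurement is not boot_aggregate")
    return entry["digest"] == boot_aggregate(pcrs)


def extend(pcr, value):
    """TPM 1.2 extend: new = SHA-1(old || value)."""
    return hashlib.sha1(pcr + value).digest()


def recompute_pcr10(lines):
    """Re-walk the list and return the expected PCR 10 as hex."""
    pcr = b"\x00" * PCR_SIZE
    for line in lines:
        th = bytes.fromhex(parse_line(line)["template_hash"])
        # A violation is listed with an all-zero template hash but is
        # assumed to have been extended into the TPM as all 0xff.
        if th == b"\x00" * PCR_SIZE:
            th = b"\xff" * PCR_SIZE
        pcr = extend(pcr, th)
    return pcr.hex()


# Constructed sample data: PCR i holds twenty bytes of value i.
SAMPLE_PCRS = [bytes([i]) * PCR_SIZE for i in range(8)]
TH_A = "0123456789abcdef0123456789abcdef01234567"  # constructed template hashes
TH_B = "89abcdef0123456789abcdef0123456789abcdef"
SAMPLE_LINES = [
    "10 %s ima-ng sha1:%s boot_aggregate" % (TH_A, boot_aggregate(SAMPLE_PCRS)),
    "10 %s ima-ng sha256:%s /usr/bin/some tool" % (TH_B, "ab" * 32),
    "10 %s ima-ng sha256:%s /tmp/open_writers_violation" % ("0" * 40, "00" * 32),
]

if __name__ == "__main__":
    print("boot_aggregate matches:", boot_aggregate_matches(SAMPLE_LINES, SAMPLE_PCRS))
    print("expected PCR 10:", recompute_pcr10(SAMPLE_LINES))
```

On a real system the PCR contents would come from
/sys/class/tpm/tpm0/device/pcrs (or the vTPM equivalent) and the list
from securityfs; the comparison of recompute_pcr10() against the live
PCR 10 is what a measurement-list test should assert.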



Thread overview: 19+ messages
2018-01-11 20:28 [LTP] [RFC PATCH 0/2] IMA: Rewrite tests into new API + fixes Petr Vorel
2018-01-11 20:28 ` [LTP] [RFC PATCH 1/2] security/ima: " Petr Vorel
2018-01-26 13:09   ` Cyril Hrubis
2018-01-11 20:28 ` [LTP] [RFC PATCH 2/2] security/ima: Run measurements after policy Petr Vorel
2018-01-26 13:11   ` Cyril Hrubis
2018-01-26 18:03     ` Petr Vorel
2018-01-28  0:57       ` Mimi Zohar
2018-01-24 17:12 ` [LTP] [RFC PATCH 0/2] IMA: Rewrite tests into new API + fixes Petr Vorel
2018-01-24 17:36 ` Mimi Zohar [this message]
2018-01-25 20:30   ` Petr Vorel
2018-01-25 20:40     ` Petr Vorel
2018-01-25 22:29     ` Mimi Zohar
2018-01-26 17:51       ` Petr Vorel
2018-01-28  0:47         ` Mimi Zohar
2018-01-29 19:58           ` Mimi Zohar
2018-01-31 15:01         ` Nayna Jain
2018-01-26 13:16     ` Cyril Hrubis
2018-01-26 18:11       ` Petr Vorel
2018-02-06 13:19       ` Mimi Zohar
