public inbox for ltp@lists.linux.it
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: ltp@lists.linux.it
Subject: [LTP] [RFC PATCH 0/2] IMA: Rewrite tests into new API + fixes
Date: Tue, 06 Feb 2018 08:19:19 -0500
Message-ID: <1517923159.13312.14.camel@linux.vnet.ibm.com>
In-Reply-To: <20180126131650.GC12731@rei>

On Fri, 2018-01-26 at 14:16 +0100, Cyril Hrubis wrote:
> Hi!
> > > For the new template format measurement lists, walking the measurement
> > > list, re-calculating the PCRs and comparing them with the HW or vTPM
> > > PCRs fail.  The ima-evm-utils package has a working version.  Invoke
> > > "evmctl" with the "ima_measurement" option.
> > So you mean that src/ima_measure.c is broken and should be replaced by evmctl from your
> > repository on sf.net [4]? Fortunately this package is on all major distros [5] (except
> > Debian, but Ubuntu package is installable on Debian), so we don't need to include your
> > repository as submodule.
> 
> Well if the package is included in major distributions we may as just
> state the dependency in the README and TCONF the test if it's not
> installed.

I've cleaned up "evmctl ima_measurement" a bit, so that there are
different levels of output.  The default is to just return errors. 
Verbose (-v) returns the keys used in the verification, the calculated
PCR and the HW PCR. Verbose+ (-v -v) includes the measurement list as
well.

example:
$ sudo src/evmctl ima_measurement -k "/etc/keys/ima/distro-cert-6e6c1046.der,
/etc/keys/ima/app-cert-c4e2426e.der, /etc/keys/ima/local-cert-14c2d147.der"
-v /sys/kernel/security/ima/binary_runtime_measurements

key 1: 6e6c1046 /etc/keys/ima/distro-cert-6e6c1046.der
key 2: c4e2426e /etc/keys/ima/app-cert-c4e2426e.der
key 3: 14c2d147 /etc/keys/ima/local-cert-14c2d147.der
PCRAgg 10: a19dfba0ac6eef26cb342470374b0808aea80a12
HW PCR-10: a19dfba0ac6eef26cb342470374b0808aea80a12

The patches for this version are in the next branch.

Mimi
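The verification step discussed above (walking the measurement list, re-calculating the PCR aggregate and comparing it with the TPM value), as an added illustration that is not code from this thread or from ima-evm-utils: it parses ima-ng records from the binary_runtime_measurements layout, checks each template digest against the length-prefixed field data, extends violation records with 0xff bytes the way the kernel does, and rejects the legacy "ima" template layout it does not handle. The sample list is constructed in the script, and the record builder and path names are my own.

```python
import hashlib
import struct

ZERO_DIGEST = b"\x00" * 20
# A violation is stored with an all-zero digest, but the kernel extended the
# PCR with 0xff bytes for it, so the verifier must extend the same way.
VIOLATION_EXTEND = b"\xff" * 20

def parse_measurements(blob):
    """Yield (pcr, template_digest, template_name, template_data) records."""
    off = 0
    while off < len(blob):
        pcr, digest, nlen = struct.unpack_from("<I20sI", blob, off)
        name = blob[off + 28:off + 28 + nlen].decode()
        if name == "ima":   # the original template has no data-length field
            raise ValueError("legacy 'ima' template layout not handled")
        off += 28 + nlen
        dlen, = struct.unpack_from("<I", blob, off)
        data = blob[off + 4:off + 4 + dlen]
        off += 4 + dlen
        yield pcr, digest, name, data

def recompute_pcr(blob, pcr_index=10):
    """Return (recomputed PCR, template data of records whose digest is wrong)."""
    pcr, bad = ZERO_DIGEST, []
    for idx, digest, _, data in parse_measurements(blob):
        if idx != pcr_index:
            continue
        if digest == ZERO_DIGEST:                       # violation record
            pcr = hashlib.sha1(pcr + VIOLATION_EXTEND).digest()
            continue
        # for ima-ng/ima-sig the digest covers the length-prefixed fields as written
        if hashlib.sha1(data).digest() != digest:
            bad.append(data)
        pcr = hashlib.sha1(pcr + digest).digest()
    return pcr, bad

def ima_ng_record(path, file_digest, violation=False):
    """Constructed ima-ng record: d-ng (algo:digest) and n-ng (path) fields."""
    d_ng = b"sha1:\0" + file_digest
    n_ng = path.encode() + b"\0"
    data = struct.pack("<I", len(d_ng)) + d_ng + struct.pack("<I", len(n_ng)) + n_ng
    digest = ZERO_DIGEST if violation else hashlib.sha1(data).digest()
    return (struct.pack("<I", 10) + digest + struct.pack("<I", 6) + b"ima-ng"
            + struct.pack("<I", len(data)) + data)

# Constructed sample list: boot_aggregate entry, one file, one violation.
SAMPLE = (ima_ng_record("boot_aggregate", ZERO_DIGEST)
          + ima_ng_record("/usr/bin/true", hashlib.sha1(b"true").digest())
          + ima_ng_record("/tmp/open-writers", ZERO_DIGEST, violation=True))
```

On a real system the blob would be read from /sys/kernel/security/ima/binary_runtime_measurements and the recomputed value compared with PCR-10 read from the TPM; an empty `bad` list plus a matching PCR is the "no errors" case that the default evmctl output reports.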

