* [LTP] [PATCH v3 0/2] IMA: Verify measurement of certificates @ 2020-06-17 23:49 Lachlan Sneff 2020-06-17 23:49 ` [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff 2020-06-17 23:49 ` [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff 0 siblings, 2 replies; 11+ messages in thread From: Lachlan Sneff @ 2020-06-17 23:49 UTC (permalink / raw) To: ltp The IMA subsystem is capable of importing and measuring certificates. This set of patches adds tests for verifying that keys are imported and measured correctly. Changelog: v3 - Document requirements for running the ima key tests and provide resources for generating keys. v2 - Un-linebreak a few strings - Enforce that some commands are available before running - Move compute_digest function to ima_setup.sh - Fix file permissions on ima_key.sh - Move IMA_POLICY variable to ima_setup.sh - Add keycheck.policy datafile v1 - The following patchsets should be applied in that order. - Add tests that verify measurement of keys and importing certificates. Lachlan Sneff (2): IMA: Add a test to verify measurment of keys IMA: Add a test to verify importing a certificate into keyring runtest/ima | 1 + .../kernel/security/integrity/ima/README.md | 21 ++++ .../integrity/ima/datafiles/keycheck.policy | 1 + .../security/integrity/ima/tests/ima_keys.sh | 110 ++++++++++++++++++ .../integrity/ima/tests/ima_measurements.sh | 36 +----- .../integrity/ima/tests/ima_policy.sh | 1 - .../security/integrity/ima/tests/ima_setup.sh | 35 ++++++ 7 files changed, 169 insertions(+), 36 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keycheck.policy create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_keys.sh -- 2.25.1 ^ permalink raw reply [flat|nested] 11+ messages in thread
* [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys 2020-06-17 23:49 [LTP] [PATCH v3 0/2] IMA: Verify measurement of certificates Lachlan Sneff @ 2020-06-17 23:49 ` Lachlan Sneff 2020-06-18 20:28 ` Petr Vorel 2020-06-24 13:21 ` Mimi Zohar 2020-06-17 23:49 ` [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff 1 sibling, 2 replies; 11+ messages in thread From: Lachlan Sneff @ 2020-06-17 23:49 UTC (permalink / raw) To: ltp Add a testcase that verifies that the IMA subsystem has correctly measured keys added to keyrings specified in the IMA policy file. Additionally, add support for handling a new IMA template descriptor, namely ima-buf[1], in the IMA measurement tests. [1]: https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> --- runtest/ima | 1 + .../integrity/ima/datafiles/keycheck.policy | 1 + .../security/integrity/ima/tests/ima_keys.sh | 67 +++++++++++++++++++ .../integrity/ima/tests/ima_measurements.sh | 36 +--------- .../integrity/ima/tests/ima_policy.sh | 1 - .../security/integrity/ima/tests/ima_setup.sh | 35 ++++++++++ 6 files changed, 105 insertions(+), 36 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keycheck.policy create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_keys.sh diff --git a/runtest/ima b/runtest/ima index f3ea88cf0..309d47420 100644 --- a/runtest/ima +++ b/runtest/ima @@ -3,4 +3,5 @@ ima_measurements ima_measurements.sh ima_policy ima_policy.sh ima_tpm ima_tpm.sh ima_violations ima_violations.sh +ima_keys ima_keys.sh evm_overlay evm_overlay.sh diff --git a/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy new file mode 100644 index 000000000..3f1934a3d --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy @@ -0,0 +1 @@ +measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh new file mode 100755 index 000000000..2b5324dbf --- /dev/null +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -0,0 +1,67 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2020 Microsoft Corporation +# Author: Lachlan Sneff <t-josne@linux.microsoft.com> +# +# Verify that keys are measured correctly based on policy. + +TST_NEEDS_CMDS="grep mktemp cut sed tr" +TST_CNT=1 +TST_NEEDS_DEVICE=1 + +. ima_setup.sh + +# Based on https://lkml.org/lkml/2019/12/13/564. +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") +test1() +{ + local keyrings keycheck_line templates test_file=$(mktemp) + + tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file" + + [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY" + + [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)" + + keycheck_line=$(grep "func=KEY_CHECK" $IMA_POLICY) + if [ -z "$keycheck_line" ]; then + tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\"" + fi + + if echo "$keycheck_line" | grep -q "*keyrings*"; then + tst_brk TCONF "ima policy does not specify a keyrings to check" + fi + + keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \ + sed "s/\./\\\./g" | cut -d'=' -f2) + if [ -z "$keyrings" ]; then + tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings" + fi + + templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \ + cut -d'=' -f2) + + grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line + do + local digest expected_digest algorithm + + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) + keyring=$(echo "$line" | cut -d' ' -f5) + + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file + + expected_digest="$(compute_digest $algorithm $test_file)" || \ + tst_brk TCONF "cannot compute digest for $algorithm" + + if [ "$digest" != "$expected_digest" ]; then + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring" + fi + done + + rm $test_file + + tst_res TPASS "specified keyrings were measured correctly" +} + +tst_run diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index 54237d688..04d8e6353 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh @@ -28,7 +28,7 @@ setup() # parse digest index # https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use case "$template" in - ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;; + ima|ima-ng|ima-sig|ima-buf) DIGEST_INDEX=4 ;; *) # using ima_template_fmt kernel parameter local IFS="|" @@ -46,40 +46,6 @@ setup() "Cannot find digest index (template: '$template')" } -# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160 -compute_digest() -{ - local algorithm="$1" - local file="$2" - local digest - - digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')" - if [ -n "$digest" ]; then - echo "$digest" - return 0 - fi - - digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')" - if [ -n "$digest" ]; then - echo "$digest" - return 0 - fi - - # uncommon ciphers - local arg="$algorithm" - case "$algorithm" in - tgr192) arg="tiger" ;; - wp512) arg="whirlpool" ;; - esac - - digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')" - if [ -n "$digest" ]; then - echo "$digest" - return 0 - fi - return 1 -} - ima_check() { local delimiter=':' diff --git a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh index 6286277b4..244cf081d 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_policy.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_policy.sh @@ -23,7 +23,6 @@ check_policy_writable() setup() { - IMA_POLICY="$IMA_DIR/policy" check_policy_writable VALID_POLICY="$TST_DATAROOT/measure.policy" diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 58a12eda3..8ae477c1c 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -20,6 +20,40 @@ SYSFS="/sys" UMOUNT= TST_FS_TYPE="ext3" +# TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160 +compute_digest() +{ + local algorithm="$1" + local file="$2" + local digest + + digest="$(${algorithm}sum $file 2>/dev/null | cut -f1 -d ' ')" + if [ -n "$digest" ]; then + echo "$digest" + return 0 + fi + + digest="$(openssl $algorithm $file 2>/dev/null | cut -f2 -d ' ')" + if [ -n "$digest" ]; then + echo "$digest" + return 0 + fi + + # uncommon ciphers + local arg="$algorithm" + case "$algorithm" in + tgr192) arg="tiger" ;; + wp512) arg="whirlpool" ;; + esac + + digest="$(rdigest --$arg $file 2>/dev/null | cut -f1 -d ' ')" + if [ -n "$digest" ]; then + echo "$digest" + return 0 + fi + return 1 +} + check_ima_policy() { local policy="$1" @@ -85,6 +119,7 @@ ima_setup() [ -d "$IMA_DIR" ] || tst_brk TCONF "IMA not enabled in kernel" ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements" BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements" + IMA_POLICY="$IMA_DIR/policy" print_ima_config -- 2.25.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys 2020-06-17 23:49 ` [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff @ 2020-06-18 20:28 ` Petr Vorel 2020-06-24 13:21 ` Mimi Zohar 1 sibling, 0 replies; 11+ messages in thread From: Petr Vorel @ 2020-06-18 20:28 UTC (permalink / raw) To: ltp Hi Lachlan, Reviewed-by: Petr Vorel <pvorel@suse.cz> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > @@ -0,0 +1,67 @@ > +#!/bin/sh > +# SPDX-License-Identifier: GPL-2.0-or-later > +# Copyright (c) 2020 Microsoft Corporation > +# Author: Lachlan Sneff <t-josne@linux.microsoft.com> > +# > +# Verify that keys are measured correctly based on policy. > + > +TST_NEEDS_CMDS="grep mktemp cut sed tr" This is already a dependency for tst_test.sh, but it does not harm to have it here (in case we remove the dependency from tst_test.sh). > +TST_CNT=1 > +TST_NEEDS_DEVICE=1 > + > +. ima_setup.sh > + > +# Based on https://lkml.org/lkml/2019/12/13/564. > +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") > +test1() > +{ > + local keyrings keycheck_line templates test_file=$(mktemp) Do we need mktemp? Can't it be just: local keyrings keycheck_line templates test_file="file.txt" ... > + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file Because you later just overwrite the file (simplicity). I also try to keep shell dependencies low so it's possible to run it with in dracut initramfs with rapido [1] without too many dependencies (although mktemp is already tst_test.sh dependency). > + > + expected_digest="$(compute_digest $algorithm $test_file)" || \ > + tst_brk TCONF "cannot compute digest for $algorithm" > + > + if [ "$digest" != "$expected_digest" ]; then > + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring" > + fi > + done > + > + rm $test_file Again, IMHO no need to delete the file. [1] https://github.com/rapido-linux/rapido > + > + tst_res TPASS "specified keyrings were measured correctly" This TPASS will be called even if there is previous TFAIL "incorrect digest was found for the ($keyring) keyring". We should either exit testing with return, or have variable to detect failure and not call this (not sure what makes more sense). Kind regards, Petr ^ permalink raw reply [flat|nested] 11+ messages in thread
* [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys 2020-06-17 23:49 ` [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff 2020-06-18 20:28 ` Petr Vorel @ 2020-06-24 13:21 ` Mimi Zohar 2020-06-24 15:27 ` Mimi Zohar 1 sibling, 1 reply; 11+ messages in thread From: Mimi Zohar @ 2020-06-24 13:21 UTC (permalink / raw) To: ltp Hi Lachian, > + > +# Based on https://lkml.org/lkml/2019/12/13/564. > +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") > +test1() > +{ > + local keyrings keycheck_line templates test_file=$(mktemp) > + > + tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file" > + > + [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY" > + > + [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)" > + > + keycheck_line=$(grep "func=KEY_CHECK" $IMA_POLICY) > + if [ -z "$keycheck_line" ]; then > + tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\"" > + fi > + > + if echo "$keycheck_line" | grep -q "*keyrings*"; then > + tst_brk TCONF "ima policy does not specify a keyrings to check" > + fi > + > + keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \ > + sed "s/\./\\\./g" | cut -d'=' -f2) > + if [ -z "$keyrings" ]; then > + tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings" > + fi > + > + templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \ > + cut -d'=' -f2) > + > + grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line Probably because I have multiple KEY_CHECK rules, this is failing: grep: Unmatched ( or \( And then it continues merrily alongs its way. ima_keys 1 TPASS: specified keyrings were measured correctly ima_keys 2 TCONF: missing /etc/keys/x509_ima.der Mimi > + do > + local digest expected_digest algorithm > + > + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) > + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) > + keyring=$(echo "$line" | cut -d' ' -f5) > + > + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file > + > + expected_digest="$(compute_digest $algorithm $test_file)" || \ > + tst_brk TCONF "cannot compute digest for $algorithm" > + > + if [ "$digest" != "$expected_digest" ]; then > + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring" > + fi > + done > + > + rm $test_file > + > + tst_res TPASS "specified keyrings were measured correctly" > +} ^ permalink raw reply [flat|nested] 11+ messages in thread
* [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys 2020-06-24 13:21 ` Mimi Zohar @ 2020-06-24 15:27 ` Mimi Zohar 0 siblings, 0 replies; 11+ messages in thread From: Mimi Zohar @ 2020-06-24 15:27 UTC (permalink / raw) To: ltp [Resending due to mailer issues] On Wed, 2020-06-24 at 09:21 -0400, Mimi Zohar wrote: > Hi Lachian, > > > + > > +# Based on https://lkml.org/lkml/2019/12/13/564. > > +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") > > +test1() > > +{ > > + local keyrings keycheck_line templates test_file=$(mktemp) > > + > > + tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file" > > + > > + [ -f $IMA_POLICY ] || tst_brk TCONF "missing $IMA_POLICY" > > + > > + [ -r $IMA_POLICY ] || tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required)" > > + > > + keycheck_line=$(grep "func=KEY_CHECK" $IMA_POLICY) > > + if [ -z "$keycheck_line" ]; then > > + tst_brk TCONF "ima policy does not specify \"func=KEY_CHECK\"" > > + fi > > + > > + if echo "$keycheck_line" | grep -q "*keyrings*"; then > > + tst_brk TCONF "ima policy does not specify a keyrings to check" > > + fi > > + > > + keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \ > > + sed "s/\./\\\./g" | cut -d'=' -f2) > > + if [ -z "$keyrings" ]; then > > + tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings" > > + fi > > + > > + templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \ > > + cut -d'=' -f2) > > + > > + grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line > > Probably because I have multiple KEY_CHECK rules, this is failing: > > grep: Unmatched ( or \( > > And then it continues merrily alongs its way. > > ima_keys 1 TPASS: specified keyrings were measured correctly > ima_keys 2 TCONF: missing /etc/keys/x509_ima.der > > Mimi > > > + do > > + local digest expected_digest algorithm > > + > > + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) > > + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) > > + keyring=$(echo "$line" | cut -d' ' -f5) > > + > > + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file > > + > > + expected_digest="$(compute_digest $algorithm $test_file)" || \ > > + tst_brk TCONF "cannot compute digest for $algorithm" > > + > > + if [ "$digest" != "$expected_digest" ]; then > > + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring" > > + fi > > + done > > + > > + rm $test_file > > + > > + tst_res TPASS "specified keyrings were measured correctly" > > +} ^ permalink raw reply [flat|nested] 11+ messages in thread
* [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring 2020-06-17 23:49 [LTP] [PATCH v3 0/2] IMA: Verify measurement of certificates Lachlan Sneff 2020-06-17 23:49 ` [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff @ 2020-06-17 23:49 ` Lachlan Sneff 2020-06-18 20:14 ` Petr Vorel 2020-06-24 16:41 ` Mimi Zohar 1 sibling, 2 replies; 11+ messages in thread From: Lachlan Sneff @ 2020-06-17 23:49 UTC (permalink / raw) To: ltp Add an IMA measurement test that verifies that an x509 certificate can be imported into the .ima keyring and measured correctly. Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> --- .../kernel/security/integrity/ima/README.md | 21 +++++++++ .../security/integrity/ima/tests/ima_keys.sh | 47 ++++++++++++++++++- 2 files changed, 66 insertions(+), 2 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md index 16a1f48c3..e41f7b570 100644 --- a/testcases/kernel/security/integrity/ima/README.md +++ b/testcases/kernel/security/integrity/ima/README.md @@ -16,6 +16,27 @@ CONFIG_INTEGRITY=y CONFIG_IMA=y ``` +IMA Key Import test +------------- + +`ima_keys.sh` requires an x509 key to be generated and placed +at `/etc/keys/x509_ima.der`. + +The x509 public key key must be signed by the private key you generate. +Follow these instructions: +https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys. + +The test cannot be set-up automatically because the kernel must be built +with one of the keys you generate. + +As well as what's required for the IMA tests, the following are also required +in the kernel configuration: +``` +CONFIG_IMA_READ_POLICY=y +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem" +``` + EVM tests --------- diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index 2b5324dbf..1d9824aba 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -5,10 +5,12 @@ # # Verify that keys are measured correctly based on policy. -TST_NEEDS_CMDS="grep mktemp cut sed tr" -TST_CNT=1 +TST_NEEDS_CMDS="grep mktemp cut sed tr xxd keyctl evmctl openssl cmp" +TST_CNT=2 TST_NEEDS_DEVICE=1 +CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}" + . ima_setup.sh # Based on https://lkml.org/lkml/2019/12/13/564. @@ -64,4 +66,45 @@ test1() tst_res TPASS "specified keyrings were measured correctly" } + +# Test that a cert can be imported into the ".ima" keyring correctly. +test2() { + local keyring_id key_id test_file=$(mktemp) + + [ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE" + + if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then + tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate" + fi + + tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)" + + keyring_id=$(keyctl show %:.ima | sed -n 2p | \ + sed 's/^[[:space:]]*//' | cut -d' ' -f1) || \ + tst_btk TCONF "unable to retrieve .ima keyring id" + + if ! tst_is_num "$keyring_id"; then + tst_brk TCONF "unable to parse keyring id from keyring" + fi + + evmctl import $CERT_FILE "$keyring_id" > /dev/null || \ + tst_brk TCONF "unable to import a cert into the .ima keyring" + + grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \ + xxd -r -p > $test_file || \ + tst_brk TCONF "cert not found in ascii_runtime_measurements log" + + if ! openssl x509 -in $test_file -inform der > /dev/null; then + tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate" + fi + + if cmp -s "$test_file" $CERT_FILE; then + tst_res TPASS "logged cert matches original cert" + else + tst_res TFAIL "logged cert does not match original cert" + fi + + rm $test_file +} + tst_run -- 2.25.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring 2020-06-17 23:49 ` [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff @ 2020-06-18 20:14 ` Petr Vorel 2020-06-24 16:41 ` Mimi Zohar 1 sibling, 0 replies; 11+ messages in thread From: Petr Vorel @ 2020-06-18 20:14 UTC (permalink / raw) To: ltp Hi Lachlan, LGTM, I'd just like to do some tests. That's what prevents me from merging (my notes below are just nits, I'll fix them before merging). @Mimi: would you have time to have look into these tests? Reviewed-by: Petr Vorel <pvorel@suse.cz> > Add an IMA measurement test that verifies that an x509 certificate > can be imported into the .ima keyring and measured correctly. > Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> > --- > .../kernel/security/integrity/ima/README.md | 21 +++++++++ > .../security/integrity/ima/tests/ima_keys.sh | 47 ++++++++++++++++++- > 2 files changed, 66 insertions(+), 2 deletions(-) > diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md > index 16a1f48c3..e41f7b570 100644 > --- a/testcases/kernel/security/integrity/ima/README.md > +++ b/testcases/kernel/security/integrity/ima/README.md > @@ -16,6 +16,27 @@ CONFIG_INTEGRITY=y > CONFIG_IMA=y > ``` Thanks for a docs, I'll move it to the first commit. > +IMA Key Import test IMA Key Import tests > +------------- > + > +`ima_keys.sh` requires an x509 key to be generated and placed > +at `/etc/keys/x509_ima.der`. `ima_keys.sh` requires an x509 public key to be generated and placed > +at `/etc/keys/x509_ima.der`. > + > +The x509 public key key must be signed by the private key you generate. > +Follow these instructions: > +https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys. I was thinking to use non-distro link: https://www.mankier.com/1/evmctl#Generate_Trusted_Keys as Ubuntu docs is tied to certain evmctl version, but on the other hand it document what you used when wrote tests. And Ubuntu URL is probably is probably safer to use (mankier.com can vanish in the future). Thus keep this one. > + > +The test cannot be set-up automatically because the kernel must be built > +with one of the keys you generate. > + > +As well as what's required for the IMA tests, the following are also required > +in the kernel configuration: > +``` > +CONFIG_IMA_READ_POLICY=y > +CONFIG_SYSTEM_TRUSTED_KEYRING=y > +CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem" > +``` > + > EVM tests > --------- > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > index 2b5324dbf..1d9824aba 100755 > --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > @@ -5,10 +5,12 @@ > # Verify that keys are measured correctly based on policy. > -TST_NEEDS_CMDS="grep mktemp cut sed tr" > -TST_CNT=1 > +TST_NEEDS_CMDS="grep mktemp cut sed tr xxd keyctl evmctl openssl cmp" > +TST_CNT=2 > TST_NEEDS_DEVICE=1 > +CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}" > + > . ima_setup.sh > # Based on https://lkml.org/lkml/2019/12/13/564. > @@ -64,4 +66,45 @@ test1() > tst_res TPASS "specified keyrings were measured correctly" > } > + > +# Test that a cert can be imported into the ".ima" keyring correctly. > +test2() { > + local keyring_id key_id test_file=$(mktemp) > + > + [ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE" > + > + if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then > + tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate" > + fi > + > + tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)" > + > + keyring_id=$(keyctl show %:.ima | sed -n 2p | \ > + sed 's/^[[:space:]]*//' | cut -d' ' -f1) || \ > + tst_btk TCONF "unable to retrieve .ima keyring id" > + > + if ! tst_is_num "$keyring_id"; then > + tst_brk TCONF "unable to parse keyring id from keyring" > + fi > + > + evmctl import $CERT_FILE "$keyring_id" > /dev/null || \ > + tst_brk TCONF "unable to import a cert into the .ima keyring" > + > + grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \ > + xxd -r -p > $test_file || \ > + tst_brk TCONF "cert not found in ascii_runtime_measurements log" > + > + if ! openssl x509 -in $test_file -inform der > /dev/null; then > + tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate" > + fi > + > + if cmp -s "$test_file" $CERT_FILE; then > + tst_res TPASS "logged cert matches original cert" > + else > + tst_res TFAIL "logged cert does not match original cert" > + fi > + > + rm $test_file I guess you can avoid deleting this file. There is automatic cleanup of the test directory and even if the test is run with -i (number of iterations), it'll be unique as it's using using mktemp. > +} > + > tst_run Kind regards, Petr ^ permalink raw reply [flat|nested] 11+ messages in thread
* [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring 2020-06-17 23:49 ` [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff 2020-06-18 20:14 ` Petr Vorel @ 2020-06-24 16:41 ` Mimi Zohar 2020-06-24 19:59 ` Lachlan Sneff 1 sibling, 1 reply; 11+ messages in thread From: Mimi Zohar @ 2020-06-24 16:41 UTC (permalink / raw) To: ltp Hi Lachlan, On Wed, 2020-06-17 at 19:49 -0400, Lachlan Sneff wrote: > Add an IMA measurement test that verifies that an x509 certificate > can be imported into the .ima keyring and measured correctly. Please expand this, explaining that the x509 certificate needs to be signed by a key on one of the trusted keyrings. Once there is a reliable way of adding a key to the IMA keyring, this opens up a lot of other testing possibilities. > > Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> > --- > .../kernel/security/integrity/ima/README.md | 21 +++++++++ > .../security/integrity/ima/tests/ima_keys.sh | 47 ++++++++++++++++++- > 2 files changed, 66 insertions(+), 2 deletions(-) > > diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md > index 16a1f48c3..e41f7b570 100644 > --- a/testcases/kernel/security/integrity/ima/README.md > +++ b/testcases/kernel/security/integrity/ima/README.md > @@ -16,6 +16,27 @@ CONFIG_INTEGRITY=y > CONFIG_IMA=y > ``` > > +IMA Key Import test > +------------- > + > +`ima_keys.sh` requires an x509 key to be generated and placed > +at `/etc/keys/x509_ima.der`. The filename "/etc/keys/x509_ima.der" is configurable. ?It's based on CONFIG_IMA_X509_PATH Kconfig option. ?Perhaps extract it from the running kernel's Kconfig? > + > +The x509 public key key must be signed by the private key you generate. > +Follow these instructions: > +https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys. > + > +The test cannot be set-up automatically because the kernel must be built > +with one of the keys you generate. Please reword this to convey that the public key must be built into the kernel and loaded onto a trusted keyring (eg. .builtin_trusted_keys, .secondary_trusted_keyring) > + > +As well as what's required for the IMA tests, the following are also required > +in the kernel configuration: > +``` > +CONFIG_IMA_READ_POLICY=y > +CONFIG_SYSTEM_TRUSTED_KEYRING=y > +CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem" > +``` > + > EVM tests > --------- > > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > index 2b5324dbf..1d9824aba 100755 > --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh > @@ -5,10 +5,12 @@ > # > # Verify that keys are measured correctly based on policy. > > -TST_NEEDS_CMDS="grep mktemp cut sed tr" > -TST_CNT=1 > +TST_NEEDS_CMDS="grep mktemp cut sed tr xxd keyctl evmctl openssl cmp" > +TST_CNT=2 > TST_NEEDS_DEVICE=1 > > +CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}" > + > . ima_setup.sh > > # Based on https://lkml.org/lkml/2019/12/13/564. > @@ -64,4 +66,45 @@ test1() > tst_res TPASS "specified keyrings were measured correctly" > } > > + > +# Test that a cert can be imported into the ".ima" keyring correctly. > +test2() { > + local keyring_id key_id test_file=$(mktemp) > + > + [ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE" > + > + if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then > + tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate" > + fi > + > + tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)" > + > + keyring_id=$(keyctl show %:.ima | sed -n 2p | \ > + sed 's/^[[:space:]]*//' | cut -d' ' -f1) || \ > + tst_btk TCONF "unable to retrieve .ima keyring id" Using "keyctl describe" returns the keyring id as the first token, making it simpler to parse. Mimi > + > + if ! tst_is_num "$keyring_id"; then > + tst_brk TCONF "unable to parse keyring id from keyring" > + fi > + > + evmctl import $CERT_FILE "$keyring_id" > /dev/null || \ > + tst_brk TCONF "unable to import a cert into the .ima keyring" > + > + grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \ > + xxd -r -p > $test_file || \ > + tst_brk TCONF "cert not found in ascii_runtime_measurements log" > + > + if ! openssl x509 -in $test_file -inform der > /dev/null; then > + tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate" > + fi > + > + if cmp -s "$test_file" $CERT_FILE; then > + tst_res TPASS "logged cert matches original cert" > + else > + tst_res TFAIL "logged cert does not match original cert" > + fi > + > + rm $test_file > +} > + > tst_run ^ permalink raw reply [flat|nested] 11+ messages in thread
* [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring 2020-06-24 16:41 ` Mimi Zohar @ 2020-06-24 19:59 ` Lachlan Sneff 2020-06-24 20:02 ` Mimi Zohar 0 siblings, 1 reply; 11+ messages in thread From: Lachlan Sneff @ 2020-06-24 19:59 UTC (permalink / raw) To: ltp Thank you for the review, Mimi! On 6/24/20 12:41 PM, Mimi Zohar wrote: > Hi Lachlan, > > On Wed, 2020-06-17 at 19:49 -0400, Lachlan Sneff wrote: >> Add an IMA measurement test that verifies that an x509 certificate >> can be imported into the .ima keyring and measured correctly. > Please expand this, explaining that the x509 certificate needs to be > signed by a key on one of the trusted keyrings. > > Once there is a reliable way of adding a key to the IMA keyring, this > opens up a lot of other testing possibilities. This is a great idea. I definitely wasn't clear enough here. >> Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com> >> --- >> .../kernel/security/integrity/ima/README.md | 21 +++++++++ >> .../security/integrity/ima/tests/ima_keys.sh | 47 ++++++++++++++++++- >> 2 files changed, 66 insertions(+), 2 deletions(-) >> >> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md >> index 16a1f48c3..e41f7b570 100644 >> --- a/testcases/kernel/security/integrity/ima/README.md >> +++ b/testcases/kernel/security/integrity/ima/README.md >> @@ -16,6 +16,27 @@ CONFIG_INTEGRITY=y >> CONFIG_IMA=y >> ``` >> >> +IMA Key Import test >> +------------- >> + >> +`ima_keys.sh` requires an x509 key to be generated and placed >> +at `/etc/keys/x509_ima.der`. > The filename "/etc/keys/x509_ima.der" is configurable. ?It's based on > CONFIG_IMA_X509_PATH Kconfig option. ?Perhaps extract it from the > running kernel's Kconfig? I didn't think pulling it from the kernel config. Will try this. I assume `grep "..." /boot/config-$(uname -r)` is the right way to grab a line from the config? >> + >> +The x509 public key key must be signed by the private key you generate. >> +Follow these instructions: >> +https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys. >> + >> +The test cannot be set-up automatically because the kernel must be built >> +with one of the keys you generate. > Please reword this to convey that the public key must be built into > the kernel and loaded onto a trusted keyring (eg. > .builtin_trusted_keys, .secondary_trusted_keyring) Sounds good. >> + >> +As well as what's required for the IMA tests, the following are also required >> +in the kernel configuration: >> +``` >> +CONFIG_IMA_READ_POLICY=y >> +CONFIG_SYSTEM_TRUSTED_KEYRING=y >> +CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem" >> +``` >> + >> EVM tests >> --------- >> >> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh >> index 2b5324dbf..1d9824aba 100755 >> --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh >> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh >> @@ -5,10 +5,12 @@ >> # >> # Verify that keys are measured correctly based on policy. >> >> -TST_NEEDS_CMDS="grep mktemp cut sed tr" >> -TST_CNT=1 >> +TST_NEEDS_CMDS="grep mktemp cut sed tr xxd keyctl evmctl openssl cmp" >> +TST_CNT=2 >> TST_NEEDS_DEVICE=1 >> >> +CERT_FILE="${CERT_FILE:-/etc/keys/x509_ima.der}" >> + >> . ima_setup.sh >> >> # Based on https://lkml.org/lkml/2019/12/13/564. >> @@ -64,4 +66,45 @@ test1() >> tst_res TPASS "specified keyrings were measured correctly" >> } >> >> + >> +# Test that a cert can be imported into the ".ima" keyring correctly. >> +test2() { >> + local keyring_id key_id test_file=$(mktemp) >> + >> + [ -f $CERT_FILE ] || tst_brk TCONF "missing $CERT_FILE" >> + >> + if ! openssl x509 -in $CERT_FILE -inform der > /dev/null; then >> + tst_brk TCONF "The suppled cert file ($CERT_FILE) is not a valid x509 certificate" >> + fi >> + >> + tst_res TINFO "adding a cert to the .ima keyring ($CERT_FILE)" >> + >> + keyring_id=$(keyctl show %:.ima | sed -n 2p | \ >> + sed 's/^[[:space:]]*//' | cut -d' ' -f1) || \ >> + tst_btk TCONF "unable to retrieve .ima keyring id" > Using "keyctl describe" returns the keyring id as the first token, > making it simpler to parse. Didn't realize this, will simplify the code here. > > Mimi Thanks again! Will get a patchset out with the changes asap. > >> + >> + if ! tst_is_num "$keyring_id"; then >> + tst_brk TCONF "unable to parse keyring id from keyring" >> + fi >> + >> + evmctl import $CERT_FILE "$keyring_id" > /dev/null || \ >> + tst_brk TCONF "unable to import a cert into the .ima keyring" >> + >> + grep -F ".ima" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \ >> + xxd -r -p > $test_file || \ >> + tst_brk TCONF "cert not found in ascii_runtime_measurements log" >> + >> + if ! openssl x509 -in $test_file -inform der > /dev/null; then >> + tst_brk TCONF "The cert logged in ascii_runtime_measurements is not a valid x509 certificate" >> + fi >> + >> + if cmp -s "$test_file" $CERT_FILE; then >> + tst_res TPASS "logged cert matches original cert" >> + else >> + tst_res TFAIL "logged cert does not match original cert" >> + fi >> + >> + rm $test_file >> +} >> + >> tst_run ^ permalink raw reply [flat|nested] 11+ messages in thread
* [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring 2020-06-24 19:59 ` Lachlan Sneff @ 2020-06-24 20:02 ` Mimi Zohar 2020-07-14 12:10 ` Petr Vorel 0 siblings, 1 reply; 11+ messages in thread From: Mimi Zohar @ 2020-06-24 20:02 UTC (permalink / raw) To: ltp On Wed, 2020-06-24 at 15:59 -0400, Lachlan Sneff wrote: > > >> diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md > >> index 16a1f48c3..e41f7b570 100644 > >> --- a/testcases/kernel/security/integrity/ima/README.md > >> +++ b/testcases/kernel/security/integrity/ima/README.md > >> @@ -16,6 +16,27 @@ CONFIG_INTEGRITY=y > >> CONFIG_IMA=y > >> ``` > >> > >> +IMA Key Import test > >> +------------- > >> + > >> +`ima_keys.sh` requires an x509 key to be generated and placed > >> +at `/etc/keys/x509_ima.der`. > > The filename "/etc/keys/x509_ima.der" is configurable. ?It's based on > > CONFIG_IMA_X509_PATH Kconfig option. ?Perhaps extract it from the > > running kernel's Kconfig? > I didn't think pulling it from the kernel config. Will try this. I > assume `grep "..." /boot/config-$(uname -r)` is the right way to grab a > line from the config? Try using scripts/extract-ikconfig. Mimi ^ permalink raw reply [flat|nested] 11+ messages in thread
* [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring 2020-06-24 20:02 ` Mimi Zohar @ 2020-07-14 12:10 ` Petr Vorel 0 siblings, 0 replies; 11+ messages in thread From: Petr Vorel @ 2020-07-14 12:10 UTC (permalink / raw) To: ltp Hi Mimi, Lachlan, > > >> +`ima_keys.sh` requires an x509 key to be generated and placed > > >> +at `/etc/keys/x509_ima.der`. > > > The filename "/etc/keys/x509_ima.der" is configurable. ?It's based on > > > CONFIG_IMA_X509_PATH Kconfig option. ?Perhaps extract it from the > > > running kernel's Kconfig? > > I didn't think pulling it from the kernel config. Will try this. I > > assume `grep "..." /boot/config-$(uname -r)` is the right way to grab a > > line from the config? > Try using scripts/extract-ikconfig. For now I'd just try to grep /boot/config-$(uname -r), but allow to run the test with the default value if kconfig not presented / readable (when running without root). I'm not sure if extract-ikconfig as external dependency would be suitable for LTP (understand it's great for kselftest as it's already presented). BTW there is a ticket for adding kernel config related helpers into the LTP shell API [1], I'll also note extract-ikconfig there. LTP refused for long time working with kernel config, because it it's requirement meant that SUT without it could not be tested. Always try to not make kernel config as hard dependency (various embedded or old android will be disabled; some linux distros require root for reading the config). Design in [1] also suggest to have possibility to run the test even without config. [1] https://github.com/linux-test-project/ltp/issues/700 > Mimi Kind regards, Petr ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2020-07-14 12:10 UTC | newest] Thread overview: 11+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-06-17 23:49 [LTP] [PATCH v3 0/2] IMA: Verify measurement of certificates Lachlan Sneff 2020-06-17 23:49 ` [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurment of keys Lachlan Sneff 2020-06-18 20:28 ` Petr Vorel 2020-06-24 13:21 ` Mimi Zohar 2020-06-24 15:27 ` Mimi Zohar 2020-06-17 23:49 ` [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff 2020-06-18 20:14 ` Petr Vorel 2020-06-24 16:41 ` Mimi Zohar 2020-06-24 19:59 ` Lachlan Sneff 2020-06-24 20:02 ` Mimi Zohar 2020-07-14 12:10 ` Petr Vorel
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox