From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurement of keys
Date: Thu, 18 Jun 2020 22:28:40 +0200
Message-ID: <20200618202840.GA175579@x230>
In-Reply-To: <20200617234957.10611-2-t-josne@linux.microsoft.com>
Hi Lachlan,
Reviewed-by: Petr Vorel <pvorel@suse.cz>
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
> @@ -0,0 +1,67 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +# Copyright (c) 2020 Microsoft Corporation
> +# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
> +#
> +# Verify that keys are measured correctly based on policy.
> +
> +TST_NEEDS_CMDS="grep mktemp cut sed tr"
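Review bot: TST_NEEDS_CMDS is missing xxd, which the test invokes further down (`xxd -r -p`) to turn the hex payload back into bytes; xxd is usually packaged with vim rather than with coreutils, so on a minimal system the test would die inside that pipeline instead of reporting TCONF up front. Suggest `TST_NEEDS_CMDS="grep mktemp cut sed tr xxd"`.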
This is already a dependency of tst_test.sh, but it does no harm to have it
here (in case we remove the dependency from tst_test.sh).
> +TST_CNT=1
> +TST_NEEDS_DEVICE=1
> +
> +. ima_setup.sh
> +
> +# Based on https://lkml.org/lkml/2019/12/13/564.
> +# (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
> +test1()
> +{
> + local keyrings keycheck_line templates test_file=$(mktemp)
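Review bot: the `local ... test_file=$(mktemp)` form hides mktemp's exit status behind local's own (always 0), so a failed mktemp leaves test_file empty and the error only surfaces later at the `> $test_file` redirection with a confusing message. It also creates the file under TMPDIR rather than in the per-test temporary directory that TST_NEEDS_DEVICE=1 already switches the test into, where tst_test.sh would clean it up. Suggest either a plain name in the current directory (`local ... test_file="key.bin"`) or a separate, checked call: `test_file=$(mktemp) || tst_brk TBROK "mktemp failed"`.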
Do we need mktemp? Can't it be just:
local keyrings keycheck_line templates test_file="file.txt"
...
> + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
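Review bot: nothing checks the outcome of this pipeline: if the measurement line has fewer than six space-separated fields or the hex field is malformed, `cut`/`xxd` leave an empty or truncated file and the loop goes on to a digest comparison whose TFAIL message does not say why it failed. A guard such as `[ -s "$test_file" ] || tst_brk TBROK "empty key data for $keyring"` after the redirection would make that failure mode explicit; the redirection target should also be quoted (`> "$test_file"`).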
Because you later just overwrite the file (simplicity).
I also try to keep shell dependencies low so it's possible to run it in a
dracut initramfs with rapido [1] without too many dependencies (although mktemp
is already a tst_test.sh dependency).
> +
> + expected_digest="$(compute_digest $algorithm $test_file)" || \
> + tst_brk TCONF "cannot compute digest for $algorithm"
> +
> + if [ "$digest" != "$expected_digest" ]; then
> + tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
> + fi
> + done
> +
> + rm $test_file
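Review bot: `expected_digest` is assigned inside the loop but does not appear in the `local` list at the top of test1(), so it leaks into the global shell namespace; add it to that declaration next to `test_file` (the same check applies to `digest`, `algorithm`, `line` and `keyring` unless they are declared in the elided part of the function). For consistency with the checked creation of the file, `rm "$test_file"` should quote the path as well.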
Again, IMHO no need to delete the file.
[1] https://github.com/rapido-linux/rapido
> +
> + tst_res TPASS "specified keyrings were measured correctly"
This TPASS will be called even if there is a previous TFAIL "incorrect digest was
found for the ($keyring) keyring". We should either exit testing with return,
or have a variable to detect failure and not call this (not sure what makes more
sense).
Kind regards,
Petr
Thread overview (11+ messages):
2020-06-17 23:49 [LTP] [PATCH v3 0/2] IMA: Verify measurement of certificates Lachlan Sneff
2020-06-17 23:49 ` [LTP] [PATCH v3 1/2] IMA: Add a test to verify measurement of keys Lachlan Sneff
2020-06-18 20:28 ` Petr Vorel [this message]
2020-06-24 13:21 ` Mimi Zohar
2020-06-24 15:27 ` Mimi Zohar
2020-06-17 23:49 ` [LTP] [PATCH v3 2/2] IMA: Add a test to verify importing a certificate into keyring Lachlan Sneff
2020-06-18 20:14 ` Petr Vorel
2020-06-24 16:41 ` Mimi Zohar
2020-06-24 19:59 ` Lachlan Sneff
2020-06-24 20:02 ` Mimi Zohar
2020-07-14 12:10 ` Petr Vorel