[LTP] [PATCH 1/3] IMA: Update key test documentation

public inbox for ltp@lists.linux.it
 help / color / mirror / Atom feed

From: Lachlan Sneff <t-josne@linux.microsoft.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 1/3] IMA: Update key test documentation
Date: Mon,  3 Aug 2020 13:59:02 -0400	[thread overview]
Message-ID: <20200803175904.40269-2-t-josne@linux.microsoft.com> (raw)
In-Reply-To: <20200803175904.40269-1-t-josne@linux.microsoft.com>

The current documentation for the existing IMA key test was
left in by accident by a previous merge. It does not apply
to the test that is currently included in the LTP.

Update the documentation for the IMA key test.

Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
---
 .../kernel/security/integrity/ima/README.md   | 22 +++++--------------
 1 file changed, 5 insertions(+), 17 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index d4644ba39..2956ac7fd 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -15,27 +15,15 @@ Although a custom policy, loaded via dracut, systemd or manually from user
 space, may contain equivalent measurement tcb rules, detecting them would
 require `IMA_READ_POLICY=y` therefore ignore this option.
 
-### IMA key import test
-`ima_keys.sh` requires a x509 public key, by default in `/etc/keys/x509_ima.der`
-(defined in `CONFIG_IMA_X509_PATH` kernel config option).
-The key must be signed by the private key you generate. Follow these instructions:
-https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys
-
-The test cannot be set-up automatically because the x509 public key must be
-built into the kernel and loaded onto a trusted keyring
-(e.g. `.builtin_trusted_keys`, `.secondary_trusted_keyring`).
-
-As well as what's required for the IMA tests, the following are also required
-in the kernel configuration:
+### IMA key test
+`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
+with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
+
+Mandatory kernel configuration for IMA:
 ```
 CONFIG_IMA_READ_POLICY=y
-CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem"
 ```
 
-Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`.
-
 ### IMA kexec test
 
 `ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`,
-- 
2.25.1

next prev parent reply	other threads:[~2020-08-03 17:59 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-03 17:59 [LTP] [PATCH v1 0/3] Verify measurement of certificate imported into a keyring Lachlan Sneff
2020-08-03 17:59 ` Lachlan Sneff [this message]
2020-08-03 17:59 ` [LTP] [PATCH 2/3] IMA: Refactor datafiles directory Lachlan Sneff
2020-08-03 17:59 ` [LTP] [PATCH 3/3] IMA: Add a test to verify measurement of certificate imported into a keyring Lachlan Sneff
  -- strict thread matches above, loose matches on Subject: below --
2020-08-03 18:47 [LTP] [PATCH v1 0/3] Verify " Lachlan Sneff
2020-08-03 18:47 ` [LTP] [PATCH 1/3] IMA: Update key test documentation Lachlan Sneff
2020-08-04  4:35   ` Petr Vorel
2020-08-04 16:42     ` Lachlan Sneff
2020-08-05  8:36       ` Petr Vorel
2020-08-05  8:44   ` Petr Vorel

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d4644ba3 dfblob:2956ac7f )
 OR (
bs:"[LTP] [PATCH 1/3] IMA: Update key test documentation" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200803175904.40269-2-t-josne@linux.microsoft.com \
    --to=t-josne@linux.microsoft.com \
    --cc=ltp@lists.linux.it \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox