[LTP] [LTP v4 0/5] IMA: verify measurement of certificate imported into a keyring

[LTP] [LTP v4 0/5] IMA: verify measurement of certificate imported into a keyring

[Petr Vorel]

Hi Mimi, Lakshmi,

changes v3->v4:
* Add new commit to add another policy dependency (template=ima-buf) and
and fix missing '.' in grep pattern
* Add cleanup function for test2: remove key with keyctl clear ID
instead of running keyctl new_session > /dev/null which was reported
as problematic (and still affects other tests which are run after this one)
* Update check_keys_policy() and checking the policy in general
* Remove new line when working policy to find keyrings and templates
* Replace tr with sed

I still kept keyctl new_session > /dev/null. Should I remove it?
Works for me without it, but that would probably require a cleanup.

Kind regards,
Petr

Lachlan Sneff (1):
  IMA: Add a test to verify measurement of certificate imported into a
    keyring

Petr Vorel (4):
  IMA/ima_keys.sh: Fix policy content check usage
  IMA/ima_keys.sh: Require template=ima-buf, fix grep pattern
  IMA: Refactor datafiles directory
  IMA/ima_keys.sh: Enhance policy checks

 .../kernel/security/integrity/ima/README.md   |  12 +-
 .../security/integrity/ima/datafiles/Makefile |  10 +-
 .../ima/datafiles/ima_kexec/Makefile          |  11 ++
 .../datafiles/{ => ima_kexec}/kexec.policy    |   0
 .../integrity/ima/datafiles/ima_keys/Makefile |  11 ++
 .../datafiles/{ => ima_keys}/keycheck.policy  |   2 +-
 .../ima/datafiles/ima_keys/x509_ima.der       | Bin 0 -> 650 bytes
 .../ima/datafiles/ima_policy/Makefile         |  11 ++
 .../datafiles/{ => ima_policy}/measure.policy |   0
 .../{ => ima_policy}/measure.policy-invalid   |   0
 .../security/integrity/ima/tests/ima_keys.sh  | 115 +++++++++++++++---
 11 files changed, 142 insertions(+), 30 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile
 rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_kexec}/kexec.policy (100%)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
 rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_keys}/keycheck.policy (59%)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile
 rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy (100%)
 rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy-invalid (100%)

-- 
2.28.0

[LTP] [LTP v4 1/5] IMA/ima_keys.sh: Fix policy content check usage

[Petr Vorel]

require_ima_policy_content cannot be used in subshell $() evaluation,
because tst_brk does not quit the test. It calls cleanup for the
subshell process and main process then continue:

ima_keys 1 TCONF: IMA policy does not specify 'func=KEY_CHECK'
=> Here it's running first cleanup. umount errors are because parent
shell process still has $PWD in directory to be unmounted:
umount: /tmp/LTP_ima_keys.0dIVrwJKIG/mntpoint: target is busy.
ima_keys 1 TINFO: umount(/dev/loop0) failed, try 1 ...
ima_keys 1 TINFO: Likely gvfsd-trash is probing newly mounted  fs, kill it to speed up tests.
umount: /tmp/LTP_ima_keys.0dIVrwJKIG/mntpoint: target is busy.
...
ima_keys 1 TINFO: umount(/dev/loop0) failed, try 50 ...
ima_keys 1 TINFO: Likely gvfsd-trash is probing newly mounted  fs, kill it to speed up tests.
ima_keys 1 TWARN: Failed to umount(/dev/loop0) after 50 retries
tst_device.c:222: WARN: ioctl(/dev/loop0, LOOP_CLR_FD, 0) no ENXIO for too long

Usage: tst_device acquire [size [filename]]
   or: tst_device release /path/to/device

ima_keys 1 TWARN: Failed to release device '/dev/loop0'
rm: cannot remove '/tmp/LTP_ima_keys.0dIVrwJKIG/mntpoint': Device or resource busy
ima_keys 1 TINFO: AppArmor enabled, this may affect test results
ima_keys 1 TINFO: it can be disabled with TST_DISABLE_APPARMOR=1 (requires super/root)
ima_keys 1 TINFO: loaded AppArmor profiles: none
/opt/ltp/testcases/bin/ima_keys.sh: line 25:  6166 Terminated              sleep $sec && tst_res TBROK "test killed, timeout! If you are running on slow machine, try exporting LTP_TIMEOUT_MUL > 1" && kill -9 -$pid  (wd: ~)

=> Here it should quit after running cleanup, but instead continue running:
ima_keys 1 TCONF: ima policy does not specify a keyrings to check

NOTE: The same limitation for using subshell $() is for
check_ima_policy_content, but it's safe due previous
require_ima_policy_content check.

Fixes: f20f44d72 ("IMA/ima_keys.sh: Fix policy readability check")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 testcases/kernel/security/integrity/ima/tests/ima_keys.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 3aea26056..53c289054 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -16,11 +16,14 @@ TST_NEEDS_DEVICE=1
 # (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
 test1()
 {
-	local keyrings keycheck_lines keycheck_line templates test_file="file.txt"
+	local keyrings keycheck_lines keycheck_line templates
+	local pattern="func=KEY_CHECK"
+	local test_file="file.txt"
 
 	tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
 
-	keycheck_lines=$(require_ima_policy_content "func=KEY_CHECK" "")
+	require_ima_policy_content "$pattern"
+	keycheck_lines=$(check_ima_policy_content "$pattern" "")
 	keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
 
 	if [ -z "$keycheck_line" ]; then
-- 
2.28.0

[LTP] [LTP v4 1/5] IMA/ima_keys.sh: Fix policy content check usage

[Petr Vorel]

Hi,

> require_ima_policy_content cannot be used in subshell $() evaluation,
> because tst_brk does not quit the test. It calls cleanup for the
> subshell process and main process then continue:
...

Merged this one to at least fix ima_keys.sh test.
I'll wait little longer before merging the rest of v4 patchset
https://patchwork.ozlabs.org/project/ltp/list/?series=196621

Kind regards,
Petr

[LTP] [LTP v4 1/5] IMA/ima_keys.sh: Fix policy content check usage

[Lakshmi Ramasubramanian]

On 8/24/20 10:19 AM, Petr Vorel wrote:

Hi Petr,

> 
>> require_ima_policy_content cannot be used in subshell $() evaluation,
>> because tst_brk does not quit the test. It calls cleanup for the
>> subshell process and main process then continue:
> ...
> 
> Merged this one to at least fix ima_keys.sh test.
> I'll wait little longer before merging the rest of v4 patchset
> https://patchwork.ozlabs.org/project/ltp/list/?series=196621
> 
Sorry for the late response.

I applied your v4 patches and ran keys tests. The issues reported 
earlier by Mimi are fixed.

thanks,
  -lakshmi

[LTP] [LTP v4 2/5] IMA/ima_keys.sh: Require template=ima-buf, fix grep pattern

[Petr Vorel]

test1 (and following test2 which will be added) require ima-buf template
which contains 'buf' identifier (the buffer data that was used to
generate the hash without size limitations). For simplicity we ignore
custom templates (ima_template_fmt kernel command line parameter), which
could also define it.

Also fix grep format for searching in the policy: add missing '.'
Searching for lines with specified templates *and* keyrings in the
measurement, but there is algorithm and hash in between, thus '.*'.
Previously template was just ignored due using just '*'.

Fixes: d2768c84e ("IMA: Add a test to verify measurement of keys")

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
New commit (maybe I should have split them into 2 commits).

 .../kernel/security/integrity/ima/tests/ima_keys.sh    | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 53c289054..015a3c115 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -17,13 +17,15 @@ TST_NEEDS_DEVICE=1
 test1()
 {
 	local keyrings keycheck_lines keycheck_line templates
-	local pattern="func=KEY_CHECK"
+	local func='func=KEY_CHECK'
+	local buf='template=ima-buf'
+	local pattern="($func.*$buf|$buf.*$func)"
 	local test_file="file.txt"
 
 	tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
 
-	require_ima_policy_content "$pattern"
-	keycheck_lines=$(check_ima_policy_content "$pattern" "")
+	require_ima_policy_content "$pattern" '-Eq'
+	keycheck_lines=$(check_ima_policy_content "$pattern" '-E')
 	keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
 
 	if [ -z "$keycheck_line" ]; then
@@ -39,7 +41,7 @@ test1()
 	templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
 		cut -d'=' -f2)
 
-	grep -E "($templates)*($keyrings)" $ASCII_MEASUREMENTS | while read line
+	grep -E "($templates).*($keyrings)" $ASCII_MEASUREMENTS | while read line
 	do
 		local digest expected_digest algorithm
 
-- 
2.28.0

[LTP] [LTP v4 3/5] IMA: Refactor datafiles directory

[Petr Vorel]

The IMA datafiles directory is structured so that it cannot be directly
expanded to include datafiles for tests other than `ima_policy.sh`
as it's installed into /opt/ltp/testcases/data/ima_policy.

Also not all policies are meant to be for ima_policy.sh, thus
move policies into their own directories based on the test which they
belong to. Rename policy directory to ima_policy to follow the
pattern that directory in sources match the installed directory.

Reported-by: Lachlan Sneff <t-josne@linux.microsoft.com>
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
[ pvorel: based on Lachlan's patch, rewritten ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
The same as in v3.

 .../kernel/security/integrity/ima/datafiles/Makefile  | 10 +++++-----
 .../integrity/ima/datafiles/ima_kexec/Makefile        | 11 +++++++++++
 .../ima/datafiles/{ => ima_kexec}/kexec.policy        |  0
 .../integrity/ima/datafiles/ima_keys/Makefile         | 11 +++++++++++
 .../ima/datafiles/{ => ima_keys}/keycheck.policy      |  0
 .../integrity/ima/datafiles/ima_policy/Makefile       | 11 +++++++++++
 .../ima/datafiles/{ => ima_policy}/measure.policy     |  0
 .../datafiles/{ => ima_policy}/measure.policy-invalid |  0
 8 files changed, 38 insertions(+), 5 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile
 rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_kexec}/kexec.policy (100%)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
 rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_keys}/keycheck.policy (100%)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile
 rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy (100%)
 rename testcases/kernel/security/integrity/ima/datafiles/{ => ima_policy}/measure.policy-invalid (100%)

diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile
index 369407112..6857ccfee 100644
--- a/testcases/kernel/security/integrity/ima/datafiles/Makefile
+++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile
@@ -1,6 +1,8 @@
 #
 #    testcases/kernel/security/integrity/ima/policy testcases Makefile.
 #
+#    Copyright (c) Linux Test Project, 2019-2020
+#    Copyright (c) 2020 Microsoft Corporation
 #    Copyright (C) 2009, Cisco Systems Inc.
 #
 #    This program is free software; you can redistribute it and/or modify
@@ -20,12 +22,10 @@
 # Ngie Cooper, July 2009
 #
 
-top_srcdir		?= ../../../../../..
+top_srcdir	?= ../../../../../..
 
 include	$(top_srcdir)/include/mk/env_pre.mk
 
-INSTALL_DIR		:= testcases/data/ima_policy
+SUBDIRS	:= ima_*
 
-INSTALL_TARGETS		:= measure.policy-invalid *.policy
-
-include $(top_srcdir)/include/mk/generic_leaf_target.mk
+include $(top_srcdir)/include/mk/generic_trunk_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile
new file mode 100644
index 000000000..5e0d632a7
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) Linux Test Project, 2020
+
+top_srcdir	?= ../../../../../../..
+
+include	$(top_srcdir)/include/mk/env_pre.mk
+
+INSTALL_DIR		:= testcases/data/ima_kexec
+INSTALL_TARGETS	:= *.policy
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_kexec/kexec.policy
similarity index 100%
rename from testcases/kernel/security/integrity/ima/datafiles/kexec.policy
rename to testcases/kernel/security/integrity/ima/datafiles/ima_kexec/kexec.policy
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
new file mode 100644
index 000000000..452321843
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) Linux Test Project, 2020
+
+top_srcdir	?= ../../../../../../..
+
+include	$(top_srcdir)/include/mk/env_pre.mk
+
+INSTALL_DIR		:= testcases/data/ima_keys
+INSTALL_TARGETS	:= *.policy
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
similarity index 100%
rename from testcases/kernel/security/integrity/ima/datafiles/keycheck.policy
rename to testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile
new file mode 100644
index 000000000..953e21556
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/Makefile
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) Linux Test Project, 2020
+
+top_srcdir	?= ../../../../../../..
+
+include	$(top_srcdir)/include/mk/env_pre.mk
+
+INSTALL_DIR		:= testcases/data/ima_policy
+INSTALL_TARGETS	:= *.policy-invalid *.policy
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/measure.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
similarity index 100%
rename from testcases/kernel/security/integrity/ima/datafiles/measure.policy
rename to testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy
diff --git a/testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid b/testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy-invalid
similarity index 100%
rename from testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid
rename to testcases/kernel/security/integrity/ima/datafiles/ima_policy/measure.policy-invalid
-- 
2.28.0

[LTP] [LTP v4 3/5] IMA: Refactor datafiles directory

[Petr Vorel]

Hi,

> --- a/testcases/kernel/security/integrity/ima/datafiles/Makefile
> +++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile
> @@ -1,6 +1,8 @@

>  #    testcases/kernel/security/integrity/ima/policy testcases Makefile.

> +#    Copyright (c) Linux Test Project, 2019-2020
> +#    Copyright (c) 2020 Microsoft Corporation
>  #    Copyright (C) 2009, Cisco Systems Inc.

>  #    This program is free software; you can redistribute it and/or modify
> @@ -20,12 +22,10 @@
>  # Ngie Cooper, July 2009


> -top_srcdir		?= ../../../../../..
> +top_srcdir	?= ../../../../../..

>  include	$(top_srcdir)/include/mk/env_pre.mk

> -INSTALL_DIR		:= testcases/data/ima_policy
> +SUBDIRS	:= ima_*
It looks this broke build on out-of-tree build:
https://travis-ci.org/github/linux-test-project/ltp/builds/722003659
https://travis-ci.org/github/linux-test-project/ltp/jobs/722003661
https://travis-ci.org/github/linux-test-project/ltp/jobs/722003662
https://travis-ci.org/github/linux-test-project/ltp/jobs/722003663
...

I'm sorry I overlooked that. I'll have look on Monday (unless anybody fixes it).

Kind regards,
Petr

> -INSTALL_TARGETS		:= measure.policy-invalid *.policy
> -
> -include $(top_srcdir)/include/mk/generic_leaf_target.mk
> +include $(top_srcdir)/include/mk/generic_trunk_target.mk

[LTP] [LTP v4 3/5] IMA: Refactor datafiles directory

[Petr Vorel]

Hi,

> > +SUBDIRS	:= ima_*
I guess this could fix it:
SUBDIRS	:= $(shell ls ima_*) 

I'm surprised that glob does not work on SUBDIRS.

> It looks this broke build on out-of-tree build:
> https://travis-ci.org/github/linux-test-project/ltp/builds/722003659
> https://travis-ci.org/github/linux-test-project/ltp/jobs/722003661
> https://travis-ci.org/github/linux-test-project/ltp/jobs/722003662
> https://travis-ci.org/github/linux-test-project/ltp/jobs/722003663
> ...

Kind regards,
Petr

[LTP] [LTP v4 3/5] IMA: Refactor datafiles directory

[Mimi Zohar]

On Fri, 2020-08-28 at 15:28 +0200, Petr Vorel wrote:
> Hi,
> 
> > > +SUBDIRS	:= ima_*
> I guess this could fix it:
> SUBDIRS	:= $(shell ls ima_*) 

Other LTP makefiles are using "wildcard".  Like this - $(wildcard
ima_*/)?

Mimi
> 
> I'm surprised that glob does not work on SUBDIRS.
> 
> > It looks this broke build on out-of-tree build:
> > https://travis-ci.org/github/linux-test-project/ltp/builds/722003659
> > https://travis-ci.org/github/linux-test-project/ltp/jobs/722003661
> > https://travis-ci.org/github/linux-test-project/ltp/jobs/722003662
> > https://travis-ci.org/github/linux-test-project/ltp/jobs/722003663
> > ...
> 
> Kind regards,
> Petr

[LTP] [LTP v4 3/5] IMA: Refactor datafiles directory

[Petr Vorel]

Hi Mimi,

> On Fri, 2020-08-28 at 15:28 +0200, Petr Vorel wrote:
> > Hi,

> > > > +SUBDIRS	:= ima_*
> > I guess this could fix it:
> > SUBDIRS	:= $(shell ls ima_*) 

> Other LTP makefiles are using "wildcard".  Like this - $(wildcard
> ima_*/)?
Thanks for a tip. But it looks like wildchard doesn't work on out-of-tree
either:

/usr/src/ltp/include/mk/generic_trunk_target.inc:97: *** SUBDIRS empty -- did you want generic_leaf_target instead?.  Stop.

It's visible only on powerpc64le-linux-gnu-gcc build, because that is the only
one from out-of-tree builds which also does make install.
(We removed make install from most of the builds in order  1) avoid sporadic
build failures due lack of space on Travis docker 2) safe time.)

Thus I fixed it in 4231003f3 with just simple listing the targets:
-SUBDIRS        := ima_*
+SUBDIRS        := ima_kexec ima_keys ima_policy

Kind regards,
Petr

[LTP] [LTP v4 3/5] IMA: Refactor datafiles directory

[Petr Vorel]

Hi,

> > > +SUBDIRS	:= ima_*
> I guess this could fix it:
> SUBDIRS	:= $(shell ls ima_*) 
This didn't work. Fixed in 4231003f3.

Kind regards,
Petr

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Petr Vorel]

From: Lachlan Sneff <t-josne@linux.microsoft.com>

The IMA subsystem supports measuring certificates that have been
imported into either system built-in or user-defined keyrings.
A test to verify measurement of a certificate imported
into a keyring is required.

Add an IMA measurement test that verifies that an x509 certificate
can be imported into a newly-created, user-defined keyring and measured
correctly by the IMA subsystem.

A certificate used by the test is included in the `datafiles/keys`
directory.

There can be restrictions on importing a certificate into a builtin
trusted keyring. For example, the `.ima` keyring requires that
imported certs be signed by a kernel private key in certain
kernel configurations. For this reason, this test defines
a user-defined keyring and imports a certificate into that.

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
[ pvorel: Added key_import_test into keycheck.policy, cleanup key,
reword instructions in README.md, LTP API related fixes ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
changes v3->v4:
* Add cleanup function for test2: remove key with keyctl clear ID
instead of running keyctl new_session > /dev/null which was reported
as problematic (and still affects other tests which are run after this one)

 .../kernel/security/integrity/ima/README.md   |  12 ++-
 .../integrity/ima/datafiles/ima_keys/Makefile |   2 +-
 .../ima/datafiles/ima_keys/keycheck.policy    |   2 +-
 .../ima/datafiles/ima_keys/x509_ima.der       | Bin 0 -> 650 bytes
 .../security/integrity/ima/tests/ima_keys.sh  |  70 ++++++++++++++++--
 5 files changed, 73 insertions(+), 13 deletions(-)
 create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der

diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 392e1e868..68d046678 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -16,11 +16,15 @@ space, may contain equivalent measurement tcb rules, detecting them would
 require `IMA_READ_POLICY=y` therefore ignore this option.
 
 ### IMA key test
-`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy
-with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`.
+The measuring keys test (first test) in `ima_keys.sh` requires a readable IMA
+policy, as well as a loaded measure policy with `func=KEY_CHECK keyrings=...`.
 
-As well as what's required for the IMA tests, the following are also required
--in the kernel configuration:
+The certificate import test (second test) require measure policy with
+`func=KEY_CHECK keyrings=key_import_test`. Valid policy for both is in
+`keycheck.policy`.
+
+As well as what's required for the IMA tests, key tests require reading the IMA
+policy allowed in the kernel configuration:
 ```
 CONFIG_IMA_READ_POLICY=y
 ```
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
index 452321843..ac7ce33ab 100644
--- a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/Makefile
@@ -6,6 +6,6 @@ top_srcdir	?= ../../../../../../..
 include	$(top_srcdir)/include/mk/env_pre.mk
 
 INSTALL_DIR		:= testcases/data/ima_keys
-INSTALL_TARGETS	:= *.policy
+INSTALL_TARGETS	:= *.policy x509_ima.der
 
 include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
index 3f1934a3d..623162002 100644
--- a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
+++ b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/keycheck.policy
@@ -1 +1 @@
-measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf
+measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf
diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der b/testcases/kernel/security/integrity/ima/datafiles/ima_keys/x509_ima.der
new file mode 100644
index 0000000000000000000000000000000000000000..92be058da22adffa9d6b6e51efa0c737ebbbbdcd
GIT binary patch
literal 650
zcmXqLVrnyJVtl`VnTe5!NhJD#vj69`9|BBf8}FEsx@^_9$Clp>c-c6$+C196^D;7W
zvoaV27z!HjvoVLVaPe?t<QJFZCFZ6YN*hRmgqV4R$}{p4b2Al+Gt=`j^U@WvQ!5SS
z3}oO&a59SVLzFncG#ki?^BP(jSQr@@7#Ud_7)6Qm8W{k&hEOgIY;2s5>?=lA2Ij_I
z27|^<rp88wchfeduxmMW^j9qUxkIugeev4q7u7yrJR_rW$*!>VOo=tim8DK0r^FsU
zl)K`}`+CO4@4KBkoLmcj?fH`%wbDvU<d=4Z>6-SMf6Eh}{&)1rdsOoNQ-1fgBQ1t{
zVTqGwuK95LlFE)6i{@=vlP6!2`Y}x<BF&oXU_nlDxy@C+CNp&=W=00a#jys_20XwZ
zl@(@W{LjK<z+k`);_<VvFf*|?7|4P+d@N!tBCNWX-0#?!UAx9s`mgFmW+nI2#6kmk
zkhC(3gn?Lt$m4W@56wQ)?QVKW<nOtpT)HJrB?Q^`z&K?FdV8b(y8m)~mOOvswu^9m
z-o7mOwCAzaT*~`Y4wxFtmNA_89`W;j{r#iww*5OC5vgEziqD_%=ki$*`;s}`Pfwi{
zbotZ0X`ckHOmaVLm85n@E9hN_K;~PUB>DFAzh(;(UoMln9V>g;W#-LUGS7A`nYQKY
WBem{7L5JThS+;$vggi%(*E;~nlJ80Y

literal 0
HcmV?d00001

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index 015a3c115..ad3cbbdc7 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -6,12 +6,18 @@
 #
 # Verify that keys are measured correctly based on policy.
 
-TST_NEEDS_CMDS="cut grep sed tr xxd"
-TST_CNT=1
+TST_NEEDS_CMDS="cmp cut grep sed tr xxd"
+TST_CNT=2
 TST_NEEDS_DEVICE=1
+TST_CLEANUP=cleanup
 
 . ima_setup.sh
 
+cleanup()
+{
+	tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID
+}
+
 # Based on https://lkml.org/lkml/2019/12/13/564.
 # (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
 test1()
@@ -29,13 +35,15 @@ test1()
 	keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
 
 	if [ -z "$keycheck_line" ]; then
-		tst_brk TCONF "ima policy does not specify a keyrings to check"
+		tst_res TCONF "IMA policy does not specify a keyrings to check"
+		return
 	fi
 
 	keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
 		sed "s/\./\\\./g" | cut -d'=' -f2)
 	if [ -z "$keyrings" ]; then
-		tst_brk TCONF "ima policy has a keyring key-value specifier, but no specified keyrings"
+		tst_res TCONF "IMA policy has a keyring key-value specifier, but no specified keyrings"
+		return
 	fi
 
 	templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
@@ -51,11 +59,13 @@ test1()
 
 		echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file
 
-		expected_digest="$(compute_digest $algorithm $test_file)" || \
-			tst_brk TCONF "cannot compute digest for $algorithm"
+		if ! expected_digest="$(compute_digest $algorithm $test_file)"; then
+			tst_res TCONF "cannot compute digest for $algorithm"
+			return
+		fi
 
 		if [ "$digest" != "$expected_digest" ]; then
-			tst_res TFAIL "incorrect digest was found for the ($keyring) keyring"
+			tst_res TFAIL "incorrect digest was found for $keyring keyring"
 			return
 		fi
 	done
@@ -63,4 +73,50 @@ test1()
 	tst_res TPASS "specified keyrings were measured correctly"
 }
 
+# Create a new keyring, import a certificate into it, and verify
+# that the certificate is measured correctly by IMA.
+test2()
+{
+	tst_require_cmds evmctl keyctl openssl
+
+	local cert_file="$TST_DATAROOT/x509_ima.der"
+	local keyring_name="key_import_test"
+	local temp_file="file.txt"
+
+	tst_res TINFO "verify measurement of certificate imported into a keyring"
+
+	if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
+		tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
+	fi
+
+	KEYRING_ID=$(keyctl newring $keyring_name @s) || \
+		tst_brk TBROK "unable to create a new keyring"
+
+	if ! tst_is_num $KEYRING_ID; then
+		tst_brk TBROK "unable to parse the new keyring id ('$KEYRING_ID')"
+	fi
+
+	evmctl import $cert_file $KEYRING_ID > /dev/null || \
+		tst_brk TBROK "unable to import a certificate into $keyring_name keyring"
+
+	grep $keyring_name $ASCII_MEASUREMENTS | tail -n1 | cut -d' ' -f6 | \
+		xxd -r -p > $temp_file
+
+	if [ ! -s $temp_file ]; then
+		tst_res TFAIL "keyring $keyring_name not found in $ASCII_MEASUREMENTS"
+		return
+	fi
+
+	if ! openssl x509 -in $temp_file -inform der > /dev/null; then
+		tst_res TFAIL "logged certificate is not a valid x509 certificate"
+		return
+	fi
+
+	if cmp -s $temp_file $cert_file; then
+		tst_res TPASS "logged certificate matches the original"
+	else
+		tst_res TFAIL "logged certificate does not match original"
+	fi
+}
+
 tst_run
-- 
2.28.0

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Mimi Zohar]

On Thu, 2020-08-20 at 11:08 +0200, Petr Vorel wrote:

> @@ -63,4 +73,50 @@ test1()
>  	tst_res TPASS "specified keyrings were measured correctly"
>  }
> 
> +# Create a new keyring, import a certificate into it, and verify
> +# that the certificate is measured correctly by IMA.
> +test2()
> +{
> +	tst_require_cmds evmctl keyctl openssl
> +
> +	local cert_file="$TST_DATAROOT/x509_ima.der"
> +	local keyring_name="key_import_test"
> +	local temp_file="file.txt"
> +
> +	tst_res TINFO "verify measurement of certificate imported into a keyring"
> +
> +	if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
> +		tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
> +	fi
> +
> +	KEYRING_ID=$(keyctl newring $keyring_name @s) || \
> +		tst_brk TBROK "unable to create a new keyring"
> +
> +	if ! tst_is_num $KEYRING_ID; then
> +		tst_brk TBROK "unable to parse the new keyring id ('$KEYRING_ID')"
> +	fi
> +

Instead of using TST_DATAROOT, which is defined as
"$LTPROOT/datafiles", use LTPROOT directly to define the path to the
cert.  Adding the following will allow the test to run from the build
directory.
 
      if [ ! -f $cert_file ]; then
              cert_file="$LTPROOT/../datafiles/ima_keys/x509_ima.der"
      fi

Mimi

> +	evmctl import $cert_file $KEYRING_ID > /dev/null || \
> +		tst_brk TBROK "unable to import a certificate into $keyring_name keyring"
> +

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Petr Vorel]

Hi Mimi,

...
> > +	if ! tst_is_num $KEYRING_ID; then
> > +		tst_brk TBROK "unable to parse the new keyring id ('$KEYRING_ID')"
> > +	fi
> > +

> Instead of using TST_DATAROOT, which is defined as
> "$LTPROOT/datafiles", use LTPROOT directly to define the path to the
> cert.  Adding the following will allow the test to run from the build
> directory.

>       if [ ! -f $cert_file ]; then
>               cert_file="$LTPROOT/../datafiles/ima_keys/x509_ima.der"
>       fi
Yes, this will work if you set LTPROOT to <ltp git>/testcases/kernel/security/integrity/ima/tests/:

$ cd <ltp git>/testcases/kernel/security/integrity/ima/tests/
$ LTPROOT=$PWD PATH="../../../../../lib/:.:$PATH" ./ima_keys.sh

But, according to doc [1] $LTPROOT is "Prefix for installed LTP, the default is
/opt/ltp.". Using it like this is confusing (if we want to misuse $LTPROOT, one
would expect it's a cloned git root directory). Running from git root it'd have
to be:

$ cd <ltp git>
$ LTPROOT=$PWD/testcases/kernel/security/integrity/ima/tests/ \
PATH="testcases/lib:testcases/kernel/security/integrity/ima/tests/:$PATH" ima_keys.sh

TL;DR: I'd really prefer people run IMA from installed LTP (make && make install
in both testcases/lib and testcases/kernel/security/integrity/ima/ is just enough),
but I'll add this hack to make your testing easier :). But fixing this in
tst_test.sh is really needed.

> Mimi

Kind regards,
Petr

[1] https://github.com/linux-test-project/ltp/wiki/User-Guidelines

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Petr Vorel]

Hi Mimi,

> ...
> > > +	if ! tst_is_num $KEYRING_ID; then
> > > +		tst_brk TBROK "unable to parse the new keyring id ('$KEYRING_ID')"
> > > +	fi
> > > +

> > Instead of using TST_DATAROOT, which is defined as
> > "$LTPROOT/datafiles", use LTPROOT directly to define the path to the
> > cert.  Adding the following will allow the test to run from the build
> > directory.

> >       if [ ! -f $cert_file ]; then
> >               cert_file="$LTPROOT/../datafiles/ima_keys/x509_ima.der"
> >       fi
> Yes, this will work if you set LTPROOT to <ltp git>/testcases/kernel/security/integrity/ima/tests/:

> $ cd <ltp git>/testcases/kernel/security/integrity/ima/tests/
> $ LTPROOT=$PWD PATH="../../../../../lib/:.:$PATH" ./ima_keys.sh

> But, according to doc [1] $LTPROOT is "Prefix for installed LTP, the default is
> /opt/ltp.". Using it like this is confusing (if we want to misuse $LTPROOT, one
> would expect it's a cloned git root directory). Running from git root it'd have
> to be:

> $ cd <ltp git>
> $ LTPROOT=$PWD/testcases/kernel/security/integrity/ima/tests/ \
> PATH="testcases/lib:testcases/kernel/security/integrity/ima/tests/:$PATH" ima_keys.sh

> TL;DR: I'd really prefer people run IMA from installed LTP (make && make install
> in both testcases/lib and testcases/kernel/security/integrity/ima/ is just enough),
> but I'll add this hack to make your testing easier :). But fixing this in
> tst_test.sh is really needed.

Suggesting this diff from v4:

+	# hack when running ima_keys.sh locally from ima_keys.sh directory
+	# LTPROOT=$PWD PATH="../../../../../lib/:.:$PATH" ./ima_keys.sh
+	if [ ! -f "$cert_file" ]; then
+		cert_file="$LTPROOT/../datafiles/ima_keys/x509_ima.der"
+	fi

Visible also on
https://github.com/pevik/ltp/tree/Lachlan_Sneff/ima_keys.sh-second-test.v4.fixes

Not sure if you still doing review & testing, thus waiting for your comments
or tags.

Kind regards,
Petr

> > Mimi

> Kind regards,
> Petr

> [1] https://github.com/linux-test-project/ltp/wiki/User-Guidelines

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Mimi Zohar]

Hi Petr,

On Thu, 2020-08-27 at 15:55 +0200, Petr Vorel wrote:

> > > > +	if ! tst_is_num $KEYRING_ID; then
> > > > +		tst_brk TBROK "unable to parse the new keyring id ('$KEYRING_ID')"
> > > > +	fi
> > > > +
> > > Instead of using TST_DATAROOT, which is defined as
> > > "$LTPROOT/datafiles", use LTPROOT directly to define the path to the
> > > cert.  Adding the following will allow the test to run from the build
> > > directory.
> > >       if [ ! -f $cert_file ]; then
> > >               cert_file="$LTPROOT/../datafiles/ima_keys/x509_ima.der"
> > >       fi
> > Yes, this will work if you set LTPROOT to <ltp git>/testcases/kernel/security/integrity/ima/tests/:

When running any of the tests from build tree test directory -
ltp/testcases/kernel/security/integrity/ima/tests, supplying LTPROOT
isn't necessary. "IMA: Refactor datafiles directory" broke running the
other tests directly from the build tree as well.

> > $ cd <ltp git>/testcases/kernel/security/integrity/ima/tests/
> > $ LTPROOT=$PWD PATH="../../../../../lib/:.:$PATH" ./ima_keys.sh
> > But, according to doc [1] $LTPROOT is "Prefix for installed LTP, the default is
> > /opt/ltp.". Using it like this is confusing (if we want to misuse $LTPROOT, one
> > would expect it's a cloned git root directory). Running from git root it'd have
> > to be:
> > $ cd <ltp git>
> > $ LTPROOT=$PWD/testcases/kernel/security/integrity/ima/tests/ \
> > PATH="testcases/lib:testcases/kernel/security/integrity/ima/tests/:$PATH" ima_keys.sh
> > TL;DR: I'd really prefer people run IMA from installed LTP (make && make install
> > in both testcases/lib and testcases/kernel/security/integrity/ima/ is just enough),
> > but I'll add this hack to make your testing easier :). But fixing this in
> > tst_test.sh is really needed.

I'm looking ...

> 
> Suggesting this diff from v4:
> 
> +	# hack when running ima_keys.sh locally from ima_keys.sh directory
> +	# LTPROOT=$PWD PATH="../../../../../lib/:.:$PATH" ./ima_keys.sh
> +	if [ ! -f "$cert_file" ]; then
> +		cert_file="$LTPROOT/../datafiles/ima_keys/x509_ima.der"
> +	fi
> 
> Visible also on
> https://github.com/pevik/ltp/tree/Lachlan_Sneff/ima_keys.sh-second-test.v4.fixes
> 
> Not sure if you still doing review & testing, thus waiting for your comments
> or tags.

Sorry, yes I'm planning to.

Mimi

> 
> Kind regards,
> Petr
> 
> > > Mimi
> > Kind regards,
> > Petr
> > [1] https://github.com/linux-test-project/ltp/wiki/User-Guidelines

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Petr Vorel]

Hi Mimi,

...
> > > > Instead of using TST_DATAROOT, which is defined as
> > > > "$LTPROOT/datafiles", use LTPROOT directly to define the path to the
> > > > cert.  Adding the following will allow the test to run from the build
> > > > directory.
> > > >       if [ ! -f $cert_file ]; then
> > > >               cert_file="$LTPROOT/../datafiles/ima_keys/x509_ima.der"
> > > >       fi
> > > Yes, this will work if you set LTPROOT to <ltp git>/testcases/kernel/security/integrity/ima/tests/:

> When running any of the tests from build tree test directory -
> ltp/testcases/kernel/security/integrity/ima/tests, supplying LTPROOT
> isn't necessary. "IMA: Refactor datafiles directory" broke running the
> other tests directly from the build tree as well.
Correct, I overlooked $LTPROOT does not have to be set.
You're right, there is export LTPROOT="$PWD" in tst_test.sh.

The only broken tests are ima_policy.sh and ima_keys.sh. I fixed that workaround
in the commit "IMA: Refactor datafiles directory":

+++ testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -160,6 +160,11 @@ ima_setup()
 	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
 	IMA_POLICY="$IMA_DIR/policy"
 
+	# hack when running tests locally from tests directory
+	if [ ! -d "$TST_DATAROOT" ]; then
+		TST_DATAROOT="$LTPROOT/../datafiles/$TST_ID/"
+	fi
+
 	print_ima_config
 
 	if [ "$TST_NEEDS_DEVICE" = 1 ]; then
---

Again, pushed to:
https://github.com/pevik/ltp/tree/Lachlan_Sneff/ima_keys.sh-second-test.v4.fixes

Kind regards,
Petr

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Mimi Zohar]

On Fri, 2020-08-28 at 00:54 +0200, Petr Vorel wrote:
> Hi Mimi,
> 
> ...
> > > > > Instead of using TST_DATAROOT, which is defined as
> > > > > "$LTPROOT/datafiles", use LTPROOT directly to define the path to the
> > > > > cert.  Adding the following will allow the test to run from the build
> > > > > directory.
> > > > >       if [ ! -f $cert_file ]; then
> > > > >               cert_file="$LTPROOT/../datafiles/ima_keys/x509_ima.der"
> > > > >       fi
> > > > Yes, this will work if you set LTPROOT to <ltp git>/testcases/kernel/security/integrity/ima/tests/:
> > When running any of the tests from build tree test directory -
> > ltp/testcases/kernel/security/integrity/ima/tests, supplying LTPROOT
> > isn't necessary. "IMA: Refactor datafiles directory" broke running the
> > other tests directly from the build tree as well.
> Correct, I overlooked $LTPROOT does not have to be set.
> You're right, there is export LTPROOT="$PWD" in tst_test.sh.
> 
> The only broken tests are ima_policy.sh and ima_keys.sh. I fixed that workaround
> in the commit "IMA: Refactor datafiles directory":
> 
> +++ testcases/kernel/security/integrity/ima/tests/ima_setup.sh
> @@ -160,6 +160,11 @@ ima_setup()
>  	BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements"
>  	IMA_POLICY="$IMA_DIR/policy"
>  
> +	# hack when running tests locally from tests directory
> +	if [ ! -d "$TST_DATAROOT" ]; then
> +		TST_DATAROOT="$LTPROOT/../datafiles/$TST_ID/"
> +	fi
> +

Thanks, Petr.  This works properly.  To remove the "hack", would
require running the test from "ima", not "ima/tests", but that would
require fixing how ima_setup.sh is called.   It also would still
require setting TST_DATAROOT to TST_DATAROOT/$TST_ID.

Mimi

>  	print_ima_config
>  
>  	if [ "$TST_NEEDS_DEVICE" = 1 ]; then
> ---
> 
> Again, pushed to:
> https://github.com/pevik/ltp/tree/Lachlan_Sneff/ima_keys.sh-second-test.v4.fixes
> 
> Kind regards,
> Petr

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Petr Vorel]

Hi Mimi,

> Thanks, Petr.  This works properly.  To remove the "hack", would
> require running the test from "ima", not "ima/tests", but that would
> require fixing how ima_setup.sh is called.   It also would still
> require setting TST_DATAROOT to TST_DATAROOT/$TST_ID.
Let's keep it and suppose people run tests from ima/tests.
This needs to be fixed on LTP side, I have it on my TODO list.

Anything else?
After that I'll work on ima_tpm.sh and after on policy automatic loading.
BTW there are also plans for reboot support [1] [2], that could be used as
workaround for configuration without CONFIG_IMA_READ_POLICY=y and
CONFIG_IMA_WRITE_POLICY=y.

[1] http://lists.linux.it/pipermail/ltp/2020-August/018636.html
[2] http://lists.linux.it/pipermail/ltp/2020-August/018658.html

> Mimi

Kind regards,
Petr

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Mimi Zohar]

On Fri, 2020-08-28 at 08:05 +0200, Petr Vorel wrote:
> Hi Mimi,
> 
> > Thanks, Petr.  This works properly.  To remove the "hack", would
> > require running the test from "ima", not "ima/tests", but that would
> > require fixing how ima_setup.sh is called.   It also would still
> > require setting TST_DATAROOT to TST_DATAROOT/$TST_ID.
> Let's keep it and suppose people run tests from ima/tests.
> This needs to be fixed on LTP side, I have it on my TODO list.

Sure
> 
> Anything else?
> After that I'll work on ima_tpm.sh and after on policy automatic loading.
> BTW there are also plans for reboot support [1] [2], that could be used as
> workaround for configuration without CONFIG_IMA_READ_POLICY=y and
> CONFIG_IMA_WRITE_POLICY=y.
> 
> [1] http://lists.linux.it/pipermail/ltp/2020-August/018636.html
> [2] http://lists.linux.it/pipermail/ltp/2020-August/018658.html

Sounds good!

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> for the entire patch set.

thanks,

Mimi

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Petr Vorel]

Hi Mimi,

...
> > Anything else?
> > After that I'll work on ima_tpm.sh and after on policy automatic loading.
> > BTW there are also plans for reboot support [1] [2], that could be used as
> > workaround for configuration without CONFIG_IMA_READ_POLICY=y and
> > CONFIG_IMA_WRITE_POLICY=y.

> > [1] http://lists.linux.it/pipermail/ltp/2020-August/018636.html
> > [2] http://lists.linux.it/pipermail/ltp/2020-August/018658.html

> Sounds good!

> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> for the entire patch set.

Thanks a lot for your review and testing!
Merged the rest of the patchset (first commit was already merged on Monday).

Kind regards,
Petr

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Mimi Zohar]

On Fri, 2020-08-28 at 08:05 +0200, Petr Vorel wrote:
> BTW there are also plans for reboot support [1] [2], that could be used as
> workaround for configuration without CONFIG_IMA_READ_POLICY=y and
> CONFIG_IMA_WRITE_POLICY=y.

The reboot support could also be used for carrying the IMA measurement
list across kexec and verifying the TPM PCRs.

Mimi

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Petr Vorel]

> On Fri, 2020-08-28 at 08:05 +0200, Petr Vorel wrote:
> > BTW there are also plans for reboot support [1] [2], that could be used as
> > workaround for configuration without CONFIG_IMA_READ_POLICY=y and
> > CONFIG_IMA_WRITE_POLICY=y.

> The reboot support could also be used for carrying the IMA measurement
> list across kexec and verifying the TPM PCRs.
Adding into my TODO list. I'd just run whole test ima_kexec.sh twice and reboot
in between.

> Mimi

Kind regards,
Petr

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Mimi Zohar]

On Fri, 2020-08-28 at 14:49 +0200, Petr Vorel wrote:
> > On Fri, 2020-08-28 at 08:05 +0200, Petr Vorel wrote:
> > > BTW there are also plans for reboot support [1] [2], that could be used as
> > > workaround for configuration without CONFIG_IMA_READ_POLICY=y and
> > > CONFIG_IMA_WRITE_POLICY=y.
> > The reboot support could also be used for carrying the IMA measurement
> > list across kexec and verifying the TPM PCRs.

> Adding into my TODO list. I'd just run whole test ima_kexec.sh twice and reboot
> in between.

The ima_kexec.sh tests measures the kexec boot cmdline and kernel
image.   What's needed is walking the measurement list re-calculating
the PCRs and then verifying them against the actual TPM PCRs.  Maybe
running the ima_tpm.sh test twice.

Mimi

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Petr Vorel]

Hi Mimi,

> On Fri, 2020-08-28 at 14:49 +0200, Petr Vorel wrote:
> > > On Fri, 2020-08-28 at 08:05 +0200, Petr Vorel wrote:
> > > > BTW there are also plans for reboot support [1] [2], that could be used as
> > > > workaround for configuration without CONFIG_IMA_READ_POLICY=y and
> > > > CONFIG_IMA_WRITE_POLICY=y.
> > > The reboot support could also be used for carrying the IMA measurement
> > > list across kexec and verifying the TPM PCRs.

> > Adding into my TODO list. I'd just run whole test ima_kexec.sh twice and reboot
> > in between.

> The ima_kexec.sh tests measures the kexec boot cmdline and kernel
> image.   What's needed is walking the measurement list re-calculating
> the PCRs and then verifying them against the actual TPM PCRs.  Maybe
> running the ima_tpm.sh test twice.
Right, thanks for clarification :).

It takes some time till reboot implementation in LTP API is implemented. But I
hope to send fix for TPM 2.0 and sha256 hash (these changes in v5.8) for
ima_tpm.sh this week.


Kind regards,
Petr

[LTP] [LTP v4 4/5] IMA: Add a test to verify measurement of certificate imported into a keyring

[Mimi Zohar]

On Thu, 2020-08-20 at 11:08 +0200, Petr Vorel wrote:
> From: Lachlan Sneff <t-josne@linux.microsoft.com>
> 
> The IMA subsystem supports measuring certificates that have been
> imported into either system built-in or user-defined keyrings.
> A test to verify measurement of a certificate imported
> into a keyring is required.
> 
> Add an IMA measurement test that verifies that an x509 certificate
> can be imported into a newly-created, user-defined keyring and measured
> correctly by the IMA subsystem.
> 
> A certificate used by the test is included in the `datafiles/keys`
> directory.
> 
> There can be restrictions on importing a certificate into a builtin
> trusted keyring. For example, the `.ima` keyring requires that
> imported certs be signed by a kernel private key in certain
> kernel configurations. For this reason, this test defines
> a user-defined keyring and imports a certificate into that.

FYI, similar restrictions could be defined for userspace keyrings. 
Refer to Mat Martineau's LSS 2019 talk titled "Using and Implementing
Keyring Restrictions for Userspace" and the keyctl's "restrict_keyring"
option.

Mimi

[LTP] [LTP v4 5/5] IMA/ima_keys.sh: Enhance policy checks

[Petr Vorel]

Add check_keys_policy helper to check for all policy's keyrings and
templates (removed head) and reuse policy check code.

Replaced tr with sed to cut down the dependencies.

Log keyrings and templates for easier debugging.

NOTE: check_keys_policy cannot be used with subhell $() redirection
(unless previously checked with other helpers), thus use redirection to
the file.

Tested on 2 policies with more lines than example policy
in keycheck.policy:

measure func=KEY_CHECK keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist|key_import_test template=ima-buf
measure func=KEY_CHECK keyrings=key_import_test template=ima-buf

measure func=KEY_CHECK template=ima-buf keyrings=.ima|.builtin_trusted_keys
measure func=KEY_CHECK template=ima-buf keyrings=key_import_test

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
changes v3->v4:
* update check_keys_policy() and checking the policy in general
* remove new line when working policy to find keyrings and templates
* replace tr with sed

 .../security/integrity/ima/tests/ima_keys.sh  | 60 ++++++++++++-------
 1 file changed, 37 insertions(+), 23 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
index ad3cbbdc7..c5a6d2591 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh
@@ -6,48 +6,63 @@
 #
 # Verify that keys are measured correctly based on policy.
 
-TST_NEEDS_CMDS="cmp cut grep sed tr xxd"
+TST_NEEDS_CMDS="cmp cut grep sed xxd"
 TST_CNT=2
 TST_NEEDS_DEVICE=1
+TST_SETUP=setup
 TST_CLEANUP=cleanup
 
 . ima_setup.sh
 
+FUNC_KEYCHECK='func=KEY_CHECK'
+TEMPLATE_BUF='template=ima-buf'
+REQUIRED_POLICY="^measure.*($FUNC_KEYCHECK.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_KEYCHECK)"
+
+setup()
+{
+	require_ima_policy_content "$REQUIRED_POLICY" '-E' > policy.txt
+}
+
 cleanup()
 {
 	tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID
 }
 
+check_keys_policy()
+{
+	local pattern="$1"
+
+	if ! grep -E "$pattern" policy.txt; then
+		tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK, $TEMPLATE_BUF"
+		return 1
+	fi
+	return 0
+}
+
 # Based on https://lkml.org/lkml/2019/12/13/564.
 # (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys")
 test1()
 {
-	local keyrings keycheck_lines keycheck_line templates
-	local func='func=KEY_CHECK'
-	local buf='template=ima-buf'
-	local pattern="($func.*$buf|$buf.*$func)"
-	local test_file="file.txt"
-
-	tst_res TINFO "verifying key measurement for keyrings and templates specified in IMA policy file"
+	local keycheck_lines i keyrings templates
+	local pattern='keyrings=[^[:space:]]+'
+	local test_file="file.txt" tmp_file="file2.txt"
 
-	require_ima_policy_content "$pattern" '-Eq'
-	keycheck_lines=$(check_ima_policy_content "$pattern" '-E')
-	keycheck_line=$(echo "$keycheck_lines" | grep "keyrings" | head -n1)
+	tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy"
 
-	if [ -z "$keycheck_line" ]; then
-		tst_res TCONF "IMA policy does not specify a keyrings to check"
-		return
-	fi
-
-	keyrings=$(echo "$keycheck_line" | tr " " "\n" | grep "keyrings" | \
-		sed "s/\./\\\./g" | cut -d'=' -f2)
+	check_keys_policy "$pattern" > $tmp_file || return
+	keycheck_lines=$(cat $tmp_file)
+	keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \
+		sed "s/\./\\\./g" | cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g')
 	if [ -z "$keyrings" ]; then
 		tst_res TCONF "IMA policy has a keyring key-value specifier, but no specified keyrings"
 		return
 	fi
 
-	templates=$(echo "$keycheck_line" | tr " " "\n" | grep "template" | \
-		cut -d'=' -f2)
+	templates=$(for i in $keycheck_lines; do echo "$i" | grep "template" | \
+		cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g')
+
+	tst_res TINFO "keyrings: '$keyrings'"
+	tst_res TINFO "templates: '$templates'"
 
 	grep -E "($templates).*($keyrings)" $ASCII_MEASUREMENTS | while read line
 	do
@@ -81,13 +96,12 @@ test2()
 
 	local cert_file="$TST_DATAROOT/x509_ima.der"
 	local keyring_name="key_import_test"
+	local pattern="keyrings=[^[:space:]]*$keyring_name"
 	local temp_file="file.txt"
 
 	tst_res TINFO "verify measurement of certificate imported into a keyring"
 
-	if ! check_ima_policy_content "^measure.*func=KEY_CHECK.*keyrings=.*$keyring_name"; then
-		tst_brk TCONF "IMA policy does not contain $keyring_name keyring"
-	fi
+	check_keys_policy "$pattern" >/dev/null || return
 
 	KEYRING_ID=$(keyctl newring $keyring_name @s) || \
 		tst_brk TBROK "unable to create a new keyring"
-- 
2.28.0