From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v2 2/2] IMA: Add test for dm-crypt measurement
Date: Sun, 27 Sep 2020 20:56:05 -0700 [thread overview]
Message-ID: <20200928035605.22701-3-tusharsu@linux.microsoft.com> (raw)
In-Reply-To: <20200928035605.22701-1-tusharsu@linux.microsoft.com>
New functionality is being added to IMA to measure data provided by
kernel components. With this feature, IMA policy can be set to enable
measuring data provided by device-mapper targets. Currently one such
device-mapper target - dm-crypt, is being updated to use this
functionality. This new functionality needs test automation in LTP.
Add a testcase which verifies that the IMA subsystem correctly measures
the data coming from a device-mapper target - dm-crypt.
Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
---
runtest/ima | 1 +
.../kernel/security/integrity/ima/README.md | 20 +++++++
.../integrity/ima/tests/ima_dm_crypt.sh | 60 +++++++++++++++++++
3 files changed, 81 insertions(+)
create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh
diff --git a/runtest/ima b/runtest/ima
index 5f4b4a7a1..123b6c8b0 100644
--- a/runtest/ima
+++ b/runtest/ima
@@ -5,4 +5,5 @@ ima_tpm ima_tpm.sh
ima_violations ima_violations.sh
ima_keys ima_keys.sh
ima_kexec ima_kexec.sh
+ima_dm_crypt ima_dm_crypt.sh
evm_overlay evm_overlay.sh
diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md
index 68d046678..007662fae 100644
--- a/testcases/kernel/security/integrity/ima/README.md
+++ b/testcases/kernel/security/integrity/ima/README.md
@@ -37,6 +37,26 @@ see example in `kexec.policy`.
The test attempts to kexec the existing running kernel image.
To kexec a different kernel image export `IMA_KEXEC_IMAGE=<pathname>`.
+### IMA DM target (dm-crypt) measurement test
+
+To enable IMA to measure device-mapper target - dm-crypt,
+`ima_dm_crypt.sh` requires a readable IMA policy, as well as
+a loaded measure policy with
+`func=CRITICAL_DATA data_sources=dm-crypt`
+
+As well as what's required for the IMA tests, dm-crypt measurement test require
+reading the IMA policy allowed in the kernel configuration:
+```
+CONFIG_IMA_READ_POLICY=y
+```
+
+The following kernel configuration is also required. It enables compiling
+the device-mapper target module dm-crypt, which allows to create a device
+that transparently encrypts the data on it.
+```
+CONFIG_DM_CRYPT
+```
+
## EVM tests
`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh b/testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh
new file mode 100755
index 000000000..396033f8d
--- /dev/null
+++ b/testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2020 Microsoft Corporation
+# Author: Tushar Sugandhi <tusharsu@linux.microsoft.com>
+#
+# Verify that DM target dm-crypt are measured correctly based on policy.
+
+TST_NEEDS_CMDS="dmsetup"
+TST_CNT=1
+TST_NEEDS_DEVICE=1
+TST_SETUP=setup
+TST_CLEANUP=cleanup
+
+. ima_setup.sh
+
+FUNC_CRIT_DATA='func=CRITICAL_DATA'
+TEMPLATE_BUF='template=ima-buf'
+REQUIRED_POLICY="^measure.*($FUNC_CRIT_DATA.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_CRIT_DATA)"
+
+setup()
+{
+ require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt
+}
+
+cleanup()
+{
+ ROD "dmsetup remove test-crypt"
+}
+
+test1()
+{
+ local input_digest="039d8ff71918608d585adca3e5aab2e3f41f84d6"
+ local pattern='data_sources=[^[:space:]]+'
+ local tmp_file="$TST_TMPDIR/dm_crypt_tmp.txt"
+ local policy="data_sources"
+ local arg key res
+
+ tst_res TINFO "verifying dm target - dmcrypt gets measured correctly"
+
+ check_policy_pattern "$pattern" $FUNC_CRIT_DATA $TEMPLATE_BUF > $tmp_file || return
+
+ tgt="crypt"
+ key="faf453b4ee938cff2f0d2c869a0b743f59125c0a37f5bcd8f1dbbd911a78abaa"
+
+ arg="'0 1953125 crypt aes-xts-plain64 "
+ arg="$arg $key 0 "
+ arg="$arg /dev/loop0 0 1 allow_discards'"
+
+ ROD "dmsetup create test-crypt --table $arg"
+
+ res="$(check_ima_ascii_log_for_policy $policy $tmp_file $input_digest)"
+
+ if [ $res = "0" ]; then
+ tst_res TPASS "dm-crypt target verification passed"
+ else
+ tst_res TFAIL "dm-crypt target verification failed"
+ fi
+}
+
+tst_run
--
2.17.1
next prev parent reply other threads:[~2020-09-28 3:56 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-28 3:56 [LTP] [PATCH v2 0/2] IMA: Add test for dm-crypt measurement Tushar Sugandhi
2020-09-28 3:56 ` [LTP] [PATCH v2 1/2] IMA: generalize key measurement tests Tushar Sugandhi
2020-12-21 23:05 ` Petr Vorel
2021-02-22 18:54 ` Tushar Sugandhi
2021-02-23 22:38 ` Petr Vorel
2020-09-28 3:56 ` Tushar Sugandhi [this message]
2021-01-12 23:13 ` [LTP] [PATCH v2 2/2] IMA: Add test for dm-crypt measurement Petr Vorel
2021-05-06 9:14 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200928035605.22701-3-tusharsu@linux.microsoft.com \
--to=tusharsu@linux.microsoft.com \
--cc=ltp@lists.linux.it \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox