mirror of
https://git.code.sf.net/p/linux-ima/ima-evm-utils
synced 2025-07-01 13:21:12 +02:00
Merge branch 'uml' into next
From "Support testing in new environments" cover letter:

One of the main limitations of running tests in the current environment is that features/bug fixes to be tested need to be already included in the running kernel, which is not always the case. User Mode Linux (UML) and virtual machines can be used to overcome this limitation. They allow creating a new environment and running a custom kernel built by a CI or by the user. The tests can then check the features/bug fixes of the custom kernel.

Running tests in a new environment also gives the ability to control the configuration, and to have a clean state for each test by creating new environments as necessary. The current environment might not allow that, e.g. for security reasons.

Introduce a mechanism for creating and managing new environments. Expose an API that allows transparently creating one or multiple environments in a test script, and reexecuting that script in the new one. Using that API requires minimal changes to the existing scripts. The API is generic enough to support different types of environments. The environment can be selected with the TST_ENV environment variable. At the moment, only UML is supported. QEMU will be added at a later stage.

With the ability to test custom kernels, ima-evm-utils might introduce specific tests for that, separated from the tests to verify the ima-evm-utils user space functionality. At the moment, there is no such distinction, existing tests verify both.

First, fix error messages and a variable in evmctl. Then, add kernel configuration options for the tests, to be merged with the default configuration. Add a new job in the GitHub workflow to build the UML kernel from a repository and branch specified in the LINUX_URL and LINUX_BRANCH variables (if the kernel repository does not have a branch with the same name as the ima-evm-utils one). Per GitHub documentation, these variables can be defined at organization, repository and environment level.

Return the correct script exit code if no test was executed. Introduce the new API for creating and managing new environments, for existing and new test scripts. If TST_ENV is not set, calling the API results in a nop, and tests are executed in the current environment. Add the possibility to select individual tests to run in a test script, with the TST_LIST variable, so that a new environment can be created multiple times for a subset of tests (useful if for example a test requires kernel settings different from the previous test).

Add tests for EVM portable signatures and modify fsverity.test to use the new API. Finally, don't require making changes to the system to run fsverity.test, install a software dependency after the appropriate repository has been set up, and temporarily remove CONFIG_DEBUG_SG to avoid a kernel panic until the patches to fix it are accepted in the upstream kernel.
99
.github/workflows/ci.yml
vendored
@ -3,7 +3,79 @@ name: "distros"
|
||||
on: [push, pull_request]
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
LINUX_SHA: ${{ steps.last-commit.outputs.LINUX_SHA }}
|
||||
name: build
|
||||
timeout-minutes: 100
|
||||
strategy:
|
||||
fail-fast: false
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Determine last kernel commit
|
||||
id: last-commit
|
||||
shell: bash
|
||||
run: |
|
||||
mkdir linux-integrity
|
||||
pushd linux-integrity
|
||||
git init
|
||||
LINUX_URL=${{ vars.LINUX_URL }}
|
||||
if [ -z "$LINUX_URL" ]; then
|
||||
LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
|
||||
fi
|
||||
LINUX_BRANCH=${{ vars.LINUX_BRANCH }}
|
||||
if [ -z "$LINUX_BRANCH" ]; then
|
||||
LINUX_BRANCH=next-integrity
|
||||
fi
|
||||
git remote add origin $LINUX_URL
|
||||
LINUX_SHA=$(git ls-remote origin $GITHUB_REF_NAME | awk '{print $1}')
|
||||
[ -z "$LINUX_SHA" ] && LINUX_SHA=$(git ls-remote origin $LINUX_BRANCH | awk '{print $1}')
|
||||
echo "LINUX_SHA=$LINUX_SHA" >> $GITHUB_OUTPUT
|
||||
popd
|
||||
|
||||
- name: Cache UML kernel
|
||||
id: cache-linux
|
||||
uses: actions/cache@v3
|
||||
with:
|
||||
path: linux
|
||||
key: linux-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
|
||||
|
||||
- name: Cache signing key
|
||||
id: cache-key
|
||||
uses: actions/cache@v3
|
||||
with:
|
||||
path: signing_key.pem
|
||||
key: signing_key.pem-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
|
||||
|
||||
- name: Compile UML kernel
|
||||
if: steps.cache-linux.outputs.cache-hit != 'true' || steps.cache-key.outputs.cache-hit != 'true'
|
||||
shell: bash
|
||||
run: |
|
||||
if [ "$DEVTOOLSET" = "yes" ]; then
|
||||
source /opt/rh/devtoolset-10/enable
|
||||
fi
|
||||
if [ "$ARCH" = "i386" ]; then
|
||||
CROSS_COMPILE_OPT="CROSS_COMPILE=i686-linux-gnu-"
|
||||
fi
|
||||
pushd linux-integrity
|
||||
git pull --depth 1 origin ${{ steps.last-commit.outputs.LINUX_SHA }}
|
||||
make ARCH=um defconfig
|
||||
./scripts/kconfig/merge_config.sh -m .config $(ls ../kernel-configs/*)
|
||||
# Update manually, to specify ARCH=um
|
||||
make ARCH=um olddefconfig
|
||||
# Make everything built-in
|
||||
make ARCH=um localyesconfig
|
||||
make ARCH=um $CROSS_COMPILE_OPT -j$(nproc)
|
||||
chmod +x linux
|
||||
cp linux ..
|
||||
cp certs/signing_key.pem ..
|
||||
popd
|
||||
|
||||
job:
|
||||
needs: build
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
strategy:
|
||||
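Review bot: the `Compile UML kernel` step branches on `$DEVTOOLSET` (`source /opt/rh/devtoolset-10/enable`) and `$ARCH` (`CROSS_COMPILE=i686-linux-gnu-`), but the `build` job defines neither: its `strategy:` contains only `fail-fast: false` and there is no `env:` or matrix, so both branches are dead on the `ubuntu-latest` runner. Either drop them or give the job a matrix so the UML kernel is built for the variants the test job actually covers. In `Determine last kernel commit`, `git ls-remote origin $GITHUB_REF_NAME` is an unqualified ref, so a branch and a tag with the same name return two lines and `awk '{print $1}'` yields two SHAs; on `pull_request` events `GITHUB_REF_NAME` is `<number>/merge`, which never matches and always falls back to `LINUX_BRANCH`. Use `refs/heads/$GITHUB_REF_NAME` and say in a comment that PRs always test against `LINUX_BRANCH`. `LINUX_URL=${{ vars.LINUX_URL }}` and `git remote add origin $LINUX_URL` are unquoted; since this URL decides what source gets compiled and then booted as root in a `--privileged` container, quote it and keep it in repository variables only. Finally, `Cache signing key` stores the module-signing private key `certs/signing_key.pem` in the Actions cache, where any later run on the branch (including pull request runs against it) can restore it; that is fine for a throwaway key generated by the kernel build, but a comment should say so, so the pattern is not copied for a real key.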
@ -75,6 +147,13 @@ jobs:
|
||||
CC: clang
|
||||
TSS: ibmtss
|
||||
|
||||
- container: "fedora:latest"
|
||||
env:
|
||||
CC: clang
|
||||
TSS: ibmtss
|
||||
TST_ENV: um
|
||||
TST_KERNEL: ../linux
|
||||
|
||||
- container: "centos:7"
|
||||
env:
|
||||
CC: gcc
|
||||
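Review bot: `TST_KERNEL: ../linux` is a relative path with nothing saying relative to what. build.sh runs the scripts from `tests/` (fsverity.test does `cd "$(dirname "$0")"` and uses `PATH=../src:...`), so `../linux` resolves to the `linux` file that the `Retrieve UML kernel` cache step restores at the repository root; a comment on the matrix entry would save the next reader that trace. Also, this is the only matrix entry that sets `TST_ENV`, so the UML path is exercised by exactly one job (fedora:latest, clang, ibmtss) while the cached kernel is built once for all of them; worth stating, since the commit message reads as if the new environment were available across the matrix.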
@ -98,7 +177,7 @@ jobs:
|
||||
container:
|
||||
image: ${{ matrix.container }}
|
||||
env: ${{ matrix.env }}
|
||||
options: --privileged --device /dev/loop-control
|
||||
options: --privileged --device /dev/loop-control -v /dev/shm:/dev/shm
|
||||
|
||||
steps:
|
||||
- name: Show OS
|
||||
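Review bot: `-v /dev/shm:/dev/shm` is added without a comment. The reason is presumably that UML backs guest RAM (`mem=2048M` in `_run_env`) with a file in /dev/shm and a container's default /dev/shm is far smaller than that; say so inline. Note the trade-off: the container is already `--privileged`, and bind-mounting the host's /dev/shm additionally exposes every other process's POSIX shared-memory segments to the job. Passing `--shm-size=<size>` in `options` instead would give UML the space without sharing the host's segments.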
@ -125,8 +204,24 @@ jobs:
|
||||
fi
|
||||
fi
|
||||
|
||||
- name: Retrieve UML kernel
|
||||
if: ${{ matrix.env.TST_ENV }}
|
||||
uses: actions/cache@v3
|
||||
continue-on-error: false
|
||||
with:
|
||||
path: linux
|
||||
key: linux-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
|
||||
|
||||
- name: Retrieve signing key
|
||||
if: ${{ matrix.env.TST_ENV }}
|
||||
continue-on-error: false
|
||||
uses: actions/cache@v3
|
||||
with:
|
||||
path: signing_key.pem
|
||||
key: signing_key.pem-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
|
||||
|
||||
- name: Compiler version
|
||||
run: $CC --version
|
||||
|
||||
- name: Compile
|
||||
run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" ./build.sh
|
||||
run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" TST_ENV="$TST_ENV" TST_KERNEL="$TST_KERNEL" ./build.sh
|
||||
|
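Review bot: both `Retrieve` steps use `actions/cache@v3` with its default behaviour, so a cache miss is not an error: the step succeeds with nothing restored, `continue-on-error: false` (already the default) changes nothing about that, and the test job then runs with `TST_KERNEL` pointing at a file that does not exist. Make the miss loud, either with `fail-on-cache-miss: true` (actions/cache v3.2 and later) or with a step that checks `test -x linux -a -r signing_key.pem` before `./build.sh`. Use `actions/cache/restore@v3` here rather than `actions/cache`, since this job never produces the artifacts the post-step would otherwise try to save. The `build.sh` line forwards `TST_ENV="$TST_ENV" TST_KERNEL="$TST_KERNEL"`, which are already in the container's environment via `env: ${{ matrix.env }}`; harmless, but drop one of the two mechanisms so there is a single place to look.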
5
build.sh
@ -114,6 +114,11 @@ if [ $ret -eq 0 ]; then
|
||||
grep "skipped" tests/fsverity.log && \
|
||||
grep "skipped" tests/fsverity.log | wc -l
|
||||
fi
|
||||
if [ -f tests/portable_signatures.log ]; then
|
||||
[ -n "$CI" ] && cat tests/portable_signatures.log || tail tests/portable_signatures.log
|
||||
grep "skipped" tests/portable_signatures.log && \
|
||||
grep "skipped" tests/portable_signatures.log | wc -l
|
||||
fi
|
||||
exit 0
|
||||
fi
|
||||
|
||||
|
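Review bot: the new `portable_signatures.log` block is a copy of the `fsverity.log` block above it; a loop over `tests/*.log` would keep the behaviour in one place as more scripts are added. Two nits inherited from the copied block: `[ -n "$CI" ] && cat f || tail f` runs `tail` whenever `cat` fails, not only when `$CI` is empty (use an `if`), and `grep "skipped" f && grep "skipped" f | wc -l` reads the file twice where `grep -c skipped f` gives the count in one pass.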
12
ci/fedora.sh
@ -44,7 +44,13 @@ yum -y install \
|
||||
util-linux \
|
||||
vim-common \
|
||||
wget \
|
||||
which
|
||||
which \
|
||||
zstd \
|
||||
systemd \
|
||||
keyutils \
|
||||
e2fsprogs \
|
||||
acl \
|
||||
libcap
|
||||
|
||||
yum -y install docbook5-style-xsl || true
|
||||
yum -y install swtpm || true
|
||||
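Review bot: six packages (zstd, systemd, keyutils, e2fsprogs, acl, libcap) join the hard dependency list with no indication of which test needs which; a comment per group would do (systemd presumably for the `poweroff` that `_report_exit_and_cleanup` now relies on inside the guest, acl/libcap for the new portable signatures test, e2fsprogs for the loopback images). It matters because this single `yum -y install` is shared with the CentOS branch below it: one package missing there fails the whole command and the job, unlike the `|| true` entries that follow for optional tools.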
@ -55,4 +61,8 @@ if [ -f /etc/centos-release ]; then
|
||||
fi
|
||||
yum -y install softhsm || true
|
||||
|
||||
# haveged is available via EPEL on CentOS stream8.
|
||||
yum -y install haveged || true
|
||||
|
||||
./tests/install-fsverity.sh
|
||||
./tests/install-mount-idmapped.sh
|
||||
|
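Review bot: `./tests/install-mount-idmapped.sh` (and the pre-existing `./tests/install-fsverity.sh`) clone the tip of a third-party repository with no pinned commit, tag or checksum and compile it into the CI image, so test results depend on whatever those repositories contain that day, and a compromised or force-pushed upstream becomes code running in this CI under `--privileged`. Pin a commit (`git clone` followed by `git checkout <sha>`, or `--branch <tag>`), and consider verifying a signed tag for fsverity-utils. Both installers now run unconditionally here and, as far as their hunks show, neither uses `set -e`, so a clone or build failure is only discovered later as a test skip or failure.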
213
kernel-configs/base
Normal file
@ -0,0 +1,213 @@
|
||||
CONFIG_LOCALVERSION="-dont-use"
|
||||
CONFIG_WATCH_QUEUE=y
|
||||
CONFIG_AUDIT=y
|
||||
CONFIG_AUDITSYSCALL=y
|
||||
CONFIG_HZ_PERIODIC=y
|
||||
CONFIG_LOG_BUF_SHIFT=17
|
||||
CONFIG_USER_NS=y
|
||||
CONFIG_PID_NS=y
|
||||
CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
|
||||
CONFIG_KALLSYMS_ALL=y
|
||||
CONFIG_SYSTEM_DATA_VERIFICATION=y
|
||||
CONFIG_TRACEPOINTS=y
|
||||
CONFIG_CON_CHAN="xterm"
|
||||
CONFIG_SSL_CHAN="pty"
|
||||
CONFIG_MODULE_SIG_FORMAT=y
|
||||
CONFIG_MODULE_SIG=y
|
||||
CONFIG_MODULE_SIG_FORCE=y
|
||||
CONFIG_MODULE_SIG_ALL=y
|
||||
CONFIG_MODULE_SIG_SHA1=y
|
||||
CONFIG_MODULE_SIG_HASH="sha1"
|
||||
CONFIG_MODULES_TREE_LOOKUP=y
|
||||
CONFIG_BLK_DEBUG_FS=y
|
||||
CONFIG_ASN1=y
|
||||
CONFIG_UNINLINE_SPIN_UNLOCK=y
|
||||
CONFIG_SLUB=y
|
||||
CONFIG_COMPACTION=y
|
||||
CONFIG_COMPACT_UNEVICTABLE_DEFAULT=1
|
||||
CONFIG_MIGRATION=y
|
||||
CONFIG_BLK_DEV_LOOP=y
|
||||
CONFIG_LEGACY_PTY_COUNT=256
|
||||
CONFIG_NULL_TTY=y
|
||||
CONFIG_SERIAL_DEV_BUS=y
|
||||
CONFIG_SERIAL_DEV_CTRL_TTYPORT=y
|
||||
CONFIG_VALIDATE_FS_PARSER=y
|
||||
CONFIG_EXT4_FS_POSIX_ACL=y
|
||||
CONFIG_EXT4_FS_SECURITY=y
|
||||
CONFIG_EXT4_DEBUG=y
|
||||
CONFIG_REISERFS_FS_XATTR=y
|
||||
CONFIG_REISERFS_FS_POSIX_ACL=y
|
||||
CONFIG_REISERFS_FS_SECURITY=y
|
||||
CONFIG_FS_POSIX_ACL=y
|
||||
CONFIG_FS_VERITY=y
|
||||
CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
|
||||
CONFIG_TMPFS_POSIX_ACL=y
|
||||
CONFIG_TMPFS_XATTR=y
|
||||
CONFIG_CONFIGFS_FS=y
|
||||
CONFIG_KEYS=y
|
||||
CONFIG_ENCRYPTED_KEYS=y
|
||||
CONFIG_SECURITY=y
|
||||
CONFIG_SECURITYFS=y
|
||||
CONFIG_SECURITY_NETWORK=y
|
||||
CONFIG_SECURITY_PATH=y
|
||||
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
|
||||
CONFIG_CRYPTO_AEAD2=y
|
||||
CONFIG_CRYPTO_SKCIPHER=y
|
||||
CONFIG_CRYPTO_SKCIPHER2=y
|
||||
CONFIG_CRYPTO_RNG=y
|
||||
CONFIG_CRYPTO_RNG2=y
|
||||
CONFIG_CRYPTO_RNG_DEFAULT=y
|
||||
CONFIG_CRYPTO_AKCIPHER2=y
|
||||
CONFIG_CRYPTO_AKCIPHER=y
|
||||
CONFIG_CRYPTO_KPP2=y
|
||||
CONFIG_CRYPTO_ACOMP2=y
|
||||
CONFIG_CRYPTO_MANAGER=y
|
||||
CONFIG_CRYPTO_MANAGER2=y
|
||||
CONFIG_CRYPTO_NULL2=y
|
||||
CONFIG_CRYPTO_RSA=y
|
||||
CONFIG_CRYPTO_ECC=y
|
||||
CONFIG_CRYPTO_ECDSA=y
|
||||
CONFIG_CRYPTO_AES=y
|
||||
CONFIG_CRYPTO_CBC=y
|
||||
CONFIG_CRYPTO_HMAC=y
|
||||
CONFIG_CRYPTO_MD5=y
|
||||
CONFIG_CRYPTO_SHA1=y
|
||||
CONFIG_CRYPTO_SHA256=y
|
||||
CONFIG_CRYPTO_SHA512=y
|
||||
CONFIG_CRYPTO_WP512=y
|
||||
CONFIG_CRYPTO_LZO=y
|
||||
CONFIG_CRYPTO_ZSTD=y
|
||||
CONFIG_CRYPTO_DRBG_MENU=y
|
||||
CONFIG_CRYPTO_DRBG_HMAC=y
|
||||
CONFIG_CRYPTO_DRBG=y
|
||||
CONFIG_CRYPTO_JITTERENTROPY=y
|
||||
CONFIG_CRYPTO_HASH_INFO=y
|
||||
CONFIG_ASYMMETRIC_KEY_TYPE=y
|
||||
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
|
||||
CONFIG_X509_CERTIFICATE_PARSER=y
|
||||
CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
|
||||
CONFIG_PKCS7_MESSAGE_PARSER=y
|
||||
CONFIG_PKCS7_TEST_KEY=y
|
||||
CONFIG_SIGNED_PE_FILE_VERIFICATION=y
|
||||
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
|
||||
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
|
||||
CONFIG_SYSTEM_TRUSTED_KEYRING=y
|
||||
CONFIG_SYSTEM_TRUSTED_KEYS=""
|
||||
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
|
||||
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
|
||||
CONFIG_SECONDARY_TRUSTED_KEYRING=y
|
||||
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
|
||||
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
|
||||
CONFIG_SYSTEM_REVOCATION_LIST=y
|
||||
CONFIG_SYSTEM_REVOCATION_KEYS=""
|
||||
CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE=y
|
||||
CONFIG_BINARY_PRINTF=y
|
||||
CONFIG_CRYPTO_LIB_AES=y
|
||||
CONFIG_CRYPTO_LIB_SHA256=y
|
||||
CONFIG_CRC_CCITT=y
|
||||
CONFIG_XXHASH=y
|
||||
CONFIG_AUDIT_GENERIC=y
|
||||
CONFIG_LZO_COMPRESS=y
|
||||
CONFIG_LZO_DECOMPRESS=y
|
||||
CONFIG_ZSTD_COMMON=y
|
||||
CONFIG_ZSTD_COMPRESS=y
|
||||
CONFIG_ZSTD_DECOMPRESS=y
|
||||
CONFIG_ASSOCIATIVE_ARRAY=y
|
||||
CONFIG_SGL_ALLOC=y
|
||||
CONFIG_GLOB=y
|
||||
CONFIG_CLZ_TAB=y
|
||||
CONFIG_MPILIB=y
|
||||
CONFIG_SIGNATURE=y
|
||||
CONFIG_OID_REGISTRY=y
|
||||
CONFIG_STACKDEPOT=y
|
||||
CONFIG_STACKDEPOT_ALWAYS_INIT=y
|
||||
CONFIG_PRINTK_TIME=y
|
||||
CONFIG_PRINTK_CALLER=y
|
||||
CONFIG_DYNAMIC_DEBUG=y
|
||||
CONFIG_DYNAMIC_DEBUG_CORE=y
|
||||
CONFIG_DEBUG_INFO_DWARF5=y
|
||||
CONFIG_GDB_SCRIPTS=y
|
||||
CONFIG_FRAME_WARN=2048
|
||||
CONFIG_READABLE_ASM=y
|
||||
CONFIG_DEBUG_SECTION_MISMATCH=y
|
||||
CONFIG_DEBUG_FS=y
|
||||
CONFIG_DEBUG_FS_ALLOW_ALL=y
|
||||
CONFIG_UBSAN=y
|
||||
CONFIG_CC_HAS_UBSAN_BOUNDS=y
|
||||
CONFIG_UBSAN_BOUNDS=y
|
||||
CONFIG_UBSAN_ONLY_BOUNDS=y
|
||||
CONFIG_UBSAN_SHIFT=y
|
||||
CONFIG_UBSAN_DIV_ZERO=y
|
||||
CONFIG_UBSAN_BOOL=y
|
||||
CONFIG_UBSAN_ENUM=y
|
||||
CONFIG_UBSAN_ALIGNMENT=y
|
||||
CONFIG_PAGE_EXTENSION=y
|
||||
CONFIG_DEBUG_PAGEALLOC=y
|
||||
CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y
|
||||
CONFIG_SLUB_DEBUG=y
|
||||
CONFIG_SLUB_DEBUG_ON=y
|
||||
CONFIG_PAGE_OWNER=y
|
||||
CONFIG_PAGE_POISONING=y
|
||||
CONFIG_DEBUG_OBJECTS=y
|
||||
CONFIG_DEBUG_OBJECTS_FREE=y
|
||||
CONFIG_DEBUG_OBJECTS_TIMERS=y
|
||||
CONFIG_DEBUG_OBJECTS_WORK=y
|
||||
CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
|
||||
CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
|
||||
CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
|
||||
CONFIG_DEBUG_KMEMLEAK=y
|
||||
CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE=16000
|
||||
CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y
|
||||
CONFIG_DEBUG_STACK_USAGE=y
|
||||
CONFIG_SCHED_STACK_END_CHECK=y
|
||||
CONFIG_DEBUG_SHIRQ=y
|
||||
CONFIG_PANIC_ON_OOPS=y
|
||||
CONFIG_PANIC_ON_OOPS_VALUE=1
|
||||
CONFIG_LOCKUP_DETECTOR=y
|
||||
CONFIG_SOFTLOCKUP_DETECTOR=y
|
||||
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
|
||||
CONFIG_DETECT_HUNG_TASK=y
|
||||
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
|
||||
CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
|
||||
CONFIG_WQ_WATCHDOG=y
|
||||
CONFIG_DEBUG_TIMEKEEPING=y
|
||||
CONFIG_PROVE_LOCKING=y
|
||||
CONFIG_PROVE_RAW_LOCK_NESTING=y
|
||||
CONFIG_LOCK_STAT=y
|
||||
CONFIG_DEBUG_RT_MUTEXES=y
|
||||
CONFIG_DEBUG_SPINLOCK=y
|
||||
CONFIG_DEBUG_MUTEXES=y
|
||||
CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
|
||||
CONFIG_DEBUG_RWSEMS=y
|
||||
CONFIG_DEBUG_LOCK_ALLOC=y
|
||||
CONFIG_LOCKDEP=y
|
||||
CONFIG_LOCKDEP_BITS=15
|
||||
CONFIG_LOCKDEP_CHAINS_BITS=16
|
||||
CONFIG_LOCKDEP_STACK_TRACE_BITS=19
|
||||
CONFIG_LOCKDEP_STACK_TRACE_HASH_BITS=14
|
||||
CONFIG_LOCKDEP_CIRCULAR_QUEUE_BITS=12
|
||||
CONFIG_WW_MUTEX_SELFTEST=y
|
||||
CONFIG_CSD_LOCK_WAIT_DEBUG=y
|
||||
CONFIG_TRACE_IRQFLAGS=y
|
||||
CONFIG_DEBUG_IRQFLAGS=y
|
||||
CONFIG_DEBUG_LIST=y
|
||||
CONFIG_DEBUG_PLIST=y
|
||||
CONFIG_DEBUG_NOTIFIERS=y
|
||||
CONFIG_BUG_ON_DATA_CORRUPTION=y
|
||||
CONFIG_PROVE_RCU=y
|
||||
CONFIG_RCU_TRACE=y
|
||||
CONFIG_NOP_TRACER=y
|
||||
CONFIG_TRACE_CLOCK=y
|
||||
CONFIG_RING_BUFFER=y
|
||||
CONFIG_EVENT_TRACING=y
|
||||
CONFIG_CONTEXT_SWITCH_TRACER=y
|
||||
CONFIG_PREEMPTIRQ_TRACEPOINTS=y
|
||||
CONFIG_TRACING=y
|
||||
CONFIG_DRM=n
|
||||
CONFIG_USB=n
|
||||
CONFIG_SOUND=n
|
||||
CONFIG_9P_FS=y
|
||||
CONFIG_9P_FS_POSIX_ACL=y
|
||||
CONFIG_9P_FS_SECURITY=y
|
||||
CONFIG_ETHERNET=n
|
||||
CONFIG_WLAN=n
|
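Review bot: `CONFIG_MODULE_SIG_SHA1=y` / `CONFIG_MODULE_SIG_HASH="sha1"` selects SHA-1 for the module-signing key that this same commit ships as `signing_key.pem`, while the integrity fragment defaults IMA to sha256; unless a test specifically needs a SHA-1 signed module, use `CONFIG_MODULE_SIG_SHA256=y` so the test kernel's own signatures are consistent with `CONFIG_IMA_DEFAULT_HASH`. The file also has no header comment: what `CONFIG_LOCALVERSION="-dont-use"` is for, why `CONFIG_DRM=n`, `CONFIG_USB=n`, `CONFIG_SOUND=n`, `CONFIG_ETHERNET=n`, `CONFIG_WLAN=n` are spelled with `=n` rather than `# ... is not set`, and, per the commit message, that `CONFIG_DEBUG_SG` is deliberately left out pending an upstream fix, so it gets re-added later rather than forgotten. Last, this is a heavy debug configuration (PROVE_LOCKING, LOCK_STAT, DEBUG_PAGEALLOC, SLUB_DEBUG_ON, KMEMLEAK with auto scan, UBSAN, DEBUG_OBJECTS, PAGE_OWNER). That is a good choice for a kernel under test, but it makes every run much slower, and it is exactly why `CONFIG_PANIC_ON_OOPS=y`, `CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y` and `CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y` matter here: they turn a hang into the unclean shutdown the host side treats as failure. Say that in the comment too, so nobody "fixes" the panics away.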
29
kernel-configs/integrity
Normal file
@ -0,0 +1,29 @@
|
||||
CONFIG_INTEGRITY=y
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
CONFIG_IMA=y
|
||||
CONFIG_IMA_MEASURE_PCR_IDX=10
|
||||
CONFIG_IMA_NG_TEMPLATE=y
|
||||
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
|
||||
CONFIG_IMA_DEFAULT_HASH_SHA256=y
|
||||
CONFIG_IMA_DEFAULT_HASH="sha256"
|
||||
CONFIG_IMA_WRITE_POLICY=y
|
||||
CONFIG_IMA_READ_POLICY=y
|
||||
CONFIG_IMA_APPRAISE=y
|
||||
CONFIG_IMA_ARCH_POLICY=y
|
||||
CONFIG_IMA_APPRAISE_BUILD_POLICY=y
|
||||
CONFIG_IMA_APPRAISE_BOOTPARAM=y
|
||||
CONFIG_IMA_APPRAISE_MODSIG=y
|
||||
CONFIG_IMA_TRUSTED_KEYRING=y
|
||||
CONFIG_IMA_BLACKLIST_KEYRING=y
|
||||
CONFIG_IMA_LOAD_X509=y
|
||||
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
|
||||
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
|
||||
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
|
||||
CONFIG_EVM=y
|
||||
CONFIG_EVM_ATTR_FSUUID=y
|
||||
CONFIG_EVM_ADD_XATTRS=y
|
||||
CONFIG_EVM_LOAD_X509=y
|
||||
CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
|
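Review bot: `CONFIG_IMA_LOAD_X509=y` with `CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"` (and the EVM pair) makes the kernel load a certificate from the root filesystem at boot onto the `.ima`/`.evm` keyrings, and this kernel boots with `rootfstype=hostfs`, so "root filesystem" here is the host's `/etc/keys`. On a CI runner the path is empty and the option is inert; on a developer machine with real IMA/EVM keys installed, the test kernel silently trusts them, and test results then depend on the host's key material. Either point the paths at a file under the tests directory that the tests control, or turn `*_LOAD_X509` off and let each test load what it needs with `evmctl import`/`keyctl`, as the existing tests do. `CONFIG_IMA_ARCH_POLICY=y` does nothing on UML (no secure boot state to derive a policy from) and can go.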
14
src/evmctl.c
@ -1184,9 +1184,9 @@ static int cmd_setxattr_ima(struct command *cmd)
|
||||
|
||||
#define MAX_KEY_SIZE 128
|
||||
|
||||
static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *hash)
|
||||
static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *sig)
|
||||
{
|
||||
size_t mdlen;
|
||||
size_t siglen = MAX_DIGEST_SIZE;
|
||||
EVP_MD_CTX *pctx;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
struct stat st;
|
||||
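Review bot: the rename `hash`/`mdlen` to `sig`/`siglen` is more than cosmetic and the commit message ("a variable in evmctl") undersells it: `EVP_DigestSignFinal()` treats its length argument as in/out, so unless the old `mdlen` was assigned somewhere earlier in the function (outside this hunk), OpenSSL was being told the output buffer had an undefined size; `size_t siglen = MAX_DIGEST_SIZE;` fixes that. Spell that out in the message, and check that every caller (not in this hunk) passes a buffer of at least `MAX_DIGEST_SIZE` bytes, which the new parameter name `sig` no longer hints at. `size_t mdlen;` is kept, so it is presumably still used for the xattr digest further down; if it is not, the compiler will warn.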
@ -1260,7 +1260,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
|
||||
|
||||
pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, evmkey, sizeof(evmkey));
|
||||
if (!pkey) {
|
||||
log_err("HMAC_Init() failed\n");
|
||||
log_err("EVP_PKEY_new_mac_key() failed\n");
|
||||
goto out;
|
||||
}
|
||||
|
||||
@ -1326,12 +1326,12 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
|
||||
|
||||
err = EVP_DigestSignUpdate(pctx, &hmac_misc, hmac_size);
|
||||
if (err != 1) {
|
||||
log_err("HMAC_Update() failed\n");
|
||||
log_err("EVP_DigestSignUpdate() failed\n");
|
||||
goto out_ctx_cleanup;
|
||||
}
|
||||
err = EVP_DigestSignFinal(pctx, hash, &mdlen);
|
||||
err = EVP_DigestSignFinal(pctx, sig, &siglen);
|
||||
if (err != 1)
|
||||
log_err("HMAC_Final() failed\n");
|
||||
log_err("EVP_DigestSignFinal() failed\n");
|
||||
out_ctx_cleanup:
|
||||
EVP_PKEY_free(pkey);
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000
|
||||
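Review bot: the messages now name the OpenSSL call that actually failed, which is the fix the commit message promises, but `EVP_DigestSignUpdate() failed` alone still does not say why; print the OpenSSL error queue next to it (`ERR_print_errors_fp(stderr)`) so a bad key length or an unsupported digest is visible to the user instead of only the function name. On the `EVP_DigestSignFinal(pctx, sig, &siglen)` line, `siglen` is now the HMAC length on success and is what the function returns below; the failure path returns `err`, so callers must keep checking for `<= 0` rather than for a zero length.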
@ -1340,7 +1340,7 @@ out_ctx_cleanup:
|
||||
out:
|
||||
free(key);
|
||||
if (err == 1)
|
||||
return mdlen;
|
||||
return siglen;
|
||||
return err;
|
||||
}
|
||||
|
||||
|
@ -2,7 +2,7 @@ check_SCRIPTS =
|
||||
TESTS = $(check_SCRIPTS)
|
||||
|
||||
check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \
|
||||
fsverity.test
|
||||
fsverity.test portable_signatures.test
|
||||
|
||||
clean-local:
|
||||
-rm -f *.txt *.out *.sig *.sig2
|
||||
|
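Review bot: `portable_signatures.test` joins `check_SCRIPTS`, so `make check` runs it in the current environment whenever `TST_ENV` is unset (the commit message says the API is a nop then). Since the file's diff is suppressed on this page, please confirm it exits `$SKIP` rather than failing when the host kernel lacks EVM portable-signature support or the test runs unprivileged, as the other scripts do; otherwise distribution builds that run `make check` start failing with this commit.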
@ -12,7 +12,7 @@
|
||||
# for verifying the calculated boot_aggregate is included in this
|
||||
# directory as well.
|
||||
|
||||
trap cleanup SIGINT SIGTERM EXIT
|
||||
trap '_report_exit_and_cleanup cleanup' SIGINT SIGTERM EXIT
|
||||
|
||||
# Base VERBOSE on the environment variable, if set.
|
||||
VERBOSE="${VERBOSE:-0}"
|
||||
|
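Review bot: `trap '_report_exit_and_cleanup cleanup' ...` requires `cleanup` to exist by the time the trap fires; if any `exit` path (an early `_require` failure, for instance) can run between this line and the definition of `cleanup`, the trap produces a "command not found" on top of the real error. Also note that `_report_exit_and_cleanup` now receives `cleanup` as its `$1`, and that function prints `$0 $*` in its "Run with FAILEARLY=1" hint, so the hint for this script will read `./boot_aggregate.test cleanup`.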
@ -30,7 +30,7 @@
|
||||
# custom policy rules might take precedence.
|
||||
|
||||
cd "$(dirname "$0")" || exit 1
|
||||
PATH=../src:$PATH
|
||||
PATH=../src:../fsverity-utils:$PATH
|
||||
source ./functions.sh
|
||||
|
||||
# Base VERBOSE on the environment variable, if set.
|
||||
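Review bot: `../fsverity-utils` on `PATH` hard-codes where `install-fsverity.sh` leaves its build tree: that script clones into the directory it is invoked from (the repository root, when `ci/fedora.sh` runs `./tests/install-fsverity.sh`), and this commit also stops it from `make install`ing and from deleting the tree. Anyone who ran the installer from elsewhere, or has a distribution `fsverity` package, gets a different binary than they expect, and `FSVERITY="$(which fsverity)"` below will pick whichever comes first. Say in a comment where the preferred binary comes from, or let `FSVERITY` be overridden from the environment. The relative entry does still resolve inside the UML guest because the script re-runs `cd "$(dirname "$0")"` there.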
@ -47,7 +47,7 @@ FSVERITY="$(which fsverity)"
|
||||
_require dd mkfs blkid e2fsck tune2fs evmctl setfattr
|
||||
./gen-keys.sh >/dev/null 2>&1
|
||||
|
||||
trap cleanup SIGINT SIGTERM EXIT
|
||||
trap '_report_exit_and_cleanup _cleanup_env cleanup' SIGINT SIGTERM EXIT
|
||||
|
||||
cleanup() {
|
||||
if [ -e $TST_MNT ]; then
|
||||
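Review bot: with `_cleanup_env cleanup`, `cleanup` runs on the host only when `TST_ENV` is unset and in the guest only when the script is PID 1; on the host side of a `TST_ENV=um` run it does not run at all. That appears correct today because what `cleanup` removes (`$TST_MNT`, `$TST_IMG`) is created in the guest after `_init_env`, but it is an invariant worth a one-line comment next to the trap: anyone who moves image creation above `_run_env` will leak loop devices and images on the host.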
@ -58,7 +58,6 @@ cleanup() {
|
||||
rm "$TST_IMG"
|
||||
fi
|
||||
fi
|
||||
_report_exit_and_cleanup
|
||||
}
|
||||
|
||||
# Loopback mount a file
|
||||
@ -309,6 +308,15 @@ measure-ima() {
|
||||
return "$error"
|
||||
}
|
||||
|
||||
# Run in the new environment if TST_ENV is set.
|
||||
_run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE"
|
||||
|
||||
# Exit from the creator of the new environment.
|
||||
_exit_env "$TST_KERNEL"
|
||||
|
||||
# Mount filesystems in the new environment.
|
||||
_init_env
|
||||
|
||||
# Dependency on being able to read and write the IMA policy file.
|
||||
# Requires both CONFIG_IMA_WRITE_POLICY, CONFIG_IMA_READ_POLICY be
|
||||
# enabled.
|
||||
|
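Review bot: the third argument to `_run_env` is a single string of `name=value` pairs that becomes the guest kernel command line. Any space in `$PATH`, `$LD_LIBRARY_PATH` or `$TST_KERNEL` would split a value into separate kernel parameters, and an empty `LD_LIBRARY_PATH` becomes `LD_LIBRARY_PATH=` in init's environment; acceptable for CI, but worth a comment. More important, `TST_LIST` is not forwarded, so the new per-test selection has no effect on the guest side of fsverity.test, and if `TST_LIST` is set on the host the `expect_pass "$TST_KERNEL" ...` inside `_run_env` is itself subject to the TST_LIST filter, so the boot is recorded as a skip and the guest never runs. Either forward `TST_LIST=$TST_LIST` here and exempt the boot from the filter, or state that fsverity.test does not support `TST_LIST`.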
@ -72,6 +72,12 @@ declare -i TNESTED=0 # just for sanity checking
|
||||
expect_pass() {
|
||||
local -i ret
|
||||
|
||||
if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = "$TST_LIST" ]; then
|
||||
[ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*"
|
||||
testsskip+=1
|
||||
return "$SKIP"
|
||||
fi
|
||||
|
||||
if [ $TNESTED -gt 0 ]; then
|
||||
echo $RED"expect_pass should not be run nested"$NORM
|
||||
testsfail+=1
|
||||
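Review bot: the filter `[ "${TST_LIST/$1/}" = "$TST_LIST" ]` has two problems. It is a substring test, so `TST_LIST=check_foo_bar` also selects `check_foo`, and `$1` is used as a glob pattern inside `${...//}`, so a test name containing `*`, `?` or `[` matches more than itself; iterate over the words of `$TST_LIST` and compare with `=` instead. And it applies to every `expect_pass`, including the one `_run_env` uses to boot the kernel (`expect_pass "$1" rootfstype=hostfs ...`, where `$1` is the kernel path): with `TST_LIST` set in the host environment the kernel path is not in the list, the boot is counted as a skip and the guest never starts. `_run_env` should bypass the filter (run the kernel directly and count the result itself).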
@ -98,6 +104,12 @@ expect_pass() {
|
||||
expect_fail() {
|
||||
local ret
|
||||
|
||||
if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = "$TST_LIST" ]; then
|
||||
[ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*"
|
||||
testsskip+=1
|
||||
return "$SKIP"
|
||||
fi
|
||||
|
||||
if [ $TNESTED -gt 0 ]; then
|
||||
echo $RED"expect_fail should not be run nested"$NORM
|
||||
testsfail+=1
|
||||
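Review bot: this is the same six-line block as in `expect_pass`, differing only in the function name; put it in one helper both call so the substring/glob behaviour of the filter has a single place to be fixed.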
@ -250,10 +262,14 @@ _enable_gost_engine() {
|
||||
# Show test stats and exit into automake test system
|
||||
# with proper exit code (same as ours). Do cleanups.
|
||||
_report_exit_and_cleanup() {
|
||||
local exit_code=$?
|
||||
|
||||
if [ -n "${WORKDIR}" ]; then
|
||||
rm -rf "${WORKDIR}"
|
||||
fi
|
||||
|
||||
"$@"
|
||||
|
||||
if [ $testsfail -gt 0 ]; then
|
||||
echo "================================="
|
||||
echo " Run with FAILEARLY=1 $0 $*"
|
||||
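Review bot: `"$@"` here is the cleanup function list passed by the trap, but a few lines below the same function prints `Run with FAILEARLY=1 $0 $*` as advice, and inside a function `$*` is the function's own arguments, so with the new traps the hint reads e.g. `Run with FAILEARLY=1 ./fsverity.test _cleanup_env cleanup`. Save the script's real arguments in a variable before installing the trap and print that, or drop `$*` from the hint. Also note the order: `rm -rf "${WORKDIR}"` runs before the cleanup functions, so a cleanup that expects its files under `$WORKDIR` now fails, and nothing checks the status of `"$@"`.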
@ -267,12 +283,33 @@ _report_exit_and_cleanup() {
|
||||
[ $testsfail -gt 0 ] && echo -n "$RED" || echo -n "$NORM"
|
||||
echo " FAIL: $testsfail"
|
||||
echo "$NORM"
|
||||
# Signal failure to the testing environment creator with an unclean shutdown.
|
||||
if [ -n "$TST_ENV" ] && [ $$ -eq 1 ]; then
|
||||
if [ -z "$(command -v poweroff)" ]; then
|
||||
echo "Warning: cannot properly shutdown system"
|
||||
fi
|
||||
|
||||
# If no test was executed and the script was successful,
|
||||
# do a clean shutdown.
|
||||
if [ $testsfail -eq 0 ] && [ $testspass -eq 0 ] && [ $testsskip -eq 0 ] &&
|
||||
[ $exit_code -ne "$FAIL" ] && [ $exit_code -ne "$HARDFAIL" ]; then
|
||||
poweroff -f
|
||||
fi
|
||||
|
||||
# If tests were executed and no test failed, do a clean shutdown.
|
||||
if { [ $testspass -gt 0 ] || [ $testsskip -gt 0 ]; } &&
|
||||
[ $testsfail -eq 0 ]; then
|
||||
poweroff -f
|
||||
fi
|
||||
fi
|
||||
if [ $testsfail -gt 0 ]; then
|
||||
exit "$FAIL"
|
||||
elif [ $testspass -gt 0 ]; then
|
||||
exit "$OK"
|
||||
else
|
||||
elif [ $testsskip -gt 0 ]; then
|
||||
exit "$SKIP"
|
||||
else
|
||||
exit "$exit_code"
|
||||
fi
|
||||
}
|
||||
|
||||
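Review bot: the host side of `_run_env` only sees the UML exit status: `poweroff -f` ends the guest cleanly (pass), anything else ends it with a panic (fail). Two consequences are not handled. First, a guest run whose tests were all skipped (`testsskip -gt 0`, no passes) also powers off cleanly, so the host records PASS for a script that ran nothing, and the `exit "$SKIP"` branch below is unreachable in the guest once the poweroff has succeeded; write the `testspass`/`testsfail`/`testsskip` counters to a file under the tests directory (hostfs makes it visible to the host) and let `_run_env` fold them into the host's counters. Second, `[ -n "$TST_ENV" ] && [ $$ -eq 1 ]` is the whole test for "I am the guest init"; a test script that happens to be PID 1 on the host side (a container entrypoint, `unshare -p`) takes the same path and attempts `poweroff -f`. Pass an explicit marker on the kernel command line (the `_run_env` call already forwards `TST_ENV` and `TST_KERNEL`; something like `TST_GUEST=1`, name is a suggestion) and test that instead. The two `if` blocks can also be one condition: `testsfail -eq 0` and either some test was counted or `exit_code` is neither `FAIL` nor `HARDFAIL`.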
@ -312,4 +349,76 @@ _softhsm_teardown() {
|
||||
rm -rf "${SOFTHSM_SETUP_CONFIGDIR}"
|
||||
unset SOFTHSM_SETUP_CONFIGDIR SOFTHSM2_CONF PKCS11_KEYURI \
|
||||
EVMCTL_ENGINE OPENSSL_ENGINE OPENSSL_KEYFORM
|
||||
}
|
||||
}
|
||||
|
||||
# Syntax: _run_env <kernel> <init> <additional kernel parameters>
|
||||
_run_env() {
|
||||
if [ -z "$TST_ENV" ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
if [ $$ -eq 1 ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
if [ "$TST_ENV" = "um" ]; then
|
||||
expect_pass "$1" rootfstype=hostfs rw init="$2" quiet mem=2048M "$3"
|
||||
else
|
||||
echo $RED"Testing environment $TST_ENV not supported"$NORM
|
||||
exit "$FAIL"
|
||||
fi
|
||||
}
|
||||
|
||||
# Syntax: _exit_env <kernel>
|
||||
_exit_env() {
|
||||
if [ -z "$TST_ENV" ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
if [ $$ -eq 1 ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
exit "$OK"
|
||||
}
|
||||
|
||||
# Syntax: _init_env
|
||||
_init_env() {
|
||||
if [ -z "$TST_ENV" ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
if [ $$ -ne 1 ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
mount -t tmpfs tmpfs /tmp
|
||||
mount -t proc proc /proc
|
||||
mount -t sysfs sysfs /sys
|
||||
mount -t securityfs securityfs /sys/kernel/security
|
||||
|
||||
if [ -n "$(command -v haveged 2> /dev/null)" ]; then
|
||||
$(command -v haveged) -w 1024 &> /dev/null
|
||||
fi
|
||||
|
||||
pushd "$PWD" > /dev/null || exit "$FAIL"
|
||||
}
|
||||
|
||||
# Syntax: _cleanup_env <cleanup function>
|
||||
_cleanup_env() {
|
||||
if [ -z "$TST_ENV" ]; then
|
||||
$1
|
||||
return
|
||||
fi
|
||||
|
||||
if [ $$ -ne 1 ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
$1
|
||||
|
||||
umount /sys/kernel/security
|
||||
umount /sys
|
||||
umount /proc
|
||||
umount /tmp
|
||||
}
|
||||
|
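Review bot: `expect_pass "$1" rootfstype=hostfs rw init="$2" quiet mem=2048M "$3"` boots the kernel with no time limit: a guest that hangs without tripping `PANIC_ON_OOPS` or the hung-task/soft-lockup panics holds the job until ci.yml's `timeout-minutes` kills it, which is then reported as the job timing out rather than the test failing. Wrap the kernel in `timeout <seconds> "$1" ...` (coreutils) so the host's `expect_pass` sees a non-zero status. Second, `rootfstype=hostfs rw` gives the guest, running as root, read-write access to the whole host filesystem, so every `rm`, `mount` and `umount` a test does in the guest is done against the developer's real files; fine in a throwaway CI container, but it deserves a loud comment for people running `TST_ENV=um` locally, and `mem=2048M` should be overridable. Third, `_init_env` ends with `pushd "$PWD"`, which pushes the current directory onto itself and has no `popd`; if the intent was to land in the tests directory inside the guest, the `cd "$(dirname "$0")"` at the top of each script already does that. Finally, the `$$ -eq 1` guard is repeated in all four functions; a single helper (say `_in_env`, name is a suggestion) would make the PID-1 assumption easy to replace later.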
@ -2,6 +2,5 @@
|
||||
|
||||
git clone https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git
|
||||
cd fsverity-utils
|
||||
CC=gcc make -j$(nproc) && sudo make install
|
||||
CC=gcc make -j$(nproc)
|
||||
cd ..
|
||||
rm -rf fsverity-utils
|
||||
|
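Review bot: dropping `sudo make install` and the trailing `rm -rf fsverity-utils` means the built tree now stays wherever the script was run from, and the tests find it only through `PATH=../src:../fsverity-utils` in fsverity.test; that is an undocumented contract between this script, `ci/fedora.sh` (which runs it from the repository root) and the test, so comment it at the top. The clone is still unpinned (tip of `fsverity-utils.git`, no tag or commit), and nothing in the hunk sets `-e`, so a failed clone or `make` is not an error here and surfaces later as a missing `fsverity` binary; pin a release tag and fail early.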
6
tests/install-mount-idmapped.sh
Executable file
@ -0,0 +1,6 @@
|
||||
#!/bin/sh
|
||||
|
||||
git clone https://github.com/brauner/mount-idmapped.git
|
||||
cd mount-idmapped
|
||||
gcc -o mount-idmapped mount-idmapped.c
|
||||
cd ..
|
1122
tests/portable_signatures.test
Executable file
File diff suppressed because it is too large