1
0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-07-01 13:21:12 +02:00

Merge branch 'uml' into next

From "Support testing in new enviroments" cover letter:

One of the main limitations of running tests in the current environment is
that features/bug fixes to be tested need to be already included in the
running kernel, which is not always the case.

User Mode Linux (UML) and virtual machines can be used to overcome this
limitation. They allow to create a new environment and run a custom kernel
built by a CI or by the user. The tests can then check the features/bug
fixes of the custom kernel.

Running tests in a new environment also gives the ability to control the
configuration, and to have a clean state for each test by creating new
environments as necessary. The current environment might not allow that,
e.g. for security reasons.

Introduce a mechanism for creating and managing new environments. Expose an
API that allow to transparently create one or multiple environments in a
test script, and to reexecute that script in the new one. Using that API
requires minimal changes to the existing scripts.

The API is generic enough to support different types of enviroments. The
environment can be selected with the TST_ENV environment variable. At the
moment, only UML is supported. QEMU will be added at a later stage.

With the ability to test custom kernels, ima-evm-utils might introduce
specific tests for that, separated from the tests to verify the
ima-evm-utils user space functionality. At the moment, there is no such
distinction, existing tests verify both.

First, fix error messages and a variable in evmctl. Then, add kernel
configuration options for the tests, to be merged with the default
configuration. Add a new job in the Github workflow to build the UML kernel
from a repository and branch specified in the LINUX_URL and LINUX_BRANCH
variables (if the kernel repository does not have a branch with the same
name of the ima-evm-utils one). Per Github documentation, these variables
can be defined at organization, repository and environment level.

Return the correct script exit code if no test was executed. Introduce the
new API for creating and managing new enviroments, for existing and new
test scripts. If TST_ENV is not set, calling the API results in a nop, and
tests are executed in the current environment.

Add the possibility to select individual tests to run in a test script,
with the TST_LIST variable, so that a new environment can be created
multiple times for a subset of tests (useful if for example a test require
kernel settings different from the previous test).

Add tests for EVM portable signatures and modify fsverity.test to use the
new API.

Finally, don't require making changes to the system to run fsverity.test,
install a software dependency after the appropriate repository has been
set up, and temporarily remove CONFIG_DEBUG_SG to avoid a kernel panic
until the patches to fix it are accepted in the upstream kernel.
This commit is contained in:
Mimi Zohar
2023-01-27 11:49:19 -05:00
13 changed files with 1615 additions and 19 deletions

View File

@ -3,7 +3,79 @@ name: "distros"
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
outputs:
LINUX_SHA: ${{ steps.last-commit.outputs.LINUX_SHA }}
name: build
timeout-minutes: 100
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v3
- name: Determine last kernel commit
id: last-commit
shell: bash
run: |
mkdir linux-integrity
pushd linux-integrity
git init
LINUX_URL=${{ vars.LINUX_URL }}
if [ -z "$LINUX_URL" ]; then
LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
fi
LINUX_BRANCH=${{ vars.LINUX_BRANCH }}
if [ -z "$LINUX_BRANCH" ]; then
LINUX_BRANCH=next-integrity
fi
git remote add origin $LINUX_URL
LINUX_SHA=$(git ls-remote origin $GITHUB_REF_NAME | awk '{print $1}')
[ -z "$LINUX_SHA" ] && LINUX_SHA=$(git ls-remote origin $LINUX_BRANCH | awk '{print $1}')
echo "LINUX_SHA=$LINUX_SHA" >> $GITHUB_OUTPUT
popd
- name: Cache UML kernel
id: cache-linux
uses: actions/cache@v3
with:
path: linux
key: linux-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
- name: Cache signing key
id: cache-key
uses: actions/cache@v3
with:
path: signing_key.pem
key: signing_key.pem-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
- name: Compile UML kernel
if: steps.cache-linux.outputs.cache-hit != 'true' || steps.cache-key.outputs.cache-hit != 'true'
shell: bash
run: |
if [ "$DEVTOOLSET" = "yes" ]; then
source /opt/rh/devtoolset-10/enable
fi
if [ "$ARCH" = "i386" ]; then
CROSS_COMPILE_OPT="CROSS_COMPILE=i686-linux-gnu-"
fi
pushd linux-integrity
git pull --depth 1 origin ${{ steps.last-commit.outputs.LINUX_SHA }}
make ARCH=um defconfig
./scripts/kconfig/merge_config.sh -m .config $(ls ../kernel-configs/*)
# Update manually, to specify ARCH=um
make ARCH=um olddefconfig
# Make everything built-in
make ARCH=um localyesconfig
make ARCH=um $CROSS_COMPILE_OPT -j$(nproc)
chmod +x linux
cp linux ..
cp certs/signing_key.pem ..
popd
job:
needs: build
runs-on: ubuntu-latest
strategy:
@ -75,6 +147,13 @@ jobs:
CC: clang
TSS: ibmtss
- container: "fedora:latest"
env:
CC: clang
TSS: ibmtss
TST_ENV: um
TST_KERNEL: ../linux
- container: "centos:7"
env:
CC: gcc
@ -98,7 +177,7 @@ jobs:
container:
image: ${{ matrix.container }}
env: ${{ matrix.env }}
options: --privileged --device /dev/loop-control
options: --privileged --device /dev/loop-control -v /dev/shm:/dev/shm
steps:
- name: Show OS
@ -125,8 +204,24 @@ jobs:
fi
fi
- name: Retrieve UML kernel
if: ${{ matrix.env.TST_ENV }}
uses: actions/cache@v3
continue-on-error: false
with:
path: linux
key: linux-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
- name: Retrieve signing key
if: ${{ matrix.env.TST_ENV }}
continue-on-error: false
uses: actions/cache@v3
with:
path: signing_key.pem
key: signing_key.pem-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
- name: Compiler version
run: $CC --version
- name: Compile
run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" ./build.sh
run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" TST_ENV="$TST_ENV" TST_KERNEL="$TST_KERNEL" ./build.sh

View File

@ -114,6 +114,11 @@ if [ $ret -eq 0 ]; then
grep "skipped" tests/fsverity.log && \
grep "skipped" tests/fsverity.log | wc -l
fi
if [ -f tests/portable_signatures.log ]; then
[ -n "$CI" ] && cat tests/portable_signatures.log || tail tests/portable_signatures.log
grep "skipped" tests/portable_signatures.log && \
grep "skipped" tests/portable_signatures.log | wc -l
fi
exit 0
fi

View File

@ -44,7 +44,13 @@ yum -y install \
util-linux \
vim-common \
wget \
which
which \
zstd \
systemd \
keyutils \
e2fsprogs \
acl \
libcap
yum -y install docbook5-style-xsl || true
yum -y install swtpm || true
@ -55,4 +61,8 @@ if [ -f /etc/centos-release ]; then
fi
yum -y install softhsm || true
# haveged is available via EPEL on CentOS stream8.
yum -y install haveged || true
./tests/install-fsverity.sh
./tests/install-mount-idmapped.sh

213
kernel-configs/base Normal file
View File

@ -0,0 +1,213 @@
CONFIG_LOCALVERSION="-dont-use"
CONFIG_WATCH_QUEUE=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_HZ_PERIODIC=y
CONFIG_LOG_BUF_SHIFT=17
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
CONFIG_KALLSYMS_ALL=y
CONFIG_SYSTEM_DATA_VERIFICATION=y
CONFIG_TRACEPOINTS=y
CONFIG_CON_CHAN="xterm"
CONFIG_SSL_CHAN="pty"
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA1=y
CONFIG_MODULE_SIG_HASH="sha1"
CONFIG_MODULES_TREE_LOOKUP=y
CONFIG_BLK_DEBUG_FS=y
CONFIG_ASN1=y
CONFIG_UNINLINE_SPIN_UNLOCK=y
CONFIG_SLUB=y
CONFIG_COMPACTION=y
CONFIG_COMPACT_UNEVICTABLE_DEFAULT=1
CONFIG_MIGRATION=y
CONFIG_BLK_DEV_LOOP=y
CONFIG_LEGACY_PTY_COUNT=256
CONFIG_NULL_TTY=y
CONFIG_SERIAL_DEV_BUS=y
CONFIG_SERIAL_DEV_CTRL_TTYPORT=y
CONFIG_VALIDATE_FS_PARSER=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_EXT4_DEBUG=y
CONFIG_REISERFS_FS_XATTR=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_FS_POSIX_ACL=y
CONFIG_FS_VERITY=y
CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_TMPFS_XATTR=y
CONFIG_CONFIGFS_FS=y
CONFIG_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_PATH=y
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_SKCIPHER=y
CONFIG_CRYPTO_SKCIPHER2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_KPP2=y
CONFIG_CRYPTO_ACOMP2=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_ECC=y
CONFIG_CRYPTO_ECDSA=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_WP512=y
CONFIG_CRYPTO_LZO=y
CONFIG_CRYPTO_ZSTD=y
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_HMAC=y
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_ASYMMETRIC_KEY_TYPE=y
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
CONFIG_X509_CERTIFICATE_PARSER=y
CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
CONFIG_PKCS7_MESSAGE_PARSER=y
CONFIG_PKCS7_TEST_KEY=y
CONFIG_SIGNED_PE_FILE_VERIFICATION=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS=""
CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE=y
CONFIG_BINARY_PRINTF=y
CONFIG_CRYPTO_LIB_AES=y
CONFIG_CRYPTO_LIB_SHA256=y
CONFIG_CRC_CCITT=y
CONFIG_XXHASH=y
CONFIG_AUDIT_GENERIC=y
CONFIG_LZO_COMPRESS=y
CONFIG_LZO_DECOMPRESS=y
CONFIG_ZSTD_COMMON=y
CONFIG_ZSTD_COMPRESS=y
CONFIG_ZSTD_DECOMPRESS=y
CONFIG_ASSOCIATIVE_ARRAY=y
CONFIG_SGL_ALLOC=y
CONFIG_GLOB=y
CONFIG_CLZ_TAB=y
CONFIG_MPILIB=y
CONFIG_SIGNATURE=y
CONFIG_OID_REGISTRY=y
CONFIG_STACKDEPOT=y
CONFIG_STACKDEPOT_ALWAYS_INIT=y
CONFIG_PRINTK_TIME=y
CONFIG_PRINTK_CALLER=y
CONFIG_DYNAMIC_DEBUG=y
CONFIG_DYNAMIC_DEBUG_CORE=y
CONFIG_DEBUG_INFO_DWARF5=y
CONFIG_GDB_SCRIPTS=y
CONFIG_FRAME_WARN=2048
CONFIG_READABLE_ASM=y
CONFIG_DEBUG_SECTION_MISMATCH=y
CONFIG_DEBUG_FS=y
CONFIG_DEBUG_FS_ALLOW_ALL=y
CONFIG_UBSAN=y
CONFIG_CC_HAS_UBSAN_BOUNDS=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_ONLY_BOUNDS=y
CONFIG_UBSAN_SHIFT=y
CONFIG_UBSAN_DIV_ZERO=y
CONFIG_UBSAN_BOOL=y
CONFIG_UBSAN_ENUM=y
CONFIG_UBSAN_ALIGNMENT=y
CONFIG_PAGE_EXTENSION=y
CONFIG_DEBUG_PAGEALLOC=y
CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y
CONFIG_SLUB_DEBUG=y
CONFIG_SLUB_DEBUG_ON=y
CONFIG_PAGE_OWNER=y
CONFIG_PAGE_POISONING=y
CONFIG_DEBUG_OBJECTS=y
CONFIG_DEBUG_OBJECTS_FREE=y
CONFIG_DEBUG_OBJECTS_TIMERS=y
CONFIG_DEBUG_OBJECTS_WORK=y
CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
CONFIG_DEBUG_KMEMLEAK=y
CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE=16000
CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y
CONFIG_DEBUG_STACK_USAGE=y
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_DEBUG_SHIRQ=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_ON_OOPS_VALUE=1
CONFIG_LOCKUP_DETECTOR=y
CONFIG_SOFTLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
CONFIG_DETECT_HUNG_TASK=y
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
CONFIG_WQ_WATCHDOG=y
CONFIG_DEBUG_TIMEKEEPING=y
CONFIG_PROVE_LOCKING=y
CONFIG_PROVE_RAW_LOCK_NESTING=y
CONFIG_LOCK_STAT=y
CONFIG_DEBUG_RT_MUTEXES=y
CONFIG_DEBUG_SPINLOCK=y
CONFIG_DEBUG_MUTEXES=y
CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
CONFIG_DEBUG_RWSEMS=y
CONFIG_DEBUG_LOCK_ALLOC=y
CONFIG_LOCKDEP=y
CONFIG_LOCKDEP_BITS=15
CONFIG_LOCKDEP_CHAINS_BITS=16
CONFIG_LOCKDEP_STACK_TRACE_BITS=19
CONFIG_LOCKDEP_STACK_TRACE_HASH_BITS=14
CONFIG_LOCKDEP_CIRCULAR_QUEUE_BITS=12
CONFIG_WW_MUTEX_SELFTEST=y
CONFIG_CSD_LOCK_WAIT_DEBUG=y
CONFIG_TRACE_IRQFLAGS=y
CONFIG_DEBUG_IRQFLAGS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_PLIST=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_PROVE_RCU=y
CONFIG_RCU_TRACE=y
CONFIG_NOP_TRACER=y
CONFIG_TRACE_CLOCK=y
CONFIG_RING_BUFFER=y
CONFIG_EVENT_TRACING=y
CONFIG_CONTEXT_SWITCH_TRACER=y
CONFIG_PREEMPTIRQ_TRACEPOINTS=y
CONFIG_TRACING=y
CONFIG_DRM=n
CONFIG_USB=n
CONFIG_SOUND=n
CONFIG_9P_FS=y
CONFIG_9P_FS_POSIX_ACL=y
CONFIG_9P_FS_SECURITY=y
CONFIG_ETHERNET=n
CONFIG_WLAN=n

29
kernel-configs/integrity Normal file
View File

@ -0,0 +1,29 @@
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY_AUDIT=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_DEFAULT_HASH="sha256"
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_ARCH_POLICY=y
CONFIG_IMA_APPRAISE_BUILD_POLICY=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_IMA_APPRAISE_MODSIG=y
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_BLACKLIST_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
CONFIG_EVM_ADD_XATTRS=y
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"

View File

@ -1184,9 +1184,9 @@ static int cmd_setxattr_ima(struct command *cmd)
#define MAX_KEY_SIZE 128
static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *hash)
static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *sig)
{
size_t mdlen;
size_t siglen = MAX_DIGEST_SIZE;
EVP_MD_CTX *pctx;
EVP_PKEY *pkey = NULL;
struct stat st;
@ -1260,7 +1260,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, evmkey, sizeof(evmkey));
if (!pkey) {
log_err("HMAC_Init() failed\n");
log_err("EVP_PKEY_new_mac_key() failed\n");
goto out;
}
@ -1326,12 +1326,12 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
err = EVP_DigestSignUpdate(pctx, &hmac_misc, hmac_size);
if (err != 1) {
log_err("HMAC_Update() failed\n");
log_err("EVP_DigestSignUpdate() failed\n");
goto out_ctx_cleanup;
}
err = EVP_DigestSignFinal(pctx, hash, &mdlen);
err = EVP_DigestSignFinal(pctx, sig, &siglen);
if (err != 1)
log_err("HMAC_Final() failed\n");
log_err("EVP_DigestSignFinal() failed\n");
out_ctx_cleanup:
EVP_PKEY_free(pkey);
#if OPENSSL_VERSION_NUMBER >= 0x10100000
@ -1340,7 +1340,7 @@ out_ctx_cleanup:
out:
free(key);
if (err == 1)
return mdlen;
return siglen;
return err;
}

View File

@ -2,7 +2,7 @@ check_SCRIPTS =
TESTS = $(check_SCRIPTS)
check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \
fsverity.test
fsverity.test portable_signatures.test
clean-local:
-rm -f *.txt *.out *.sig *.sig2

View File

@ -12,7 +12,7 @@
# for verifying the calculated boot_aggregate is included in this
# directory as well.
trap cleanup SIGINT SIGTERM EXIT
trap '_report_exit_and_cleanup cleanup' SIGINT SIGTERM EXIT
# Base VERBOSE on the environment variable, if set.
VERBOSE="${VERBOSE:-0}"

View File

@ -30,7 +30,7 @@
# custom policy rules might take precedence.
cd "$(dirname "$0")" || exit 1
PATH=../src:$PATH
PATH=../src:../fsverity-utils:$PATH
source ./functions.sh
# Base VERBOSE on the environment variable, if set.
@ -47,7 +47,7 @@ FSVERITY="$(which fsverity)"
_require dd mkfs blkid e2fsck tune2fs evmctl setfattr
./gen-keys.sh >/dev/null 2>&1
trap cleanup SIGINT SIGTERM EXIT
trap '_report_exit_and_cleanup _cleanup_env cleanup' SIGINT SIGTERM EXIT
cleanup() {
if [ -e $TST_MNT ]; then
@ -58,7 +58,6 @@ cleanup() {
rm "$TST_IMG"
fi
fi
_report_exit_and_cleanup
}
# Loopback mount a file
@ -309,6 +308,15 @@ measure-ima() {
return "$error"
}
# Run in the new environment if TST_ENV is set.
_run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE"
# Exit from the creator of the new environment.
_exit_env "$TST_KERNEL"
# Mount filesystems in the new environment.
_init_env
# Dependency on being able to read and write the IMA policy file.
# Requires both CONFIG_IMA_WRITE_POLICY, CONFIG_IMA_READ_POLICY be
# enabled.

View File

@ -72,6 +72,12 @@ declare -i TNESTED=0 # just for sanity checking
expect_pass() {
local -i ret
if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = "$TST_LIST" ]; then
[ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*"
testsskip+=1
return "$SKIP"
fi
if [ $TNESTED -gt 0 ]; then
echo $RED"expect_pass should not be run nested"$NORM
testsfail+=1
@ -98,6 +104,12 @@ expect_pass() {
expect_fail() {
local ret
if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = "$TST_LIST" ]; then
[ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*"
testsskip+=1
return "$SKIP"
fi
if [ $TNESTED -gt 0 ]; then
echo $RED"expect_fail should not be run nested"$NORM
testsfail+=1
@ -250,10 +262,14 @@ _enable_gost_engine() {
# Show test stats and exit into automake test system
# with proper exit code (same as ours). Do cleanups.
_report_exit_and_cleanup() {
local exit_code=$?
if [ -n "${WORKDIR}" ]; then
rm -rf "${WORKDIR}"
fi
"$@"
if [ $testsfail -gt 0 ]; then
echo "================================="
echo " Run with FAILEARLY=1 $0 $*"
@ -267,12 +283,33 @@ _report_exit_and_cleanup() {
[ $testsfail -gt 0 ] && echo -n "$RED" || echo -n "$NORM"
echo " FAIL: $testsfail"
echo "$NORM"
# Signal failure to the testing environment creator with an unclean shutdown.
if [ -n "$TST_ENV" ] && [ $$ -eq 1 ]; then
if [ -z "$(command -v poweroff)" ]; then
echo "Warning: cannot properly shutdown system"
fi
# If no test was executed and the script was successful,
# do a clean shutdown.
if [ $testsfail -eq 0 ] && [ $testspass -eq 0 ] && [ $testsskip -eq 0 ] &&
[ $exit_code -ne "$FAIL" ] && [ $exit_code -ne "$HARDFAIL" ]; then
poweroff -f
fi
# If tests were executed and no test failed, do a clean shutdown.
if { [ $testspass -gt 0 ] || [ $testsskip -gt 0 ]; } &&
[ $testsfail -eq 0 ]; then
poweroff -f
fi
fi
if [ $testsfail -gt 0 ]; then
exit "$FAIL"
elif [ $testspass -gt 0 ]; then
exit "$OK"
else
elif [ $testsskip -gt 0 ]; then
exit "$SKIP"
else
exit "$exit_code"
fi
}
@ -312,4 +349,76 @@ _softhsm_teardown() {
rm -rf "${SOFTHSM_SETUP_CONFIGDIR}"
unset SOFTHSM_SETUP_CONFIGDIR SOFTHSM2_CONF PKCS11_KEYURI \
EVMCTL_ENGINE OPENSSL_ENGINE OPENSSL_KEYFORM
}
}
# Syntax: _run_env <kernel> <init> <additional kernel parameters>
_run_env() {
if [ -z "$TST_ENV" ]; then
return
fi
if [ $$ -eq 1 ]; then
return
fi
if [ "$TST_ENV" = "um" ]; then
expect_pass "$1" rootfstype=hostfs rw init="$2" quiet mem=2048M "$3"
else
echo $RED"Testing environment $TST_ENV not supported"$NORM
exit "$FAIL"
fi
}
# Syntax: _exit_env <kernel>
_exit_env() {
if [ -z "$TST_ENV" ]; then
return
fi
if [ $$ -eq 1 ]; then
return
fi
exit "$OK"
}
# Syntax: _init_env
_init_env() {
if [ -z "$TST_ENV" ]; then
return
fi
if [ $$ -ne 1 ]; then
return
fi
mount -t tmpfs tmpfs /tmp
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t securityfs securityfs /sys/kernel/security
if [ -n "$(command -v haveged 2> /dev/null)" ]; then
$(command -v haveged) -w 1024 &> /dev/null
fi
pushd "$PWD" > /dev/null || exit "$FAIL"
}
# Syntax: _cleanup_env <cleanup function>
_cleanup_env() {
if [ -z "$TST_ENV" ]; then
$1
return
fi
if [ $$ -ne 1 ]; then
return
fi
$1
umount /sys/kernel/security
umount /sys
umount /proc
umount /tmp
}

View File

@ -2,6 +2,5 @@
git clone https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git
cd fsverity-utils
CC=gcc make -j$(nproc) && sudo make install
CC=gcc make -j$(nproc)
cd ..
rm -rf fsverity-utils

View File

@ -0,0 +1,6 @@
#!/bin/sh
git clone https://github.com/brauner/mount-idmapped.git
cd mount-idmapped
gcc -o mount-idmapped mount-idmapped.c
cd ..

1122
tests/portable_signatures.test Executable file

File diff suppressed because it is too large Load Diff