Add tests for EVM portable signatures

Verify that operations on files with EVM portable signatures succeed and that the new kernel patch set does not break the existing kernel integrity expectations. Build and install mount-idmapped for ci/fedora.sh, to additionally test idmapped mounts. To run the tests, pass the path of the kernel private key with the TST_KEY_PATH environment variable. If not provided, search first in the ima-evm-utils top directory, and then in /lib/modules/$(uname -r)/source/certs/signing_key.pem and /lib/modules/$(uname -r)/build/certs/signing_key.pem. Root privileges are required to mount the image, configure IMA/EVM and set xattrs. Set TST_ENV to 'um', to relaunch the script in a new environment after booting an UML kernel. The UML kernel path must be specified with the TST_KERNEL environment variable. Alternatively, set the TST_EVM_CHANGE_MODE variable to 1, to change the current EVM mode, if a test needs a different one. Otherwise, execute only the tests compatible with the current EVM mode. Also set the EVM_ALLOW_METADATA_WRITES flag in the EVM mode, before launching the script, to run the check_evm_revalidate() test. Execute: echo 4 > /sys/kernel/security/evm The last two environment variables above affect which tests will run the next time the script is executed. Without setting TST_ENV, changes to the current EVM mode will be irreversibly done in the host. Next time, unless the host is rebooted, only tests compatible with the last EVM mode set will run. The others will be skipped. By setting TST_ENV, this problem does not arise as, every time the environment is created, it will be clean with no flags set in the EVM mode. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-04-27 22:32:31 +02:00 · 2023-01-26 14:58:03 +01:00 · 2023-01-26 14:58:03 +01:00 · cf832d72f9
commit cf832d72f9
parent b573b7d4a1
5 changed files with 1140 additions and 2 deletions
--- a/build.sh
+++ b/build.sh
@ -114,6 +114,11 @@ if [ $ret -eq 0 ]; then
 		grep "skipped" tests/fsverity.log  && \
 		   grep "skipped" tests/fsverity.log | wc -l
 	fi
+	if [ -f tests/portable_signatures.log ]; then
+		[ -n "$CI" ] && cat tests/portable_signatures.log || tail tests/portable_signatures.log
+		grep "skipped" tests/portable_signatures.log  && \
+		   grep "skipped" tests/portable_signatures.log | wc -l
+	fi
 	exit 0
 fi

--- a/ci/fedora.sh
+++ b/ci/fedora.sh
@ -47,7 +47,11 @@ yum -y install \
 	which \
 	zstd \
 	haveged \
-	systemd
+	systemd \
+	keyutils \
+	e2fsprogs \
+	acl \
+	libcap

 yum -y install docbook5-style-xsl || true
 yum -y install swtpm || true
@ -59,3 +63,4 @@ fi
 yum -y install softhsm || true

 ./tests/install-fsverity.sh
+./tests/install-mount-idmapped.sh
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@ -2,7 +2,7 @@ check_SCRIPTS =
 TESTS = $(check_SCRIPTS)

 check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \
-		 fsverity.test
+		 fsverity.test portable_signatures.test

 clean-local:
 	-rm -f *.txt *.out *.sig *.sig2
--- a/tests/install-mount-idmapped.sh
+++ b/tests/install-mount-idmapped.sh
@ -0,0 +1,6 @@
+#!/bin/sh
+
+git clone https://github.com/brauner/mount-idmapped.git
+cd mount-idmapped
+gcc -o mount-idmapped mount-idmapped.c
+cd ..
--- a/tests/portable_signatures.test
+++ b/tests/portable_signatures.test