Add tests for EVM portable signatures

Verify that operations on files with EVM portable signatures succeed and
that the new kernel patch set does not break the existing kernel integrity
expectations. Build and install mount-idmapped for ci/fedora.sh, to
additionally test idmapped mounts.

To run the tests, pass the path of the kernel private key with the
TST_KEY_PATH environment variable. If not provided, search first in the
ima-evm-utils top directory, and then in
/lib/modules/$(uname -r)/source/certs/signing_key.pem and
/lib/modules/$(uname -r)/build/certs/signing_key.pem.

Root privileges are required to mount the image, configure IMA/EVM and set
xattrs.

Set TST_ENV to 'um', to relaunch the script in a new environment after
booting an UML kernel. The UML kernel path must be specified with the
TST_KERNEL environment variable.

Alternatively, set the TST_EVM_CHANGE_MODE variable to 1, to change the
current EVM mode, if a test needs a different one. Otherwise, execute only
the tests compatible with the current EVM mode.

Also set the EVM_ALLOW_METADATA_WRITES flag in the EVM mode, before
launching the script, to run the check_evm_revalidate() test. Execute:

echo 4 > /sys/kernel/security/evm

The last two environment variables above affect which tests will run the
next time the script is executed. Without setting TST_ENV, changes to the
current EVM mode will be irreversibly done in the host. Next time, unless
the host is rebooted, only tests compatible with the last EVM mode set will
run. The others will be skipped.

By setting TST_ENV, this problem does not arise as, every time the
environment is created, it will be clean with no flags set in the EVM mode.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

build.sh

@@ -114,6 +114,11 @@ if [ $ret -eq 0 ]; then
 		grep "skipped" tests/fsverity.log  && \
 		   grep "skipped" tests/fsverity.log | wc -l
 	fi
+	if [ -f tests/portable_signatures.log ]; then
+		[ -n "$CI" ] && cat tests/portable_signatures.log || tail tests/portable_signatures.log
+		grep "skipped" tests/portable_signatures.log  && \
+		   grep "skipped" tests/portable_signatures.log | wc -l
+	fi
 	exit 0
 fi
 

ci/fedora.sh

@@ -47,7 +47,11 @@ yum -y install \
 	which \
 	zstd \
 	haveged \
-	systemd
+	systemd \
+	keyutils \
+	e2fsprogs \
+	acl \
+	libcap
 
 yum -y install docbook5-style-xsl || true
 yum -y install swtpm || true
@@ -59,3 +63,4 @@ fi
 yum -y install softhsm || true
 
 ./tests/install-fsverity.sh
+./tests/install-mount-idmapped.sh

tests/Makefile.am

@@ -2,7 +2,7 @@ check_SCRIPTS =
 TESTS = $(check_SCRIPTS)
 
 check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \
-		 fsverity.test
+		 fsverity.test portable_signatures.test
 
 clean-local:
 	-rm -f *.txt *.out *.sig *.sig2

tests/install-mount-idmapped.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+git clone https://github.com/brauner/mount-idmapped.git
+cd mount-idmapped
+gcc -o mount-idmapped mount-idmapped.c
+cd ..