Release version 1.5

New to this release is CI support for testing new kernel integrity
features not yet upstreamed and bugfixes, or functionality not enabled
by distros in a User Mode Linux (UML) environment.  Testing in a UML
environment also allows saving CI build artifacts, such as private
keys, needed for creating and loading public keys onto the trusted
kernel keyrings.  These public keys may be used for code - file data
and metadata - signature verification.

See the NEWS file for a short summary of changes and the git history
for details.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

.github/workflows/ci.yml

@@ -3,7 +3,79 @@ name: "distros"
 on: [push, pull_request]
 
 jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      LINUX_SHA: ${{ steps.last-commit.outputs.LINUX_SHA }}
+    name: build
+    timeout-minutes: 100
+    strategy:
+      fail-fast: false
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Determine last kernel commit
+        id: last-commit
+        shell: bash
+        run: |
+          mkdir linux-integrity
+          pushd linux-integrity
+          git init
+          LINUX_URL=${{ vars.LINUX_URL }}
+          if [ -z "$LINUX_URL" ]; then
+              LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
+          fi
+          LINUX_BRANCH=${{ vars.LINUX_BRANCH }}
+          if [ -z "$LINUX_BRANCH" ]; then
+              LINUX_BRANCH=next-integrity
+          fi
+          git remote add origin $LINUX_URL
+          LINUX_SHA=$(git ls-remote origin $GITHUB_REF_NAME | awk '{print $1}')
+          [ -z "$LINUX_SHA" ] && LINUX_SHA=$(git ls-remote origin $LINUX_BRANCH | awk '{print $1}')
+          echo "LINUX_SHA=$LINUX_SHA" >> $GITHUB_OUTPUT
+          popd
+
+      - name: Cache UML kernel
+        id: cache-linux
+        uses: actions/cache@v3
+        with:
+          path: linux
+          key: linux-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
+
+      - name: Cache signing key
+        id: cache-key
+        uses: actions/cache@v3
+        with:
+          path: signing_key.pem
+          key: signing_key.pem-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
+
+      - name: Compile UML kernel
+        if: steps.cache-linux.outputs.cache-hit != 'true' || steps.cache-key.outputs.cache-hit != 'true'
+        shell: bash
+        run: |
+          if [ "$DEVTOOLSET" = "yes" ]; then
+                  source /opt/rh/devtoolset-10/enable
+          fi
+          if [ "$ARCH" = "i386" ]; then
+                  CROSS_COMPILE_OPT="CROSS_COMPILE=i686-linux-gnu-"
+          fi
+          pushd linux-integrity
+          git pull --depth 1 origin ${{ steps.last-commit.outputs.LINUX_SHA }}
+          make ARCH=um defconfig
+          ./scripts/kconfig/merge_config.sh -m .config $(ls ../kernel-configs/*)
+          # Update manually, to specify ARCH=um
+          make ARCH=um olddefconfig
+          # Make everything built-in
+          make ARCH=um localyesconfig
+          make ARCH=um $CROSS_COMPILE_OPT -j$(nproc)
+          chmod +x linux
+          cp linux ..
+          cp certs/signing_key.pem ..
+          popd
+
   job:
+    needs: build
     runs-on: ubuntu-latest
 
     strategy:
@@ -17,7 +89,7 @@ jobs:
               ARCH: i386
               TSS: tpm2-tss
               VARIANT: i386
-              COMPILE_SSL: openssl-3.0.0-beta1
+              COMPILE_SSL: openssl-3.0.5
 
           # cross compilation builds
           - container: "debian:stable"
@@ -52,18 +124,17 @@ jobs:
             env:
               CC: clang
               TSS: ibmtss
-              COMPILE_SSL: openssl-3.0.0-beta1
 
           - container: "opensuse/leap"
             env:
               CC: gcc
               TSS: tpm2-tss
 
-          - container: "ubuntu:groovy"
+          - container: "ubuntu:jammy"
             env:
               CC: gcc
               TSS: ibmtss
-              COMPILE_SSL: openssl-3.0.0-beta1
+              COMPILE_SSL: openssl-3.0.5
 
           - container: "ubuntu:xenial"
             env:
@@ -75,12 +146,14 @@ jobs:
               CC: clang
               TSS: ibmtss
 
-          - container: "centos:7"
+          - container: "fedora:latest"
             env:
-              CC: gcc
-              TSS: tpm2-tss
+              CC: clang
+              TSS: ibmtss
+              TST_ENV: um
+              TST_KERNEL: ../linux
 
-          - container: "centos:latest"
+          - container: "centos:7"
             env:
               CC: gcc
               TSS: tpm2-tss
@@ -103,7 +176,7 @@ jobs:
     container:
       image: ${{ matrix.container }}
       env: ${{ matrix.env }}
-      options: --security-opt seccomp=unconfined
+      options: --privileged --device /dev/loop-control -v /dev/shm:/dev/shm
 
     steps:
     - name: Show OS
@@ -119,7 +192,12 @@ jobs:
         INSTALL="${INSTALL%%/*}"
         if [ "$VARIANT" ]; then ARCH="$ARCH" ./ci/$INSTALL.$VARIANT.sh; fi
         ARCH="$ARCH" CC="$CC" TSS="$TSS" ./ci/$INSTALL.sh
-        if [ "$COMPILE_SSL" ]; then COMPILE_SSL="$COMPILE_SSL" ./tests/install-openssl3.sh; fi
+
+    - name: Build openSSL
+      run: |
+        if [ "$COMPILE_SSL" ]; then
+          COMPILE_SSL="$COMPILE_SSL" VARIANT="$VARIANT" ./tests/install-openssl3.sh; \
+        fi
 
     - name: Build swtpm
       run: |
@@ -130,8 +208,24 @@ jobs:
             fi
         fi
 
+    - name: Retrieve UML kernel
+      if: ${{ matrix.env.TST_ENV }}
+      uses: actions/cache@v3
+      continue-on-error: false
+      with:
+        path: linux
+        key: linux-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
+
+    - name: Retrieve signing key
+      if: ${{ matrix.env.TST_ENV }}
+      continue-on-error: false
+      uses: actions/cache@v3
+      with:
+        path: signing_key.pem
+        key: signing_key.pem-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
+
     - name: Compiler version
       run: $CC --version
 
     - name: Compile
-      run: CC="$CC" VARIANT="$VARIANT" ./build.sh
+      run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" TST_ENV="$TST_ENV" TST_KERNEL="$TST_KERNEL" ./build.sh

.travis.yml

@@ -1,6 +1,6 @@
 # Copyright (c) 2017-2021 Petr Vorel <pvorel@suse.cz>
 
-dist: bionic
+dist: focal
 language: C
 services:
     - docker
@@ -9,7 +9,7 @@ matrix:
     include:
         # 32 bit build
         - os: linux
-          env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss COMPILE_SSL=openssl-3.0.0-beta1
+          env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss COMPILE_SSL=openssl-3.0.5
           compiler: gcc
 
         # cross compilation builds
@@ -32,7 +32,7 @@ matrix:
 
         # glibc (gcc/clang)
         - os: linux
-          env: DISTRO=opensuse/tumbleweed TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host" COMPILE_SSL=openssl-3.0.0-beta1
+          env: DISTRO=opensuse/tumbleweed TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
           compiler: clang
 
         - os: linux
@@ -40,7 +40,7 @@ matrix:
           compiler: gcc
 
         - os: linux
-          env: DISTRO=ubuntu:groovy TSS=ibmtss COMPILE_SSL=openssl-3.0.0-beta1
+          env: DISTRO=ubuntu:jammy TSS=ibmtss COMPILE_SSL=openssl-3.0.5
           compiler: gcc
 
         - os: linux
@@ -52,11 +52,11 @@ matrix:
           compiler: clang
 
         - os: linux
-          env: DISTRO=centos:7 TSS=tpm2-tss
+          env: DISTRO=centos:7 TSS=tpm2-tss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
           compiler: gcc
 
         - os: linux
-          env: DISTRO=centos:latest TSS=tpm2-tss
+          env: REPO="quay.io/centos/" DISTRO="${REPO}centos:stream8" TSS=tpm2-tss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
           compiler: clang
 
         - os: linux
@@ -82,7 +82,7 @@ before_install:
             sudo sh -c "echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list"
             wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_${VERSION_ID}/Release.key -O- | sudo apt-key add -
             sudo apt update
-            sudo apt -y install podman slirp4netns crun
+            sudo apt -y install fuse-overlayfs podman slirp4netns crun
         fi
     - $CONTAINER info
 
@@ -95,4 +95,4 @@ script:
     - INSTALL="${DISTRO#${REPO}}"
     - INSTALL="${INSTALL%%:*}"
     - INSTALL="${INSTALL%%/*}"
-    - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ "$COMPILE_SSL" ]; then COMPILE_SSL="$COMPILE_SSL" ./tests/install-openssl3.sh; fi && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || if which tssstartup; then ./tests/install-swtpm.sh; fi; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ./build.sh"
+    - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ \"$COMPILE_SSL\" ]; then COMPILE_SSL=\"$COMPILE_SSL\" VARIANT=\"$VARIANT\" ./tests/install-openssl3.sh; fi && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || if which tssstartup; then ./tests/install-swtpm.sh; fi; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" COMPILE_SSL=\"$COMPILE_SSL\" ./build.sh"

Makefile.am

@@ -1,4 +1,8 @@
 SUBDIRS = src tests
+if HAVE_PANDOC
+SUBDIRS += doc
+endif
+
 if MANPAGE_DOCBOOK_XSL
 dist_man_MANS = evmctl.1
 endif

NEWS

@@ -1,3 +1,32 @@
+2023-2-24  Mimi Zohar <zohar@linux.ibm.com>
+
+	version 1.5:
+
+	* CI changes:
+	  * New: UML kernel testing environment
+	  * Support for running specific test(s)
+	  * Update distros
+	  * Update software release versions
+	* New features:
+	  * Signing fs-verity signatures
+	  * Reading TPM 2.0 PCRs via sysfs interface
+	* New tests:
+	  * Missing IMA mmapped file measurements
+	  * Overlapping IMA policy rules
+	  * EVM portable signatures
+	  * fs-verity file measurements in the IMA measurement list
+	* Build and library changes:
+	  * OpenSSL 3.0 version related changes
+	  * New configuration options: --disable-engine, --enable-sigv1
+	  * Deprecate IMA signature v1 format
+	* Misc bug fixes and code cleanup:
+	  * memory leaks, bounds checking, use after free
+	  * Fix and update test output
+	  * Add missing sanity checks
+	* Documentation:
+	  * Store the sourceforge ima-evm-utils wiki for historical
+	    purposes.
+
 2021-10-22  Mimi Zohar <zohar@linux.ibm.com>
 
 	version 1.4:
@@ -64,7 +93,7 @@
 	    the TPM PCRs, verify the IMA template data digest against the
 	    template data.  (Based on LTP "--verify" option.)
 	  - Ignore file measurement violations while verifying the IMA
-	    measurment list. (Based on LTP "--validate" option.)
+	    measurement list. (Based on LTP "--validate" option.)
 	  - Verify the file data signature included in the measurement list
 	    based on the file hash also included in the measurement list
 	    (--verify-sig)
@@ -213,7 +242,7 @@
 2012-04-02  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 
 	version 0.1.0
-	* Fully functional version for lastest 3.x kernels
+	* Fully functional version for latest 3.x kernels
 
 2011-08-24  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 

README

@@ -25,28 +25,34 @@ COMMANDS
 
  --version
  help <command>
- import [--rsa] pubkey keyring
- sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
+ import  [--rsa (deprecated)] pubkey keyring
+ sign [-r] [--imahash | --imasig ] [--key key] [--pass[=<password>] file
  verify file
- ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
- ima_sign [--sigfile] [--key key] [--pass password] file
+ ima_sign [--sigfile] [--key key] [--pass[=<password>]] file
  ima_verify file
+ ima_setxattr [--sigfile file]
  ima_hash file
- ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
+ ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]
+   [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...]
+   [--verify-bank hash-algorithm] file
+ ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
+   [--hwtpm]
  ima_fix [-t fdsxm] path
- sign_hash [--key key] [--pass password]
+ ima_clear [-t fdsxm] path
+ sign_hash [--veritysig] [--key key] [--pass=<password>]
  hmac [--imahash | --imasig ] file
 
 
 OPTIONS
 -------
 
-  -a, --hashalgo     sha1, sha224, sha256, sha384, sha512
+  -a, --hashalgo     sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: sha256)
   -s, --imasig       make IMA signature
+      --veritysig    sign an fs-verity file digest hash
   -d, --imahash      make IMA hash
   -f, --sigfile      store IMA signature in .sig file instead of xattr
       --xattr-user   store xattrs in user namespace (for testing purposes)
-      --rsa          use RSA key type and signing scheme v1
+      --rsa          use RSA key type and signing scheme v1 (deprecated)
   -k, --key          path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
                      or a pkcs11 URI
       --keyid n      overwrite signature keyid with a 32-bit value in hex (for signing)
@@ -63,7 +69,15 @@ OPTIONS
       --smack        use extra SMACK xattrs for EVM
       --m32          force EVM hmac/signature for 32 bit target system
       --m64          force EVM hmac/signature for 64 bit target system
-      --engine e     preload OpenSSL engine e (such as: gost)
+      --engine e     preload OpenSSL engine e (such as: gost) is deprecated
+      --ino          use custom inode for EVM
+      --uid          use custom UID for EVM
+      --gid          use custom GID for EVM
+      --mode         use custom Mode for EVM
+      --generation   use custom Generation for EVM(unspecified: from FS, empty: use 0)
+      --ima          use custom IMA signature for EVM
+      --selinux      use custom Selinux label for EVM
+      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)
       --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
       --ignore-violations ignore ToMToU measurement violations
       --verify-sig   verify the file signature based on the file hash, both
@@ -205,7 +219,7 @@ asymmetric keys support:
 
 Configuration file x509_evm.genkey:
 
-	# Begining of the file
+	# Beginning of the file
 	[ req ]
 	default_bits = 1024
 	distinguished_name = req_distinguished_name
@@ -256,7 +270,7 @@ following steps:
 
 Configuration file ima-local-ca.genkey:
 
-	# Begining of the file
+	# Beginning of the file
 	[ req ]
 	default_bits = 2048
 	distinguished_name = req_distinguished_name
@@ -287,7 +301,7 @@ Produce X509 in DER format for using while building the kernel:
 
 Configuration file ima.genkey:
 
-	# Begining of the file
+	# Beginning of the file
 	[ req ]
 	default_bits = 1024
 	distinguished_name = req_distinguished_name

acinclude.m4

@@ -2,7 +2,7 @@
 AC_DEFUN([PKG_ARG_ENABLE],
 	[
 	AC_MSG_CHECKING(whether to enable $1)
-	AC_ARG_ENABLE([$1], AC_HELP_STRING([--enable-$1], [enable $1 (default is $2)]), 
+	AC_ARG_ENABLE([$1], AS_HELP_STRING([--enable-$1], [enable $1 (default is $2)]),
 	[pkg_cv_enable_$1=$enableval],	
 	[AC_CACHE_VAL([pkg_cv_enable_$1], [pkg_cv_enable_$1=$2])])
 	if test $pkg_cv_enable_$1 = yes; then

build.sh

@@ -1,6 +1,16 @@
 #!/bin/sh
 # Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
 
+if [ -n "$CI" ]; then
+	# If we under CI only thing we can analyze is logs so better to enable
+	# verbosity to a maximum.
+	set -x
+	# This is to make stdout and stderr synchronous in the logs.
+	exec 2>&1
+
+	mount -t securityfs -o rw securityfs /sys/kernel/security
+fi
+
 set -e
 
 CC="${CC:-gcc}"
@@ -32,6 +42,14 @@ log_exit()
 
 cd `dirname $0`
 
+if [ "$COMPILE_SSL" ]; then
+	echo "COMPILE_SSL: $COMPILE_SSL"
+	export CFLAGS="-I/opt/openssl3/include $CFLAGS"
+	export LD_LIBRARY_PATH="/opt/openssl3/lib64:/opt/openssl3/lib:$HOME/src/ima-evm-utils/src/.libs:$LD_LIBRARY_PATH"
+	export LDFLAGS="-L/opt/openssl3/lib64 -L/opt/openssl3/lib $LDFLAGS"
+	export PATH="/opt/openssl3/bin:$HOME/src/ima-evm-utils/src/.libs:$PATH"
+fi
+
 case "$VARIANT" in
 	i386)
 		echo "32-bit compilation"
@@ -79,17 +97,7 @@ VERBOSE=1 make check || ret=$?
 
 title "logs"
 if [ $ret -eq 0 ]; then
-	if [ -f tests/ima_hash.log ]; then
-		tail -3 tests/ima_hash.log
-		grep "skipped" tests/ima_hash.log  && \
-		   grep "skipped" tests/ima_hash.log | wc -l
-	fi
-	if [ -f tests/sign_verify.log ]; then
-		tail -3 tests/sign_verify.log
-		grep "skipped" tests/sign_verify.log  && \
-		   grep "skipped" tests/sign_verify.log | wc -l
-	fi
-	tail -20 tests/boot_aggregate.log
+	cd tests; make check_logs; cd ..
 	exit 0
 fi
 

ci/alpine.sh

@@ -26,9 +26,11 @@ apk add \
 	attr-dev \
 	autoconf \
 	automake \
+	bash \
 	diffutils \
 	docbook-xml \
 	docbook-xsl \
+	e2fsprogs-extra \
 	keyutils-dev \
 	libtool \
 	libxslt \
@@ -40,9 +42,11 @@ apk add \
 	pkgconfig \
 	procps \
 	sudo \
+	util-linux \
 	wget \
 	which \
-	xxd
+	xxd \
+	gawk
 
 if [ ! "$TSS" ]; then
 	apk add git

ci/alt.sh

@@ -11,7 +11,8 @@ apt-get install -y \
 		$TSS \
 		asciidoc \
 		attr \
-		docbook-style-xsl \
+		e2fsprogs \
+		fsverity-utils-devel \
 		gnutls-utils \
 		libattr-devel \
 		libkeyutils-devel \
@@ -21,6 +22,7 @@ apt-get install -y \
 		openssl-gost-engine \
 		rpm-build \
 		softhsm \
+		util-linux \
 		wget \
 		xsltproc \
 		xxd \

ci/debian.sh

@@ -2,6 +2,9 @@
 # Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
 set -ex
 
+# workaround for Ubuntu impish asking to interactively configure tzdata
+export DEBIAN_FRONTEND="noninteractive"
+
 if [ -z "$CC" ]; then
 	echo "missing \$CC!" >&2
 	exit 1
@@ -37,6 +40,7 @@ $apt \
 	debianutils \
 	docbook-xml \
 	docbook-xsl \
+	e2fsprogs \
 	gzip \
 	libattr1-dev$ARCH \
 	libkeyutils-dev$ARCH \
@@ -47,8 +51,10 @@ $apt \
 	pkg-config \
 	procps \
 	sudo \
+	util-linux \
 	wget \
-	xsltproc
+	xsltproc \
+	gawk
 
 $apt xxd || $apt vim-common
 $apt libengine-gost-openssl1.1$ARCH || true

ci/fedora.sh

@@ -25,9 +25,12 @@ yum -y install \
 	automake \
 	diffutils \
 	docbook-xsl \
+	e2fsprogs \
+	git-core \
 	gnutls-utils \
 	gzip \
 	keyutils-libs-devel \
+	kmod \
 	libattr-devel \
 	libtool \
 	libxslt \
@@ -38,9 +41,16 @@ yum -y install \
 	pkg-config \
 	procps \
 	sudo \
+	util-linux \
 	vim-common \
 	wget \
-	which
+	which \
+	zstd \
+	systemd \
+	keyutils \
+	e2fsprogs \
+	acl \
+	libcap
 
 yum -y install docbook5-style-xsl || true
 yum -y install swtpm || true
@@ -50,3 +60,9 @@ if [ -f /etc/centos-release ]; then
 	yum -y install epel-release
 fi
 yum -y install softhsm || true
+
+# haveged is available via EPEL on CentOS stream8.
+yum -y install haveged || true
+
+./tests/install-fsverity.sh
+./tests/install-mount-idmapped.sh

ci/tumbleweed.sh

@@ -26,6 +26,7 @@ zypper --non-interactive install --force-resolution --no-recommends \
 	diffutils \
 	docbook_5 \
 	docbook5-xsl-stylesheets \
+	e2fsprogs \
 	gzip \
 	ibmswtpm2 \
 	keyutils-devel \
@@ -37,10 +38,12 @@ zypper --non-interactive install --force-resolution --no-recommends \
 	pkg-config \
 	procps \
 	sudo \
+	util-linux \
 	vim \
 	wget \
 	which \
-	xsltproc
+	xsltproc \
+	gawk
 
 zypper --non-interactive install --force-resolution --no-recommends \
 	gnutls openssl-engine-libp11 softhsm || true

configure.ac

@@ -1,7 +1,7 @@
 # autoconf script
 
 AC_PREREQ([2.65])
-AC_INIT(ima-evm-utils, 1.4, zohar@linux.ibm.com)
+AC_INIT(ima-evm-utils, 1.5, zohar@linux.ibm.com)
 AM_INIT_AUTOMAKE([foreign])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -15,16 +15,14 @@ AM_PROG_CC_C_O
 #AC_PROG_CXX
 #AC_PROG_CPP
 AC_PROG_INSTALL
-AC_PROG_LIBTOOL
 #AC_PROG_LN_S
+AC_CHECK_PROG(have_pandoc, [pandoc], [yes], [no])
+AM_CONDITIONAL([HAVE_PANDOC], [test "x$have_pandoc" = "xyes"])
 LT_INIT
 
 # FIXME: Replace `main' with a function in `-lpthread':
 #AC_CHECK_LIB([pthread], [main])
 
-# Checks for header files.
-AC_HEADER_STDC
-
 PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ])
 AC_SUBST(KERNEL_HEADERS)
 AC_CHECK_HEADER(unistd.h)
@@ -53,6 +51,16 @@ AC_ARG_ENABLE([openssl_conf],
 		AC_DEFINE(DISABLE_OPENSSL_CONF, 1, [Define to disable loading of openssl config by evmctl.])
 	      fi], [enable_openssl_conf=yes])
 
+AC_ARG_ENABLE(sigv1,
+	      AS_HELP_STRING([--enable-sigv1], [Build ima-evm-utils with signature v1 support]))
+	AM_CONDITIONAL([CONFIG_SIGV1], [test "x$enable_sigv1" = "xyes"])
+	AS_IF([test "$enable_sigv1"  != "yes"], [enable_sigv1="no"])
+
+AC_ARG_ENABLE(engine,
+	      [AS_HELP_STRING([--disable-engine], [build ima-evm-utils without OpenSSL engine support])],,[enable_engine=yes])
+	AC_CHECK_LIB([crypto], [ENGINE_init],, [enable_engine=no])
+	AM_CONDITIONAL([CONFIG_IMA_EVM_ENGINE], [test "x$enable_engine" = "xyes"])
+
 #debug support - yes for a while
 PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
 if test $pkg_cv_enable_debug = yes; then
@@ -73,6 +81,8 @@ AX_DEFAULT_HASH_ALGO([$KERNEL_HEADERS])
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		tests/Makefile
+		doc/Makefile
+		doc/sf/Makefile
 		packaging/ima-evm-utils.spec
 		])
 AC_OUTPUT
@@ -87,5 +97,8 @@ echo	"   openssl-conf: $enable_openssl_conf"
 echo	"      tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free"
 echo	" tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
 echo    "         ibmtss: $ac_cv_header_ibmtss_tss_h"
+echo    "         sigv1:  $enable_sigv1"
+echo    "         engine: $enable_engine"
 echo	"            doc: $have_doc"
+echo	"         pandoc: $have_pandoc"
 echo

doc/Makefile.am

@@ -0,0 +1 @@
+SUBDIRS = sf

doc/sf/Makefile.am

@@ -0,0 +1,6 @@
+noinst_DATA = sf-wiki.html
+
+sf-wiki.html:sf-wiki.md
+	pandoc $+ -f markdown -t html > $@
+
+CLEANFILES = sf-wiki.html

doc/sf/sf-diagram.html

@@ -0,0 +1,46 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML>
+</STYLE>
+<BODY LANG="en-US" DIR="LTR">
+<p style="text-align: center; font-family:arial">
+<FONT SIZE=+3><b><a href="https://sourceforge.net/p/linux-ima/wiki/Home">
+See documentation at Linux IMA/EVM Wiki</a></b></FONT>
+<br>
+<FONT SIZE=+3><b>Linux Integrity Subsystem</b></FONT>
+<p>The goals of the kernel integrity subsystem are to detect if files have
+been accidentally or maliciously altered, both remotely and locally,
+appraise a file's measurement against a "good" value stored as an extended
+attribute, and enforce local file integrity.  These goals are complementary
+to Mandatory Access Control(MAC) protections provided by LSM modules, such as
+SElinux and Smack, which, depending on policy, can attempt to protect file
+integrity. The following modules provide several integrity functions:</p>
+<object type="text/html" style="float:right" height=450 data="tcg.html-20100504"></object>
+<UL>
+<LI><B>Collect</B> - measure a file before it is accessed. </li>
+<LI><B>Store</B> - add the measurement to a kernel resident list and, if a
+hardware Trusted Platform Module (TPM) is present, extend the IMA PCR </li>
+<LI><B>Attest</B> -if present, use the TPM to sign the IMA PCR value, to
+allow a remote validation of the measurement list.</li>
+<LI><B>Appraise</B> - enforce local validation of a measurement against a
+'good' value stored in an extended attribute of the file.</li>
+<LI><B>Protect</B> - protect a file's security extended attributes
+</UL>
+<p>The first three functions were introduced with Integrity Measurement
+Architecture (IMA) in 2.6.30.  The EVM/IMA-appraisal patches add support for
+the last two features.</p>
+<p>For additional information about the Linux integrity subsystem, refer to the
+<a href="http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page">Wiki</a>.
+</p>
+<H3><a name="Trusted-Computing">Trusted Computing: architecture and opensource components</a></H3>
+<P> IMA measurement, one component of the kernel's integrity subsystem, is part
+of an overall Integrity Architecture based on the
+<a href="https://www.trustedcomputinggroup.org/home">Trusted Computing Group's
+</a> open standards, including Trusted Platform Module (TPM), Trusted Boot,
+Trusted Software Stack (TSS), Trusted Network Connect (TNC), and Platform
+Trust Services (PTS). The diagram shows how these standards relate, and
+provides links to the respective specifications and open source
+implementations. IMA and EVM can still run on platforms without a
+hardware TPM, although without the hardware guarantee of compromise
+detection.
+</P>
+</BODY></HTML>

doc/sf/sf-tcg.html

@@ -0,0 +1,99 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML>
+<STYLE TYPE="text/css">
+.tcg TD, .tcgcell
+{
+background-color:lightblue;
+color:black;
+font-family:sans-serif;
+font-weight:700;
+padding:0;
+}
+
+.tcg2 TD, .tcg2cell
+{
+background-color:white;
+color:black;
+font-family:sans-serif;
+padding:5;
+border:0;
+}
+</STYLE>
+<table CLASS="tcg">
+<tr> <th COLSPAN=2 ><HREF="http://www.trustedcomputinggroup.org/trusted_computing"></A></th> </tr>
+<tr>
+<td><h3>Applications
+<table ALIGN=RIGHT CLASS="tcg2">
+<tr>
+<th>spec</th>
+<th>info</th>
+</tr>
+<tr>
+<td><a href="http://www.trustedcomputinggroup.org/resources/infrastructure_work_group_platform_trust_services_interface_specification_version_10" target="_top">PTS</a></td>
+<td><a href="http://openpts.sourceforge.jp" target="_top">OpenPTS</a></td>
+</tr>
+<tr><td style="background-color: lightblue"></td>
+<td><a href="http://sourceforge.net/projects/trousers/files/tpm-tools/tpm-tools-1.3.2.tar.gz/download" target="_top">tpm-tools</a></td>
+</tr>
+</table>
+<h2></td>
+</tr>
+<tr>
+<td><h3>Libraries
+<table ALIGN=RIGHT CLASS="tcg2">
+<tr>
+<th>spec</th>
+<th>info</th>
+</tr>
+<tr><td><a href="http://www.trustedcomputinggroup.org/developers/software_stack" target="_top">TSS</a></td>
+<td><a href="http://trousers.sourceforge.net/" target="_top">TrouSerS</a></td>
+</tr>
+</table>
+</td>
+</tr>
+<tr><td><h3>Linux Kernel
+<table ALIGN=RIGHT CLASS="tcg2">
+<tr>
+<th>spec</th>
+<th>info</th>
+</tr>
+<tr><td style="background-color: lightblue"></td>
+<td><a href="http://linux-ima.sourceforge.net/#Integrity Measurement Architecture" target="_top">IMA</a>,
+<a href="http://linux-ima.sourceforge.net/#Linux Extended Verification Module" target="_top">EVM</a></td>
+</td>
+</tr>
+<td><a href="http://www.trustedcomputinggroup.org/files/resource_files/87BCE22B-1D09-3519-ADEBA772FBF02CBD/TCG_PCClientTPMSpecification_1-20_1-00_FINAL.pdf" target="_top">tpm-1.2</a></td>
+<td><a href="http://tpmdd.sourceforge.net" target="_top">TPM driver</a></td>
+</tr>
+</table>
+</td>
+</tr>
+<tr><td><h3>Boot
+<table ALIGN=RIGHT CLASS="tcg2">
+<tr>
+<th>spec</th>
+<th>info</th>
+</tr>
+<tr><td><a href="http://www.trustedcomputinggroup.org/resources/pc_client_work_group_specific_implementation_specification_for_conventional_bios_specification_version_12" target="_top">BIOS</a></td>
+<td><a href="http://sourceforge.jp/projects/openpts/wiki/GRUB-IMA" target="_top">GRUB-IMA</a>,
+<a href="http://sourceforge.net/projects/tboot" target="_top"> TBOOT</a></td>
+</tr>
+</td>
+</tr>
+</table>
+<tr><td><h3>Hardware
+<table ALIGN=RIGHT CLASS="tcg2">
+<tr>
+<th>spec</th>
+<th>info</th>
+</tr>
+<tr>
+<td><a href="http://www.trustedcomputinggroup.org/developers/trusted_platform_module"  target="_top">TPM</a></td>
+<td><a href="http://ibmswtpm.sourceforge.net" target="_top">(swTPM)</a></td>
+</tr>
+</table>
+</td>
+</tr>
+</table>
+</BODY>
+</HTML>

doc/sf/sf-wiki.md

@@ -0,0 +1,932 @@
+The goals of the kernel integrity subsystem are to detect if files have been accidentally or maliciously altered, both remotely and locally, appraise a file's measurement against a "good" value stored as an extended attribute, and enforce local file integrity. These goals are complementary to Mandatory Access Control(MAC) protections provided by LSM modules, such as SElinux and Smack, which, depending on policy, can attempt to protect file integrity.
+
+[TOC]
+
+## Overview
+### Features
+
+The following modules provide several integrity functions:
+
+-   **Collect** – measure a file before it is accessed.
+-   **Store** – add the measurement to a kernel resident list and, if a
+    hardware Trusted Platform Module (TPM) is present, extend the IMA
+    PCR
+-   **Attest** – if present, use the TPM to sign the IMA PCR value, to
+    allow a remote validation of the measurement list.
+-   **Appraise** – enforce local validation of a measurement against a
+    “good” value stored in an extended attribute of the file.
+-   **Protect** – protect a file's security extended attributes
+    (including appraisal hash) against off-line attack.
+
+ -   **Audit** – audit the file hashes.
+
+The first three functions were introduced with Integrity Measurement Architecture ([IMA](#integrity-measurement-architecture-ima)) in 2.6.30.   The "appraise" and "protect" features were originally posted as a single [EVM](#linux-extended-verification-module-evm)/[IMA-appraisal](#ima-appraisal) patch set for in the 2.6.36 timeframe, but were subsequently split.   EVM, the "protect" feature, was upstreamed in Linux 3.2, using a simplier and more secure method for loading the 'evm-key', based on the new Kernel Key Retention [Trusted and Encrypted keys](#creating-trusted-and-evm-encrypted-keys).   EVM support for protecting file metadata based on digital signatures was upstreamed in the Linux 3.3.  IMA-appraisal, the fourth aspect, appraising a file's integrity, was upstreamed in Linux 3.7.
+
+The goals, design, and benefits of these features are further described in the whitepaper ["An Overview of the Linux Integrity Subsystem"](http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf "http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf").
+
+### Components
+
+IMA-measurement, one component of the kernel's integrity subsystem, is part of an overall Integrity Architecture based on the Trusted Computing Group's open standards, including Trusted Platform Module (TPM), Trusted Boot, Trusted Software Stack (TSS), Trusted Network Connect (TNC), and Platform Trust Services (PTS). The linux-ima project page contains a [diagram](http://linux-ima.sourceforge.net/) showing how these standards relate, and provides links to the respective specifications and open source implementations. IMA-measurement and EVM can still run on platforms without a hardware TPM, although without the hardware guarantee of compromise detection.
+
+IMA-appraisal, a second component of the kernel's integrity subsystem,  extends the "secure boot" concept of verifying  a file's integrity, before transferring control or allowing the file to be accessed by the OS.
+
+IMA-audit, another component of the kernel's integrity subsystem, includes file hashes in the system audit logs, which can be used to augment existing system security analytics/forensics.
+
+The IMA-measurement, IMA-appraisal, and IMA-audit aspects of the kernel's integrity subsystem complement each other, but can be configured and used independently of each other.
+
+## Integrity Measurement Architecture (IMA-measurement)
+
+
+IMA-measurement is an open source trusted computing component. IMA maintains a runtime measurement list and, if anchored in a hardware Trusted Platform Module(TPM), an aggregate integrity value over this list. The benefit of anchoring the aggregate integrity value in the TPM is that the measurement list cannot be compromised by any software attack, without being detectable. Hence, on a trusted boot system, IMA-measurement can be used to attest to the system's runtime integrity.
+
+### Enabling IMA-measurement
+
+IMA was first included in the 2.6.30 kernel. For distros that enable IMA by default in their kernels, collecting IMA measurements simply requires rebooting the kernel with a builtin  "ima_policy=" on the boot command line. (Fedora/RHEL may also require the boot command line parameter 'ima=on'.)
+
+To determine if your distro enables IMA by default, mount securityfs (mount -t securityfs security /sys/kernel/security), if it isn't already mounted, and then check if '<securityfs>/integrity/ima' exists. If it exists, IMA is indeed enabled. On systems without IMA enabled, [recompile the kernel](#compiling-the-kernel-with-evmima-appraisal-enabled) with the config option 'CONFIG_IMA' enabled.
+
+### Controlling IMA-measurement
+
+IMA is controlled with several kernel command line parameters:
+
+
+ima_audit= informational audit logging
+ Format: { "0" | "1" }
+ 0 -- normal integrity auditing messages. (Default)
+ 1 -- enable additional informational integrity auditing messages.
+
+ (eg. Although file measurements are only added to the measurement list once and cached, if the inode is flushed, subsequent access to the inode will result in re-measuring the file and attempting to add the measurement again to the measurement list. Enabling ima_audit will log such attempts.)
+
+ima_policy= builtin policy
+Format:  {"tcb" | "appraise_tcb" | "secure-boot"}
+**NEW** Linux-4.13 default: no policy
+
+ima_template= template used
+ Format: { "ima" | "ima-ng" | "ima-sig" }
+ Linux 3.13 default: "ima-ng"
+
+ima_hash= hash used
+ Format: { "sha1" | "md5" | "sha256" | "sha512" | "wp512" | ... }
+  'ima' template default: "sha1"
+  Linux 3.13 default: "sha256"
+
+ ima_tcb  (deprecated)
+ If specified, enables the TCB policy, which meets the needs of the Trusted Computing Base. This means IMA will measure all programs exec'd, files mmap'd for exec, and all files opened for read by uid=0.
+
+### IMA Measurement List
+
+IMA-measurements maintains a runtime measurement list, which can be displayed as shown below.
+
+- mount securityfs as /sys/kernel/security
+
+    $ su -c 'mkdir /sys/kernel/security'
+    $ su -c 'mount -t securityfs securityfs /sys/kernel/security'
+
+Modify /etc/fstab to mount securityfs on boot.
+
+- display the runtime measurement list    (Only root is allowed access to securityfs files.)
+
+Example 1: 'ima-ng' template
+    $ su -c 'head -5 /sys/kernel/security/ima/ascii_runtime_measurements'
+
+    PCR     template-hash                           filedata-hash                           filename-hint
+    10 91f34b5c671d73504b274a919661cf80dab1e127 ima-ng sha1:1801e1be3e65ef1eaa5c16617bec8f1274eaf6b3 boot_aggregate
+    10 8b1683287f61f96e5448f40bdef6df32be86486a ima-ng sha256:efdd249edec97caf9328a4a01baa99b7d660d1afc2e118b69137081c9b689954 /init
+    10 ed893b1a0bc54ea5cd57014ca0a0f087ce71e4af ima-ng sha256:1fd312aa6e6417a4d8dcdb2693693c81892b3db1a6a449dec8e64e4736a6a524 /usr/lib64/ld-2.16.so
+    10 9051e8eb6a07a2b10298f4dc2342671854ca432b ima-ng sha256:3d3553312ab91bb95ae7a1620fedcc69793296bdae4e987abc5f8b121efd84b8 /etc/ld.so.cache
+
+PCR: default CONFIG_IMA_MEASURE_PCR_IDX is 10
+template-hash: sha1 hash(filedata-hash length, filedata-hash, pathname length, pathname)
+filedata-hash: sha256 hash(filedata)
+
+
+Example 2:  'ima-sig' template (same format as ima-ng, but with an appended signature when present)
+
+    PCR     template-hash                           filedata-hash                           filename-hint                         file-signature
+    10 f63c10947347c71ff205ebfde5971009af27b0ba ima-sig sha256:6c118980083bccd259f069c2b3c3f3a2f5302d17a685409786564f4cf05b3939 /usr/lib64/libgspell-1.so.1.0.0   0302046e6c10460100aa43a4b1136f45735669632ad ...
+    10 595eb9bf805874b459ce073af158378f274ea961 ima-sig sha256:8632769297867a80a9614caa98034d992441e723f0b383ca529faa306c640638 /usr/lib64/gedit/plugins/libmodelines.so 0302046e6c104601002394b70ab93 ...
+
+
+Example 3: *original* 'ima' template
+
+    PCR     template-hash                           filedata-hash                           filename-hint
+    10 7971593a7ad22a7cce5b234e4bc5d71b04696af4 ima b5a166c10d153b7cc3e5b4f1eab1f71672b7c524 boot_aggregate
+    10 2c7020ad8cab6b7419e4973171cb704bdbf52f77 ima e09e048c48301268ff38645f4c006137e42951d0 /init
+    10 ef7a0aff83dd46603ebd13d1d789445365adb3b3 ima 0f8b3432535d5eab912ad3ba744507e35e3617c1 /init
+    10 247dba6fc82b346803660382d1973c019243e59f ima 747acb096b906392a62734916e0bb39cef540931 ld-2.9.so
+    10 341de30a46fa55976b26e55e0e19ad22b5712dcb ima 326045fc3d74d8c8b23ac8ec0a4d03fdacd9618a ld.so.cache
+
+PCR: default CONFIG_IMA_MEASURE_PCR_IDX is 10
+template-hash: sha1 hash(filedata-hash, filename-hint)
+filedata-hash: sha1 hash(filedata)
+
+The first element in the runtime measurement list, shown above, is the boot_aggregate. The boot_aggregate is a SHA1 hash over tpm registers 0-7, assuming a TPM chip exists, and zeroes, if the TPM chip does not exist.
+
+- display the bios measurement list entries, used in calculating the boot aggregate
+
+    $ su -c 'head /sys/kernel/security/tpm0/ascii_bios_measurements'
+
+    0 f797cb88c4b07745a129f35ea01b47c6c309cda9 08 [S-CRTM Version]
+    0 dca68da0707a9a52b24db82def84f26fa463b44d 01 [POST CODE]
+    0 dd9efa31c88f467c3d21d3b28de4c53b8d55f3bc 01 [POST CODE]
+    0 dd261ca7511a7daf9e16cb572318e8e5fbd22963 01 [POST CODE]
+    0 df22cabc0e09aabf938bcb8ff76853dbcaae670d 01 [POST CODE]
+    0 a0d023a7f94efcdbc8bb95ab415d839bdfd73e9e 01 [POST CODE]
+    0 38dd128dc93ff91df1291a1c9008dcf251a0ef39 01 [POST CODE]
+    0 dd261ca7511a7daf9e16cb572318e8e5fbd22963 01 [POST CODE]
+    0 df22cabc0e09aabf938bcb8ff76853dbcaae670d 01 [POST CODE]
+    0 a0d023a7f94efcdbc8bb95ab415d839bdfd73e9e 01 [POST CODE]
+
+### Verifying IMA Measurements
+
+The IMA tests programs are part of the [Linux Test Project.](https://github.com/linux-test-project/ltp/wiki)
+
+- Download, compile, and install the standalone version of the IMA LTP test programs in /usr/local/bin.
+
+    $ wget -O ltp-ima-standalone-v2.tar.gz http://downloads.sf.net/project/linux-ima/linux-ima/ltp-ima-standalone-v2.tar.gz
+    $ tar -xvzf ltp-ima-standalone-v2.tar.gz
+    ima-tests/Makefile
+    ima-tests/README
+    ima-tests/ima_boot_aggregate.c
+    ima-tests/ima_measure.c
+    ima-tests/ima_mmap.c
+    ima-tests/ima_sigv2.c
+    ima-tests/ltp-tst-replacement.c
+    ima-tests/pkeys.c
+    ima-tests/rsa_oid.c
+    ima-tests/config.h
+    ima-tests/debug.h
+    ima-tests/hash_info.h
+    ima-tests/ima_sigv2.h
+    ima-tests/list.h
+    ima-tests/pkeys.h
+    ima-tests/rsa.h
+    ima-tests/test.h
+    $ cd ima-tests
+    $ make
+    $ su -c 'make install'
+
+- ima_boot_aggregate <tpm_bios file>
+
+Using the TPM's binary bios measurement list, re-calculate the boot aggregate.
+
+    $ su -c '/usr/local/bin/ima_boot_aggregate /sys/kernel/security/tpm0/binary_bios_measurements'
+    000 f797cb88c4b07745a129f35ea01b47c6c309cda9
+    000 dca68da0707a9a52b24db82def84f26fa463b44d
+    < snip >
+    005 6895eb784cdaf843eaad522e639f75d24d4c1ff5
+    PCR-00: 07274edf7147abda49200100fd668ce2c3a374d7
+    PCR-01: 48dff4fbf3a34d56a08dfc1504a3a9d707678ff7
+    PCR-02: 53de584dcef03f6a7dac1a240a835893896f218d
+    PCR-03: 3a3f780f11a4b49969fcaa80cd6e3957c33b2275
+    PCR-04: acb44e9dd4594d3f121df2848f572e4d891f0574
+    PCR-05: df72e880e68a2b52e6b6738bb4244b932e0f1c76
+    PCR-06: 585e579e48997fee8efd20830c6a841eb353c628
+    PCR-07: 3a3f780f11a4b49969fcaa80cd6e3957c33b2275
+    boot_aggregate:b5a166c10d153b7cc3e5b4f1eab1f71672b7c524
+
+and compare the value with the ascii_runtime_measurement list value.
+
+    $ su -c 'cat /sys/kernel/security/ima/ascii_runtime_measurements | grep boot_aggregate'
+    10 7971593a7ad22a7cce5b234e4bc5d71b04696af4 ima b5a166c10d153b7cc3e5b4f1eab1f71672b7c524 boot_aggregate
+
+<br>
+
+- ima_measure <binary_runtime_measurements> \[--validate\] \[--verify\] \[--verbose\]
+
+using the IMA binary measurement list, calculate the PCR aggregate value
+
+    $ su -c '/usr/local/bin/ima_measure /sys/kernel/security/ima/binary_runtime_measurements --validate'
+    PCRAggr (re-calculated): B4 D1 93 D8 FB 31 B4 DD 36 5D DA AD C1 51 AC 84 FA 88 78 1B
+
+and compare it against the PCR value
+
+    $ cat /sys/devices/pnp0/00:0a/pcrs | grep PCR-10
+    PCR-10: B4 D1 93 D8 FB 31 B4 DD 36 5D DA AD C1 51 AC 84 FA 88 78 1B
+
+### IMA re-measuring files
+
+Part of the TCG requirement is that all Trusted Computing Base (TCB) files be measured, and re-measured if the file has changed, before reading/executing the file. IMA detects file changes based on i_version. To re-measure a file after it has changed, the filesystem must support i_version and, if needed, be mounted with i_version (eg. ext3, ext4).  Not all filesystems require the explicit mount option.   With commit a2a2c3c8580a ("ima: Use i_version only when filesystem supports it") i_version is considered an optimization.  If i_version is not enabled, either because the local filesystem does not support it or the filesystem was not mounted with i_version, the file will now always be re-measured, whether or not the file changed, but only new measurements will be added to the measurement list.
+
+-   Attempt to mount a filesystem with i_version support.
+
+        $ su -c 'mount -o remount,rw,iversion /home'
+
+        mount: you must specify the filesystem type
+
+    Attempt to remount '/home' with i_version support, shown above, failed. Please install a version of the [util-linux-ng-2.15-rc1](http://www.kernel.org/pub/linux/utils/util-linux-ng/v2.15/ "http://www.kernel.org/pub/linux/utils/util-linux-ng/v2.15/") package or later.
+
+-   To automatically mount a filesystem with i_version support, update /etc/fstab.
+
+        UUID=blah  /home                   ext3    defaults,iversion
+
+-   Mount the root filesystem with i_version.
+    -   For systems with /etc/rc.sysinit, update the mount options
+        adding 'iversion':
+
+            # Remount the root filesystem read-write.
+            update_boot_stage RCmountfs
+            if remount_needed ; then
+              action $"Remounting root filesystem in read-write mode: " mount -n -o remount,rw,iversion /
+            fi
+
+    -   For systems using dracut, root 'mount' options can be specified on the boot
+        command line using 'rootflags'. Add 'rootflags=i_version'. Unlike 'mount',
+        which expects 'iversion', notice that on the boot command line 'i_version'
+        contains an underscore.
+
+### Linux-audit support
+
+As of [Linux-audit](http://people.redhat.com/sgrubb/audit/ "http://people.redhat.com/sgrubb/audit/") 2.0, support for integrity auditing messages is available.
+
+### Defining an LSM specific policy
+
+The ima_tcb default measurement policy in linux-2.6.30 measures all system sensitive files - executables, mmapped libraries, and files opened for read by root. These measurements, the measurement list and the aggregate integrity value, can be used to attest to a system's
+runtime integrity. Based on these measurements, a remote party can detect whether critical system files have been modified or if malicious software has been executed.
+
+Default policy
+
+    dont_measure fsmagic=PROC_SUPER_MAGIC
+    dont_measure fsmagic=SYSFS_MAGIC
+    dont_measure fsmagic=DEBUGFS_MAGIC
+    dont_measure fsmagic=TMPFS_MAGIC
+    dont_measure fsmagic=SECURITYFS_MAGIC
+    dont_measure fsmagic=SELINUX_MAGIC
+    measure func=BPRM_CHECK
+    measure func=FILE_MMAP mask=MAY_EXEC
+
+    < add LSM specific rules here >
+
+    measure func=PATH_CHECK mask=MAY_READ uid=0
+
+But not all files opened by root for read, are necessarily part of the Trusted Computing Base (TCB), and therefore do not need to be measured. Linux Security Modules (LSM) maintain file metadata, which can be leveraged to limit the number of files measured.
+
+Examples: adding LSM specific rules
+
+    SELinux:
+    dont_measure obj_type=var_log_t
+    dont_measure obj_type=auditd_log_t
+
+    Smack:
+    measure subj_user=_ func=INODE_PERM mask=MAY_READ
+
+To replace the default policy 'cat' the custom IMA measurement policy and redirect the output to "< securityfs >/ima/policy".  Both dracut and systemd have been modified to load the custom IMA policy.  If the IMA policy contains LSM labels, then the LSM policy must be loaded prior to the IMA policy. (eg. if systemd loads the SELinux policy, then systemd must also load the IMA policy.)
+
+systemd commit c8161158 adds support for loading a custom IMA measurement policy.  Simply place the custom IMA policy in /etc/ima/ima-policy.  systemd will automatically load the custom policy.
+
+dracut commit 0c71fb6 add initramfs support for loading the custom IMA measurement policy. Build and install dracut (git://git.kernel.org/pub/scm/boot/dracut/dracut.git), to load the custom IMA measurement policy(default: /etc/sysconfig/ima-policy).
+
+For more information on defining an LSM specific measurement/appraisal/audit policy, refer to the kernel Documentation/ABI/testing/ima_policy.
+
+
+## IMA-appraisal
+
+IMA currently maintains an integrity measurement list used for remote attestation. The IMA-appraisal extension adds local integrity validation and enforcement of the measurement against a "good" value stored as an extended attribute 'security.ima'. The initial method for validating 'security.ima' are hashed based, which provides file data integrity, and digital signature based, which in addition to providing file data integrity, provides authenticity.
+
+### Enabling IMA-appraisal
+
+IMA-appraisal was upstreamed in Linux 3.7.  For distros that enable IMA-appraisal by default in their kernels, appraising file measurements requires rebooting the kernel first with the boot command line parameters 'ima_appraise_tcb' and ima_appraise='fix' to [label the filesystem](#labeling-the-filesystem-with-securityima-extended-attributes). Once labeled, reboot with just the 'ima_appraise_tcb' boot command line parameter.
+
+Refer to [compiling the kernel](#compiling-the-kernel-with-evmima-appraisal-enabled) for directions on configuring and building a new kernel with IMA-appraisal support enabled.
+
+### Understanding the IMA-appraisal policy
+
+The IMA-appraisal policy extends the measurement policy ABI with two new keywords: appraise/dont_appraise. The default appraise policy appraises all files owned by root. Like the default measurement policy, the default appraisal policy does not appraise pseudo filesystem files (eg. debugfs, tmpfs, securityfs, or selinuxfs.)
+
+Additional rules can be added to the default IMA measurement/appraisal policy, which take advantage of the SELinux labels, for a more fine grained policy. Refer to Documentation/ABI/testing/ima_policy.
+
+### Labeling the filesystem with 'security.ima' extended attributes
+
+A new boot parameter 'ima_appraise=' has been defined in order to label existing file systems with the 'security.ima' extended attribute.
+
+-   ima_appraise= appraise integrity measurements\
+     Format: { "off" | "log" | "fix" } \
+
+
+off - is a runtime parameter that turns off integrity appraisal verification.
+enforce - verifies and enforces runtime file integrity. \[default\]
+fix - for non-digitally signed files, updates the 'security.ima' xattr to reflect the existing file hash.
+
+
+After building a kernel with IMA-appraisal enabled and verified that the filesystems are mounted with [i_version](#ima-re-measuring-files) support, to label the filesystem, reboot with the boot command line options 'ima_appraise_tcb' and 'ima_appraise=fix'. Opening a file owned by root, will cause the 'security.ima' extended attributes to be written. For example, to label the entire filesystem, execute:
+
+`find / \\( -fstype rootfs -o ext4 -type f \\) -uid 0 -exec head -n 1
+'{}' >/dev/null \\;`
+
+### Labeling 'immutable' files with digital signatures
+
+'Immutable' files, such as ELF executables, can be digitally signed, storing the digital signature in the 'security.ima' xattr. Creating the digital signature requires generating an RSA private/public key pair. The private key is used to sign the file, while the public key is used to verify the signature. For example, to digitally sign all kernel modules, replace <RSA private key>, below, with the pathname to your RSA private key, and execute:
+
+`find /lib/modules -name "\*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' <RSA private key> \;`
+
+evmctl manual page is here [evmctl.1.html](http://linux-ima.sourceforge.net/evmctl.1.html)
+
+### Running with IMA-appraisal
+
+Once the filesystem has been properly labeled, before rebooting, re-install the new labeled kernel.  Modify the [initramfs](#building-an-initramfs-to-load-keys) to load the RSA public key on the IMA keyring, using evmctl. Reboot with the 'ima_appraise_tcb' and, possibly, the 'rootflags=i_version' options.
+
+## Extending trusted and secure boot to the OS
+
+( Place holder )
+
+### Including file signatures in the measurement list
+
+The 'ima-sig' template, in addition to the file data hash and the full pathname, includes the file signature, as stored in the 'security.ima' extended attribute.
+
+    10 d27747646f317e3ca1205287d0615073fe676bc6 ima-sig sha1:08f8f20c14e89da468bb238
+    d2012c9458ae67f6a /usr/bin/mkdir 030202afab451100802b22e3ed9f6a70fb5babf030d1181
+    8152b493bd6bfd916005fad7fdcfd7f88d43f6cffaf6fd1ea3b75032dd702b661d4717729e4a3fa4
+    ee95a47f239955491fc8064eca8cb96302d305d59750ae4ffde0a5f615f910475eee72ae0306e4ae
+    0269d7d04af2a485898eec3286795d621e83b7dedc99f5019b7ee49b189f3ded0a2
+
+    # getfattr -m ^security --dump -e hex /usr/bin/mkdir
+    # file: usr/bin/mkdir
+    security.evm=0x0238b0cdd9e97d5bed3bcde5a4793ef8da6fe7c7cc
+    security.ima=0x030202afab451100802b22e3ed9f6a70fb5babf030d11818152b493bd6bfd916005fad
+    7fdcfd7f88d43f6cffaf6fd1ea3b75032dd702b661d4717729e4a3fa4ee95a47f239955491fc8064eca8cb
+    96302d305d59750ae4ffde0a5f615f910475eee72ae0306e4ae0269d7d04af2a485898eec3286795d621e8
+    3b7dedc99f5019b7ee49b189f3ded0a2
+
+
+### Signing IMA-appraisal keys
+
+( Place holder )
+
+## IMA-audit
+
+IMA-audit includes file hashes in the audit log, which can be used to augment existing system security analytics/forensics. IMA-audit extends the IMA policy ABI with the policy action keyword - "audit".
+
+Example policy to audit  executable file hashes
+
+    audit func=BPRM_CHECK
+
+
+
+## Linux Extended Verification Module (EVM)
+
+EVM detects offline tampering of the security extended attributes (e.g. security.selinux, security.SMACK64, security.ima), which is the basis for LSM permission decisions and, with the IMA-appraisal extension, integrity appraisal decisions. EVM provides a framework, and two methods for detecting offline tampering of the security extended attributes. The initial method maintains an HMAC-sha1 across a set of security extended attributes, storing the HMAC as the extended attribute 'security.evm'. The other method is based on a digital signature of the security extended attributes hash. To verify the integrity of an extended attribute, EVM exports evm_verifyxattr(), which re-calculates either the HMAC or the hash, and compares it with the version stored in 'security.evm'.
+
+### Enabling EVM
+
+EVM was upstreamed in Linux 3.2. EVM-digital-signatures is currently in the Linux 3.3 release candidate.
+
+Refer to [compiling the kernel](#compiling-the-kernel-with-evmima-appraisal-enabled), for directions on configuring and building a new kernel with EVM support.
+
+### Running EVM
+
+EVM is configured automatically to protect standard “security” extended attributes:
+
+-   security.ima (IMA's stored “good” hash for the file)
+-   security.selinux (the selinux label/context on the file)
+-   security.SMACK64 (Smack's label on the file)
+-   security.capability (Capability's label on executables)
+
+EVM protects the configured extended attributes with an HMAC across their data, keyed with an EVM key provided at boot time. EVM looks for this key named 'evm-key' on root's key ring. Refer to [trusted and EVM encrypted keys](#creating-trusted-and-evm-encrypted-keys), for directions on creating EVM keys. Once loaded, EVM can be activated by writing a '1' to the evm securityfs file: `**echo "1" >/sys/kernel/security/evm**`
+
+Before EVM is activated, any requested integrity appraisals are unknown, so the EVM startup should be done early in the boot process, preferably entirely within the kernel and initramfs (which are measured by trusted grub) and before any reference to the real root filesystem. To build an initramfs with EVM enabled, build and install dracut (git://git.kernel.org/pub/scm/boot/dracut/dracut.git), which contains the trusted and EVM dracut modules.
+
+### Labeling the filesystem with 'security.evm'
+
+A new boot parameter 'evm=fix' has been defined in order to label existing file systems with the 'security.evm' extended attribute.
+
+After building a kernel with EVM, IMA-appraisal, and trusted and encrypted keys enabled, installed the trusted and EVM dracut modules, created the EVM key, and verified that the filesystems are mounted, including root, with [i_version](#ima-re-measuring-files) support, to label the filesystem, reboot with the command line options 'ima_tcb', 'ima_appraise_tcb', 'ima_appraise=fix', 'evm=fix' and, possibly, 'rootflags=i_version'.
+
+Once EVM is started, as existing file metadata changes or as new files are created, EVM assumes that the LSM has approved such changes, and automatically updates the HMACs accordingly, assuming the existing value is valid. In fix mode, opening a file owned by root, will fix the 'security.ima' extended attribute, causing the 'security.evm' extended attribute to be written as well, regardless if the existing security 'ima' or 'evm' extended attributes are valid. To label the entire filesystem, execute:
+
+`find / -fstype ext4 -type f -uid 0 -exec head -n 1 '{}' >/dev/null \;`
+
+The following sign_file script can be used to label all 'ELF' files with EVM and IMA digital signatures, and all other files with just an EVM digital signature.
+
+sign_file:
+
+    #!/bin/sh
+    #label "immutable" files with EVM/IMA digital signatures
+    #label everything else with just EVM digital signatures
+
+    file $1 | grep 'ELF' > /dev/null
+    if [ $? -eq 0 ]; then
+         evmctl sign --imasig $1 /home/zohar/privkey_evm.pem
+    else
+         evmctl sign --imahash $1 /home/zohar/privkey_evm.pem
+    fi
+
+Instead of opening the file using head, digitally sign the files:
+
+`find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) -type f -exec sign_file.sh {} \;`
+
+
+Once the filesystem has been properly labeled, before rebooting, re-install the new labeled kernel. Modify the initramfs to load the RSA public keys on the EVM and IMA keyring. Reboot with just the 'ima_tcb', 'ima_appraise_tcb' and, possibly, 'rootflags=i_version' options.
+
+## Compiling the kernel with EVM/IMA-appraisal enabled
+
+For those unfamiliar with building a linux kernel, here is a short list of existing websites.
+
+-   [http://kernelnewbies.org/KernelBuild](http://kernelnewbies.org/KernelBuild "http://kernelnewbies.org/KernelBuild")
+-   [http://fedoraproject.org/wiki/BuildingUpstreamKernel](http://fedoraproject.org/wiki/BuildingUpstreamKernel "http://fedoraproject.org/wiki/BuildingUpstreamKernel")
+-   [https://wiki.ubuntu.com/KernelTeam/GitKernelBuild](https://wiki.ubuntu.com/KernelTeam/GitKernelBuild "https://wiki.ubuntu.com/KernelTeam/GitKernelBuild")
+
+###  Configuring the kernel
+
+Depending on the distro, some of these options might already be enabled, but not necessarily as builtin.  For distros with recent kernels, download the distro's kernel source and recompile the kernel with the additional .config options, below.  (Refer to the distro's documentation for building and installing the kernel from source.)
+
+For IMA, enable the following .config options:
+
+    CONFIG_INTEGRITY=y
+    CONFIG_IMA=y
+    CONFIG_IMA_MEASURE_PCR_IDX=10
+    CONFIG_IMA_AUDIT=y
+    CONFIG_IMA_LSM_RULES=y
+
+For IMA-appraisal, enable the following .config options:
+
+    CONFIG_INTEGRITY_SIGNATURE=y
+    CONFIG_INTEGRITY=y
+    CONFIG_IMA_APPRAISE=y
+
+EVM has a dependency on encrypted keys, which should be encrypted/decrypted using a trusted key. For those systems without a TPM, the EVM key could be encrypted/decrypted with a user-defined key instead.  For EVM, enable the following .config options:
+
+    CONFIG_TCG_TPM=y
+
+    CONFIG_KEYS=y
+    CONFIG_TRUSTED_KEYS=y
+    CONFIG_ENCRYPTED_KEYS=y
+
+    CONFIG_INTEGRITY_SIGNATURE=y
+    CONFIG_INTEGRITY=y
+    CONFIG_EVM=y
+
+For the new 'ima-ng'/'ima-sig' template support(linux 3.13), clone the stable tree.
+
+    $ cd ~/src/kernel
+    $ git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
+
+    $ cd linux-stable
+    $ git remote update
+    $ git checkout --track -b linux-3.13.y origin/linux-3.13.y
+
+and enable these additional .config options:
+
+    CONFIG_IMA_NG_TEMPLATE=y
+    CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+    CONFIG_IMA_DEFAULT_HASH_SHA256=y
+
+
+###  Installing the new kernel
+
+If enabling EVM, before installing the new kernel, follow the directions for creating the EVM encrypted key (#creating_trusted_and_evm_encrypted keys) and EVM/IMA public keys (#creating_and_loading_the_evm_and_ima_publicprivate_keypairs).
+
+Install the kernel as normal.
+
+    $ su -c "make modules_install install"
+
+## Creating trusted and EVM encrypted keys
+
+Trusted and encrypted keys are two new key types (upstreamed in 2.6.38) added to the existing kernel key ring service. Both of these new types are variable length symmetic keys and, in both cases, are created in the kernel. User space sees, stores, and loads only encrypted blobs. Trusted Keys require the availability of a Trusted Platform Module (TPM) chip for greater security, while encrypted keys can be used on any system. All user level blobs, are displayed and loaded in hex ascii for convenience, and are integrity verified.
+
+Depending on the distro, trusted and encrypted keys might not be enabled. Refer to [compiling the kernel](#compiling-the-kernel-with-evmima-appraisal_enabled), for directions on configuring and building a new kernel with trusted and encrypted key support.
+
+The trusted and EVM dracut modules, by default, looks for the trusted and EVM encrypted keys in /etc/keys. To create and save the kernel master and EVM keys,
+
+    $ su -c 'mkdir -p /etc/keys'
+
+    # To create and save the kernel master key (trusted type):
+    $ su -c 'modprobe trusted encrypted'
+    $ su -c 'keyctl add trusted kmk-trusted "new 32" @u'
+    $ su -c 'keyctl pipe `keyctl search @u trusted kmk-trusted` >/etc/keys/kmk-trusted.blob'
+
+    # Create the EVM encrypted key
+    $ su -c 'keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u'
+    $ su -c 'keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-trusted.blob'
+
+For those systems which don't have a TPM, but want to experiment with EVM, create a user key of 32 random bytes, and an EVM user encrypted key. Unlike trusted/encrypted keys, user type key data is visible to userspace.
+
+    $ su -c 'mkdir -p /etc/keys'
+
+    # To create and save the kernel master key (user type):
+    $ su -c 'modprobe trusted encrypted'
+    $ su -c 'keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u'
+    $ su -c 'keyctl pipe `keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob'
+
+    # Create the EVM encrypted key
+    $ su -c 'keyctl add encrypted evm-key "new user:kmk-user 32" @u'
+    $ su -c 'keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-user.blob'
+
+Update /etc/sysconfig/masterkey to reflect using a 'user-defined' master key type.
+
+    MULTIKERNELMODE="NO"
+    MASTERKEYTYPE="user"
+    MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}.blob"
+
+Similarly update /etc/sysconfig/evm or on the boot command line specify the EVM key filename (eg. 'evmkey=/etc/keys/evm-user.blob'.)
+<br>
+## Creating and loading the EVM and IMA public/private keypairs
+### Digital Signatures: generating an RSA public/private key pair
+
+    # generate unencrypted private key
+    openssl genrsa -out privkey_evm.pem 1024
+
+    # or generate encrypted (password protected) private key
+    openssl genrsa -des3 -out privkey_evm.pem 1024
+
+    # or convert unencrypted key to encrypted on
+    openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
+    or
+    openssl pkcs8 -topk8 -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem
+
+    openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+
+### ima-evm-utils: installing the package from source
+
+ima-evem-utils is used to sign files, using the private key, and to load the public keys on the ima/evm keyrings.  ima-evm-utils can be cloned from git repo with the following command:
+
+    git clone git://linux-ima.git.sourceforge.net/gitroot/linux-ima/ima-evm-utils.git
+    cd ima-evm-utils
+    ./autogen.sh
+    ./configure
+    make
+    sudo make install
+
+evmctl manual page is here [evmctl.1.html](http://linux-ima.sourceforge.net/evmctl.1.html)
+
+### IMA/EVM keyrings: loading the public keys
+
+    ima_id=`keyctl newring _ima @u`
+    evmctl import /etc/keys/pubkey_ima.pem $ima_id
+
+    evm_id=`keyctl newring _evm @u`
+    evmctl import /etc/keys/pubkey_evm.pem $evm_id
+
+## Building an initramfs to load keys
+
+Modify the initramfs to load the EVM encrypted key and the EVM/IMA public keys on their respective keyrings.
+
+### dracut
+
+Dracut commits 0c71fb6 and e1ed2a2 add support for loading the masterkey and the EVM encrypted key, not the EVM/IMA public keys (todo).
+
+    0c71fb6 dracut: added new module integrityy
+    e1ed2a2 dracut: added new module masterkey
+
+Clone dracut (git://git.kernel.org/pub/scm/boot/dracut/dracut.git). By default, the masterkey and integrity modules are not enabled in the dracut git tree.  Edit module-setup in both directories, changing the check() return value to 0.  'make' and 'install' dracut.
+
+Create an initramfs:
+
+    # dracut -H -f /boot/initramfs-<kernel> <kernel> -M
+
+And add a grub2 menu entry:
+
+    # grub2-mkconfig -o /boot/grub2/grub.cfg
+
+
+### initramfs-tools
+
+To enable IMA/EVM in initramfs-tools it is necessary to add just 2 files to /etc/initramfs-tools directory.
+
+/etc/initramfs-tools/hooks/ima.sh:
+
+    #!/bin/sh
+
+    echo "Adding IMA binaries"
+
+    . /usr/share/initramfs-tools/hook-functions
+
+    copy_exec /etc/keys/evm-key
+    copy_exec /etc/keys/pubkey_evm.pem
+    copy_exec /etc/ima_policy
+    copy_exec /bin/keyctl
+    copy_exec /usr/bin/evmctl /bin/evmctl
+
+/etc/initramfs-tools/scripts/local-top/ima.sh:
+
+    #!/bin/sh -e
+
+    PREREQ=""
+
+    # Output pre-requisites
+    prereqs()
+    {
+            echo "$PREREQ"
+    }
+
+    case "$1" in
+        prereqs)
+            prereqs
+            exit 0
+            ;;
+    esac
+
+    grep -q "ima=off" /proc/cmdline && exit 1
+
+    mount -n -t securityfs securityfs /sys/kernel/security
+
+    IMA_POLICY=/sys/kernel/security/ima/policy
+    LSM_POLICY=/etc/ima_policy
+
+    grep -v "^#" $LSM_POLICY >$IMA_POLICY
+
+    # import EVM HMAC key
+    keyctl show |grep -q kmk || keyctl add user kmk "testing123" @u
+    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
+    #keyctl revoke kmk
+
+    # import Module public key
+    mod_id=`keyctl newring _module @u`
+    evmctl import /etc/keys/pubkey_evm.pem $mod_id
+
+    # import IMA public key
+    ima_id=`keyctl newring _ima @u`
+    evmctl import /etc/keys/pubkey_evm.pem $ima_id
+
+    # import EVM public key
+    evm_id=`keyctl newring _evm @u`
+    evmctl import /etc/keys/pubkey_evm.pem $evm_id
+
+    # enable EVM
+    echo "1" > /sys/kernel/security/evm
+
+    # enable module checking
+    #echo "1" > /sys/kernel/security/module_check
+
+
+generate new initramfs:
+
+    update-initramfs -k 3.4.0-rc5-kds+ -u
+
+Edit GRUB bootloader /boot/grub/custom.cfg:
+
+    menuentry 'IMA' {
+        set gfxpayload=$linux_gfx_mode
+        insmod gzio
+        insmod part_msdos
+        insmod ext2
+        set root='(hd0,msdos1)'
+        # add following string to kernel command line to enable "fix" mode: "ima_appraise=fix evm=fix"
+        linux   /boot/vmlinuz-3.4.0-rc5-kds+ root=/dev/sda1 ro nosplash ima_audit=1 ima_tcb=1 ima_appraise_tcb=1
+        initrd  /boot/initrd.img-3.4.0-rc5-kds+
+    }
+
+## IMA policy examples
+### Builtin policys
+
+**Enabled on the boot command line:**
+
+*ima_tcb* - measures all files read as root and all files executed
+*ima_appraise_tcb* - appraises all files owned by root
+
+### audit log all executables
+
+    # audit log all executables
+    audit func=BPRM_CHECK mask=MAY_EXEC
+
+### Measure nothing, appraise everything
+
+    #
+    # Integrity measure policy
+    #
+    # Do not measure anything, but appraise everything
+    #
+    # PROC_SUPER_MAGIC
+    dont_appraise fsmagic=0x9fa0
+    # SYSFS_MAGIC
+    dont_appraise fsmagic=0x62656572
+    # DEBUGFS_MAGIC
+    dont_appraise fsmagic=0x64626720
+    # TMPFS_MAGIC
+    dont_appraise fsmagic=0x01021994
+    # RAMFS_MAGIC
+    dont_appraise fsmagic=0x858458f6
+    # DEVPTS_SUPER_MAGIC
+    dont_appraise fsmagic=0x1cd1
+    # BIFMT
+    dont_appraise fsmagic=0x42494e4d
+    # SECURITYFS_MAGIC
+    dont_appraise fsmagic=0x73636673
+    # SELINUXFS_MAGIC
+    dont_appraise fsmagic=0xf97cff8c
+    appraise
+
+
+## ima-evm-utils
+
+ima-evm-utils package provides the *evmctl* utility that can be used for producing and verifying digital signatures, which are used by Linux kernel integrity subsystem. It can be also used to import keys into the kernel keyring.
+
+evmctl manual page is located here: [http://linux-ima.sourceforge.net/evmctl.1.html](http://linux-ima.sourceforge.net/evmctl.1.html)
+
+
+<br>
+
+## Using IMA/EVM on Android
+
+Enabling IMA/EVM is not very difficult task but involves few tricky steps related to file system creation and labeling.
+
+Android source code is kept in GIT repositories and usually downloaded using 'repo' tool.
+
+IMA/EVM support was implemented using Android 5.0.2 source tree and tested on Huawei P8.
+
+Set of patches is located [here](https://sourceforge.net/projects/linux-ima/files/Android%20patches/).
+
+### Kernel configuration
+
+Kernel source code is usually located in the 'kernel' folder in the root of the Android source tree.
+Huawei P8 runs on HiSilicon Kirin 930/935 64 bit ARM CPU.
+
+Default kernel configuration file is 'kernel/arch/arm64/configs/hisi_3635_defconfig'
+
+Following lines were added:
+
+	# Integrity
+	CONFIG_INTEGRITY=y
+	CONFIG_IMA=y
+	CONFIG_IMA_MEASURE_PCR_IDX=10
+	CONFIG_IMA_AUDIT=y
+	CONFIG_IMA_LSM_RULES=y
+	CONFIG_INTEGRITY_SIGNATURE=y
+	CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+	CONFIG_IMA_APPRAISE=y
+	CONFIG_EVM=y
+
+	# Keys
+	CONFIG_KEYS=y
+	CONFIG_KEYS_DEBUG_PROC_KEYS=y
+	CONFIG_TRUSTED_KEYS=y
+	CONFIG_ENCRYPTED_KEYS=y
+
+
+
+### Kernel command line parameters
+
+Kernel command line parameters are usually specified in board configuration files, such as BoardConfig.mk, for example, 'device/hisi/hi3635/BoardConfig.mk
+
+Add following lines to the file:
+
+	BOARD_KERNEL_CMDLINE += ima_audit=1
+	BOARD_KERNEL_CMDLINE += ima_tcb ima_appraise_tcb
+	# enable fix mode while testing
+	BOARD_KERNEL_CMDLINE += ima_appraise=fix evm=fix
+
+
+### IMA boot initialization
+
+To boot Android, devices usually have boot partition which is flashed with boot.img.
+boot.img consist of the kernel and compressed ramdisk which includes Android root filesystem.
+boot.img is usually protected using digital signature which is verified by the Android bootloader as a part of Secure Boot process.
+
+Root filesystem contains Android 'init' system and minimal set of tools, which is required to initialize and mount rest of filesystems, including '/system' and '/data'.
+
+Android uses own 'init' system (system/core/init) which reads configuration from '/init.rc' and multiple sourced '/init.*.rc' scripts located in the root folder.
+
+We used to use shell scripts to load IMA/EVM keys and policy. On desktop systems there is no limitation on ramdisk size, but on Android devices it is limited by the size of the boot partition. Android ramdisk/root filesystem does not include shell, but including adding shell, keyctl, evmctl makes ramdisk so big so that boot.img does not fit to the boot partition.
+
+For that reason it was necessary to implement IMA/EVM initialization functionality as native program 'ima-init'.
+
+This patch ([0004-ima_init-tool-to-load-IMA-EVM-keys-and-policy.patch](http://sourceforge.net/projects/linux-ima/files/Android%20patches/0004-ima_init-tool-to-load-IMA-EVM-keys-and-policy.patch/view)) adds 'system/extras/ima-init' project to the Android source tree. It builds '/ima-init' initialization program and generates private and public keys to sign filesystem image usign EVM signatures and verify them during runtime.
+
+ima-init project also includes 'ima_key_gen.sh' script to generate keys and certificates and also basic 'ima_policy', which needs to be changed based on the particular need.
+
+ima-init and public keys are included in the ramdisk root filesystem.
+
+In order to initialize IMA/EVM it is necessary add like following configuration to relevant init.rc file:
+
+	service ima /sbin/ima_init
+	    class main
+	    user root
+	    group root
+	    disabled
+	    seclabel u:r:init:s0
+	    oneshot
+
+Above example add 'ima' service which is used to initialize IMA.
+
+IMA service needs to be started using 'start ima' before mounting any real filesystem. For example it was added to the 'on fs' target before mounting 'system' partition.
+
+	on fs
+	    mount securityfs none /sys/kernel/security
+	    start ima
+
+	    wait /dev/block/mmcblk0p38
+	    mount ext4 /dev/block/mmcblk0p38 /system ro
+
+	    wait /dev/block/mmcblk0p40
+	    mount ext4 /dev/block/mmcblk0p40 /data nosuid nodev noatime data=ordered,i_version
+
+
+### Mounting filesystems (with iversion)
+
+In order IMA would update 'security.ima' when file changes, it is necessary to mount filesystems with i_version support. Android usually mounts all filesystems in init.rc scripts using 'mount' command. Notice in the example above that '/data' partition is mounted using 'i_version' options.
+
+Desktop mount tool from mount package recognizes iversion option and pass necessary flag to mount system call. Unrecognized options are passed as a string in the last argument of the mount system call to the kernel filesystem module. Kernel filesystem modules recognize 'i_version' option instead of 'iversion'. Thus on the desktop systems it is possible to use both iversion and i_version options.
+
+Android tools do not recognize 'iversion' option. It is necessary to use 'i_version' option.
+
+init.rc 'mount' command options are located after the mount point. All except last are 'init' builtin options and *only* the last option is passed as a string to the mount system call. Thus it is necessary to put 'i_version' option as a last option or to add it to the comma separated option list as above.
+
+
+### Filesystem labeling
+
+Filesystem labeling with digital signatures has to be done during image creation process. It can be done using two approaches.
+
+The easiest approach is to label ready image. It requires following steps:
+
+1. convert sparse image to normal image using simg2img tool
+1. 'loop mount' the image
+1. label filesystem using evmctl tool
+1. unmount image
+1. convert image back to sparse image using img2simg tool
+
+But mount operation would require root privileges to mount filesystem.
+
+Android 'make_ext4fs' tool is used to create filesystem image. It provides support for labeling filesystem using 'security labels' (SELinux). We extended make_ext4fs to compute and set IMA/EVM signatures while creating a filesystem. It uses extended version of 'evmctl' to compute signatures by passing all relevant file metadata using evmctl command line parameters.
+
+Here is a patch that adds IMA/EVM support to the make_ext4fs ([0003-IMA-EVM-labelling-support.patch](http://sourceforge.net/projects/linux-ima/files/Android%20patches/0003-IMA-EVM-labelling-support.patch/view)).
+
+
+### Additional tools
+
+It is convenient for testing and debugging to have additional tools such as keyctl and getfattr tools on the device.
+
+#### evmctl
+
+For Android, 'evmct' is a host only tool to compute IMA/EVM signatures and convert RSA keys to the kernel binary format.
+
+'evmctl' was extended to pass file metadata using command line parameters:
+
+      --ino          use custom inode for EVM
+      --uid          use custom UID for EVM
+      --gid          use custom GID for EVM
+      --mode         use custom Mode for EVM
+      --generation   use custom Generation for EVM(unspecified: from FS, empty: use 0)
+      --ima          use custom IMA signature for EVM
+      --selinux      use custom Selinux label for EVM
+      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)
+
+
+#### keyctl
+
+This patch ([0002-keyctl-tool.patch](http://sourceforge.net/projects/linux-ima/files/Android%20patches/0002-keyctl-tool.patch/view)) adds project system/extras/keyctl.
+
+#### getfattr
+
+This patch ([0001-getfattr-tool.patch](http://sourceforge.net/projects/linux-ima/files/Android%20patches/0001-getfattr-tool.patch/view)) adds project system/extras/getfattr.
+
+<br>
+
+## Frequently asked questions
+
+-   Why is the first entry in the IMA measurement list (/sys/kernel/security ima/ascii_runtime_measurements) are 0's?
+
+    The first entry is the TPM boot aggregate containing PCR values 0 -
+    7. Enable the TPM in BIOS and take ownership.
+
+-   How do I take ownership of the TPM?
+
+    To take ownership of the TPM, download the tpm-tools, start tcsd (eg. 'service tcsd start'), and execute "tpm_takeownership -u -z". This will set the SRK key to the well-known secret(20 zeroes) and prompt for the TPM owner password.
+
+-   Why are there 0x00 entries in the measurement list?
+
+    The measurement list is invalidated, when a regular file is opened for read and, at the same time, opened for write. In the majority of cases, these files should not have been measured in the first place (eg. log files). In other cases, the application needs to be fixed.
+
+-   Why aren't files re-measured and added to the IMA measurement list
+    after being updated?
+
+    To detect files changing, the filesystem needs to be mounted with i_version support. For the root filesystem, either update /etc/rc.sysinit or add 'rootflags=i_version' boot command line option. For all other filesystems, modify /etc/fstab.
+
+-   Why doesn't the measurement list verify?
+
+    On some systems, after a suspend/resume, the TPM measurement list does not verify. On those systems, add the boot command line option "tpm.suspend_pcr=< unused PCR >".
+
+-   Why are there two /init entries in the measurement list?
+
+    The first '/init' is from the initramfs. The second /init is from the root filesystem (eg. /sbin/init). The IMA ng/nglong template patches will provide additional metadata to help correlate measurement entries and files.
+
+-   Why am I unable to boot the new EVM/IMA-appraisal enabled kernel?
+
+    After building a new kernel with EVM/IMA-appraisal enabled, the filesystem must be labeled with 'security.evm' and 'security.ima' extended attributes. After creating an [EVM
+    key](#creating_trusted_and_evm_encrypted_keys), boot the new kernel with the 'ima_tcb', 'evm=fix', 'ima_appraise_tcb', 'ima_appraise=fix', and, possibly, 'rootflags=i_version' boot
+    command line options. Refer to [labeling the filesystem](#labeling-the-filesystem-with-securityima-extended-attributes) with 'security.evm'.
+
+-   How do I enable the measurement policy for local/remote attestation, without enabling IMA-appraisal?
+
+    Boot with the 'ima_tcb' command line option.
+
+-   How do I enable the appraise policy, without the measurement policy?
+
+    Boot with the 'ima_appraise_tcb' command line option.
+
+## Links
+
+-   IMA/EVM utils man page:
+    [http://linux-ima.sourceforge.net/evmctl.1.html](http://linux-ima.sourceforge.net/evmctl.1.html)
+-   Linux IMA project page:
+    [https://sourceforge.net/projects/linux-ima/](https://sourceforge.net/projects/linux-ima/ "https://sourceforge.net/projects/linux-ima/")
+-   Old web site:
+    [http://linux-ima.sourceforge.net/](http://linux-ima.sourceforge.net/ "http://linux-ima.sourceforge.net/")
+-   GIT repositories:
+    [https://sourceforge.net/p/linux-ima/ima-evm-utils](https://sourceforge.net/p/linux-ima/ima-evm-utils/)
+
+[Old](/apps/mediawiki/linux-ima/index.php?title=Main_Page_OLD "Old")
+
+Converted from http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page_OLD
+
+[[project_screenshots]]
+[[project_admins]]
+[[download_button]]

kernel-configs/base

@@ -0,0 +1,213 @@
+CONFIG_LOCALVERSION="-dont-use"
+CONFIG_WATCH_QUEUE=y
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_HZ_PERIODIC=y
+CONFIG_LOG_BUF_SHIFT=17
+CONFIG_USER_NS=y
+CONFIG_PID_NS=y
+CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
+CONFIG_KALLSYMS_ALL=y
+CONFIG_SYSTEM_DATA_VERIFICATION=y
+CONFIG_TRACEPOINTS=y
+CONFIG_CON_CHAN="xterm"
+CONFIG_SSL_CHAN="pty"
+CONFIG_MODULE_SIG_FORMAT=y
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_SHA1=y
+CONFIG_MODULE_SIG_HASH="sha1"
+CONFIG_MODULES_TREE_LOOKUP=y
+CONFIG_BLK_DEBUG_FS=y
+CONFIG_ASN1=y
+CONFIG_UNINLINE_SPIN_UNLOCK=y
+CONFIG_SLUB=y
+CONFIG_COMPACTION=y
+CONFIG_COMPACT_UNEVICTABLE_DEFAULT=1
+CONFIG_MIGRATION=y
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_LEGACY_PTY_COUNT=256
+CONFIG_NULL_TTY=y
+CONFIG_SERIAL_DEV_BUS=y
+CONFIG_SERIAL_DEV_CTRL_TTYPORT=y
+CONFIG_VALIDATE_FS_PARSER=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_EXT4_DEBUG=y
+CONFIG_REISERFS_FS_XATTR=y
+CONFIG_REISERFS_FS_POSIX_ACL=y
+CONFIG_REISERFS_FS_SECURITY=y
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FS_VERITY=y
+CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_TMPFS_XATTR=y
+CONFIG_CONFIGFS_FS=y
+CONFIG_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_PATH=y
+CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_SKCIPHER=y
+CONFIG_CRYPTO_SKCIPHER2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_RNG_DEFAULT=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_AKCIPHER=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_ACOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_RSA=y
+CONFIG_CRYPTO_ECC=y
+CONFIG_CRYPTO_ECDSA=y
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_SHA1=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_WP512=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_ZSTD=y
+CONFIG_CRYPTO_DRBG_MENU=y
+CONFIG_CRYPTO_DRBG_HMAC=y
+CONFIG_CRYPTO_DRBG=y
+CONFIG_CRYPTO_JITTERENTROPY=y
+CONFIG_CRYPTO_HASH_INFO=y
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
+CONFIG_PKCS7_MESSAGE_PARSER=y
+CONFIG_PKCS7_TEST_KEY=y
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
+CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
+CONFIG_SYSTEM_REVOCATION_LIST=y
+CONFIG_SYSTEM_REVOCATION_KEYS=""
+CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE=y
+CONFIG_BINARY_PRINTF=y
+CONFIG_CRYPTO_LIB_AES=y
+CONFIG_CRYPTO_LIB_SHA256=y
+CONFIG_CRC_CCITT=y
+CONFIG_XXHASH=y
+CONFIG_AUDIT_GENERIC=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_ZSTD_COMMON=y
+CONFIG_ZSTD_COMPRESS=y
+CONFIG_ZSTD_DECOMPRESS=y
+CONFIG_ASSOCIATIVE_ARRAY=y
+CONFIG_SGL_ALLOC=y
+CONFIG_GLOB=y
+CONFIG_CLZ_TAB=y
+CONFIG_MPILIB=y
+CONFIG_SIGNATURE=y
+CONFIG_OID_REGISTRY=y
+CONFIG_STACKDEPOT=y
+CONFIG_STACKDEPOT_ALWAYS_INIT=y
+CONFIG_PRINTK_TIME=y
+CONFIG_PRINTK_CALLER=y
+CONFIG_DYNAMIC_DEBUG=y
+CONFIG_DYNAMIC_DEBUG_CORE=y
+CONFIG_DEBUG_INFO_DWARF5=y
+CONFIG_GDB_SCRIPTS=y
+CONFIG_FRAME_WARN=2048
+CONFIG_READABLE_ASM=y
+CONFIG_DEBUG_SECTION_MISMATCH=y
+CONFIG_DEBUG_FS=y
+CONFIG_DEBUG_FS_ALLOW_ALL=y
+CONFIG_UBSAN=y
+CONFIG_CC_HAS_UBSAN_BOUNDS=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_ONLY_BOUNDS=y
+CONFIG_UBSAN_SHIFT=y
+CONFIG_UBSAN_DIV_ZERO=y
+CONFIG_UBSAN_BOOL=y
+CONFIG_UBSAN_ENUM=y
+CONFIG_UBSAN_ALIGNMENT=y
+CONFIG_PAGE_EXTENSION=y
+CONFIG_DEBUG_PAGEALLOC=y
+CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y
+CONFIG_SLUB_DEBUG=y
+CONFIG_SLUB_DEBUG_ON=y
+CONFIG_PAGE_OWNER=y
+CONFIG_PAGE_POISONING=y
+CONFIG_DEBUG_OBJECTS=y
+CONFIG_DEBUG_OBJECTS_FREE=y
+CONFIG_DEBUG_OBJECTS_TIMERS=y
+CONFIG_DEBUG_OBJECTS_WORK=y
+CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
+CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
+CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
+CONFIG_DEBUG_KMEMLEAK=y
+CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE=16000
+CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y
+CONFIG_DEBUG_STACK_USAGE=y
+CONFIG_SCHED_STACK_END_CHECK=y
+CONFIG_DEBUG_SHIRQ=y
+CONFIG_PANIC_ON_OOPS=y
+CONFIG_PANIC_ON_OOPS_VALUE=1
+CONFIG_LOCKUP_DETECTOR=y
+CONFIG_SOFTLOCKUP_DETECTOR=y
+CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
+CONFIG_WQ_WATCHDOG=y
+CONFIG_DEBUG_TIMEKEEPING=y
+CONFIG_PROVE_LOCKING=y
+CONFIG_PROVE_RAW_LOCK_NESTING=y
+CONFIG_LOCK_STAT=y
+CONFIG_DEBUG_RT_MUTEXES=y
+CONFIG_DEBUG_SPINLOCK=y
+CONFIG_DEBUG_MUTEXES=y
+CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
+CONFIG_DEBUG_RWSEMS=y
+CONFIG_DEBUG_LOCK_ALLOC=y
+CONFIG_LOCKDEP=y
+CONFIG_LOCKDEP_BITS=15
+CONFIG_LOCKDEP_CHAINS_BITS=16
+CONFIG_LOCKDEP_STACK_TRACE_BITS=19
+CONFIG_LOCKDEP_STACK_TRACE_HASH_BITS=14
+CONFIG_LOCKDEP_CIRCULAR_QUEUE_BITS=12
+CONFIG_WW_MUTEX_SELFTEST=y
+CONFIG_CSD_LOCK_WAIT_DEBUG=y
+CONFIG_TRACE_IRQFLAGS=y
+CONFIG_DEBUG_IRQFLAGS=y
+CONFIG_DEBUG_LIST=y
+CONFIG_DEBUG_PLIST=y
+CONFIG_DEBUG_NOTIFIERS=y
+CONFIG_BUG_ON_DATA_CORRUPTION=y
+CONFIG_PROVE_RCU=y
+CONFIG_RCU_TRACE=y
+CONFIG_NOP_TRACER=y
+CONFIG_TRACE_CLOCK=y
+CONFIG_RING_BUFFER=y
+CONFIG_EVENT_TRACING=y
+CONFIG_CONTEXT_SWITCH_TRACER=y
+CONFIG_PREEMPTIRQ_TRACEPOINTS=y
+CONFIG_TRACING=y
+CONFIG_DRM=n
+CONFIG_USB=n
+CONFIG_SOUND=n
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_9P_FS_SECURITY=y
+CONFIG_ETHERNET=n
+CONFIG_WLAN=n

kernel-configs/integrity

@@ -0,0 +1,29 @@
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_IMA_APPRAISE_BUILD_POLICY=y
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_APPRAISE_MODSIG=y
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_BLACKLIST_KEYRING=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
+CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_ADD_XATTRS=y
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"

m4/manpage-docbook-xsl.m4

@@ -7,7 +7,7 @@ AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [
 
 	AC_PATH_PROGS(XMLCATALOG, xmlcatalog)
 	AC_ARG_WITH([xml-catalog],
-		AC_HELP_STRING([--with-xml-catalog=CATALOG],
+		AS_HELP_STRING([--with-xml-catalog=CATALOG],
 				[path to xml catalog to use]),,
 				[with_xml_catalog=/etc/xml/catalog])
 	XML_CATALOG_FILE="$with_xml_catalog"

packaging/ima-evm-utils.spec

@@ -1,5 +1,5 @@
 Name:		ima-evm-utils
-Version:	1.4
+Version:	1.5
 Release:	1%{?dist}
 Summary:	ima-evm-utils - IMA/EVM control utility
 Group:		System/Libraries

src/Makefile.am

@@ -4,9 +4,17 @@ libimaevm_la_SOURCES = libimaevm.c
 libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
 # current[:revision[:age]]
 # result: [current-age].age.revision
-libimaevm_la_LDFLAGS = -version-info 3:0:0
+libimaevm_la_LDFLAGS = -version-info 4:0:0
 libimaevm_la_LIBADD =  $(LIBCRYPTO_LIBS)
 
+if CONFIG_SIGV1
+libimaevm_la_CFLAGS = -DCONFIG_SIGV1
+endif
+
+if CONFIG_IMA_EVM_ENGINE
+libimaevm_la_CFLAGS = -DCONFIG_IMA_EVM_ENGINE
+endif
+
 include_HEADERS = imaevm.h
 
 nodist_libimaevm_la_SOURCES = hash_info.h
@@ -22,6 +30,16 @@ evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
 evmctl_LDFLAGS = $(LDFLAGS_READLINE)
 evmctl_LDADD =  $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
 
+# Enable IMA signature version 1
+if CONFIG_SIGV1
+evmctl_CFLAGS = -DCONFIG_SIGV1
+endif
+
+# Enable "--engine" support
+if CONFIG_IMA_EVM_ENGINE
+evmctl_CFLAGS = -DCONFIG_IMA_EVM_ENGINE
+endif
+
 # USE_PCRTSS uses the Intel TSS
 if USE_PCRTSS
  evmctl_SOURCES += pcr_tss.c

src/imaevm.h

@@ -48,7 +48,13 @@
 #include <errno.h>
 #include <sys/types.h>
 #include <openssl/rsa.h>
+#ifdef CONFIG_IMA_EVM_ENGINE
 #include <openssl/engine.h>
+#endif
+
+#if defined(OPENSSL_NO_ENGINE) || defined(OPENSSL_NO_DYNAMIC_ENGINE)
+#undef CONFIG_IMA_EVM_ENGINE
+#endif
 
 #ifdef USE_FPRINTF
 #define do_log(level, fmt, args...)	\
@@ -85,6 +91,16 @@
 #define MAX_DIGEST_SIZE		64
 #define MAX_SIGNATURE_SIZE	1024
 
+/*
+ * The maximum template data size is dependent on the template format. For
+ * example the 'ima-modsig' template includes two signatures - one for the
+ * entire file, the other without the appended signature - and other fields
+ * (e.g. file digest, file name, file digest without the appended signature).
+ *
+ * Other template formats are much smaller.
+ */
+#define MAX_TEMPLATE_SIZE	(MAX_SIGNATURE_SIZE * 4)
+
 #define __packed __attribute__((packed))
 
 enum evm_ima_xattr_type {
@@ -93,6 +109,7 @@ enum evm_ima_xattr_type {
 	EVM_IMA_XATTR_DIGSIG,
 	IMA_XATTR_DIGEST_NG,
 	EVM_XATTR_PORTABLE_DIGSIG,
+	IMA_VERITY_DIGSIG,
 };
 
 struct h_misc {
@@ -138,7 +155,8 @@ enum digest_algo {
 
 enum digsig_version {
 	DIGSIG_VERSION_1 = 1,
-	DIGSIG_VERSION_2
+	DIGSIG_VERSION_2,
+	DIGSIG_VERSION_3	/* hash of ima_file_id struct (portion used) */
 };
 
 struct pubkey_hdr {
@@ -233,5 +251,6 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsig
 void init_public_keys(const char *keyfiles);
 int imaevm_hash_algo_from_sig(unsigned char *sig);
 const char *imaevm_hash_algo_by_id(int algo);
+int calc_hash_sigv3(enum evm_ima_xattr_type type, const char *algo, const unsigned char *in_hash, unsigned char *out_hash);
 
 #endif

src/libimaevm.c

@@ -250,6 +250,7 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
 {
 	FILE *fp;
 	EVP_PKEY *pkey = NULL;
+	struct stat st;
 
 	if (!keyfile)
 		return NULL;
@@ -261,6 +262,17 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
 		return NULL;
 	}
 
+	if (fstat(fileno(fp), &st) == -1) {
+		log_err("Failed to fstat key file: %s\n", keyfile);
+		goto out;
+	}
+
+	if ((st.st_mode & S_IFMT) != S_IFREG) {
+		if (imaevm_params.verbose > LOG_INFO)
+			log_err("Key file is not regular file: %s\n", keyfile);
+		goto out;
+	}
+
 	if (x509) {
 		X509 *crt = d2i_X509_fp(fp, NULL);
 
@@ -290,6 +302,7 @@ out:
 	return pkey;
 }
 
+#if CONFIG_SIGV1
 RSA *read_pub_key(const char *keyfile, int x509)
 {
 	EVP_PKEY *pkey;
@@ -349,6 +362,7 @@ static int verify_hash_v1(const char *file, const unsigned char *hash, int size,
 
 	return 0;
 }
+#endif  /* CONFIG_SIGV1 */
 
 struct public_key_entry {
 	struct public_key_entry *next;
@@ -422,10 +436,21 @@ void init_public_keys(const char *keyfiles)
 }
 
 /*
+ * Verify a signature, prefixed with the signature_v2_hdr, either based
+ * directly or indirectly on the file data hash.
+ *
+ * version 2: directly based on the file data hash (e.g. sha*sum)
+ * version 3: indirectly based on the hash of the struct ima_file_id, which
+ *	      contains the xattr type (enum evm_ima_xattr_type), the hash
+ *	      algorithm (enum hash_algo), and the file data hash
+ *	      (e.g. fsverity digest).
+ *
  * Return: 0 verification good, 1 verification bad, -1 error.
+ *
+ * (Note: signature_v2_hdr struct does not contain the 'type'.)
  */
-static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
-			  unsigned char *sig, int siglen)
+static int verify_hash_common(const char *file, const unsigned char *hash,
+			      int size, unsigned char *sig, int siglen)
 {
 	int ret = -1;
 	EVP_PKEY *pkey, *pkey_free = NULL;
@@ -495,6 +520,128 @@ err:
 	return ret;
 }
 
+/*
+ * Verify a signature, prefixed with the signature_v2_hdr, directly based
+ * on the file data hash.
+ *
+ * Return: 0 verification good, 1 verification bad, -1 error.
+ */
+static int verify_hash_v2(const char *file, const unsigned char *hash,
+			  int size, unsigned char *sig, int siglen)
+{
+	/* note: signature_v2_hdr does not contain 'type', use sig + 1 */
+	return verify_hash_common(file, hash, size, sig + 1, siglen - 1);
+}
+
+/*
+ * Verify a signature, prefixed with the signature_v2_hdr, indirectly based
+ * on the file data hash.
+ *
+ * Return: 0 verification good, 1 verification bad, -1 error.
+ */
+static int verify_hash_v3(const char *file, const unsigned char *hash,
+			  int size, unsigned char *sig, int siglen)
+{
+	unsigned char sigv3_hash[MAX_DIGEST_SIZE];
+	int ret;
+
+	ret = calc_hash_sigv3(sig[0], NULL, hash, sigv3_hash);
+	if (ret < 0)
+		return ret;
+
+	/* note: signature_v2_hdr does not contain 'type', use sig + 1 */
+	return verify_hash_common(file, sigv3_hash, size, sig + 1, siglen - 1);
+}
+
+#define HASH_MAX_DIGESTSIZE 64	/* kernel HASH_MAX_DIGESTSIZE is 64 bytes */
+
+struct ima_file_id {
+	__u8 hash_type;		/* xattr type [enum evm_ima_xattr_type] */
+	__u8 hash_algorithm;	/* Digest algorithm [enum hash_algo] */
+	__u8 hash[HASH_MAX_DIGESTSIZE];
+} __packed;
+
+/*
+ * Calculate the signature format version 3 hash based on the portion
+ * of the ima_file_id structure used, not the entire structure.
+ *
+ * On success, return the hash length, otherwise for openssl errors
+ * return 1, other errors return -EINVAL.
+ */
+int calc_hash_sigv3(enum evm_ima_xattr_type type, const char *algo,
+		    const unsigned char *in_hash, unsigned char *out_hash)
+{
+	struct ima_file_id file_id = { .hash_type = IMA_VERITY_DIGSIG };
+	uint8_t *data = (uint8_t *) &file_id;
+
+	const EVP_MD *md;
+	EVP_MD_CTX *pctx;
+	unsigned int mdlen;
+	int err;
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+	EVP_MD_CTX ctx;
+	pctx = &ctx;
+#else
+	pctx = EVP_MD_CTX_new();
+#endif
+	int hash_algo;
+	int hash_size;
+	unsigned int unused;
+
+	if (type != IMA_VERITY_DIGSIG) {
+		log_err("Only fsverity supports signature format v3 (sigv3)\n");
+		return -EINVAL;
+	}
+
+	if (!algo)
+		algo = imaevm_params.hash_algo;
+
+	if ((hash_algo = imaevm_get_hash_algo(algo)) < 0) {
+		log_err("Hash algorithm %s not supported\n", algo);
+		return -EINVAL;
+	}
+	file_id.hash_algorithm = hash_algo;
+
+	md = EVP_get_digestbyname(algo);
+	if (!md) {
+		log_err("EVP_get_digestbyname(%s) failed\n", algo);
+		err = 1;
+		goto err;
+	}
+
+	hash_size = EVP_MD_size(md);
+	memcpy(file_id.hash, in_hash, hash_size);
+
+	err = EVP_DigestInit(pctx, md);
+	if (!err) {
+		log_err("EVP_DigestInit() failed\n");
+		err = 1;
+		goto err;
+	}
+
+	unused = HASH_MAX_DIGESTSIZE - hash_size;
+	if (!EVP_DigestUpdate(pctx, data, sizeof(file_id) - unused)) {
+		log_err("EVP_DigestUpdate() failed\n");
+		err = 1;
+		goto err;
+	}
+
+	err = EVP_DigestFinal(pctx, out_hash, &mdlen);
+	if (!err) {
+		log_err("EVP_DigestFinal() failed\n");
+		err = 1;
+		goto err;
+	}
+	err = mdlen;
+err:
+	if (err == 1)
+		output_openssl_errors();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+	EVP_MD_CTX_free(pctx);
+#endif
+	return err;
+}
+
 int imaevm_get_hash_algo(const char *algo)
 {
 	int i;
@@ -537,7 +684,7 @@ int imaevm_hash_algo_from_sig(unsigned char *sig)
 		default:
 			return -1;
 		}
-	} else if (sig[0] == DIGSIG_VERSION_2) {
+	} else if (sig[0] == DIGSIG_VERSION_2 || sig[0] == DIGSIG_VERSION_3) {
 		hashalgo = ((struct signature_v2_hdr *)sig)->hash_algo;
 		if (hashalgo >= PKEY_HASH__LAST)
 			return -1;
@@ -546,11 +693,12 @@ int imaevm_hash_algo_from_sig(unsigned char *sig)
 		return -1;
 }
 
-int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
-		int siglen)
+int verify_hash(const char *file, const unsigned char *hash, int size,
+		unsigned char *sig, int siglen)
 {
 	/* Get signature type from sig header */
-	if (sig[0] == DIGSIG_VERSION_1) {
+	if (sig[1] == DIGSIG_VERSION_1) {
+#if CONFIG_SIGV1
 		const char *key = NULL;
 
 		/* Read pubkey from RSA key */
@@ -558,9 +706,16 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
 			key = "/etc/keys/pubkey_evm.pem";
 		else
 			key = imaevm_params.keyfile;
-		return verify_hash_v1(file, hash, size, sig, siglen, key);
-	} else if (sig[0] == DIGSIG_VERSION_2) {
+		return verify_hash_v1(file, hash, size, sig + 1, siglen - 1,
+					 key);
+#else
+		log_info("Signature version 1 deprecated.");
+		return -1;
+#endif
+	} else if (sig[1] == DIGSIG_VERSION_2) {
 		return verify_hash_v2(file, hash, size, sig, siglen);
+	} else if (sig[1] == DIGSIG_VERSION_3) {
+		return verify_hash_v3(file, hash, size, sig, siglen);
 	} else
 		return -1;
 }
@@ -571,11 +726,16 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
 	unsigned char hash[MAX_DIGEST_SIZE];
 	int hashlen, sig_hash_algo;
 
-	if (sig[0] != EVM_IMA_XATTR_DIGSIG) {
+	if (sig[0] != EVM_IMA_XATTR_DIGSIG && sig[0] != IMA_VERITY_DIGSIG) {
 		log_err("%s: xattr ima has no signature\n", file);
 		return -1;
 	}
 
+	if (!digest && sig[0] == IMA_VERITY_DIGSIG) {
+		log_err("%s: calculating the fs-verity digest is not supported\n", file);
+		return -1;
+	}
+
 	sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
 	if (sig_hash_algo < 0) {
 		log_err("%s: Invalid signature\n", file);
@@ -588,17 +748,18 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
 	 * Validate the signature based on the digest included in the
 	 * measurement list, not by calculating the local file digest.
 	 */
-	if (digestlen > 0)
-	    return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
+	if (digest && digestlen > 0)
+		return verify_hash(file, digest, digestlen, sig, siglen);
 
 	hashlen = ima_calc_hash(file, hash);
 	if (hashlen <= 1)
 		return hashlen;
 	assert(hashlen <= sizeof(hash));
 
-	return verify_hash(file, hash, hashlen, sig + 1, siglen - 1);
+	return verify_hash(file, hash, hashlen, sig, siglen);
 }
 
+#if CONFIG_SIGV1
 /*
  * Create binary key representation suitable for kernel
  */
@@ -657,6 +818,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
 	if (imaevm_params.verbose > LOG_INFO)
 		log_info("keyid-v1: %s\n", str);
 }
+#endif /* CONFIG_SIGV1 */
 
 /*
  * Calculate keyid of the public_key part of EVP_PKEY
@@ -761,6 +923,7 @@ static int read_keyid_from_cert(uint32_t *keyid_be, const char *certfile, int tr
 		ERR_print_errors_fp(stderr);
 		log_err("read keyid: %s: Error reading x509 certificate\n",
 			certfile);
+		return -1;
 	}
 
 	if (!(skid = x509_get_skid(x, &skid_len))) {
@@ -803,9 +966,10 @@ uint32_t imaevm_read_keyid(const char *certfile)
 static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
 {
 	FILE *fp;
-	EVP_PKEY *pkey;
+	EVP_PKEY *pkey = NULL;
 
 	if (!strncmp(keyfile, "pkcs11:", 7)) {
+#ifdef CONFIG_IMA_EVM_ENGINE
 		if (!imaevm_params.keyid) {
 			log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
 			return NULL;
@@ -822,6 +986,10 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
 			log_err("Failed to load private key %s\n", keyfile);
 			goto err_engine;
 		}
+#else
+		log_err("OpenSSL \"engine\" support is disabled\n");
+		goto err_engine;
+#endif
 	} else {
 		fp = fopen(keyfile, "r");
 		if (!fp) {
@@ -845,6 +1013,7 @@ err_engine:
 	return NULL;
 }
 
+#if CONFIG_SIGV1
 static RSA *read_priv_key(const char *keyfile, const char *keypass)
 {
 	EVP_PKEY *pkey;
@@ -955,6 +1124,7 @@ out:
 	RSA_free(key);
 	return len;
 }
+#endif /* CONFIG_SIGV1 */
 
 /*
  * @sig is assumed to be of (MAX_SIGNATURE_SIZE - 1) size
@@ -1069,9 +1239,14 @@ int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const c
 	if (keypass)
 		imaevm_params.keypass = keypass;
 
-	return imaevm_params.x509 ?
-		sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
-		sign_hash_v1(hashalgo, hash, size, keyfile, sig);
+	if (imaevm_params.x509)
+		return sign_hash_v2(hashalgo, hash, size, keyfile, sig);
+#if CONFIG_SIGV1
+	else
+		return sign_hash_v1(hashalgo, hash, size, keyfile, sig);
+#endif
+	log_info("Signature version 1 deprecated.");
+	return -1;
 }
 
 static void libinit()

src/pcr_ibmtss.c

@@ -20,21 +20,11 @@
 #undef MAX_DIGEST_SIZE	/* imaevm uses a different value than the TSS */
 #include <ibmtss/tss.h>
 
-#define CMD "tsspcrread"
-
-static char path[PATH_MAX];
-
 int tpm2_pcr_supported(void)
 {
 	if (imaevm_params.verbose > LOG_INFO)
-		log_info("Using %s to read PCRs.\n", CMD);
+		log_info("Using ibmtss to read PCRs\n");
 
-	if (get_cmd_path(CMD, path, sizeof(path))) {
-		log_debug("Couldn't find '%s' in $PATH\n", CMD);
-		return 0;
-	}
-
-	log_debug("Found '%s' in $PATH\n", CMD);
 	return 1;
 }
 

src/pcr_tsspcrread.c

@@ -60,11 +60,11 @@ int tpm2_pcr_supported(void)
 		log_info("Using %s to read PCRs.\n", CMD);
 
 	if (get_cmd_path(CMD, path, sizeof(path))) {
-		log_debug("Couldn't find '%s' in $PATH\n", CMD);
+		log_info("Couldn't find '%s' in %s\n", CMD, path);
 		return 0;
 	}
 
-	log_debug("Found '%s' in $PATH\n", CMD);
+	log_debug("Found '%s' in %s\n", CMD, path);
 	return 1;
 }
 

tests/Makefile.am

@@ -1,7 +1,24 @@
 check_SCRIPTS =
 TESTS = $(check_SCRIPTS)
 
-check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test
+check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \
+		 fsverity.test portable_signatures.test ima_policy_check.test \
+		 mmap_check.test
+
+check_PROGRAMS := test_mmap
+
+.PHONY: check_logs
+check_logs:
+	@for log in $(TEST_LOGS); do \
+	   echo -e "\n***" $$log "***" ; \
+	   case $$log in \
+	   ima_hash.log | sign_verify.log ) \
+	       tail -3 $$log ; \
+	       grep "skipped" $$log && grep "skipped" $$log | wc -l ;; \
+	   *) \
+	       cat $$log ;; \
+	   esac ; \
+	done
 
 clean-local:
 	-rm -f *.txt *.out *.sig *.sig2

tests/boot_aggregate.test

@@ -12,7 +12,7 @@
 # for verifying the calculated boot_aggregate is included in this
 # directory as well.
 
-trap cleanup SIGINT SIGTERM EXIT
+trap '_report_exit_and_cleanup cleanup' SIGINT SIGTERM EXIT
 
 # Base VERBOSE on the environment variable, if set.
 VERBOSE="${VERBOSE:-0}"
@@ -126,8 +126,10 @@ display_pcrs() {
 # Verify that the last "boot_aggregate" record in the IMA measurement
 # list matches.
 check() {
+	local options=$1
+
 	echo "INFO: Calculating the boot_aggregate (PCRs 0 - 9) for multiple banks"
-	bootaggr=$(evmctl ima_boot_aggregate)
+	bootaggr=$(evmctl ima_boot_aggregate ${options})
 	if [ $? -ne 0 ]; then
 		echo "${CYAN}SKIP: evmctl ima_boot_aggregate: $bootaggr${NORM}"
 		exit "$SKIP"
@@ -151,6 +153,7 @@ check() {
 }
 
 if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then
+	BOOTAGGR_OPTIONS="--hwtpm"
 	ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements"
 	if [ ! -d "/sys/kernel/security/ima" ]; then
 		echo "${CYAN}SKIP: CONFIG_IMA not enabled${NORM}"
@@ -194,4 +197,4 @@ if [ "$(id -u)" != 0 ] || [ ! -c "/dev/tpm0" ]; then
 	fi
 fi
 
-expect_pass check
+expect_pass check $BOOTAGGR_OPTIONS

tests/fsverity.test

@@ -0,0 +1,385 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Test IMA support for including fs-verity enabled files measurements
+# in the IMA measurement list.
+#
+# Define policy rules showing the different types of IMA and fs-verity
+# records in the IMA measurement list.  Include examples of files that
+# are suppose to be fs-verity enabled, but aren't.
+#
+# test 1: IMA policy rule using the new ima-ngv2 template
+# - Hash prefixed with "ima:"
+#
+# test 2: fs-verity IMA policy rule using the new ima-ngv2 template
+# - fs-verity hash prefixed with "verity:"
+# - Non fs-verity enabled file, zeros prefixed with "verity:"
+#
+# test 3: IMA policy rule using the new ima-sigv2 template
+# - Hash prefixed with "ima:"
+# - Appended signature, when available.
+#
+# test 4: fs-verity IMA policy rule using the new ima-sigv2 template
+# - fs-verity hash prefixed with "verity:"
+# - Non fs-verity enabled file, zeros prefixed with "verity:"
+# - Appended IMA signature of fs-verity file hash, when available.
+
+# To avoid affecting the system's IMA custom policy or requiring a
+# reboot between tests, define policy rules based on UUID.  However,
+# since the policy rules are walked sequentially, the system's IMA
+# custom policy rules might take precedence.
+
+cd "$(dirname "$0")" || exit 1
+PATH=../src:../fsverity-utils:$PATH
+source ./functions.sh
+
+# Base VERBOSE on the environment variable, if set.
+VERBOSE="${VERBOSE:-0}"
+
+IMA_POLICY_FILE="/sys/kernel/security/integrity/ima/policy"
+IMA_MEASUREMENT_LIST="/sys/kernel/security/integrity/ima/ascii_runtime_measurements"
+TST_MNT="/tmp/fsverity-test"
+TST_IMG="/tmp/test.img"
+
+LOOPBACK_MOUNTED=0
+FSVERITY="$(which fsverity)"
+
+_require dd mkfs blkid e2fsck tune2fs evmctl setfattr
+./gen-keys.sh >/dev/null 2>&1
+
+trap '_report_exit_and_cleanup _cleanup_env cleanup' SIGINT SIGTERM EXIT
+
+cleanup() {
+        if [ -e $TST_MNT ]; then
+		if [ $LOOPBACK_MOUNTED -eq 1 ]; then
+			umount $TST_MNT
+		fi
+		if [ -f "$TST_IMG" ]; then
+			rm "$TST_IMG"
+		fi
+	fi
+}
+
+# Loopback mount a file
+mount_loopback_file() {
+	local ret
+
+	if [ ! -d $TST_MNT ]; then
+		mkdir $TST_MNT
+	fi
+
+#	if modprobe loop; then
+#		echo "${CYAN}INFO: modprobe loop failed${NORM}"
+#	fi
+
+	if ! losetup -f &> /dev/null; then
+		echo "${RED}FAILURE: losetup${NORM}"
+		exit "$FAIL"
+	fi
+
+	mount -v -o loop ${TST_IMG} $TST_MNT
+	ret=$?
+
+	if [ "${ret}" -eq 0 ]; then
+		LOOPBACK_MOUNTED=1
+	fi
+
+	return "$ret"
+}
+
+# Change the loopback mounted filesystem's UUID in between tests
+change_loopback_file_uuid() {
+	echo " "
+	[ "$VERBOSE" -ge 1 ] && echo "INFO: Changing loopback file uuid"
+
+	umount $TST_MNT
+	if ! e2fsck -y -f ${TST_IMG} &> /dev/null; then
+		echo "${RED}FAILURE: e2fsck${NORM}"
+		exit "$FAIL"
+	fi
+
+	if ! tune2fs -f ${TST_IMG} -U random &> /dev/null; then
+		echo "${RED}FAILURE: change UUID${NORM}"
+		exit "$FAIL"
+	fi
+
+	[ "$VERBOSE" -ge 1 ] && echo "INFO: Remounting loopback filesystem"
+	if ! mount_loopback_file; then
+		echo "${RED}FAILURE: re-mounting loopback filesystem${NORM}"
+		exit "$FAIL"
+	fi
+	return 0
+}
+
+# Create a file to be loopback mounted
+create_loopback_file() {
+	local fs_type=$1
+	local options=""
+
+	echo "INFO: Creating loopback filesystem"
+	case $fs_type in
+	ext4|f2fs)
+		options="-O verity"
+		;;
+	btrfs)
+		;;
+	*)
+		echo "${RED}FAILURE: unsupported fs-verity filesystem${NORM}"
+		exit "${FAIL}"
+		;;
+	esac
+
+	[ "$VERBOSE" -ge 2 ] && echo "INFO: Creating a file to be loopback mounted with options: $options"
+	if ! dd if=/dev/zero of="${TST_IMG}" bs=100M count=6 &> /dev/null; then
+		echo "${RED}FAILURE: creating ${TST_IMG}${NORM}"
+		exit "$FAIL"
+	fi
+
+	echo "INFO: Building an $fs_type filesystem"
+	if ! mkfs -t "$fs_type" -q "${TST_IMG}" "$options"; then
+		echo "${RED}FAILURE: Creating $fs_type filesystem${NORM}"
+		exit "$FAIL"
+	fi
+
+	echo "INFO: Mounting loopback filesystem"
+	if ! mount_loopback_file; then
+		echo "${RED}FAILURE: mounting loopback filesystem${NORM}"
+		exit "$FAIL"
+	fi
+	return 0
+}
+
+get_current_uuid() {
+	[ "$VERBOSE" -ge 2 ] && echo "INFO: Getting loopback file uuid"
+	if ! UUID=$(blkid -s UUID -o value ${TST_IMG}); then
+		echo "${RED}FAILURE: to get UUID${NORM}"
+		return "$FAIL"
+	fi
+	return 0
+}
+
+unqualified_bprm_rule() {
+	local test=$1
+	local rule=$2
+	local rule_match="measure func=BPRM_CHECK"
+	local rule_dontmatch="fsuuid"
+
+	if [ -z "${rule##*$digest_type=verity*}" ]; then
+		if grep "$rule_match" $IMA_POLICY_FILE | grep -v "$rule_dontmatch"  &> /dev/null; then
+			return "$SKIP"
+		fi
+	fi
+	return 0
+}
+
+load_policy_rule() {
+	local test=$1
+	local rule=$2
+
+	if ! get_current_uuid; then
+		echo "${RED}FAILURE:FAILED getting uuid${NORM}"
+		exit "$FAIL"
+	fi
+
+	unqualified_bprm_rule "${test}" "${rule}"
+	if [ $? -eq "${SKIP}" ]; then
+		echo "${CYAN}SKIP: fsuuid unqualified \"BPRM_CHECK\" rule exists${NORM}"
+		return "$SKIP"
+	fi
+
+	echo "$test: rule: $rule fsuuid=$UUID"
+	if ! echo "$rule fsuuid=$UUID" > $IMA_POLICY_FILE; then
+		echo "${CYAN}SKIP: Loading policy rule failed, skipping test${NORM}"
+		return "$SKIP"
+	fi
+	return 0
+}
+
+create_file() {
+	local test=$1
+	local type=$2
+
+	TST_FILE=$(mktemp -p $TST_MNT -t "${type}".XXXXXX)
+	[ "$VERBOSE" -ge 1 ] && echo "INFO: creating $TST_FILE"
+
+	# heredoc to create a script
+	cat <<-EOF > "$TST_FILE"
+	#!/bin/bash
+	echo "Hello" &> /dev/null
+	EOF
+
+	chmod a+x "$TST_FILE"
+}
+
+measure-verity() {
+	local test=$1
+	local verity="${2:-disabled}"
+	local digest_filename
+	local error="$OK"
+	local KEY=$PWD/test-rsa2048.key
+
+	create_file "$test" verity-hash
+	if [ "$verity" = "enabled" ]; then
+		msg="Measuring fs-verity enabled file $TST_FILE"
+		if ! "$FSVERITY" enable "$TST_FILE" &> /dev/null; then
+			echo "${CYAN}SKIP: Failed enabling fs-verity on $TST_FILE${NORM}"
+			return "$SKIP"
+		fi
+	else
+		msg="Measuring non fs-verity enabled file $TST_FILE"
+	fi
+
+	# Sign the fsverity digest and write it as security.ima xattr.
+	# "evmctl sign_hash" input: <digest> <filename>
+	# "evmctl sign_hash" output: <digest> <filename> <signature>
+	[ "$VERBOSE" -ge 2 ] && echo "INFO: Signing the fsverity digest"
+	xattr=$("$FSVERITY" digest "$TST_FILE" | evmctl sign_hash --veritysig --key "$KEY" 2> /dev/null)
+	sig=$(echo "$xattr" | cut -d' ' -f3)
+
+	# On failure to write security.ima xattr, the signature will simply
+	# not be appended to the measurement list record.
+	if ! setfattr -n security.ima -v "0x$sig" "$TST_FILE"; then
+		echo "${CYAN}INFO: Failed to write security.ima xattr${NORM}"
+	fi
+	"$TST_FILE"
+
+	# "fsverity digest" calculates the fsverity hash, even for
+	# non fs-verity enabled files.
+	digest_filename=$("$FSVERITY" digest "$TST_FILE")
+	[ "$VERBOSE" -ge 2 ] && echo "INFO: verity:$digest_filename"
+
+	grep "verity:$digest_filename" $IMA_MEASUREMENT_LIST &> /dev/null
+	ret=$?
+
+	# Not finding the "fsverity digest" result in the IMA measurement
+	# list is expected for non fs-verity enabled files.  The measurement
+	# list will contain zeros for the file hash.
+	if [ $ret -eq 1 ]; then
+		error="$FAIL"
+		if [ "$verity" = "enabled" ]; then
+			echo "${RED}FAILURE: ${msg} ${NORM}"
+		else
+			echo "${GREEN}SUCCESS: ${msg}, fsverity digest not found${NORM}"
+		fi
+	else
+		if [ "$verity" = "enabled" ]; then
+			echo "${GREEN}SUCCESS: ${msg} ${NORM}"
+		else
+			error="$FAIL"
+			echo "${RED}FAILURE: ${msg} ${NORM}"
+		fi
+	fi
+	return "$error"
+}
+
+measure-ima() {
+	local test=$1
+	local digest_filename
+	local error="$OK"
+	local hashalg
+	local digestsum
+
+	create_file "$test" ima-hash
+	"$TST_FILE"
+
+	hashalg=$(grep "${TST_FILE}" $IMA_MEASUREMENT_LIST | cut -d':' -f2)
+	if [ -z "${hashalg}" ]; then
+		echo "${CYAN}SKIP: Measurement record with algorithm not found${NORM}"
+		return "$SKIP"
+	fi
+
+	digestsum=$(which "${hashalg}"sum)
+	if [ -z "${digestsum}" ]; then
+		echo "${CYAN}SKIP: ${hashalg}sum is not installed${NORM}"
+		return "$SKIP"
+	fi
+
+	# sha1sum,sha256sum return: <digest> <2 spaces> <filename>
+	# Remove the extra space before the filename
+	digest_filename=$(${digestsum} "$TST_FILE" | sed "s/\ \ /\ /")
+	[ "$VERBOSE" -ge 2 ] && echo "$test: $digest_filename"
+	if grep "$digest_filename" $IMA_MEASUREMENT_LIST &> /dev/null; then
+		echo "${GREEN}SUCCESS: Measuring $TST_FILE ${NORM}"
+	else
+		error="$FAIL"
+		echo "${RED}FAILURE: Measuring $TST_FILE ${NORM}"
+	fi
+
+	return "$error"
+}
+
+# Run in the new environment if TST_ENV is set.
+_run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE"
+
+# Exit from the creator of the new environment.
+_exit_env "$TST_KERNEL"
+
+# Mount filesystems in the new environment.
+_init_env
+
+# Dependency on being able to read and write the IMA policy file.
+# Requires both CONFIG_IMA_WRITE_POLICY, CONFIG_IMA_READ_POLICY be
+# enabled.
+if [ -e "$IMA_POLICY_FILE" ]; then
+	mode=$(stat -c "%a" $IMA_POLICY_FILE)
+	if [ "$mode" != "600" ]; then
+		echo "${CYAN}SKIP: IMA policy file must be read-write${NORM}"
+		exit "$SKIP"
+	fi
+else
+	echo "${CYAN}SKIP: $IMA_POLICY_FILE does not exist${NORM}"
+	exit "$SKIP"
+fi
+
+# Skip the test if fsverity is not found; using _require fails the test.
+if [ -z "$FSVERITY" ]; then
+	echo "${CYAN}SKIP: fsverity is not installed${NORM}"
+	exit "$SKIP"
+fi
+
+if [ "x$(id -u)" != "x0" ]; then
+	echo "${CYAN}SKIP: Must be root to execute this test${NORM}"
+	exit "$SKIP"
+fi
+
+create_loopback_file ext4
+
+# Commit 989dc72511f7 ("ima: define a new template field named 'd-ngv2' and
+# templates") introduced ima-ngv2 and ima-sigv2 in linux-5.19.
+__skip() { return "$SKIP"; }
+
+# IMA policy rule using the ima-ngv2 template
+if load_policy_rule test1 "measure func=BPRM_CHECK template=ima-ngv2"; then
+	expect_pass measure-ima test1
+else
+	expect_pass __skip
+fi
+
+# fsverity IMA policy rule using the ima-ngv2 template
+change_loopback_file_uuid
+if load_policy_rule test2 "measure func=BPRM_CHECK template=ima-ngv2 digest_type=verity"; then
+	expect_fail measure-verity test2
+	expect_pass measure-verity test2 enabled
+else
+	expect_pass __skip
+	expect_pass __skip
+fi
+
+# IMA policy rule using the ima-sigv2 template
+change_loopback_file_uuid
+if load_policy_rule test3 "measure func=BPRM_CHECK template=ima-sigv2"; then
+	expect_pass measure-ima test3
+else
+	expect_pass __skip
+fi
+
+# fsverity IMA policy rule using the ima-sigv2 template
+change_loopback_file_uuid
+if load_policy_rule test4 "measure func=BPRM_CHECK template=ima-sigv2 digest_type=verity"; then
+	expect_fail measure-verity test4
+	expect_pass measure-verity test4 enabled
+else
+	expect_pass __skip
+	expect_pass __skip
+fi
+exit

tests/functions.sh

@@ -72,6 +72,12 @@ declare -i TNESTED=0 # just for sanity checking
 expect_pass() {
   local -i ret
 
+  if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = "$TST_LIST" ]; then
+    [ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*"
+    testsskip+=1
+    return "$SKIP"
+  fi
+
   if [ $TNESTED -gt 0 ]; then
     echo $RED"expect_pass should not be run nested"$NORM
     testsfail+=1
@@ -94,10 +100,35 @@ expect_pass() {
   return $ret
 }
 
+expect_pass_if() {
+  local indexes="$1"
+  local ret idx
+
+  shift
+
+  expect_pass "$@"
+  ret=$?
+
+  if [ $ret -ne 0 ] && [ $ret -ne 77 ] && [ -n "$PATCHES" ]; then
+    echo $YELLOW"Possibly missing patches:"$NORM
+    for idx in $indexes; do
+      echo $YELLOW" - ${PATCHES[$((idx))]}"$NORM
+    done
+  fi
+
+  return $ret
+}
+
 # Eval negative test (one that should fail) and account its result
 expect_fail() {
   local ret
 
+  if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = "$TST_LIST" ]; then
+    [ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*"
+    testsskip+=1
+    return "$SKIP"
+  fi
+
   if [ $TNESTED -gt 0 ]; then
     echo $RED"expect_fail should not be run nested"$NORM
     testsfail+=1
@@ -125,6 +156,25 @@ expect_fail() {
   return $ret
 }
 
+expect_fail_if() {
+  local indexes="$1"
+  local ret idx
+
+  shift
+
+  expect_fail "$@"
+  ret=$?
+
+  if { [ $ret -eq 0 ] || [ $ret -eq 99 ]; } && [ -n "$PATCHES" ]; then
+    echo $YELLOW"Possibly missing patches:"$NORM
+    for idx in $indexes; do
+      echo $YELLOW" - ${PATCHES[$((idx))]}"$NORM
+    done
+  fi
+
+  return $ret
+}
+
 # return true if current test is positive
 _test_expected_to_pass() {
   [ ! $TFAIL ]
@@ -250,10 +300,14 @@ _enable_gost_engine() {
 # Show test stats and exit into automake test system
 # with proper exit code (same as ours). Do cleanups.
 _report_exit_and_cleanup() {
+  local exit_code=$?
+
   if [ -n "${WORKDIR}" ]; then
     rm -rf "${WORKDIR}"
   fi
 
+  "$@"
+
   if [ $testsfail -gt 0 ]; then
     echo "================================="
     echo " Run with FAILEARLY=1 $0 $*"
@@ -267,12 +321,33 @@ _report_exit_and_cleanup() {
   [ $testsfail -gt 0 ] && echo -n "$RED" || echo -n "$NORM"
   echo " FAIL: $testsfail"
   echo "$NORM"
+  # Signal failure to the testing environment creator with an unclean shutdown.
+  if [ -n "$TST_ENV" ] && [ $$ -eq 1 ]; then
+    if [ -z "$(command -v poweroff)" ]; then
+      echo "Warning: cannot properly shutdown system"
+    fi
+
+    # If no test was executed and the script was successful,
+    # do a clean shutdown.
+    if [ $testsfail -eq 0 ] && [ $testspass -eq 0 ] && [ $testsskip -eq 0 ] &&
+       [ $exit_code -ne "$FAIL" ] && [ $exit_code -ne "$HARDFAIL" ]; then
+      poweroff -f
+    fi
+
+    # If tests were executed and no test failed, do a clean shutdown.
+    if { [ $testspass -gt 0 ] || [ $testsskip -gt 0 ]; } &&
+       [ $testsfail -eq 0 ]; then
+      poweroff -f
+    fi
+  fi
   if [ $testsfail -gt 0 ]; then
     exit "$FAIL"
   elif [ $testspass -gt 0 ]; then
     exit "$OK"
-  else
+  elif [ $testsskip -gt 0 ]; then
     exit "$SKIP"
+  else
+    exit "$exit_code"
   fi
 }
 
@@ -313,3 +388,75 @@ _softhsm_teardown() {
   unset SOFTHSM_SETUP_CONFIGDIR SOFTHSM2_CONF PKCS11_KEYURI \
     EVMCTL_ENGINE OPENSSL_ENGINE OPENSSL_KEYFORM
 }
+
+# Syntax: _run_env <kernel> <init> <additional kernel parameters>
+_run_env() {
+  if [ -z "$TST_ENV" ]; then
+    return
+  fi
+
+  if [ $$ -eq 1 ]; then
+    return
+  fi
+
+  if [ "$TST_ENV" = "um" ]; then
+    expect_pass "$1" rootfstype=hostfs rw init="$2" quiet mem=2048M "$3"
+  else
+    echo $RED"Testing environment $TST_ENV not supported"$NORM
+    exit "$FAIL"
+  fi
+}
+
+# Syntax: _exit_env <kernel>
+_exit_env() {
+  if [ -z "$TST_ENV" ]; then
+    return
+  fi
+
+  if [ $$ -eq 1 ]; then
+    return
+  fi
+
+  exit "$OK"
+}
+
+# Syntax: _init_env
+_init_env() {
+  if [ -z "$TST_ENV" ]; then
+    return
+  fi
+
+  if [ $$ -ne 1 ]; then
+    return
+  fi
+
+  mount -t tmpfs tmpfs /tmp
+  mount -t proc proc /proc
+  mount -t sysfs sysfs /sys
+  mount -t securityfs securityfs /sys/kernel/security
+
+  if [ -n "$(command -v haveged 2> /dev/null)" ]; then
+    $(command -v haveged) -w 1024 &> /dev/null
+  fi
+
+  pushd "$PWD" > /dev/null || exit "$FAIL"
+}
+
+# Syntax: _cleanup_env <cleanup function>
+_cleanup_env() {
+  if [ -z "$TST_ENV" ]; then
+    $1
+    return
+  fi
+
+  if [ $$ -ne 1 ]; then
+    return
+  fi
+
+  $1
+
+  umount /sys/kernel/security
+  umount /sys
+  umount /proc
+  umount /tmp
+}

tests/gen-keys.sh

@@ -71,7 +71,7 @@ for m in 1024 1024_skid 2048; do
     ext=
   fi
   if [ ! -e test-rsa$m.key ]; then
-    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 $ext \
+    log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 $ext \
       -config test-ca.conf \
       -newkey rsa:$bits \
       -out test-rsa$m.cer -outform DER \
@@ -93,7 +93,7 @@ for curve in prime192v1 prime256v1; do
     continue
   fi
   if [ ! -e test-$curve.key ]; then
-    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
+    log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 \
       -config test-ca.conf \
       -newkey ec \
       -pkeyopt ec_paramgen_curve:$curve \

tests/ima_policy_check.awk

@@ -0,0 +1,211 @@
+#! /usr/bin/gawk -f
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2023 Roberto Sassu <roberto.sassu@huawei.com>
+#
+# Check a new rule against the loaded IMA policy.
+#
+# Documentation/ABI/testing/ima_policy (Linux kernel)
+# base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
+#	[uid=] [euid=] [gid=] [egid=]
+#	[fowner=] [fgroup=]]
+# lsm:	[[subj_user=] [subj_role=] [subj_type=]
+#	[obj_user=] [obj_role=] [obj_type=]]
+# option:	[digest_type=] [template=] [permit_directio]
+#		[appraise_type=] [appraise_flag=]
+#		[appraise_algos=] [keyrings=]
+#
+# Rules don't overlap if their actions are unrelated (cannot be matched without
+# dont_) and there is no combination of appraise with another do action (e.g.
+# measure, audit, hash). The second condition is due to the fact that appraise
+# might still forbid other actions expected to be performed by a test that did
+# not setup appraisal. Checking appraise for new rules is not sufficient,
+# because that rule could be added anyway. By checking existing rules as well,
+# a warning will be displayed when tests inserting rules with other do actions
+# are reexecuted.
+#
+# Also, rules don't overlap if both include the same policy keyword(s) (in base
+# or lsm, except func), at least one, with a different value. Different func
+# values don't imply non-overlap, due to the fact that a test command might
+# cause the execution of multiple hooks (e.g. FILE_CHECK in addition to
+# MMAP_CHECK). Despite one test is willing to test a particular hook, this could
+# have side effects on other tests (e.g. one test sets: appraise func=MMAP_CHECK
+# and another: measure func=FILE_CHECK; the second test might see an unexpected
+# measurement due to the first test being executed; or the second test cannot
+# unexpectedly do mmap).
+#
+# Currently, the < > operators are not supported and overlapping is asserted
+# even if intervals are disjoint. If supported, non-overlapping conditions could
+# be found. With the ^ modifier, no disjoint intervals can be found. Overlapping
+# is always reported.
+#
+# Rule equivalence is determined by checking each key/value pair, regardless of
+# their order. However, the action must always be at the beginning of the rules.
+# Rules with aliases are considered equivalent to those with their source (e.g.
+# rules with PATH_CHECK and FILE_MMAP are considered as equivalent to rules with
+# FILE_CHECK and MMAP_CHECK).
+#
+# Return a bit mask with the following values:
+# - 1: invalid new rule;
+# - 2: overlap of the new rule with an existing rule in the IMA policy;
+# - 4: new rule exists in the IMA policy.
+
+BEGIN {
+	# Policy definitions.
+	actions_str="measure dont_measure appraise dont_appraise audit hash dont_hash"
+	split(actions_str, actions_array);
+	keywords_str="func mask fsmagic fsuuid fsname uid euid gid egid fowner fgroup subj_user subj_role subj_type obj_user obj_role obj_type";
+	split(keywords_str, keywords_array);
+	options_str="digest_type template permit_directio appraise_type appraise_flag appraise_algos keyrings";
+	split(options_str, options_array);
+
+	# Key types.
+	key_type_unknown=0;
+	key_type_action=1;
+	key_type_keyword=2;
+	key_type_option=3;
+
+	# Result values.
+	ret_invalid_rule=1;
+	ret_rule_overlap=2;
+	ret_same_rule_exists=4;
+
+	for (action_idx in actions_array)
+		key_types[actions_array[action_idx]]=key_type_action;
+	for (keyword_idx in keywords_array)
+		key_types[keywords_array[keyword_idx]]=key_type_keyword;
+	for (option_idx in options_array)
+		key_types[options_array[option_idx]]=key_type_option;
+
+	new_rule=1;
+	result=0;
+}
+{
+	# Delete arrays from previous rule.
+	if (!new_rule) {
+		delete current_rule_array;
+		delete current_rule_operator_array;
+	}
+
+	# Check empty rules.
+	if (!length($0)) {
+		if (new_rule) {
+			result=or(result, ret_invalid_rule);
+			exit;
+		}
+		next;
+	}
+
+	for (i=1; i<=NF; i++) {
+		# Parse key/value pair.
+		split($i, key_value_array, /[=,>,<]/, separator_array);
+		key=key_value_array[1];
+		value=key_value_array[2];
+
+		if (key == "func") {
+			# Normalize values of IMA hooks to what IMA will print.
+			if (value == "FILE_MMAP")
+				value="MMAP_CHECK";
+			else if (value == "PATH_CHECK")
+				value="FILE_CHECK";
+		}
+
+		# Basic validity check (not necessary in general for the IMA policy, but useful to find typos in the tests).
+		if (key_types[key] == key_type_unknown ||
+		    (i == 1 && key_types[key] != key_type_action)) {
+			result=or(result, ret_invalid_rule);
+			exit;
+		}
+
+		# Store key/value pair and operator into an array.
+		if (new_rule) {
+			new_rule_array[key]=value;
+			new_rule_operator_array[key]=separator_array[1];
+		} else {
+			current_rule_array[key]=value;
+			current_rule_operator_array[key]=separator_array[1];
+		}
+
+		# Store original action and action without dont_.
+		if (i == 1) {
+			if (new_rule) {
+				new_rule_action=key;
+				new_rule_action_sub=key;
+				gsub(/dont_/, "", new_rule_action_sub);
+			} else {
+				current_rule_action=key;
+				current_rule_action_sub=key;
+				gsub(/dont_/, "", current_rule_action_sub);
+			}
+		}
+	}
+
+	# Go to the next line, to compare the new rule with rules in the IMA policy.
+	if (new_rule) {
+		new_rule=0;
+		next;
+	}
+
+	# No overlap by action (unrelated rules and no combination appraise - <do action>), new rule safe to add to the IMA policy.
+	if (current_rule_action_sub != new_rule_action_sub &&
+	    (current_rule_action != "appraise" || new_rule_action ~ /^dont_/) &&
+	    (new_rule_action != "appraise" || current_rule_action ~ /^dont_/))
+		next;
+
+	same_rule=1;
+	overlap_rule=1;
+
+	for (key in key_types) {
+		if (!(key in new_rule_array)) {
+			# Key in current rule but not in new rule.
+			if (key in current_rule_array)
+				same_rule=0;
+			# Key not in new rule and not in current rule.
+			continue;
+		}
+
+		if (!(key in current_rule_array)) {
+			# Key in new rule but not in current rule.
+			if (key in new_rule_array)
+				same_rule=0;
+			# Key not in current rule and not in new rule.
+			continue;
+		}
+
+		# Same value and operator.
+		if (new_rule_array[key] == current_rule_array[key] &&
+		    new_rule_operator_array[key] == current_rule_operator_array[key])
+			continue;
+
+		# Different value and/or operator.
+		same_rule=0;
+
+		# Not a policy keyword, not useful to determine overlap.
+		if (key_types[key] != key_type_keyword)
+			continue;
+
+		# > < operators are not supported, cannot determine overlap.
+		if (new_rule_operator_array[key] != "=" || current_rule_operator_array[key] != "=")
+			continue;
+
+		# ^ modifier does not make disjoint sets, cannot determine overlap.
+		if (new_rule_array[key] ~ /^\^/ || current_rule_array[key] ~ /^\^/)
+			continue;
+
+		# One test command can invoke multiple hooks, cannot determine overlap from func.
+		if (key == "func")
+			continue;
+
+		# No overlap by policy keyword, new rule safe to add to the IMA policy.
+		overlap_rule=0;
+		next;
+	}
+
+	if (same_rule)
+		result=or(result, ret_same_rule_exists);
+	else if (overlap_rule)
+		result=or(result, ret_rule_overlap);
+}
+END {
+	exit result;
+}

tests/ima_policy_check.test

@@ -0,0 +1,245 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2023 Roberto Sassu <roberto.sassu@huawei.com>
+#
+# Test for ima_policy_check.awk
+
+trap '_report_exit_and_cleanup' SIGINT SIGTERM EXIT
+
+cd "$(dirname "$0")" || exit 1
+. ./functions.sh
+
+export PATH=$PWD:$PATH
+
+check_result() {
+	local result
+
+	echo -e "\nTest: $1"
+	echo "New rule: $2"
+	echo "IMA policy: $3"
+
+	echo -n "Result (expect $4): "
+
+	echo -e "$2\n$3" | ima_policy_check.awk
+	result=$?
+
+	if [ "$result" -ne "$4" ]; then
+		echo "${RED}$result${NORM}"
+		return "$FAIL"
+	fi
+
+	echo "${GREEN}$result${NORM}"
+	return "$OK"
+}
+
+# ima_policy_check.awk returns a bit mask with the following values:
+# - 1: invalid new rule;
+# - 2: overlap of the new rule with an existing rule in the IMA policy;
+# - 4: new rule exists in the IMA policy.
+
+# Basic checks.
+desc="empty IMA policy"
+rule="measure func=FILE_CHECK"
+ima_policy=""
+expect_pass check_result "$desc" "$rule" "$ima_policy" 0
+
+desc="Empty new rule"
+rule=""
+ima_policy=""
+expect_pass check_result "$desc" "$rule" "$ima_policy" 1
+
+desc="Unknown policy keyword fun"
+rule="measure fun=FILE_CHECK"
+ima_policy=""
+expect_pass check_result "$desc" "$rule" "$ima_policy" 1
+
+desc="Missing action"
+rule="func=FILE_CHECK"
+ima_policy=""
+expect_pass check_result "$desc" "$rule" "$ima_policy" 1
+
+# Non-overlapping rules.
+desc="Non-overlapping by action measure/dont_appraise, same func"
+rule="measure func=FILE_CHECK"
+ima_policy="dont_appraise func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 0
+
+desc="Non-overlapping by action audit/dont_appraise, same func"
+rule="audit func=FILE_CHECK"
+ima_policy="dont_appraise func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 0
+
+desc="Non-overlapping by action appraise/dont_measure, same func"
+rule="appraise func=FILE_CHECK"
+ima_policy="dont_measure func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 0
+
+desc="Non-overlapping by action dont_measure/hash, same func"
+rule="dont_measure func=FILE_CHECK"
+ima_policy="hash func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 0
+
+desc="Non-overlapping by uid, func is equal"
+rule="measure func=FILE_CHECK uid=0"
+ima_policy="measure uid=1 func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 0
+
+desc="Non-overlapping by uid, func is equal, same policy options"
+rule="measure func=FILE_CHECK uid=0 permit_directio"
+ima_policy="measure uid=1 func=FILE_CHECK permit_directio"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 0
+
+desc="Non-overlapping by mask, func and uid are equal, same policy options"
+rule="measure func=FILE_CHECK uid=0 permit_directio mask=MAY_READ"
+ima_policy="measure uid=0 mask=MAY_EXEC func=FILE_CHECK permit_directio"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 0
+
+desc="Non-overlapping by mask, func and uid are equal, different policy options"
+rule="measure func=FILE_CHECK uid=0 permit_directio mask=MAY_READ"
+ima_policy="measure uid=0 mask=MAY_EXEC func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 0
+
+# Overlapping and different rules.
+desc="same actions, different keywords"
+rule="appraise func=FILE_CHECK"
+ima_policy="appraise uid=0"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="unrelated actions with appraise and a do action, same func"
+rule="appraise func=FILE_CHECK"
+ima_policy="measure func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="unrelated actions with appraise and a do action, different func"
+rule="appraise func=FILE_CHECK"
+ima_policy="measure func=MMAP_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="related actions, same func"
+rule="measure func=FILE_CHECK"
+ima_policy="dont_measure func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="related actions, same func, different policy options"
+rule="measure func=FILE_CHECK"
+ima_policy="dont_measure func=FILE_CHECK permit_directio"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="related actions, same func, different policy options"
+rule="measure func=FILE_CHECK permit_directio"
+ima_policy="dont_measure func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="same actions, same func, same mask with different modifier (no disjoint sets with the ^ modifier)"
+rule="measure func=FILE_CHECK mask=MAY_EXEC"
+ima_policy="measure func=FILE_CHECK mask=^MAY_EXEC"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="same actions, same func, different mask with same modifier (no disjoint sets with the ^ modifier)"
+rule="measure func=FILE_CHECK mask=^MAY_READ"
+ima_policy="measure func=FILE_CHECK mask=^MAY_EXEC"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="same actions, same func, different policy options"
+rule="measure func=FILE_CHECK"
+ima_policy="measure func=FILE_CHECK permit_directio"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="same actions, same func, different policy options"
+rule="measure func=FILE_CHECK permit_directio"
+ima_policy="measure func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="same actions, MMAP_CHECK and MMAP_CHECK_REQPROT hooks"
+rule="measure func=MMAP_CHECK"
+ima_policy="measure func=MMAP_CHECK_REQPROT"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="related actions, same func, same mask with same modifier"
+rule="measure func=FILE_CHECK mask=^MAY_EXEC"
+ima_policy="dont_measure func=FILE_CHECK mask=^MAY_EXEC"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="same actions, same func, different uid with same operator (overlap because operators are not supported)"
+rule="measure func=FILE_CHECK uid>0"
+ima_policy="measure func=FILE_CHECK uid>1"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+desc="same actions, same func, same uid with different operator (overlap because operators are not supported)"
+rule="measure func=FILE_CHECK uid>1"
+ima_policy="measure func=FILE_CHECK uid<1"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 2
+
+# Overlapping and same rules.
+desc="same actions, same func"
+rule="appraise func=FILE_CHECK"
+ima_policy="appraise func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 4
+
+desc="same actions, same func, same mask"
+rule="appraise mask=MAY_READ func=FILE_CHECK"
+ima_policy="appraise func=FILE_CHECK mask=MAY_READ"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 4
+
+desc="same actions, same func, same mask, same policy options"
+rule="appraise mask=MAY_READ func=FILE_CHECK permit_directio appraise_type=imasig"
+ima_policy="appraise func=FILE_CHECK mask=MAY_READ permit_directio appraise_type=imasig"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 4
+
+desc="same actions, same func"
+rule="measure func=MMAP_CHECK_REQPROT"
+ima_policy="measure func=MMAP_CHECK_REQPROT"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 4
+
+desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK)"
+rule="measure func=FILE_CHECK"
+ima_policy="measure func=PATH_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 4
+
+desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK), same mask with same modifiers"
+rule="measure mask=^MAY_READ func=FILE_CHECK"
+ima_policy="measure func=PATH_CHECK mask=^MAY_READ"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 4
+
+desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK) and same mask with same modifiers, same uid with same operators"
+rule="measure mask=^MAY_READ uid>0 func=FILE_CHECK"
+ima_policy="measure func=PATH_CHECK mask=^MAY_READ uid>0"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 4
+
+desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK) and same mask with same modifiers, same uid with same operators"
+rule="measure mask=^MAY_READ uid<1 func=FILE_CHECK"
+ima_policy="measure func=PATH_CHECK mask=^MAY_READ uid<1"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 4
+
+# Overlapping and two rules (one same, one different).
+desc="first: same actions, same func, second: unrelated actions with appraise and a do action"
+rule="appraise func=FILE_CHECK"
+ima_policy="appraise func=FILE_CHECK\nmeasure func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 6
+
+desc="first: unrelated actions with appraise and a do action, same func, second: same actions"
+rule="appraise func=FILE_CHECK"
+ima_policy="measure func=FILE_CHECK\nappraise func=FILE_CHECK"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 6
+
+desc="first: same actions, same func, same mask, second: different policy options"
+rule="appraise mask=MAY_READ func=FILE_CHECK"
+ima_policy="appraise func=FILE_CHECK mask=MAY_READ\nappraise func=FILE_CHECK mask=MAY_READ permit_directio"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 6
+
+desc="first: same actions, same func with alias (PATH_CHECK = FILE_CHECK), same mask, second: different policy options"
+rule="appraise mask=MAY_READ func=FILE_CHECK"
+ima_policy="appraise func=PATH_CHECK mask=MAY_READ\nappraise func=FILE_CHECK mask=MAY_READ permit_directio"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 6
+
+# Non-overlapping and three rules.
+desc="same actions, same func and mask, different uid"
+rule="appraise mask=MAY_READ func=FILE_CHECK uid=0"
+ima_policy="appraise mask=MAY_READ func=FILE_CHECK uid=1\nappraise mask=MAY_READ func=FILE_CHECK uid=2\nappraise mask=MAY_READ func=FILE_CHECK uid=3"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 0
+
+desc="same actions, same func and mask, different uid, except one that is the same"
+rule="appraise mask=MAY_READ func=FILE_CHECK uid=0"
+ima_policy="appraise mask=MAY_READ func=FILE_CHECK uid=1\nappraise mask=MAY_READ func=FILE_CHECK uid=0\nappraise mask=MAY_READ func=FILE_CHECK uid=3"
+expect_pass check_result "$desc" "$rule" "$ima_policy" 4

tests/install-fsverity.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+git clone https://git.kernel.org/pub/scm/fs/fsverity/fsverity-utils.git
+cd fsverity-utils
+CC=gcc make -j$(nproc)
+cd ..

tests/install-mount-idmapped.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+git clone https://github.com/brauner/mount-idmapped.git
+cd mount-idmapped
+gcc -o mount-idmapped mount-idmapped.c
+cd ..

tests/install-openssl3.sh

@@ -13,7 +13,14 @@ wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags
 tar --no-same-owner -xzf ${version}.tar.gz
 cd openssl-${version}
 
-./Configure --prefix=/opt/openssl3 --openssldir=/opt/openssl3/ssl
+if [ "$VARIANT" = "i386" ]; then
+	echo "32-bit compilation"
+	FLAGS="-m32 linux-generic32"
+fi
+
+./Configure $FLAGS no-engine no-dynamic-engine --prefix=/opt/openssl3 --openssldir=/opt/openssl3
+# Uncomment for debugging
+# perl configdata.pm --dump | grep engine
 make -j$(nproc)
 # only install apps and library
 sudo make install_sw

tests/install-swtpm.sh

@@ -9,7 +9,7 @@ else
 	SUDO=sudo
 fi
 
-version=1637
+version=1682
 
 wget --no-check-certificate https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${version}.tar.gz/download
 mkdir ibmtpm$version

tests/mmap_check.test

@@ -0,0 +1,407 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2022-2023 Roberto Sassu <roberto.sassu@huawei.com>
+#
+# Check the behavior of MMAP_CHECK and MMAP_CHECK_REQPROT
+
+trap '_report_exit_and_cleanup _cleanup_env cleanup' SIGINT SIGTERM SIGSEGV EXIT
+
+PATCHES=(
+'ima: Align ima_file_mmap() parameters with mmap_file LSM hook'
+'ima: Introduce MMAP_CHECK_REQPROT hook'
+)
+
+RET_INVALID_RULE=$((0x0001))
+RET_RULE_OVERLAP=$((0x0002))
+RET_SAME_RULE_EXISTS=$((0x0004))
+
+EVM_INIT_HMAC=$((0x0001))
+EVM_INIT_X509=$((0x0002))
+
+# Base VERBOSE on the environment variable, if set.
+VERBOSE="${VERBOSE:-0}"
+
+# Errors defined in test_mmap
+ERR_SETUP=1
+ERR_TEST=2
+
+cd "$(dirname "$0")" || exit 1
+export PATH=$PWD/../src:$PWD:$PATH
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
+. ./functions.sh
+_require evmctl
+
+cleanup() {
+	if [ "$g_loop_mounted" = "1" ]; then
+		popd > /dev/null || exit "$FAIL"
+		umount "$g_mountpoint"
+	fi
+
+	if [ -n "$g_dev" ]; then
+		losetup -d "$g_dev"
+	fi
+
+	if [ -n "$g_image" ]; then
+		rm -f "$g_image"
+	fi
+
+	if [ -n "$g_mountpoint" ]; then
+		rm -Rf "$g_mountpoint"
+	fi
+
+	if [ -n "$g_key_path_der" ]; then
+		rm -f "$g_key_path_der"
+	fi
+}
+
+# Use the fsuuid= IMA policy keyword to select only files created/used by the
+# tests below. Also use fowner= to differentiate between files created/used by
+# individual tests.
+IMA_UUID="28b23254-9467-44c0-b6ba-34b12e85a26e"
+MEASURE_MMAP_CHECK_FOWNER=2000
+MEASURE_MMAP_CHECK_REQPROT_FOWNER=2001
+MEASURE_MMAP_CHECK_RULE="measure func=MMAP_CHECK fsmagic=0xef53 fsuuid=$IMA_UUID fowner=$MEASURE_MMAP_CHECK_FOWNER"
+MEASURE_MMAP_CHECK_REQPROT_RULE="measure func=MMAP_CHECK_REQPROT fsmagic=0xef53 fsuuid=$IMA_UUID fowner=$MEASURE_MMAP_CHECK_REQPROT_FOWNER"
+APPRAISE_MMAP_CHECK_FOWNER=2002
+APPRAISE_MMAP_CHECK_REQPROT_FOWNER=2003
+APPRAISE_MMAP_CHECK_RULE="appraise func=MMAP_CHECK fsmagic=0xef53 fsuuid=$IMA_UUID fowner=$APPRAISE_MMAP_CHECK_FOWNER"
+APPRAISE_MMAP_CHECK_REQPROT_RULE="appraise func=MMAP_CHECK_REQPROT fsmagic=0xef53 fsuuid=$IMA_UUID fowner=$APPRAISE_MMAP_CHECK_REQPROT_FOWNER"
+
+check_load_ima_rule() {
+	local result new_policy color
+
+	echo -e "$1\n$(cat /sys/kernel/security/ima/policy)" | ima_policy_check.awk
+	result=$?
+
+	if [ $((result & RET_INVALID_RULE)) -eq $RET_INVALID_RULE ]; then
+		echo "${RED}Invalid rule${NORM}"
+		return "$HARDFAIL"
+	fi
+
+	if [ $((result & RET_RULE_OVERLAP)) -eq $RET_RULE_OVERLAP ]; then
+		color=${YELLOW}
+		if [ -n "$TST_ENV" ]; then
+			color=${RED}
+		fi
+
+		echo "${color}Possible interference with existing IMA policy rule${NORM}"
+		if [ -n "$TST_ENV" ]; then
+			return "$HARDFAIL"
+		fi
+	fi
+
+	if [ $((result & RET_SAME_RULE_EXISTS)) -eq $RET_SAME_RULE_EXISTS ]; then
+		return "$OK"
+	fi
+
+	new_policy=$(mktemp -p "$g_mountpoint")
+	echo "$1" > "$new_policy"
+	echo "$new_policy" > /sys/kernel/security/ima/policy
+	result=$?
+	rm -f "$new_policy"
+
+	if [ "$result" -ne 0 ]; then
+		echo "${RED}Failed to set IMA policy${NORM}"
+		return "$HARDFAIL"
+	fi
+
+	return "$OK"
+}
+
+check_mmap() {
+	local hook="$1"
+	local arg="$2"
+	local test_file fowner rule result test_file_entry
+
+	echo -e "\nTest: ${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\")"
+
+	if ! test_file=$(mktemp -p "$PWD"); then
+		echo "${RED}Cannot create $test_file${NORM}"
+		return "$HARDFAIL"
+	fi
+
+	if ! echo "test" > "$test_file"; then
+		echo "${RED}Cannot write $test_file${NORM}"
+		return "$FAIL"
+	fi
+
+	fowner="$MEASURE_MMAP_CHECK_FOWNER"
+	rule="$MEASURE_MMAP_CHECK_RULE"
+
+	if [ "$hook" = "MMAP_CHECK_REQPROT" ]; then
+		fowner="$MEASURE_MMAP_CHECK_REQPROT_FOWNER"
+		rule="$MEASURE_MMAP_CHECK_REQPROT_RULE"
+	fi
+
+	if ! chown "$fowner" "$test_file"; then
+		echo "${RED}Cannot change owner of $test_file${NORM}"
+		return "$HARDFAIL"
+	fi
+
+	check_load_ima_rule "$rule"
+	result=$?
+	if [ $result -ne "$OK" ]; then
+		return $result
+	fi
+
+	test_mmap "$test_file" "$arg"
+	result=$?
+
+	if [ $result -ne 0 ] && [ $result -ne "$ERR_TEST" ]; then
+		echo "${RED}Unexpected exit status $result from test_mmap${NORM}"
+		return "$HARDFAIL"
+	fi
+
+	if [ "$TFAIL" != "yes" ]; then
+		echo -n "Result (expect found): "
+	else
+		echo -n "Result (expect not found): "
+	fi
+
+	test_file_entry=$(awk '$5 == "'"$test_file"'"' < /sys/kernel/security/ima/ascii_runtime_measurements)
+	if [ -z "$test_file_entry" ]; then
+		if [ "$TFAIL" != "yes" ]; then
+			echo "${RED}not found${NORM}"
+		else
+			echo "${GREEN}not found${NORM}"
+		fi
+		return "$FAIL"
+	fi
+
+	if [ "$TFAIL" != "yes" ]; then
+		echo "${GREEN}found${NORM}"
+	else
+		echo "${RED}found${NORM}"
+	fi
+
+	if [ "$VERBOSE" -gt 0 ]; then
+		echo "$test_file_entry"
+	fi
+
+	return "$OK"
+}
+
+check_deny() {
+	local hook="$1"
+	local arg="$2"
+	local test_file fowner rule result
+
+	echo -e "\nTest: ${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\")"
+
+	if ! test_file=$(mktemp -p "$PWD"); then
+		echo "${RED}Cannot create $test_file${NORM}"
+		return "$HARDFAIL"
+	fi
+
+	if ! echo "test" > "$test_file"; then
+		echo "${RED}Cannot write $test_file${NORM}"
+		return "$FAIL"
+	fi
+
+	if ! evmctl ima_sign -a sha256 --key "$g_key_path" "$test_file" &> /dev/null; then
+		echo "${RED}Cannot sign $test_file${NORM}"
+		return "$HARDFAIL"
+	fi
+
+	fowner="$APPRAISE_MMAP_CHECK_FOWNER"
+	rule="$APPRAISE_MMAP_CHECK_RULE"
+
+	if [ "$hook" = "MMAP_CHECK_REQPROT" ]; then
+		fowner="$APPRAISE_MMAP_CHECK_REQPROT_FOWNER"
+		rule="$APPRAISE_MMAP_CHECK_REQPROT_RULE"
+	fi
+
+	if ! chown "$fowner" "$test_file"; then
+		echo "${RED}Cannot change owner of $test_file${NORM}"
+		return "$HARDFAIL"
+	fi
+
+	check_load_ima_rule "$rule"
+	result=$?
+	if [ $result -ne "$OK" ]; then
+		return $result
+	fi
+
+	test_mmap "$test_file" exec
+	result=$?
+
+	if [ $result -ne 0 ] && [ $result -ne "$ERR_TEST" ]; then
+		echo "${RED}Unexpected exit status $result from test_mmap${NORM}"
+		return "$HARDFAIL"
+	fi
+
+	test_mmap "$test_file" "$arg"
+	result=$?
+
+	if [ $result -ne 0 ] && [ $result -ne "$ERR_TEST" ]; then
+		echo "${RED}Unexpected exit status $result from test_mmap${NORM}"
+		return "$HARDFAIL"
+	fi
+
+	if [ "$TFAIL" != "yes" ]; then
+		echo -n "Result (expect denied): "
+	else
+		echo -n "Result (expect allowed): "
+	fi
+
+	if [ $result -eq 0 ]; then
+		if [ "$TFAIL" != "yes" ]; then
+			echo "${RED}allowed${NORM}"
+		else
+			echo "${GREEN}allowed${NORM}"
+		fi
+		return "$FAIL"
+	fi
+
+	if [ "$TFAIL" != "yes" ]; then
+		echo "${GREEN}denied${NORM}"
+	else
+		echo "${RED}denied${NORM}"
+	fi
+
+	return "$OK"
+}
+
+# Run in the new environment if TST_ENV is set.
+_run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_KEY_PATH=$TST_KEY_PATH"
+
+# Exit from the creator of the new environment.
+_exit_env "$TST_KERNEL"
+
+# Mount filesystems in the new environment.
+_init_env
+
+if [ "$(whoami)" != "root" ]; then
+	echo "${CYAN}This script must be executed as root${NORM}"
+	exit "$SKIP"
+fi
+
+if [ ! -f /sys/kernel/security/ima/policy ]; then
+	echo "${CYAN}IMA policy file not found${NORM}"
+	exit "$SKIP"
+fi
+
+if ! cat /sys/kernel/security/ima/policy &> /dev/null; then
+	echo "${CYAN}IMA policy file is not readable${NORM}"
+	exit "$SKIP"
+fi
+
+if [ -n "$TST_KEY_PATH" ]; then
+	if [ "${TST_KEY_PATH:0:1}" != "/" ]; then
+		echo "${RED}Absolute path required for the signing key${NORM}"
+		exit "$FAIL"
+	fi
+
+	if [ ! -f "$TST_KEY_PATH" ]; then
+		echo "${RED}Kernel signing key not found in $TST_KEY_PATH${NORM}"
+		exit "$FAIL"
+	fi
+
+	g_key_path="$TST_KEY_PATH"
+elif [ -f "$PWD/../signing_key.pem" ]; then
+	g_key_path="$PWD/../signing_key.pem"
+elif [ -f "/lib/modules/$(uname -r)/source/certs/signing_key.pem" ]; then
+	g_key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
+elif [ -f "/lib/modules/$(uname -r)/build/certs/signing_key.pem" ]; then
+	g_key_path="/lib/modules/$(uname -r)/build/certs/signing_key.pem"
+else
+	echo "${CYAN}Kernel signing key not found${NORM}"
+	exit "$SKIP"
+fi
+
+evm_value=$(cat /sys/kernel/security/evm)
+if [ $((evm_value & EVM_INIT_X509)) -eq "$EVM_INIT_X509" ]; then
+	if [ $((evm_value & EVM_INIT_HMAC)) -ne "$EVM_INIT_HMAC" ]; then
+		echo "${CYAN}Incompatible EVM mode $evm_value${NORM}"
+		exit "$SKIP"
+	fi
+fi
+
+g_key_path_der=$(mktemp)
+
+openssl x509 -in "$g_key_path" -out "$g_key_path_der" -outform der
+if ! keyctl padd asymmetric pubkey %keyring:.ima < "$g_key_path_der" &> /dev/null; then
+	echo "${RED}Public key cannot be added to the IMA keyring${NORM}"
+	exit "$FAIL"
+fi
+
+g_mountpoint=$(mktemp -d)
+g_image=$(mktemp)
+
+if [ -z "$g_mountpoint" ]; then
+	echo "${RED}Mountpoint directory not created${NORM}"
+	exit "$FAIL"
+fi
+
+if ! dd if=/dev/zero of="$g_image" bs=1M count=20 &> /dev/null; then
+	echo "${RED}Cannot create test image${NORM}"
+	exit "$FAIL"
+fi
+
+g_dev=$(losetup -f "$g_image" --show)
+if [ -z "$g_dev" ]; then
+	echo "${RED}Cannot create loop device${NORM}"
+	exit "$FAIL"
+fi
+
+if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then
+	echo "${RED}Cannot format $g_dev${NORM}"
+	exit "$FAIL"
+fi
+
+if ! mount -o iversion "$g_dev" "$g_mountpoint"; then
+	echo "${RED}Cannot mount loop device${NORM}"
+	exit "$FAIL"
+fi
+
+g_loop_mounted=1
+pushd "$g_mountpoint" > /dev/null || exit "$FAIL"
+
+# Ensure that IMA does not add a new measurement entry if an application calls
+# mmap() with PROT_READ, and a policy rule contains the MMAP_CHECK hook.
+# In this case, both the protections requested by the application and the final
+# protections applied by the kernel contain only PROT_READ, so there is no
+# match with the IMA rule, which expects PROT_EXEC to be set.
+expect_fail check_mmap "MMAP_CHECK" ""
+
+# Ensure that IMA adds a new measurement entry if an application calls mmap()
+# with PROT_READ | PROT_EXEC, and a policy rule contains the MMAP_CHECK hook.
+expect_pass check_mmap "MMAP_CHECK" "exec"
+
+# Same as in the first test, but in this case the application calls the
+# personality() system call with READ_IMPLIES_EXEC, which causes the kernel to
+# add PROT_EXEC in the final protections passed to the MMAP_CHECK hook.
+#
+# Ensure that the bug introduced by 98de59bfe4b2 ("take calculation of final
+# protections in security_mmap_file() into a helper") is fixed, by passing the
+# final protections again to the MMAP_CHECK hook. Due to the bug, the hook
+# received the protections requested by the application. Since those protections
+# don't have PROT_EXEC, IMA was not creating a measurement entry.
+expect_pass_if '0' check_mmap "MMAP_CHECK" "read_implies_exec"
+
+# Repeat the previous three tests, but with the new MMAP_CHECK_REQPROT hook,
+# which behaves like the buggy MMAP_CHECK hook. In the third test, expect that
+# no new measurement entry is created, since the MMAP_CHECK_REQPROT hook sees
+# the protections requested by the application (PROT_READ).
+expect_fail_if '1' check_mmap "MMAP_CHECK_REQPROT" ""
+expect_pass_if '1' check_mmap "MMAP_CHECK_REQPROT" "exec"
+expect_fail_if '1' check_mmap "MMAP_CHECK_REQPROT" "read_implies_exec"
+
+# Ensure that IMA refuses an mprotect() with PROT_EXEC on a memory area
+# obtained with an mmap() with PROT_READ. This is due to the inability of IMA
+# to measure/appraise the file for which mmap() was called (locking issue).
+expect_pass check_deny "MMAP_CHECK" "mprotect"
+
+# Ensure that MMAP_CHECK_REQPROT has the same behavior of MMAP_CHECK for the
+# previous test.
+expect_pass_if '1' check_deny "MMAP_CHECK_REQPROT" "mprotect"
+
+# Ensure that there cannot be an mmap() with PROT_EXEC on a file with writable
+# mappings, due to the inability of IMA to make a reliable measurement of that
+# file.
+expect_pass check_deny "MMAP_CHECK" "exec_on_writable"
+
+# Ensure that MMAP_CHECK_REQPROT has the same behavior of MMAP_CHECK for the
+# previous test.
+expect_pass_if '1' check_deny "MMAP_CHECK_REQPROT" "exec_on_writable"

tests/sign_verify.test

@@ -17,6 +17,10 @@
 
 cd "$(dirname "$0")" || exit 1
 PATH=../src:$PATH
+
+# set the env SIGV1=1 to execute the signature v1 tests
+SIGV1=${SIGV1:-0}
+
 source ./functions.sh
 
 _require cmp evmctl getfattr openssl xxd
@@ -368,13 +372,18 @@ try_different_sigs() {
 
 ## Test v1 signatures
 # Signature v1 only supports sha1 and sha256 so any other should fail
-expect_fail \
+if [ $SIGV1 -eq 0 ]; then
+  __skip() { echo "IMA signature v1 tests are skipped: not supported"; return $SKIP; }
+  expect_pass __skip
+else
+   expect_fail \
       check_sign TYPE=ima KEY=rsa1024 ALG=md5 PREFIX=0x0301 OPTS=--rsa
 
-sign_verify  rsa1024  sha1    0x0301 --rsa
-sign_verify  rsa1024  sha256  0x0301 --rsa
+   sign_verify  rsa1024  sha1    0x0301 --rsa
+   sign_verify  rsa1024  sha256  0x0301 --rsa
       try_different_keys
       try_different_sigs
+fi
 
 ## Test v2 signatures with RSA PKCS#1
 # List of allowed hashes much greater but not all are supported.
@@ -407,9 +416,12 @@ sign_verify  prime256v1 sha384 0x030205:K:004[345678]
 sign_verify  prime256v1 sha512 0x030206:K:004[345678]
 
 # If openssl 3.0 is installed, test the SM2/3 algorithm combination
-if [ -x /opt/openssl3/bin/openssl ]; then
-  PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib \
+ssl_major_version=$(openssl version | sed -n 's/^OpenSSL \([^\.]\).*/\1/p')
+if [ "${ssl_major_version}" = 3 ]; then
    sign_verify  sm2    sm3    0x030211:K:004[345678]
+else
+	__skip() { echo "sm2/sm3 tests are skipped (ssl version)"; return $SKIP; }
+  expect_pass __skip
 fi
 
 # Test v2 signatures with EC-RDSA

tests/test_mmap.c

@@ -0,0 +1,128 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2023 Huawei Technologies Duesseldorf GmbH
+ *
+ * Tool to test IMA MMAP_CHECK and MMAP_CHECK_REQPROT hooks.
+ */
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <sys/personality.h>
+
+/*
+ * Convention: return 1 for errors that should not occur, as they are
+ * setup-related, return 2 for errors that might occur due to testing
+ * conditions.
+ */
+#define ERR_SETUP 1
+#define ERR_TEST 2
+
+int main(int argc, char *argv[])
+{
+	struct stat st;
+	void *ptr, *ptr_write = NULL;
+	int ret, fd, fd_write, prot = PROT_READ;
+
+	if (!argv[1]) {
+		printf("Missing file parameter\n");
+		return ERR_SETUP;
+	}
+
+	if (argv[2] && !strcmp(argv[2], "read_implies_exec")) {
+		ret = personality(READ_IMPLIES_EXEC);
+		if (ret == -1) {
+			printf("Failed to set personality, err: %d (%s)\n",
+			       -errno, strerror(errno));
+			return ERR_SETUP;
+		}
+	}
+
+	if (stat(argv[1], &st) == -1) {
+		printf("Failed to access %s, err: %d (%s)\n", argv[1], -errno,
+		       strerror(errno));
+		return ERR_SETUP;
+	}
+
+	if (argv[2] && !strcmp(argv[2], "exec_on_writable")) {
+		fd_write = open(argv[1], O_RDWR);
+		if (fd_write == -1) {
+			printf("Failed to open %s in r/w, err: %d (%s)\n",
+			       argv[1], -errno, strerror(errno));
+			return ERR_SETUP;
+		}
+
+		ptr_write = mmap(0, st.st_size, PROT_WRITE, MAP_SHARED,
+				 fd_write, 0);
+		close(fd_write);
+
+		if (ptr_write == MAP_FAILED) {
+			printf("Failed mmap() with PROT_WRITE on %s, err: %d (%s)\n",
+			       argv[1], -errno, strerror(errno));
+			return ERR_SETUP;
+		}
+	}
+
+	fd = open(argv[1], O_RDONLY);
+	if (fd == -1) {
+		printf("Failed to open %s in ro, err: %d (%s)\n", argv[1],
+		       -errno, strerror(errno));
+
+		if (ptr_write && munmap(ptr_write, st.st_size) == -1)
+			printf("Failed munmap() of writable mapping on %s, err: %d (%s)\n",
+			       argv[1], -errno, strerror(errno));
+
+		return ERR_SETUP;
+	}
+
+	if (argv[2] && !strncmp(argv[2], "exec", 4))
+		prot |= PROT_EXEC;
+
+	ptr = mmap(0, st.st_size, prot, MAP_PRIVATE, fd, 0);
+
+	close(fd);
+
+	if (ptr_write && munmap(ptr_write, st.st_size) == -1) {
+		printf("Failed munmap() of writable mapping on %s, err: %d (%s)\n",
+		       argv[1], -errno, strerror(errno));
+		return ERR_SETUP;
+	}
+
+	if (ptr == MAP_FAILED) {
+		ret = ERR_SETUP;
+		if (argv[2] && !strcmp(argv[2], "exec_on_writable") &&
+		    errno == EACCES)
+			ret = ERR_TEST;
+		else
+			printf("Failed mmap() with PROT_READ%s on %s, err: %d (%s)\n",
+			       (prot & PROT_EXEC) ? " | PROT_EXEC" : "",
+			       argv[1], -errno, strerror(errno));
+
+		return ret;
+	}
+
+	ret = 0;
+
+	if (argv[2] && !strcmp(argv[2], "mprotect")) {
+		ret = mprotect(ptr, st.st_size, PROT_EXEC);
+		if (ret == -1) {
+			ret = ERR_SETUP;
+			if (errno == EPERM)
+				ret = ERR_TEST;
+			else
+				printf("Unexpected mprotect() error on %s, err: %d (%s)\n",
+				       argv[1], -errno, strerror(errno));
+		}
+	}
+
+	if (munmap(ptr, st.st_size) == -1) {
+		printf("Failed munmap() of mapping on %s, err: %d (%s)\n",
+		       argv[1], -errno, strerror(errno));
+		return ERR_SETUP;
+	}
+
+	return ret;
+}