Verify that operations on files with EVM portable signatures succeed and that the new kernel patch set does not break the existing kernel integrity expectations. Build and install mount-idmapped for ci/fedora.sh, to additionally test idmapped mounts. To run the tests, pass the path of the kernel private key with the TST_KEY_PATH environment variable. If not provided, search first in the ima-evm-utils top directory, and then in /lib/modules/$(uname -r)/source/certs/signing_key.pem and /lib/modules/$(uname -r)/build/certs/signing_key.pem. Root privileges are required to mount the image, configure IMA/EVM and set xattrs. Set TST_ENV to 'um' to relaunch the script in a new environment after booting a UML kernel; the UML kernel path must be specified with the TST_KERNEL environment variable. Alternatively, set the TST_EVM_CHANGE_MODE variable to 1 to change the current EVM mode if a test needs a different one; otherwise, only the tests compatible with the current EVM mode are executed. Also set the EVM_ALLOW_METADATA_WRITES flag in the EVM mode before launching the script, to run the check_evm_revalidate() test. Execute: `echo 4 > /sys/kernel/security/evm`. The last two environment variables above affect which tests will run the next time the script is executed. Without setting TST_ENV, changes to the current EVM mode are made irreversibly on the host: next time, unless the host is rebooted, only tests compatible with the last EVM mode set will run, and the others will be skipped. By setting TST_ENV, this problem does not arise, as every time the environment is created it is clean, with no flags set in the EVM mode. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
#!/bin/sh
# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
# Under CI the job log is the only artefact we get back, so trace every
# command and merge stderr into stdout so the two streams stay in order.
# Caution: 'set -x' echoes fully expanded command lines, so nothing
# secret should be passed on a command line from here on.
case "$CI" in
"")
	;;
*)
	set -x
	exec 2>&1

	# The IMA/EVM tests read and write /sys/kernel/security.  This runs
	# before 'set -e' (further down), so a failure here -- securityfs
	# already mounted, or no CAP_SYS_ADMIN -- does not abort the script.
	mount -t securityfs -o rw securityfs /sys/kernel/security
	;;
esac
# Abort on the first failing command from here on.
set -e

# Toolchain and install location, all overridable from the environment.
# CFLAGS defaults to a set of warnings promoted to errors; an explicit
# CFLAGS replaces that default entirely rather than extending it.
: "${CC:=gcc}"
: "${CFLAGS:=-Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common}"
: "${PREFIX:=$HOME/ima-evm-utils-install}"

# $PREFIX goes first in the library and binary search paths so that the
# later steps of this script find what gets installed there before any
# system copy.  Note that whoever can write to $PREFIX therefore controls
# which libraries and binaries the rest of this run executes.
LD_LIBRARY_PATH="$PREFIX/lib64:$PREFIX/lib:/usr/local/lib64:/usr/local/lib"
PATH="$PREFIX/bin:/usr/local/bin:$PATH"
export LD_LIBRARY_PATH PATH
# Print a section banner of the form "===== $1 =====" on stdout.
#   $1 - section name
title()
{
	local banner
	banner="===== $1 ====="
	echo "$banner"
}
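# Dump a log file, print a message and exit with a status.
#   $1 - log file to print
#   $2 - message to print after the log
#   $3 - exit status; defaults to $? as seen on entry, i.e. the status of
#        the command that failed right before "cmd || log_exit ..."
# The message is prefixed with "FAIL: " when the status is non-zero.
log_exit()
{
	# Must be the first thing evaluated: any other command clobbers $?.
	local ret="${3:-$?}"
	local log="$1"
	local msg="$2"
	local prefix=""

	echo "=== $log ==="
	[ "$ret" -eq 0 ] || prefix="FAIL: "
	# Quoted, with '--', so a log path containing spaces or starting with
	# '-' is handled as a single file name rather than split or parsed
	# as cat options.
	cat -- "$log"
	echo
	echo "$prefix$msg, see output of $log above"
	exit "$ret"
}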
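# Run from the directory holding this script, so the relative paths used
# below (./autogen.sh, ./configure, tests/*.log) resolve.  Quoted and
# checked explicitly: an unquoted `dirname $0` would word-split a path
# containing spaces, and 'set -e' alone gives no message on failure.
cd "$(dirname -- "$0")" || { echo "cannot cd to $(dirname -- "$0")" >&2; exit 1; }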
# Optional build against a locally built OpenSSL 3 under /opt/openssl3.
# Both the OpenSSL tree and the in-tree .libs directory are put in front
# of the library and binary search paths; note that the latter is a path
# under $HOME, so anything writable there is picked up ahead of system
# binaries for the rest of this run.
if [ -n "$COMPILE_SSL" ]; then
	echo "COMPILE_SSL: $COMPILE_SSL"
	ssl_root=/opt/openssl3
	tree_libs="$HOME/src/ima-evm-utils/src/.libs"
	CFLAGS="-I$ssl_root/include $CFLAGS"
	LD_LIBRARY_PATH="$ssl_root/lib64:$ssl_root/lib:$tree_libs:$LD_LIBRARY_PATH"
	LDFLAGS="-L$ssl_root/lib64 -L$ssl_root/lib $LDFLAGS"
	PATH="$ssl_root/bin:$tree_libs:$PATH"
	export CFLAGS LD_LIBRARY_PATH LDFLAGS PATH
	unset ssl_root tree_libs
fi
# Select the build flavour from $VARIANT; unset or empty means native.
case "$VARIANT" in
"")
	echo "native build"
	;;
i386)
	# 32-bit build: compiler and linker both need -m32, and pkg-config
	# has to look at the i386 multiarch directory.
	echo "32-bit compilation"
	export CFLAGS="-m32 $CFLAGS" LDFLAGS="-m32 $LDFLAGS"
	export PKG_CONFIG_LIBDIR=/usr/lib/i386-linux-gnu/pkgconfig
	;;
cross-compile)
	# The target triplet is CC with a trailing "-gcc" stripped; $host is
	# reused further down as configure's --host argument.
	host="${CC%-gcc}"
	export CROSS_COMPILE="${host}-"
	host="--host=$host"
	echo "cross compilation: $host"
	echo "CROSS_COMPILE: '$CROSS_COMPILE'"
	;;
*)
	echo "Wrong VARIANT: '$VARIANT'" >&2
	exit 1
	;;
esac
title "compiler version"
# $CC is left unquoted as elsewhere in this script; quoting it would
# break a CC value made of more than one word.
$CC --version

# Echo one build setting as "NAME: 'VALUE'", quotes included, so empty
# values and trailing spaces are visible in the log.
print_setting()
{
	echo "$1: '$2'"
}

print_setting CFLAGS "$CFLAGS"
print_setting LDFLAGS "$LDFLAGS"
print_setting PREFIX "$PREFIX"
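title "configure"
# A failing autogen.sh aborts via 'set -e'; a failing configure is
# reported through config.log instead, since that is where the reason is.
./autogen.sh
# $PREFIX is quoted; $host is passed only when the cross-compile case
# above set it, so a native build does not get a stray empty argument.
./configure --prefix="$PREFIX" ${host:+"$host"} || log_exit config.log "configure failed"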
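title "make"
# Parallel build.  If nproc is unavailable, fall back to one job: an
# empty $(nproc) would leave a bare 'make -j', i.e. no job limit at all.
make -j"$(nproc 2>/dev/null || echo 1)"
# Installs into $PREFIX, which is already first in PATH/LD_LIBRARY_PATH.
make install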
title "test"
# A cross-compiled tree cannot be executed here, so there is nothing to
# check; stop successfully.
case "$VARIANT" in
cross-compile)
	echo "skip make check on cross compilation"
	exit 0
	;;
esac
# Run the test suite and keep its exit status in $ret instead of letting
# 'set -e' stop the script, so the logs can still be shown below.
if VERBOSE=1 make check; then
	ret=0
else
	ret=$?
fi
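title "logs"

# Print the "skipped" lines of a test log, then how many there were.
# Prints nothing when the log has no skipped tests.
#   $1 - log file
show_skipped()
{
	if grep "skipped" "$1"; then
		grep -c "skipped" "$1"
	fi
}

# Print a whole log under CI (where the log is all that can be inspected),
# otherwise only its tail.
#   $1 - log file
show_log()
{
	if [ -n "$CI" ]; then
		cat -- "$1"
	else
		tail -- "$1"
	fi
}

if [ "$ret" -eq 0 ]; then
	if [ -f tests/ima_hash.log ]; then
		tail -n 3 tests/ima_hash.log
		show_skipped tests/ima_hash.log
	fi
	if [ -f tests/sign_verify.log ]; then
		tail -n 3 tests/sign_verify.log
		show_skipped tests/sign_verify.log
	fi
	# Guarded like the other logs: with 'set -e' active, a missing
	# boot_aggregate.log would otherwise turn a passing test run into
	# exit status 1 at this point.
	if [ -f tests/boot_aggregate.log ]; then
		tail -n 20 tests/boot_aggregate.log
	fi

	if [ -f tests/fsverity.log ]; then
		show_log tests/fsverity.log
		show_skipped tests/fsverity.log
	fi
	if [ -f tests/portable_signatures.log ]; then
		show_log tests/portable_signatures.log
		show_skipped tests/portable_signatures.log
	fi
	exit 0
fi

# Failing or partly skipped run: dump the aggregate log.  log_exit prints
# it a second time below, under a "=== ... ===" banner.
cat tests/test-suite.log

# Status 77 means some tests were skipped: report it as a warning but exit
# successfully; anything else is a real failure and keeps its status.
if [ "$ret" -eq 77 ]; then
	msg="WARN: some tests skipped"
	ret=0
else
	msg="FAIL: tests exited: $ret"
fi

log_exit tests/test-suite.log "$msg" "$ret"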