From patchwork Wed May 27 07:14:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Vorel X-Patchwork-Id: 11572119 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A25F2159A for ; Wed, 27 May 2020 07:14:45 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8E732207ED for ; Wed, 27 May 2020 07:14:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729021AbgE0HOp (ORCPT ); Wed, 27 May 2020 03:14:45 -0400 Received: from mx2.suse.de ([195.135.220.15]:56336 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728611AbgE0HOo (ORCPT ); Wed, 27 May 2020 03:14:44 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 76ED5ACD5; Wed, 27 May 2020 07:14:44 +0000 (UTC) From: Petr Vorel To: ltp@lists.linux.it Cc: Petr Vorel , Mimi Zohar , Petr Cervinka , Cyril Hrubis , linux-integrity@vger.kernel.org Subject: [LTP v2 1/1] ima_tpm.sh: Fix for calculating boot aggregate Date: Wed, 27 May 2020 09:14:34 +0200 Message-Id: <20200527071434.28574-1-pvorel@suse.cz> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Fixes test for kernel commit: 6f1a1d103b48 ima: ("Switch to ima_hash_algo for boot aggregate") from current linux-integrity tree. The test was failing because it expected a SHA1 hash, but for TPM 2.0 the IMA default hash algorithm (SHA256 by default) is now used. This is the same as for entries in the IMA measurement list, so we can reuse the already existing code. 
Signed-off-by: Petr Vorel --- changes v1->v2: * removing global variables from get_algorithm_digest (hopefully it's less ugly) Tested only on VM. Can anybody test it on real HW? Kind regards, Petr .../integrity/ima/tests/ima_measurements.sh | 62 ++--------------- .../security/integrity/ima/tests/ima_setup.sh | 69 +++++++++++++++++++ .../security/integrity/ima/tests/ima_tpm.sh | 29 +++++--- 3 files changed, 96 insertions(+), 64 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh index 54237d688..50de4df98 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh @@ -6,7 +6,7 @@ # # Verify that measurements are added to the measurement list based on policy. -TST_NEEDS_CMDS="awk cut" +TST_NEEDS_CMDS="awk cut sed" TST_SETUP="setup" TST_CNT=3 TST_NEEDS_DEVICE=1 @@ -20,30 +20,8 @@ setup() TEST_FILE="$PWD/test.txt" POLICY="$IMA_DIR/policy" [ -f "$POLICY" ] || tst_res TINFO "not using default policy" - DIGEST_INDEX= - - local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)" - local i - - # parse digest index - # https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use - case "$template" in - ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;; - *) - # using ima_template_fmt kernel parameter - local IFS="|" - i=4 - for word in $template; do - if [ "$word" = 'd' -o "$word" = 'd-ng' ]; then - DIGEST_INDEX=$i - break - fi - i=$((i+1)) - done - esac - [ -z "$DIGEST_INDEX" ] && tst_brk TCONF \ - "Cannot find digest index (template: '$template')" + set_digest_index } # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160 
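Review bot: `sed` is added to TST_NEEDS_CMDS in the first hunk of ima_measurements.sh, but no sed invocation appears anywhere in the new code of this patch; the parsing moved into get_algorithm_digest uses only echo and cut. If the dependency is a leftover from v1, the line can stay as `TST_NEEDS_CMDS="awk cut"`; if sed is used elsewhere in the file outside these hunks, a short comment naming that use would save the next reader the same search. The second hunk, replacing the inline digest-index parsing in setup() with `set_digest_index`, raises nothing on its own.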
@@ -82,44 +60,18 @@ compute_digest() ima_check() { - local delimiter=':' - local algorithm digest expected_digest line + local algorithm digest expected_digest line tmp # need to read file to get updated $ASCII_MEASUREMENTS cat $TEST_FILE > /dev/null line="$(grep $TEST_FILE $ASCII_MEASUREMENTS | tail -1)" - if [ -z "$line" ]; then - tst_res TFAIL "cannot find measurement record for '$TEST_FILE'" - return - fi - tst_res TINFO "measurement record: '$line'" - - digest=$(echo "$line" | cut -d' ' -f $DIGEST_INDEX) - if [ -z "$digest" ]; then - tst_res TFAIL "cannot find digest (index: $DIGEST_INDEX)" - return - fi - if [ "${digest#*$delimiter}" != "$digest" ]; then - algorithm=$(echo "$digest" | cut -d $delimiter -f 1) - digest=$(echo "$digest" | cut -d $delimiter -f 2) + if tmp=$(get_algorithm_digest "$line"); then + algorithm=$(echo "$tmp" | cut -d'|' -f1) + digest=$(echo "$tmp" | cut -d'|' -f2) else - case "${#digest}" in - 32) algorithm="md5" ;; - 40) algorithm="sha1" ;; - *) - tst_res TFAIL "algorithm must be either md5 or sha1 (digest: '$digest')" - return ;; - esac - fi - if [ -z "$algorithm" ]; then - tst_res TFAIL "cannot find algorithm" - return - fi - if [ -z "$digest" ]; then - tst_res TFAIL "cannot find digest" - return + tst_res TBROK "failed to get algorithm/digest for '$TEST_FILE': $tmp" fi tst_res TINFO "computing digest for $algorithm algorithm" diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 58a12eda3..104088e52 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh 
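Review bot: The `else` branch in ima_check reports TBROK with tst_res but does not leave the function, so execution continues to `tst_res TINFO "computing digest for $algorithm algorithm"` with `algorithm` and `digest` both empty; the removed code returned after every failure report. Either add `return` after the `tst_res TBROK` line or use `tst_brk TBROK "failed to get algorithm/digest for '$TEST_FILE': $tmp"` so the test aborts there. The same pattern is in test1 of the ima_tpm.sh hunk below, where it is worse: with no TPM event log an empty `digest` is compared against a `zero` string derived from it, which is also empty, and the test reports TPASS for a record it never parsed. ima_check's body continues past the end of this hunk.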
@@ -112,6 +112,75 @@ ima_cleanup() fi } +set_digest_index() +{ + DIGEST_INDEX= + + local template="$(tail -1 $ASCII_MEASUREMENTS | cut -d' ' -f 3)" + local i word + + # parse digest index + # https://www.kernel.org/doc/html/latest/security/IMA-templates.html#use + case "$template" in + ima|ima-ng|ima-sig) DIGEST_INDEX=4 ;; + *) + # using ima_template_fmt kernel parameter + local IFS="|" + i=4 + for word in $template; do + if [ "$word" = 'd' -o "$word" = 'd-ng' ]; then + DIGEST_INDEX=$i + break + fi + i=$((i+1)) + done + esac + + [ -z "$DIGEST_INDEX" ] && tst_brk TCONF \ + "Cannot find digest index (template: '$template')" +} + +get_algorithm_digest() +{ + local line="$1" + local delimiter=':' + local algorithm digest + + if [ -z "$line" ]; then + echo "measurement record not found" + return 1 + fi + + digest=$(echo "$line" | cut -d' ' -f $DIGEST_INDEX) + if [ -z "$digest" ]; then + echo "digest not found (index: $DIGEST_INDEX, line: '$line')" + return 1 + fi + + if [ "${digest#*$delimiter}" != "$digest" ]; then + algorithm=$(echo "$digest" | cut -d $delimiter -f 1) + digest=$(echo "$digest" | cut -d $delimiter -f 2) + else + case "${#digest}" in + 32) algorithm="md5" ;; + 40) algorithm="sha1" ;; + *) + echo "algorithm must be either md5 or sha1 (digest: '$digest')" + return 1 ;; + esac + fi + if [ -z "$algorithm" ]; then + echo "algorithm not found" + return 1 + fi + if [ -z "$digest" ]; then + echo "digest not found" + return 1 + fi + + echo "$algorithm|$digest" +} + # loop device is needed to use only for tmpfs TMPDIR="${TMPDIR:-/tmp}" if [ "$(df -T $TMPDIR | tail -1 | awk '{print $2}')" != "tmpfs" -a -n "$TST_NEEDS_DEVICE" ]; then diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh index c69f891f1..444d76d62 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh 
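Review bot: get_algorithm_digest reads the global DIGEST_INDEX that set_digest_index writes, but nothing in the function checks that it was set; with an empty index the `cut -d' ' -f $DIGEST_INDEX` call fails and the caller only sees the generic "digest not found (index: , line: ...)" message. A guard at the top, `[ -n "$DIGEST_INDEX" ] || { echo "DIGEST_INDEX not set (run set_digest_index first)"; return 1; }`, turns that into a clear error and documents the ordering requirement. Both new functions would also benefit from a header comment in the file's style; for get_algorithm_digest it should state that on success it prints `algorithm|digest` to stdout and returns 0, while on failure it prints the reason to stdout and returns 1, since callers capture stdout in both cases and print it as the error text.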
@@ -7,6 +7,7 @@ # Verify the boot and PCR aggregates. TST_CNT=2 +TST_SETUP="set_digest_index" TST_NEEDS_CMDS="awk cut ima_boot_aggregate" . ima_setup.sh @@ -15,29 +16,39 @@ test1() { tst_res TINFO "verify boot aggregate" - local zero="0000000000000000000000000000000000000000" local tpm_bios="$SECURITYFS/tpm0/binary_bios_measurements" local ima_measurements="$ASCII_MEASUREMENTS" - local boot_aggregate boot_hash line + local algorithm boot_aggregate digest line tmp zero # IMA boot aggregate read line < $ima_measurements - boot_hash=$(echo $line | awk '{print $(NF-1)}' | cut -d':' -f2) + + if tmp=$(get_algorithm_digest "$line"); then + algorithm=$(echo "$tmp" | cut -d'|' -f1) + digest=$(echo "$tmp" | cut -d'|' -f2) + else + tst_res TBROK "failed to get algorithm/digest: $tmp" + fi + + tst_res TINFO "used algorithm: $algorithm" if [ ! -f "$tpm_bios" ]; then tst_res TINFO "TPM Hardware Support not enabled in kernel or no TPM chip found" - if [ "$boot_hash" = "$zero" ]; then - tst_res TPASS "bios boot aggregate is 0" + zero=$(echo $digest | awk '{gsub(/./, "0")}; {print}') + if [ "$digest" = "$zero" ]; then + tst_res TPASS "bios boot aggregate is $zero" else - tst_res TFAIL "bios boot aggregate is not 0" + tst_res TFAIL "bios boot aggregate is not $zero ($digest)" fi else boot_aggregate=$(ima_boot_aggregate $tpm_bios | grep "boot_aggregate:" | cut -d':' -f2) - if [ "$boot_hash" = "$boot_aggregate" ]; then - tst_res TPASS "bios aggregate matches IMA boot aggregate" + tst_res TINFO "IMA boot aggregate: '$boot_aggregate'" + + if [ "$digest" = "$boot_aggregate" ]; then + tst_res TPASS "bios boot aggregate matches IMA boot aggregate" else - tst_res TFAIL "bios aggregate does not match IMA boot aggregate" + tst_res TFAIL "bios boot aggregate does not match IMA boot aggregate ($digest)" fi fi }
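Review bot: In the TPM-present branch of test1, `digest` may now be a SHA256 value (the commit message says TPM 2.0 systems use the IMA default algorithm), yet it is still compared against the output of `ima_boot_aggregate $tpm_bios`, which is not part of this patch; unless that helper computes the aggregate for `$algorithm` as well, the comparison fails on every TPM 2.0 machine with the same TFAIL this change set out to fix, and the "Tested only on VM" remark does not rule that out. Passing the algorithm to the helper, or reporting TCONF when `$algorithm` is not sha1 until the helper supports it, would make the outcome explicit rather than a misleading mismatch. Separately, `zero=$(echo $digest | awk '{gsub(/./, "0")}; {print}')` leaves `$digest` unquoted; `zero=$(printf '%s\n' "$digest" | awk '{gsub(/./, "0")}; {print}')` is the safe form. The first hunk, wiring set_digest_index as TST_SETUP, raises nothing.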