@@ -7,4 +7,3 @@ ima_keys ima_keys.sh
ima_kexec ima_kexec.sh
ima_selinux ima_selinux.sh
ima_conditionals ima_conditionals.sh
-evm_overlay evm_overlay.sh
@@ -64,67 +64,3 @@ and reading the IMA policy allowed in the kernel configuration:
CONFIG_SECURITY_SELINUX=y
CONFIG_IMA_READ_POLICY=y
```
-
-## EVM tests
-
-`evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb`
-kernel parameter) which appraises the integrity of all files owned by root and EVM setup.
-Again, for simplicity ignore possibility to load requires rules via custom policy.
-
-Mandatory kernel configuration for EVM tests:
-```
-CONFIG_INTEGRITY=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_IMA=y
-CONFIG_IMA_APPRAISE=y
-CONFIG_EVM=y
-CONFIG_KEYS=y
-CONFIG_TRUSTED_KEYS=y
-CONFIG_ENCRYPTED_KEYS=y
-```
-
-Example of preparing environment on for EVM on openSUSE:
-
-* Boot install system with `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters
- (for IMA measurement, IMA appraisal and EVM protection)
-* Proceed with installation until summary screen, but do not start the installation yet
-* Select package `dracut-ima` (required for early boot EVM support) for installation
- (Debian based distros already contain IMA + EVM support in `dracut` package)
-* Change to a console window and run commands to generate keys required by EVM:
-```
-# mkdir /etc/keys
-# user_key=$(keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u)
-# keyctl pipe "$user_key" > /etc/keys/kmk-user.blob
-# evm_key=$(keyctl add encrypted evm-key "new user:kmk-user 64" @u)
-# keyctl pipe "$evm_key" >/etc/keys/evm.blob
-# cat <<END >/etc/sysconfig/masterkey
-MASTERKEYTYPE="user"
-MASTERKEY="/etc/keys/kmk-user.blob"
-END
-# cat <<END >/etc/sysconfig/evm
-EVMKEY="/etc/keys/evm.blob"
-END
-# mount -t securityfs security /sys/kernel/security
-# echo 1 >/sys/kernel/security/evm
-```
-
-* Go back to the installation summary screen and start the installation
-* During the installation execute the following commands from the console:
-```
-# cp -r /etc/keys /mnt/etc/ # Debian based distributions: use /target instead of /mnt
-# cp /etc/sysconfig/{evm,masterkey} /mnt/etc/sysconfig/
-```
-
-This should work on any distribution using dracut.
-Loading EVM keys is also possible with initramfs-tools (Debian based distributions).
-
-Of course it's possible to install OS usual way, add keys later and fix missing xattrs with:
-```
-evmctl -r ima_fix /
-```
-
-or with `find` if evmctl is not available:
-```
-find / \( -fstype rootfs -o -fstype ext4 -o -fstype btrfs -o -fstype xfs \) -exec sh -c "< '{}'" \;
-```
-Again, fixing requires `ima_policy=tcb|appraise_tcb ima_appraise=fix evm=fix` kernel parameters.
deleted file mode 100755
@@ -1,93 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: GPL-2.0-or-later
-# Copyright (c) 2019 Petr Vorel <pvorel@suse.cz>
-# Based on reproducer and further discussion with Ignaz Forster <iforster@suse.de>
-# Reproducer for not upstreamed patchset [1] and previous report [2].
-# [1] https://www.spinics.net/lists/linux-integrity/msg05926.html
-# [2] https://www.spinics.net/lists/linux-integrity/msg03593.html
-
-TST_SETUP="setup"
-TST_CLEANUP="cleanup"
-TST_CNT=4
-
-setup()
-{
- EVM_FILE="/sys/kernel/security/evm"
-
- [ -f "$EVM_FILE" ] || tst_brk TCONF "EVM not enabled in kernel"
- [ $(cat $EVM_FILE) -eq 1 ] || tst_brk TCONF "EVM not enabled for this boot"
-
- require_ima_policy_cmdline "appraise_tcb"
-
- lower="$TST_MNTPOINT/lower"
- upper="$TST_MNTPOINT/upper"
- work="$TST_MNTPOINT/work"
- merged="$TST_MNTPOINT/merged"
- mkdir -p $lower $upper $work $merged
-
- device_backup="$TST_DEVICE"
- TST_DEVICE="overlay"
-
- fs_type_backup="$TST_FS_TYPE"
- TST_FS_TYPE="overlay"
-
- mntpoint_backup="$TST_MNTPOINT"
- TST_MNTPOINT="$PWD/$merged"
-
- params_backup="$TST_MNT_PARAMS"
- TST_MNT_PARAMS="-o lowerdir=$lower,upperdir=$upper,workdir=$work"
-
- tst_mount
- mounted=1
-}
-
-test1()
-{
- local file="foo1.txt"
-
- tst_res TINFO "overwrite file in overlay"
- EXPECT_PASS echo lower \> $lower/$file
- EXPECT_PASS echo overlay \> $merged/$file
-}
-
-test2()
-{
- local file="foo2.txt"
-
- tst_res TINFO "append file in overlay"
- EXPECT_PASS echo lower \> $lower/$file
- EXPECT_PASS echo overlay \>\> $merged/$file
-}
-
-test3()
-{
- local file="foo3.txt"
-
- tst_res TINFO "create a new file in overlay"
- EXPECT_PASS echo overlay \> $merged/$file
-}
-
-test4()
-{
- local f
-
- tst_res TINFO "read all created files"
- for f in $(find $TST_MNTPOINT -type f); do
- EXPECT_PASS cat $f \> /dev/null 2\> /dev/null
- done
-}
-
-cleanup()
-{
- [ -n "$mounted" ] || return 0
-
- tst_umount $TST_MNTPOINT
-
- TST_DEVICE="$device_backup"
- TST_FS_TYPE="$fs_type_backup"
- TST_MNTPOINT="$mntpoint_backup"
- TST_MNT_PARAMS="$params_backup"
-}
-
-. ima_setup.sh
-tst_run
Proof of concept, it was never fixed in the kernel. Instead we should have some basic EVM tests.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 runtest/ima | 1 -
 .../kernel/security/integrity/ima/README.md | 64 -------------
 .../integrity/ima/tests/evm_overlay.sh | 93 -------------------
 3 files changed, 158 deletions(-)
 delete mode 100755 testcases/kernel/security/integrity/ima/tests/evm_overlay.sh