From patchwork Mon Aug 3 18:47:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lachlan Sneff X-Patchwork-Id: 11698585 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A156F913 for ; Mon, 3 Aug 2020 18:47:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E086922B45 for ; Mon, 3 Aug 2020 18:47:38 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="kaZTpnPb" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726847AbgHCSrj (ORCPT ); Mon, 3 Aug 2020 14:47:39 -0400 Received: from linux.microsoft.com ([13.77.154.182]:35710 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725945AbgHCSri (ORCPT ); Mon, 3 Aug 2020 14:47:38 -0400 Received: from localhost.localdomain (c-73-187-218-229.hsd1.pa.comcast.net [73.187.218.229]) by linux.microsoft.com (Postfix) with ESMTPSA id 24B1620B490A; Mon, 3 Aug 2020 11:47:37 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 24B1620B490A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1596480458; bh=+dFj7dCuj0185ShJTiqY0XRK9Voy3eIJ3vAQPDuPtos=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kaZTpnPbHnpMMqb8G6dPIzsQ6J7Ajbsy2aqI2Iqzn7bmJDF8tiHYVBI/BOYRc87yP /PmE277/2Zf3agQO0mBOLEbB1Q0Nx/AIF6Ozzdj6ajAxBGOpvgWng07qQeca5tABIr OHk+1WiFDqsgca5uK3wVXdt8hqzRnF35oKWpzm4w= From: Lachlan Sneff To: pvorel@suse.cz, zohar@linux.ibm.com, ltp@lists.linux.it Cc: nramas@linux.microsoft.com, balajib@linux.microsoft.com, linux-integrity@vger.kernel.org, tyhicks@linux.microsoft.com, yaneurabeya@gmail.com, zhang.jia@linux.alibaba.com Subject: [PATCH 1/3] IMA: Update key test documentation Date: Mon, 3 Aug 2020 14:47:24 -0400 Message-Id: <20200803184726.2416-2-t-josne@linux.microsoft.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200803184726.2416-1-t-josne@linux.microsoft.com> References: <20200803184726.2416-1-t-josne@linux.microsoft.com> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The current documentation for the existing IMA key test was left in by accident by a previous merge. It does not apply to the test that is currently included in the LTP. Update the documentation for the IMA key test. Signed-off-by: Lachlan Sneff Reviewed-by: Petr Vorel --- .../kernel/security/integrity/ima/README.md | 22 +++++-------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md index d4644ba39..2956ac7fd 100644 --- a/testcases/kernel/security/integrity/ima/README.md +++ b/testcases/kernel/security/integrity/ima/README.md @@ -15,27 +15,15 @@ Although a custom policy, loaded via dracut, systemd or manually from user space, may contain equivalent measurement tcb rules, detecting them would require `IMA_READ_POLICY=y` therefore ignore this option. -### IMA key import test -`ima_keys.sh` requires a x509 public key, by default in `/etc/keys/x509_ima.der` -(defined in `CONFIG_IMA_X509_PATH` kernel config option). -The key must be signed by the private key you generate. Follow these instructions: -https://manpages.ubuntu.com/manpages/disco/man1/evmctl.1.html#generate%20trusted%20keys - -The test cannot be set-up automatically because the x509 public key must be -built into the kernel and loaded onto a trusted keyring -(e.g. `.builtin_trusted_keys`, `.secondary_trusted_keyring`). - -As well as what's required for the IMA tests, the following are also required -in the kernel configuration: +### IMA key test +`ima_keys.sh` requires a readable IMA policy, as well as a loaded policy +with `func=KEY_CHECK keyrings=...`, see example in `keycheck.policy`. + +Mandatory kernel configuration for IMA: ``` CONFIG_IMA_READ_POLICY=y -CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" -CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="/etc/keys/ima-local-ca.pem" ``` -Test also requires loaded policy with `func=KEY_CHECK`, see example in `keycheck.policy`. - ### IMA kexec test `ima_kexec.sh` requires loaded policy which contains `measure func=KEXEC_CMDLINE`, From patchwork Mon Aug 3 18:47:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lachlan Sneff X-Patchwork-Id: 11698587 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1BD13138C for ; Mon, 3 Aug 2020 18:47:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 65CD322BF3 for ; Mon, 3 Aug 2020 18:47:40 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="jETg+Efy" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726906AbgHCSrk (ORCPT ); Mon, 3 Aug 2020 14:47:40 -0400 Received: from linux.microsoft.com ([13.77.154.182]:35722 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725945AbgHCSrk (ORCPT ); Mon, 3 Aug 2020 14:47:40 -0400 Received: from localhost.localdomain (c-73-187-218-229.hsd1.pa.comcast.net [73.187.218.229]) by linux.microsoft.com (Postfix) with ESMTPSA id 619D320B490D; Mon, 3 Aug 2020 11:47:38 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 619D320B490D DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1596480459; bh=t37vbbkV2z9+1aMrcwUrVpxll3W/L7/rzcbHNTTSmC8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jETg+EfykGt1QTUH3qQCuTVtk+ClTgXWa7geSlB0bSrdkqk5xgQ0FPMBpbP059YLs hIauZJ19TbeFvbJZlGVQER8wGGl5aVZ8IEB83ha6aW+vxZ4jReaudkOa5CPt1m42yN sZ93xNKAFqOkJDyx/rcA0RiylEPZZIGm2msvMWiA= From: Lachlan Sneff To: pvorel@suse.cz, zohar@linux.ibm.com, ltp@lists.linux.it Cc: nramas@linux.microsoft.com, balajib@linux.microsoft.com, linux-integrity@vger.kernel.org, tyhicks@linux.microsoft.com, yaneurabeya@gmail.com, zhang.jia@linux.alibaba.com Subject: [PATCH 2/3] IMA: Refactor datafiles directory Date: Mon, 3 Aug 2020 14:47:25 -0400 Message-Id: <20200803184726.2416-3-t-josne@linux.microsoft.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200803184726.2416-1-t-josne@linux.microsoft.com> References: <20200803184726.2416-1-t-josne@linux.microsoft.com> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The IMA datafiles directory is structured so that it cannot be directly expanded to include datafiles for tests other than `ima_policy.sh`. Move the contents of the IMA datafiles directory into an IMA datafiles/policy directory. Signed-off-by: Lachlan Sneff Reviewed-by: Petr Vorel --- .../security/integrity/ima/datafiles/Makefile | 6 ++---- .../integrity/ima/datafiles/policy/Makefile | 15 +++++++++++++++ .../ima/datafiles/{ => policy}/kexec.policy | 0 .../ima/datafiles/{ => policy}/keycheck.policy | 0 .../ima/datafiles/{ => policy}/measure.policy | 0 .../datafiles/{ => policy}/measure.policy-invalid | 0 6 files changed, 17 insertions(+), 4 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/policy/Makefile rename testcases/kernel/security/integrity/ima/datafiles/{ => policy}/kexec.policy (100%) rename testcases/kernel/security/integrity/ima/datafiles/{ => policy}/keycheck.policy (100%) rename testcases/kernel/security/integrity/ima/datafiles/{ => policy}/measure.policy (100%) rename testcases/kernel/security/integrity/ima/datafiles/{ => policy}/measure.policy-invalid (100%) diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile index 369407112..3772e9a03 100644 --- a/testcases/kernel/security/integrity/ima/datafiles/Makefile +++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile @@ -24,8 +24,6 @@ top_srcdir ?= ../../../../../.. include $(top_srcdir)/include/mk/env_pre.mk -INSTALL_DIR := testcases/data/ima_policy +SUBDIRS := policy -INSTALL_TARGETS := measure.policy-invalid *.policy - -include $(top_srcdir)/include/mk/generic_leaf_target.mk +include $(top_srcdir)/include/mk/generic_trunk_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/policy/Makefile b/testcases/kernel/security/integrity/ima/datafiles/policy/Makefile new file mode 100644 index 000000000..84d1424c6 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/policy/Makefile @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2020 Microsoft Corporation +# Author: Lachlan Sneff +# +# IMA datafiles/policy Makefile + +top_srcdir ?= ../../../../../../.. + +include $(top_srcdir)/include/mk/env_pre.mk + +INSTALL_DIR := testcases/data/ima_policy + +INSTALL_TARGETS := measure.policy-invalid *.policy + +include $(top_srcdir)/include/mk/generic_leaf_target.mk \ No newline at end of file diff --git a/testcases/kernel/security/integrity/ima/datafiles/kexec.policy b/testcases/kernel/security/integrity/ima/datafiles/policy/kexec.policy similarity index 100% rename from testcases/kernel/security/integrity/ima/datafiles/kexec.policy rename to testcases/kernel/security/integrity/ima/datafiles/policy/kexec.policy diff --git a/testcases/kernel/security/integrity/ima/datafiles/keycheck.policy b/testcases/kernel/security/integrity/ima/datafiles/policy/keycheck.policy similarity index 100% rename from testcases/kernel/security/integrity/ima/datafiles/keycheck.policy rename to testcases/kernel/security/integrity/ima/datafiles/policy/keycheck.policy diff --git a/testcases/kernel/security/integrity/ima/datafiles/measure.policy b/testcases/kernel/security/integrity/ima/datafiles/policy/measure.policy similarity index 100% rename from testcases/kernel/security/integrity/ima/datafiles/measure.policy rename to testcases/kernel/security/integrity/ima/datafiles/policy/measure.policy diff --git a/testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid b/testcases/kernel/security/integrity/ima/datafiles/policy/measure.policy-invalid similarity index 100% rename from testcases/kernel/security/integrity/ima/datafiles/measure.policy-invalid rename to testcases/kernel/security/integrity/ima/datafiles/policy/measure.policy-invalid From patchwork Mon Aug 3 18:47:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lachlan Sneff X-Patchwork-Id: 11698589 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 11F62138C for ; Mon, 3 Aug 2020 18:47:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 569A822BF3 for ; Mon, 3 Aug 2020 18:47:42 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="BImIpOSD" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726916AbgHCSrm (ORCPT ); Mon, 3 Aug 2020 14:47:42 -0400 Received: from linux.microsoft.com ([13.77.154.182]:35734 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725945AbgHCSrm (ORCPT ); Mon, 3 Aug 2020 14:47:42 -0400 Received: from localhost.localdomain (c-73-187-218-229.hsd1.pa.comcast.net [73.187.218.229]) by linux.microsoft.com (Postfix) with ESMTPSA id 9E06A20B490A; Mon, 3 Aug 2020 11:47:39 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 9E06A20B490A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1596480460; bh=DLvQ4C4TeXE4TD6ysUpuenrcARQ84MejV5TONMhUnOQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BImIpOSDGEoR0fM4oMjjP1cUXGJHE3h7Sx2Kh9XnWHrYnc+oHWn9Uk3ROyQwIyCAO 7x0rG2St8IzcwwnY9KcvXbm6/x2reYm05Z2NUoR//YD/M5CorNGmuSZ9RIfP3VHMte zw+QfntZXHlhYlCmOeo1Xaqesa2hkgAXId6ONhE4= From: Lachlan Sneff To: pvorel@suse.cz, zohar@linux.ibm.com, ltp@lists.linux.it Cc: nramas@linux.microsoft.com, balajib@linux.microsoft.com, linux-integrity@vger.kernel.org, tyhicks@linux.microsoft.com, yaneurabeya@gmail.com, zhang.jia@linux.alibaba.com Subject: [PATCH 3/3] IMA: Add a test to verify measurement of certificate imported into a keyring Date: Mon, 3 Aug 2020 14:47:26 -0400 Message-Id: <20200803184726.2416-4-t-josne@linux.microsoft.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200803184726.2416-1-t-josne@linux.microsoft.com> References: <20200803184726.2416-1-t-josne@linux.microsoft.com> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The IMA subsystem supports measuring certificates that have been imported into either system built-in or user-defined keyrings. A test to verify measurement of a certificate imported into a keyring is required. Add an IMA measurement test that verifies that an x509 certificate can be imported into a newly-created, user-defined keyring and measured correctly by the IMA subsystem. A certificate used by the test is included in the `datafiles/keys` directory. There can be restrictions on importing a certificate into a builtin trusted keyring. For example, the `.ima` keyring requires that imported certs be signed by a kernel private key in certain kernel configurations. For this reason, this test defines a user-defined keyring and imports a certificate into that. Signed-off-by: Lachlan Sneff --- .../kernel/security/integrity/ima/README.md | 14 ++++++ .../security/integrity/ima/datafiles/Makefile | 2 +- .../integrity/ima/datafiles/keys/Makefile | 15 ++++++ .../integrity/ima/datafiles/keys/x509_ima.der | Bin 0 -> 650 bytes .../security/integrity/ima/tests/ima_keys.sh | 44 +++++++++++++++++- 5 files changed, 72 insertions(+), 3 deletions(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keys/Makefile create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keys/x509_ima.der diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md index 2956ac7fd..bfa015191 100644 --- a/testcases/kernel/security/integrity/ima/README.md +++ b/testcases/kernel/security/integrity/ima/README.md @@ -23,6 +23,20 @@ Mandatory kernel configuration for IMA: ``` CONFIG_IMA_READ_POLICY=y ``` +The certificate import test in `ima_keys.sh` also requires that +the `key_import_test` keyring is specified in the IMA policy. + +One way to do this is to modify an existing KEY_CHECK entry +in the IMA policy by adding `key_import_test` for keyrings: +``` +measure func=KEY_CHECK keyrings=.ima|.evm|key_import_test template=ima-buf +``` + +If KEY_CHECK entry does not exist in the IMA policy then by adding +the following line: +``` +measure func=KEY_CHECK keyrings=key_import_test template=ima-buf +``` ### IMA kexec test diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile index 3772e9a03..4b4c46b82 100644 --- a/testcases/kernel/security/integrity/ima/datafiles/Makefile +++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile @@ -24,6 +24,6 @@ top_srcdir ?= ../../../../../.. include $(top_srcdir)/include/mk/env_pre.mk -SUBDIRS := policy +SUBDIRS := policy keys include $(top_srcdir)/include/mk/generic_trunk_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/keys/Makefile b/testcases/kernel/security/integrity/ima/datafiles/keys/Makefile new file mode 100644 index 000000000..a8ab7a1b5 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/keys/Makefile @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2020 Microsoft Corporation +# Author: Lachlan Sneff +# +# IMA datafiles/keys Makefile + +top_srcdir ?= ../../../../../../.. + +include $(top_srcdir)/include/mk/env_pre.mk + +INSTALL_DIR := testcases/data/ima_keys + +INSTALL_TARGETS := x509_ima.der + +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/keys/x509_ima.der b/testcases/kernel/security/integrity/ima/datafiles/keys/x509_ima.der new file mode 100644 index 0000000000000000000000000000000000000000..92be058da22adffa9d6b6e51efa0c737ebbbbdcd GIT binary patch literal 650 zcmXqLVrnyJVtl`VnTe5!NhJD#vj69`9|BBf8}FEsx@^_9$Clp>c-c6$+C196^D;7W zvoaV27z!HjvoVLVaPe?t?=lA2Ij_I z27|^VOo=tim8DK0r^FsU zl)K`}`+CO4@4KBkoLmcj?fH`%wbDvU6-SMf6Eh}{&)1rdsOoNQ-1fgBQ1t{ zVTqGwuK95LlFE)6i{@=vlP6!2`Y}xDFAzh(;(UoMln9V>g;W#-LUGS7A`nYQKY WBem{7L5JThS+;$vggi%(*E;~nlJ80Y literal 0 HcmV?d00001 diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index 3aea26056..f34f40132 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -6,9 +6,10 @@ # # Verify that keys are measured correctly based on policy. -TST_NEEDS_CMDS="cut grep sed tr xxd" -TST_CNT=1 +TST_NEEDS_CMDS="grep cut sed tr xxd evmctl openssl keyctl" +TST_CNT=2 TST_NEEDS_DEVICE=1 +TST_NEEDS_ROOT=1 . ima_setup.sh @@ -58,4 +59,43 @@ test1() tst_res TPASS "specified keyrings were measured correctly" } +# Create a new keyring, import a certificate into it, and verify +# that the certificate is measured correctly by IMA. +test2() { + local new_keyring_id temp_file="file.txt" \ + cert_file="$TST_DATAROOT/x509_ima.der" + + if ! check_ima_policy_content '^measure.*func=KEY_CHECK.*keyrings=.*key_import_test'; then + tst_brk TCONF "the IMA policy does not include the key_import_test keyring. See the LTP IMA README." + fi + + # Assuming this test is executed in a separate shell, + # create a new session that will be cleaned up when + # the shell exits. + keyctl new_session > /dev/null + + new_keyring_id=$(keyctl newring key_import_test @s) || \ + tst_brk TCONF "unable to create a new keyring" + + tst_is_num "$new_keyring_id" || \ + tst_brk TCONF "unable to parse the new keyring id" + + evmctl import "$cert_file" "$new_keyring_id" > /dev/null || \ + tst_brk TCONF "unable to import a cert into a the key_import_test keyring" + + grep "key_import_test" "$ASCII_MEASUREMENTS" | tail -n1 | cut -d' ' -f6 | \ + xxd -r -p > "$temp_file" || \ + tst_brk TCONF "keyring not found in $ASCII_MEASUREMENTS" + + if ! openssl x509 -in "$temp_file" -inform der > /dev/null; then + tst_brk TCONF "the cert logged in $ASCII_MEASUREMENTS is not a valid x509 certificate" + fi + + if cmp -s "$temp_file" "$cert_file"; then + tst_res TPASS "logged cert matches original cert" + else + tst_res TFAIL "logged cert does not match original cert" + fi +} + tst_run