From patchwork Mon Sep 28 03:56:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tushar Sugandhi X-Patchwork-Id: 11802773 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A8C1013B2 for ; Mon, 28 Sep 2020 03:56:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8CC8B23A33 for ; Mon, 28 Sep 2020 03:56:21 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="LQJezkr1" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726380AbgI1D4V (ORCPT ); Sun, 27 Sep 2020 23:56:21 -0400 Received: from linux.microsoft.com ([13.77.154.182]:39234 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726396AbgI1D4V (ORCPT ); Sun, 27 Sep 2020 23:56:21 -0400 Received: from tusharsu-Ubuntu.lan (c-71-197-163-6.hsd1.wa.comcast.net [71.197.163.6]) by linux.microsoft.com (Postfix) with ESMTPSA id 1F3FD20B7179; Sun, 27 Sep 2020 20:56:19 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 1F3FD20B7179 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1601265379; bh=Q+AR4+wYqWDncmubPVjCyGk6Ulpg/QxqmyQCuo+LxaI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LQJezkr1R554wfVFhTs9isZ6ug3aXbQpySMHUxlZHtRsxbsuL+ob+s2RTwvBhhdD8 JfZdA+RRsk27v0uAbtNIBeBOusSV9nDMZ4fS1+kx1lqj9/pOchHwienE1TpdMFylCl /C8uhE0F8cIpREkpC/XLdK9rF4e+h6xazxFkQoVQ= From: Tushar Sugandhi To: zohar@linux.ibm.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com, pvorel@suse.cz Cc: nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, dm-devel@redhat.com, ltp@lists.linux.it Subject: [PATCH v2 1/2] IMA: generalize key measurement tests Date: Sun, 27 Sep 2020 20:56:04 -0700 Message-Id: <20200928035605.22701-2-tusharsu@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200928035605.22701-1-tusharsu@linux.microsoft.com> References: <20200928035605.22701-1-tusharsu@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org New functionality is being added in IMA to measure data provided by kernel components. Tests have to be added in LTP to validate this new feature. The functionality in ima_keys.sh can be reused to test this new feature if it is made generic. Refactor check_keys_policy() and test1() implemented in ima_keys.sh to make it generic, and move the functionality to ima_setup.sh as new functions - check_policy_pattern() and check_ima_ascii_log_for_policy(). Signed-off-by: Tushar Sugandhi Reviewed-by: Petr Vorel --- .../security/integrity/ima/tests/ima_keys.sh | 62 +++------------ .../security/integrity/ima/tests/ima_setup.sh | 79 +++++++++++++++++++ 2 files changed, 92 insertions(+), 49 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index c9eef4b68..c2120358a 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -6,7 +6,7 @@ # # Verify that keys are measured correctly based on policy. -TST_NEEDS_CMDS="cmp cut grep sed xxd" +TST_NEEDS_CMDS="cmp cut grep xxd" TST_CNT=2 TST_NEEDS_DEVICE=1 TST_SETUP=setup @@ -28,64 +28,28 @@ cleanup() tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID } -check_keys_policy() -{ - local pattern="$1" - - if ! grep -E "$pattern" $TST_TMPDIR/policy.txt; then - tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK, $TEMPLATE_BUF" - return 1 - fi - return 0 -} - # Based on https://lkml.org/lkml/2019/12/13/564. # (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") test1() { local keycheck_lines i keyrings templates local pattern='keyrings=[^[:space:]]+' - local test_file="file.txt" tmp_file="file2.txt" + local policy="keyrings" + local tmp_file="$TST_TMPDIR/keycheck_tmp_file.txt" + local res tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy" - check_keys_policy "$pattern" > $tmp_file || return - keycheck_lines=$(cat $tmp_file) - keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \ - sed "s/\./\\\./g" | cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g') - if [ -z "$keyrings" ]; then - tst_res TCONF "IMA policy has a keyring key-value specifier, but no specified keyrings" - return - fi - - templates=$(for i in $keycheck_lines; do echo "$i" | grep "template" | \ - cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g') - - tst_res TINFO "keyrings: '$keyrings'" - tst_res TINFO "templates: '$templates'" - - grep -E "($templates).*($keyrings)" $ASCII_MEASUREMENTS | while read line - do - local digest expected_digest algorithm - - digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) - algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) - keyring=$(echo "$line" | cut -d' ' -f5) + check_policy_pattern "$pattern" $FUNC_KEYCHECK $TEMPLATE_BUF > $tmp_file || return - echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file + res="$(check_ima_ascii_log_for_policy $policy $tmp_file)" - if ! expected_digest="$(compute_digest $algorithm $test_file)"; then - tst_res TCONF "cannot compute digest for $algorithm" - return - fi - - if [ "$digest" != "$expected_digest" ]; then - tst_res TFAIL "incorrect digest was found for $keyring keyring" - return - fi - done + if [ "$res" = "0" ]; then + tst_res TPASS "specified keyrings were measured correctly" + else + tst_res TFAIL "failed to measure specified keyrings" + fi - tst_res TPASS "specified keyrings were measured correctly" } # Create a new keyring, import a certificate into it, and verify @@ -97,11 +61,11 @@ test2() local cert_file="$TST_DATAROOT/x509_ima.der" local keyring_name="key_import_test" local pattern="keyrings=[^[:space:]]*$keyring_name" - local temp_file="file.txt" + local temp_file="$TST_TMPDIR/key_import_test_file.txt" tst_res TINFO "verify measurement of certificate imported into a keyring" - check_keys_policy "$pattern" >/dev/null || return + check_policy_pattern "$pattern" $FUNC_KEYCHECK $TEMPLATE_BUF >/dev/null || return KEYRING_ID=$(keyctl newring $keyring_name @s) || \ tst_brk TBROK "unable to create a new keyring" diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 1f17aa707..2841d7df5 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -54,6 +54,85 @@ compute_digest() return 1 } +check_policy_pattern() +{ + local pattern="$1" + local func="$2" + local template="$3" + + if ! grep -E "$pattern" $TST_TMPDIR/policy.txt; then + tst_res TCONF "IMA policy must specify $pattern, $func, $template" + return 1 + fi + return 0 +} + +check_ima_ascii_log_for_policy() +{ + local test_file="$TST_TMPDIR/ascii_log_test_file.txt" + local grep_file="$TST_TMPDIR/ascii_log_grep_file.txt" + local func_lines sources templates i src + local input_digest_res=1 + local policy_option="$1" + local input_digest="$3" + + func_lines=$(cat $2) + + sources=$(for i in $func_lines; do echo "$i" | grep "$policy_option" | \ + sed "s/\./\\\./g" | cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g') + if [ -z "$sources" ]; then + tst_res TCONF "IMA policy $policy_option is a key-value specifier, but no values specified" + echo "1" + return + fi + + templates=$(for i in $func_lines; do echo "$i" | grep "template" | \ + cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g') + + tst_res TINFO "policy sources: '$sources'" + tst_res TINFO "templates: '$templates'" + + grep -E "($templates).*($sources)" $ASCII_MEASUREMENTS > $grep_file + + while read line + do + local digest expected_digest algorithm + + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) + src_line=$(echo "$line" | cut -d' ' -f5) + + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file + + if ! expected_digest="$(compute_digest $algorithm $test_file)"; then + tst_res TCONF "cannot compute digest for $algorithm" + echo "1" + return + fi + + if [ "$digest" != "$expected_digest" ]; then + tst_res TINFO "incorrect digest was found for $src_line $policy_option" + echo "1" + return + fi + + if [ "$input_digest" ]; then + if [ "$digest" = "$input_digest" ]; then + input_digest_res=0 + fi + fi + + done < $grep_file + + if [ "$input_digest" ]; then + echo "$input_digest_res" + return + else + echo "0" + return + fi +} + check_policy_readable() { if [ ! -f $IMA_POLICY ]; then From patchwork Mon Sep 28 03:56:05 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tushar Sugandhi X-Patchwork-Id: 11802771 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3B56E139F for ; Mon, 28 Sep 2020 03:56:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2064A221EC for ; Mon, 28 Sep 2020 03:56:21 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="S+ur5vCf" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726440AbgI1D4U (ORCPT ); Sun, 27 Sep 2020 23:56:20 -0400 Received: from linux.microsoft.com ([13.77.154.182]:39246 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726380AbgI1D4U (ORCPT ); Sun, 27 Sep 2020 23:56:20 -0400 Received: from tusharsu-Ubuntu.lan (c-71-197-163-6.hsd1.wa.comcast.net [71.197.163.6]) by linux.microsoft.com (Postfix) with ESMTPSA id 73DD9208ABC7; Sun, 27 Sep 2020 20:56:19 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 73DD9208ABC7 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1601265379; bh=rzh9do29mmz5gxBiNXt0gG2p7pXuvKOF0Ny99h/ur8o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=S+ur5vCfr4zMrfzvWHeoy9ro+gwLce9UZ0zvY+d69GNtc5cnHfEgjfx8lZQJWoRkE dMtizeiTeu4zbjfz57Fpq4vXEysjsn6QVzFaYmKBp9Oo2q6HHiGfr4ZcWX2avFzIY9 ESM+6vBee947haVG4G2oWmzN+HMK2IrwJFbOBWxM= From: Tushar Sugandhi To: zohar@linux.ibm.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com, pvorel@suse.cz Cc: nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, dm-devel@redhat.com, ltp@lists.linux.it Subject: [PATCH v2 2/2] IMA: Add test for dm-crypt measurement Date: Sun, 27 Sep 2020 20:56:05 -0700 Message-Id: <20200928035605.22701-3-tusharsu@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200928035605.22701-1-tusharsu@linux.microsoft.com> References: <20200928035605.22701-1-tusharsu@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org New functionality is being added to IMA to measure data provided by kernel components. With this feature, IMA policy can be set to enable measuring data provided by device-mapper targets. Currently one such device-mapper target - dm-crypt, is being updated to use this functionality. This new functionality needs test automation in LTP. Add a testcase which verifies that the IMA subsystem correctly measures the data coming from a device-mapper target - dm-crypt. Signed-off-by: Tushar Sugandhi --- runtest/ima | 1 + .../kernel/security/integrity/ima/README.md | 20 +++++++ .../integrity/ima/tests/ima_dm_crypt.sh | 60 +++++++++++++++++++ 3 files changed, 81 insertions(+) create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh diff --git a/runtest/ima b/runtest/ima index 5f4b4a7a1..123b6c8b0 100644 --- a/runtest/ima +++ b/runtest/ima @@ -5,4 +5,5 @@ ima_tpm ima_tpm.sh ima_violations ima_violations.sh ima_keys ima_keys.sh ima_kexec ima_kexec.sh +ima_dm_crypt ima_dm_crypt.sh evm_overlay evm_overlay.sh diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md index 68d046678..007662fae 100644 --- a/testcases/kernel/security/integrity/ima/README.md +++ b/testcases/kernel/security/integrity/ima/README.md @@ -37,6 +37,26 @@ see example in `kexec.policy`. The test attempts to kexec the existing running kernel image. To kexec a different kernel image export `IMA_KEXEC_IMAGE=`. +### IMA DM target (dm-crypt) measurement test + +To enable IMA to measure device-mapper target - dm-crypt, +`ima_dm_crypt.sh` requires a readable IMA policy, as well as +a loaded measure policy with +`func=CRITICAL_DATA data_sources=dm-crypt` + +As well as what's required for the IMA tests, dm-crypt measurement test require +reading the IMA policy allowed in the kernel configuration: +``` +CONFIG_IMA_READ_POLICY=y +``` + +The following kernel configuration is also required. It enables compiling +the device-mapper target module dm-crypt, which allows to create a device +that transparently encrypts the data on it. +``` +CONFIG_DM_CRYPT +``` + ## EVM tests `evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb` diff --git a/testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh b/testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh new file mode 100755 index 000000000..396033f8d --- /dev/null +++ b/testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh @@ -0,0 +1,60 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2020 Microsoft Corporation +# Author: Tushar Sugandhi +# +# Verify that DM target dm-crypt are measured correctly based on policy. + +TST_NEEDS_CMDS="dmsetup" +TST_CNT=1 +TST_NEEDS_DEVICE=1 +TST_SETUP=setup +TST_CLEANUP=cleanup + +. ima_setup.sh + +FUNC_CRIT_DATA='func=CRITICAL_DATA' +TEMPLATE_BUF='template=ima-buf' +REQUIRED_POLICY="^measure.*($FUNC_CRIT_DATA.*$TEMPLATE_BUF|$TEMPLATE_BUF.*$FUNC_CRIT_DATA)" + +setup() +{ + require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt +} + +cleanup() +{ + ROD "dmsetup remove test-crypt" +} + +test1() +{ + local input_digest="039d8ff71918608d585adca3e5aab2e3f41f84d6" + local pattern='data_sources=[^[:space:]]+' + local tmp_file="$TST_TMPDIR/dm_crypt_tmp.txt" + local policy="data_sources" + local arg key res + + tst_res TINFO "verifying dm target - dmcrypt gets measured correctly" + + check_policy_pattern "$pattern" $FUNC_CRIT_DATA $TEMPLATE_BUF > $tmp_file || return + + tgt="crypt" + key="faf453b4ee938cff2f0d2c869a0b743f59125c0a37f5bcd8f1dbbd911a78abaa" + + arg="'0 1953125 crypt aes-xts-plain64 " + arg="$arg $key 0 " + arg="$arg /dev/loop0 0 1 allow_discards'" + + ROD "dmsetup create test-crypt --table $arg" + + res="$(check_ima_ascii_log_for_policy $policy $tmp_file $input_digest)" + + if [ $res = "0" ]; then + tst_res TPASS "dm-crypt target verification passed" + else + tst_res TFAIL "dm-crypt target verification failed" + fi +} + +tst_run