Received: by 2002:ac0:8c9a:0:0:0:0:0 with SMTP id r26csp3865428ima; Mon, 4 Feb 2019 06:31:09 -0800 (PST) X-Google-Smtp-Source: AHgI3IY2zPU7jS6gCr6ruRZ/1khvnr12AApJOyapp7yoI/XljchGmPo6mwKoEUYMx9X+k/HxnCEd X-Received: by 2002:a17:902:aa07:: with SMTP id be7mr8759875plb.63.1549290668967; Mon, 04 Feb 2019 06:31:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549290668; cv=none; d=google.com; s=arc-20160816; b=HFieq4F+rt8Y+iMJdC1Be0sY5EzejAIRMxILU4pFyO70VoKiV2XXAwrpgljPTtWsY8 oMfOlL3C/w/RqTfCnphO0n/828WqxSIDFTyFbQ+c21JRuc10HoTQ8u7zyD2GN+mi4qWl KMQFRXqlyVu26sutqnQ7iDlBumcvNALhKpON1HNVbmto1iGxhwt/9aBv8/MWfDNWJri2 aMYSVmfaz/vbiSzeq3mzR4Waqf3yqtdjYiwdfjG2vRTEihS78d/HuFhscHxHbyC2uOik omBSUZjjLfddlV9k7SprfsdJOu+EwVYiGjKGWkwCed7B5jQ1c9Ghd0aTwQrf7Ar6MggF wIuw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject; bh=4pSMRaCVA0PZYD6xhnyuUrjxFU3pglWXQvwIixk+GqM=; b=o/x1tvgmpGofsjkXF6V/SSKEjUmnKctXyHCJZ3xvmdAioHK1PAdm/JXLsY39JLI5XF rk2TYSU9h+x2G3VA1Uliv/Zti2RjXYD742D0fjpOAUPVdGe+YU5pEo6AMhKlU+ZvLnXp sf7RQptGe9VocYHs8SRkUvKnzSpfOSUNRfKvWyyaaHV+1maurJ5Quy6bWBxY3XIivgET VauRwaTI1wwvO8/dhIdkoRhM0jRrRbu7Cgeyz9NJs/0Sjqlprbm2omP3F6gApKSAUy6g 6sDz/T1iFa6olzK6FzwYSThwjKrxoZgncJ6rX4T6aM13MBEelQ50pd3fYM5Qtc1VwV57 3slQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h85si191101pfd.27.2019.02.04.06.30.52; Mon, 04 Feb 2019 06:31:08 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731383AbfBDNtz (ORCPT + 99 others); Mon, 4 Feb 2019 08:49:55 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:60488 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1729207AbfBDNtz (ORCPT ); Mon, 4 Feb 2019 08:49:55 -0500 Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x14DkBgp052113 for ; Mon, 4 Feb 2019 08:49:53 -0500 Received: from e06smtp07.uk.ibm.com (e06smtp07.uk.ibm.com [195.75.94.103]) by mx0b-001b2d01.pphosted.com with ESMTP id 2qemvewbxx-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 04 Feb 2019 08:49:46 -0500 Received: from localhost by e06smtp07.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 4 Feb 2019 13:49:42 -0000 Received: from b06cxnps4076.portsmouth.uk.ibm.com (9.149.109.198) by e06smtp07.uk.ibm.com (192.168.101.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 4 Feb 2019 13:49:39 -0000 Received: from d06av24.portsmouth.uk.ibm.com (d06av24.portsmouth.uk.ibm.com [9.149.105.60]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x14Dnc2D1769970 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 4 Feb 2019 13:49:38 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6561042045; Mon, 4 Feb 2019 13:49:38 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 467B24203F; Mon, 4 Feb 2019 13:49:37 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.107.242]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 4 Feb 2019 13:49:37 +0000 (GMT) Subject: Re: [PATCH 3/3] selftests/ima: kexec_file_load syscall test From: Mimi Zohar To: Petr Vorel Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, kexec@lists.infradead.org, David Howells , Dave Young , Eric Biederman , Shuah Khan Date: Mon, 04 Feb 2019 08:49:26 -0500 In-Reply-To: <20190203220258.GC4022@x230> References: <1548960936-7800-1-git-send-email-zohar@linux.ibm.com> <1548960936-7800-4-git-send-email-zohar@linux.ibm.com> <20190203220258.GC4022@x230> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 19020413-0028-0000-0000-00000343EB05 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19020413-0029-0000-0000-00002401F022 Message-Id: <1549288166.4146.80.camel@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-02-04_10:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1902040110 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, 2019-02-03 at 23:02 +0100, Petr Vorel wrote: > Hi Mimi, > > > The kernel can be configured to verify PE signed kernel images, IMA > > kernel image signatures, both types of signatures, or none. This test > > verifies only properly signed kernel images are loaded into memory, > > based on the kernel configuration and runtime policies. > > > Signed-off-by: Mimi Zohar > Reviewed-by: Petr Vorel Thank you for the specific and generic suggestions to simplify/clean up the tests!  The suggestions, below, and the "print" helpers will really make a difference. Mimi > > ... > > +++ b/tools/testing/selftests/ima/test_kexec_file_load.sh > > @@ -0,0 +1,250 @@ > > +#!/bin/sh > > +# SPDX-License-Identifier: GPL-2.0+ > # SPDX-License-Identifier: GPL-2.0-or-later > > +# > > +# Loading a kernel image via the kexec_file_load syscall can verify either > > +# the IMA signature stored in the security.ima xattr or the PE signature, > > +# both signatures depending on the IMA policy, or none. > > +# > > +# To determine whether the kernel image is signed, this test depends > > +# on pesign and getfattr. This test also requires the kernel to be > > +# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC > > +# enabled or access to the extract-ikconfig script. > > + > > +VERBOSE=1 > Maybe allow to disable verbose without source change? > VERBOSE="${VERBOSE:-1}" > > > +EXTRACT_IKCONFIG=$(ls /lib/modules/`uname -r`/source/scripts/extract-ikconfig) > > +IKCONFIG=/tmp/config-`uname -r` > > +PROC_CONFIG="/proc/config.gz" > > +KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" > > +PESIGN=/usr/bin/pesign > > +GETFATTR=/usr/bin/getfattr > > + > > +TEST="$0" > > +. ./common_lib.sh > > + > > +# Kselftest framework requirement - SKIP code is 4. > > +ksft_skip=4 > > + > > +kconfig_enabled() > > +{ > > + RC=0 > > + egrep -q $1 $IKCONFIG > > + if [ $? -eq 0 ]; then > > + RC=1 > > + fi > > + return $RC > > +} > This would be enough (grep with -e returns only 0 or 1): > kconfig_enabled() > { > grep -E -q $1 $IKCONFIG > } > > + > > +# policy rule format: action func= [appraise_type=] > > +check_ima_policy() > > +{ > > + IMA_POLICY=/sys/kernel/security/ima/policy > > + > > + RC=0 > > + if [ $# -eq 3 ]; then > > + grep -e $2 $IMA_POLICY | grep -e "^$1.*$3" 2>&1 >/dev/null > > + else > > + grep -e $2 $IMA_POLICY | grep -e "^$1" 2>&1 >/dev/null > > + fi > > + if [ $? -eq 0 ]; then > > + RC=1 > > + fi > > + return $RC > > +} > This would be enough and more descriptive: > check_ima_policy() > { > local action="$1" > local keyword="$2" > local type="$3" > > [ -n "$type" ] && type="appraise_type=$type" > grep -q "^$action.*func=$keyword.*$type" /sys/kernel/security/ima/policy > } > > > + > > +check_kconfig_options() > > +{ > > + # Attempt to get the kernel config first via proc, and then by > > + # extracting it from the kernel image using scripts/extract-ikconfig. > > + if [ ! -f $PROC_CONFIG ]; then > > + modprobe configs 2>/dev/null > > + fi > > + if [ -f $PROC_CONFIG ]; then > > + cat $PROC_CONFIG > $IKCONFIG > > + fi > > + > > + if [ ! -f $IKCONFIG ]; then > > + if [ ! -f $EXTRACT_IKCONFIG ]; then > > + echo "$TEST: requires access to extract-ikconfig" >&2 > > + exit $ksft_skip > > + fi > > + > > + $EXTRACT_IKCONFIG $KERNEL_IMAGE > $IKCONFIG > > + kconfig_enabled "CONFIG_IKCONFIG=y" > > + if [ $? -eq 0 ]; then > > + echo "$TEST: requires the kernel to be built with CONFIG_IKCONFIG" >&2 > > + exit $ksft_skip > > + fi > > + fi > > + > > + kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" > > + pe_sig_required=$? > > + if [ $VERBOSE -ne 0 ] && [ $pe_sig_required -eq 1 ]; then > > + echo "$TEST: [INFO] PE signed kernel image required" > > + fi > Checks for $VERBOSE here and in other kconfig_enabled usages bellow are a bit > redundant. And you check for assigned variable now and then later on, > you use these variables as global (and reset $ima_sig_required in > check_runtime(). > > How about using functions instead: > log_info() > { > echo "$TEST: [INFO] $1" > } > (Reducing some duplicity, IMHO helper functions in shell library used in all > selftest tests would be useful) > > kconfig_enabled() > { > local config="$1" > local msg="$2" > local ret > > grep -E -q $config $IKCONFIG > ret=$? > [ $VERBOSE -ne 0 ] && [ $ret -eq 1 ] && log_info "$msg" > return $ret > } > > ima_sig_enabled() > { > kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \ > "PE signed kernel image required" > } > > ima_sig_enabled() > { > kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \ > "IMA kernel image signature required" > } > Warning is printed each time, but that's deliberate. > If it's not wanted, it can be moved into setup. > > ... > > +check_kconfig_options > > +check_for_apps > > +check_runtime > > +check_for_sigs > > +kexec_file_load_test > > > +rc=$? > > +exit $rc > These two are redundant. > > Kind regards, > Petr >