On Tue, 2020-11-24 at 15:12 +0000, KP Singh wrote: > diff --git a/tools/testing/selftests/bpf/ima_setup.sh b/tools/testing/selftests/bpf/ima_setup.sh > new file mode 100644 > index 000000000000..15490ccc5e55 > --- /dev/null > +++ b/tools/testing/selftests/bpf/ima_setup.sh > @@ -0,0 +1,80 @@ > +#!/bin/bash > +# SPDX-License-Identifier: GPL-2.0 > + > +set -e > +set -u > + > +IMA_POLICY_FILE="/sys/kernel/security/ima/policy" > +TEST_BINARY="/bin/true" > + > +usage() > +{ > + echo "Usage: $0 <setup|cleanup|run> <existing_tmp_dir>" > + exit 1 > +} > + > +setup() > +{ > + local tmp_dir="$1" > + local mount_img="${tmp_dir}/test.img" > + local mount_dir="${tmp_dir}/mnt" > + local copied_bin_path="${mount_dir}/$(basename ${TEST_BINARY})" > + mkdir -p ${mount_dir} > + > + dd if=/dev/zero of="${mount_img}" bs=1M count=10 > + > + local loop_device="$(losetup --find --show ${mount_img})" > + > + mkfs.ext4 "${loop_device}" > + mount "${loop_device}" "${mount_dir}" > + > + cp "${TEST_BINARY}" "${mount_dir}" > + local mount_uuid="$(blkid -s UUID -o value ${loop_device})" > + echo "measure func=BPRM_CHECK fsuuid=${mount_uuid}" > ${IMA_POLICY_FILE} Anyone using IMA, normally define policy rules requiring the policy itself to be signed. Instead of writing the policy rules, write the signed policy file pathname. Refer to dracut commit 479b5cd9 ("98integrity: support validating the IMA policy file signature"). Both enabling IMA_APPRAISE_REQUIRE_POLICY_SIGS and the builtin "appraise_tcb" policy require loading a signed policy. Mimi