On Thu, 2018-04-19 at 21:54 +0200, Petr Vorel wrote:
> Hi,
>
> changes v2->v3:
> * Fixed some of errors caused by test order.
>
> * ima_boot_aggregate
> - max event size is now 1MB according to spec
>
> * ima_mmap
> - reduce sleep + log it
> - rewritten into new API
>
> * ima_measurements.sh
> - don't require iversion for kernel >= 4.16
> - avoid using tmpfs

This is working nicely!

>
> * ima_policy.sh
> - improved detection of policy writability
> - merge test2 and test3
>
> * ima_violations.sh
> - avoid using tmpfs
> - improved grepping logs (no sleep is needed)
>
> * ima_tpm.sh
> - Improve error messages
>
> TODO:
> * fix problems with violations tests (see patch 02/10).
> * detect whether policy must be signed (currently tests assume the
> policy does not need to be signed):
> https://lists.linux.it/pipermail/ltp/2018-April/007702.html
> http://lists.linux.it/pipermail/ltp/2018-January/006970.html

test: cmdline="ima_policy.sh"
contacts=""
analysis=exit
<<<test_output>>>
ima_policy 1 TINFO: verify that invalid policy isn't loaded
ima_policy 1 TPASS: didn't load invalid policy
ima_policy 2 TINFO: verify that policy file is not opened concurrently and able to loaded multiple times
ima_policy 2 TFAIL: problem with loading policy (policy should be able to load multiple times)

For now, could we change "problem with loading policy (policy should be able to load multiple times)" to say, "problem loading or extending policy (may require policy to be signed)"?

I'm also seeing,

test: ima_tpm
<<<test_output>>>
ima_tpm 1 TINFO: verify boot aggregate
ima_tpm 1 TPASS: bios aggregate matches IMA boot aggregate
ima_tpm 2 TINFO: verify PCR values
ima_tpm 2 TINFO: evmctl version: evmctl 1.0
ima_tpm 2 TINFO: new PCRS path, evmctl >= 1.1 required
ima_tpm 2 TINFO: verify PCR (Process Control Register)
ima_tpm 2 TFAIL: failed to get PCR-10
ima_tpm 2 TPASS: aggregate PCR value matches real PCR value

It's unclear how the script could fail to get PCR-10, but pass the following test.

Mimi