For each kexec, an additional "boot_aggregate" will appear in the
measurement list, assuming the previous measurement list is carried
across kexec.
Verify that the last "boot_aggregate" record in the IMA measurement list
matches. The "boot_aggregate" is either the last field (e.g. "ima-ng")
or the second to last field (e.g. "ima-sig") in the measurement list
record.
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
tests/boot_aggregate.test | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/tests/boot_aggregate.test b/tests/boot_aggregate.test
index 307a309433fe..73af423e30a1 100755
--- a/tests/boot_aggregate.test
+++ b/tests/boot_aggregate.test
@@ -98,6 +98,12 @@ display_pcrs() {
}
# The first entry in the IMA measuremnet list is the "boot_aggregate".
+# For each kexec, an additional "boot_aggregate" will appear in the
+# measurement list, assuming the previous measurement list is carried
+# across the kexec.
+#
+# Verify that the last "boot_aggregate" record in the IMA measurement
+# list matches.
check() {
echo "INFO: Calculating the boot_aggregate (PCRs 0 - 7) for multiple banks"
bootaggr=$(evmctl ima_boot_aggregate)
@@ -113,7 +119,7 @@ check() {
if [ "$VERBOSE" != "0" ]; then
echo "$hash"
fi
- if grep -q "${hash}" "${ASCII_RUNTIME_MEASUREMENTS}"; then
+ if grep -e "boot_aggregate$" -e "boot_aggregate.$" "${ASCII_RUNTIME_MEASUREMENTS}" | tail -n 1 | grep -q "${hash}"; then
echo "SUCCESS: boot_aggregate ${hash} found"
return $OK
fi
--
2.7.5
