The IMA subsystem supports measuring certificates that have been loaded into
user-defined keyrings and system built-in keyrings. A test to verify that
those measurements are correct is required.
The first two patches in this patchset fix up left-over documentation and
move some datafiles around to prepare for more datafiles in the 3rd patch.
The third patch adds a new test to the `ima_keys.sh` file, which imports
a certificate into a user-defined keyring, and then verifies that the
certificate has been measured correctly by the IMA subsystem.
Lachlan Sneff (3):
IMA: Update key test documentation
IMA: Refactor datafiles directory
IMA: Add a test to verify measurement of certificate imported into a
keyring
.../kernel/security/integrity/ima/README.md | 32 +++++++------
.../security/integrity/ima/datafiles/Makefile | 6 +--
.../integrity/ima/datafiles/keys/Makefile | 15 ++++++
.../integrity/ima/datafiles/keys/x509_ima.der | Bin 0 -> 650 bytes
.../integrity/ima/datafiles/policy/Makefile | 15 ++++++
.../ima/datafiles/{ => policy}/kexec.policy | 0
.../datafiles/{ => policy}/keycheck.policy | 0
.../ima/datafiles/{ => policy}/measure.policy | 0
.../{ => policy}/measure.policy-invalid | 0
.../security/integrity/ima/tests/ima_keys.sh | 44 +++++++++++++++++-
10 files changed, 91 insertions(+), 21 deletions(-)
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keys/Makefile
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/keys/x509_ima.der
create mode 100644 testcases/kernel/security/integrity/ima/datafiles/policy/Makefile
rename testcases/kernel/security/integrity/ima/datafiles/{ => policy}/kexec.policy (100%)
rename testcases/kernel/security/integrity/ima/datafiles/{ => policy}/keycheck.policy (100%)
rename testcases/kernel/security/integrity/ima/datafiles/{ => policy}/measure.policy (100%)
rename testcases/kernel/security/integrity/ima/datafiles/{ => policy}/measure.policy-invalid (100%)
--
2.25.1
