Hi Mimi, > Hi Petr, > On Mon, 2020-12-14 at 23:19 +0100, Petr Vorel wrote: > > The only problem which bothers me is failure on ima_policy=tcb: > > evmctl ima_measurement /sys/kernel/security/integrity/ima/binary_runtime_measurements -vv > > ... > > sha256: PCRAgg 10: c19866f10132282d4cf20ca45f50078db843f95dc8d1ea8819d0e240cdf3b21c > > sha256: TPM PCR-10: df913daa0437a2365f710f6d93a4f2d37146414425d9aaa60740dc635d187158 > > sha256: PCRAgg 10 does not match TPM PCR-10 > > Failed to match per TPM bank or SHA1 padded TPM digest(s) (count 1446) > > errno: No such file or directory (2) > > Thus test get failure for the fist run without --ignore-violations > > ... > > ima_tpm 1 TINFO: using command: evmctl ima_boot_aggregate -v > > Using tss2-rc-decode to read PCRs. > > ima_tpm 1 TINFO: IMA boot aggregate: '0756853d9378ff6473966e20610a8d1cb97e4dc613cb87adf5e870c8eb93fd0f' > > ima_tpm 1 TPASS: bios boot aggregate matches IMA boot aggregate > > ima_tpm 2 TINFO: verify PCR values > > ima_tpm 2 TINFO: real PCR-10: '6d8aec6291c0c19efdee50e20899939135be073cd4d6e9063e53386f54f9487d' > > ima_tpm 2 TFAIL: evmctl failed, trying with --ignore-violations > > ima_tpm 2 TINFO: aggregate PCR-10: '6d8aec6291c0c19efdee50e20899939135be073cd4d6e9063e53386f54f9487d' > > ima_tpm 2 TPASS: aggregate PCR value matches real PCR value > > ima_tpm 3 TINFO: AppArmor enabled, this may affect test results > > ima_tpm 3 TINFO: it can be disabled with TST_DISABLE_APPARMOR=1 (requires super/root) > > ima_tpm 3 TINFO: loaded AppArmor profiles: none > > Summary: > > passed 2 > > failed 1 > > skipped 0 > > warnings 0 > > IMHO unless this is specific for this particular TPM we should skip test > > if ima_policy=tcb. > No, I don't think so. Violations are a result of a file being opened > for read and write at the same time. Opening a file for write, when it > is already open for read, results in a Time of Measure/Time of Use > (ToMToU) violation. Opening a file for read, when it is already open > for write, results in an open_writer violation. One of the more common > reasons for these violations are log files. > With the builtin TCB measurement policy enabled on the boot command > line, files are measured from the beginning, before a custom policy is > loaded. Normally a custom policy is loaded after an LSM policy has > been loaded, allowing IMA policy rules to be defined in terms of LSM > labels. > Verifying the IMA measurement list against the TPM PCRs is an important > test. Ignoring violations doesn't make sense either. Perhaps if a > custom policy has not been loaded, emit an informational message and > skip the test without "--ignore-violations". Thanks for an explanation. Agree, you're right. It's most likely wrong setup (there were some temporary files in /tmp and even postfix pid file in /var/run/), I need to properly setup dracut-ima. It'd be then good to document this, but I'd do it as separate effort. So, can I merge the patchset with your ack/review-by? Kind regards, Petr > thanks, > Mimi
