Hi Roberto,

On Mon, 2023-06-05 at 18:55 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Add two simple tests to check whether or not the HMAC calculated by the
> kernel and evmctl matches. Do the tests for a regular file, and for a
> directory successfully transmuted with Smack.
>
> Also add two bug fixes to include the filesystem UUID and the inode
> generation in the HMAC calculation, and the new option --hmackey to specify
> an alternate location of the HMAC key.

The main purpose for having a "Simple EVM HMAC" test is to ensure that
nothing breaks. "evmctl --hmac" was only enabled in debug mode, since the
hmac key was not exposed to userspace. It was never really used. With the
ability of creating an encrypted key based on user-provided decrypted data,
verifying the EVM hmac is now feasible. This is the justification for
"Add --hmackey option for evmctl".

The initial test should work with either SELinux or smack extended
attributes. None of the CI tests have SELinux or Smack enabled, except for
the UFI kernel. Verifying the EVM hmac with an SELinux extended attribute
is not being tested.

On my local machine, the EVM HMAC with SELinux xattr is failing. Is this
related to SELinux returning different lengths in the kernel vs. userspace?
Whatever the reason, it needs to be fixed.

The prereqs needed for running the Smack transmute test should not prevent
running the first test.

--
thanks,

Mimi