On Wed, 2023-06-14 at 15:29 -0400, Mimi Zohar wrote:
> Hi Roberto,
> 
> On Mon, 2023-06-05 at 18:55 +0200, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> > 
> > Add two simple tests to check whether or not the HMAC calculated by the
> > kernel and evmctl matches. Do the tests for a regular file, and for a
> > directory successfully transmuted with Smack.
> > 
> > Also add two bug fixes to include the filesystem UUID and the inode
> > generation in the HMAC calculation, and the new option --hmackey to specify
> > an alternate location of the HMAC key.
> 
> The main purpose for having a "Simple EVM HMAC" test is to ensure that
> nothing breaks.
> 
> "evmctl --hmac" was only enabled in debug mode, since the hmac key was
> not exposed to userspace. It was never really used. With the ability
> of creating an encrypted key based on user-provided decrypted data,
> verifying the EVM hmac is now feasible. This is the justification for
> "Add --hmackey option for evmctl".
> 
> The initial test should work with either SELinux or smack extended
> attributes. None of the CI tests have SELinux or Smack enabled, except
> for the UFI kernel. Verifying the EVM hmac with an SELinux extended
> attribute is not being tested. On my local machine, the EVM HMAC with
> SELinux xattr is failing. Is this related to SELinux returning
> different lengths in the kernel vs. userspace? Whatever the reason, it
> needs to be fixed.

Testing the EVM hmac w/SELinux xattr is now working properly on a test
system, both with and without the "evm: Do HMAC of multiple per LSM
xattrs for new inodes" patch set.

> 
> The prereqs needed for running the Smack transmute test should not
> prevent running the first test.
> 

-- 
thanks,

Mimi
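The thread above turns on whether evmctl's HMAC matches what the kernel computes, and names three places where the two can drift apart: the filesystem UUID, the inode generation number, and the length of the SELinux xattr value. The following Python model is an added example and is not code from this thread, from ima-evm-utils, or from the kernel. It follows my reading of evm_calc_hmac_or_hash() and hmac_add_misc() in the kernel's security/integrity/evm/evm_crypto.c: HMAC-SHA1 over the protected security xattrs in a fixed order, then a zero-filled inode-metadata struct, then the raw filesystem UUID. The xattr order and the struct layout (24 bytes on x86_64, including tail padding) are assumptions to check against the kernel you actually run; the key, label and UUID values are constructed for the example. The last case in mismatch_report() only shows that a one-byte length difference in the SELinux value changes the HMAC; whether that is the cause of the failure Mimi mentions is left open in the thread.

```python
"""Model of the EVM HMAC composition (added example, not ima-evm-utils or kernel code).

Mirrors my reading of evm_calc_hmac_or_hash()/hmac_add_misc() in the kernel's
security/integrity/evm/evm_crypto.c: HMAC(SHA-1) over the protected security
xattrs in a fixed order, then a packed inode-metadata struct, then the raw
filesystem UUID.  Struct layout and xattr order are assumptions (x86_64).
"""
import hashlib
import hmac
import struct
import uuid

# Order in which the protected xattrs are fed to the HMAC (evm_config_xattrnames).
# Assumed from the kernel source; xattrs that are not present are skipped.
EVM_XATTR_ORDER = (
    "security.selinux",
    "security.SMACK64",
    "security.SMACK64EXEC",
    "security.SMACK64TRANSMUTE",
    "security.SMACK64MMAP",
    "security.apparmor",
    "security.ima",
    "security.capability",
)

EVM_XATTR_HMAC = 0x02  # first byte of security.evm when it carries an HMAC

# struct h_misc { unsigned long ino; __u32 generation; uid_t uid; gid_t gid;
#                 umode_t mode; } -- zero-filled, 24 bytes on x86_64 including
# two bytes of tail padding (layout is an assumption; check it per arch).
H_MISC_FMT = "<QIIIH2x"


def hmac_misc_blob(ino, generation, uid, gid, mode):
    """Pack the inode metadata the way the kernel hashes it."""
    return struct.pack(H_MISC_FMT, ino, generation, uid, gid, mode)


def evm_hmac(key, xattrs, ino, generation, uid, gid, mode, fs_uuid=None):
    """Return the 20-byte HMAC that follows the type byte in security.evm.

    xattrs:  dict of xattr name -> raw value bytes as the kernel sees them.
    fs_uuid: uuid.UUID of the filesystem, or None to model a build that
             leaves the UUID out (EVM_ATTR_FSUUID cleared).
    """
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in EVM_XATTR_ORDER:
        value = xattrs.get(name)
        if value is None:
            continue
        mac.update(value)
    mac.update(hmac_misc_blob(ino, generation, uid, gid, mode))
    if fs_uuid is not None:
        mac.update(fs_uuid.bytes)  # UUID_SIZE == 16 raw bytes of sb->s_uuid
    return mac.digest()


def evm_xattr_value(key, xattrs, ino, generation, uid, gid, mode, fs_uuid=None):
    """Full security.evm value: type byte 0x02 followed by the HMAC."""
    return bytes([EVM_XATTR_HMAC]) + evm_hmac(
        key, xattrs, ino, generation, uid, gid, mode, fs_uuid)


# ---- constructed sample input (not data captured from any real system) ----
SAMPLE_KEY = hashlib.sha256(b"constructed evm-key for the example").digest()
SAMPLE_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_XATTRS = {
    # SELinux label as stored, with the trailing NUL included in the value
    "security.selinux": b"unconfined_u:object_r:user_home_t:s0\x00",
    # IMA hash xattr: 0x04 (DIGEST_NG), 0x04 (sha256), then the file digest
    "security.ima": b"\x04\x04" + hashlib.sha256(b"constructed file body").digest(),
}
SAMPLE_INODE = dict(ino=1234, generation=7, uid=1000, gid=1000, mode=0o100644)


def sample_evm_xattr():
    return evm_xattr_value(SAMPLE_KEY, SAMPLE_XATTRS, fs_uuid=SAMPLE_UUID, **SAMPLE_INODE)


def mismatch_report():
    """For each single deviation, report whether the HMAC changes (name -> bool)."""
    ref = evm_hmac(SAMPLE_KEY, SAMPLE_XATTRS, fs_uuid=SAMPLE_UUID, **SAMPLE_INODE)
    no_uuid = evm_hmac(SAMPLE_KEY, SAMPLE_XATTRS, fs_uuid=None, **SAMPLE_INODE)
    zero_gen = evm_hmac(SAMPLE_KEY, SAMPLE_XATTRS, fs_uuid=SAMPLE_UUID,
                        **{**SAMPLE_INODE, "generation": 0})
    # Same label, but without the trailing NUL: one byte shorter on input.
    stripped = dict(SAMPLE_XATTRS)
    stripped["security.selinux"] = stripped["security.selinux"].rstrip(b"\x00")
    no_nul = evm_hmac(SAMPLE_KEY, stripped, fs_uuid=SAMPLE_UUID, **SAMPLE_INODE)
    return {
        "fs_uuid_omitted": no_uuid != ref,
        "generation_omitted": zero_gen != ref,
        "selinux_nul_stripped": no_nul != ref,
    }


if __name__ == "__main__":
    print("security.evm =", sample_evm_xattr().hex())
    for what, differs in mismatch_report().items():
        print(f"{what}: {'HMAC changes' if differs else 'unchanged'}")
```

To use this against a real system, feed it the key material you loaded as the evm-key payload, the xattr values read with getxattr(2), the inode number and generation (the latter via FS_IOC_GETVERSION or statx on kernels that expose it), and the UUID of the mounted filesystem, then compare the result with getxattr("security.evm"). Any remaining difference is a composition bug of the kind the two fixes in this series address, not a key problem.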