Hi Roberto,

On Fri, 2023-06-16 at 21:23 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Add a simple test to ensure that the kernel and evmctl provide the same
> result for the HMAC calculation. Do it with SELinux or Smack, whichever is
> available (if the UML kernel is used, the test is done with both LSMs).
>
> Also add another test to evaluate the HMAC on a directory for which Smack
> added the SMACK64TRANSMUTE xattr.
>
> The second test fails without the kernel patch 'smack: Set the
> SMACK64TRANSMUTE xattr in smack_inode_init_security()', as Smack uses
> __vfs_setxattr() to set SMACK64TRANSMUTE, which does not go through EVM,
> and makes the HMAC invalid.
>
> Require (unless the UML kernel is used) that the TST_EVM_CHANGE_MODE
> environment variable is set to 1, so that users acknowledge that they are
> initializing EVM with a well-known HMAC key, which can introduce obvious
> security concerns.
>
> Finally, enable SELinux, the EVM additional xattrs, and encrypted keys with
> user-decrypted data in the kernel configuration for CI, and set
> TST_EVM_CHANGE_MODE to 1 in the Github Action workflow.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

The simple SELinux and Smack tests are working properly without kernel
changes. Even the Smack transmute test is working properly, returning an
error message, but it is followed by a kernel panic.

Possibly missing patches:
- smack: Set the SMACK64TRANSMUTE xattr in smack_inode_init_security

[   14.620000][    T1] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
[   14.620000][    T1] CPU: 0 PID: 1 Comm: evm_hmac.test Not tainted 6.4.0-rc2-dont-use-g95526d13038c #1
[   14.620000][    T1] Stack:
[   14.620000][    T1]  60900a17 e1803be0 e1803c20 606f7598
[   14.620000][    T1]  63240701 60043a50 60900a17 00000000
[   14.620000][    T1]  60dfc308 00000000 e1803c60 60762e4b
[   14.620000][    T1] Call Trace:
[   14.620000][    T1]  [<6072ad82>] ? _printk+0x0/0x98
[   14.620000][    T1]  [<6072274d>] show_stack.cold+0x9d/0xf4
[   14.620000][    T1]  [<606f7598>] ? dump_stack_print_info+0xd8/0xf0
[   14.620000][    T1]  [<60043a50>] ? um_set_signals+0x0/0x60
[   14.620000][    T1]  [<60762e4b>] dump_stack_lvl+0x66/0x9a
[   14.620000][    T1]  [<607715d0>] ? _raw_spin_unlock_irq+0x0/0x60
[   14.620000][    T1]  [<60762e9d>] dump_stack+0x1e/0x20
[   14.620000][    T1]  [<6072429d>] panic+0x1a6/0x3a6
[   14.620000][    T1]  [<607240f7>] ? panic+0x0/0x3a6
[   14.620000][    T1]  [<600aec6a>] ? lock_release+0xca/0x180
[   14.620000][    T1]  [<60043a50>] ? um_set_signals+0x0/0x60
[   14.620000][    T1]  [<60764fe0>] ? debug_lockdep_rcu_enabled+0x0/0x50
[   14.620000][    T1]  [<60043a9f>] ? um_set_signals+0x4f/0x60
[   14.620000][    T1]  [<60764fe0>] ? debug_lockdep_rcu_enabled+0x0/0x50
[   14.620000][    T1]  [<60043a50>] ? um_set_signals+0x0/0x60
[   14.620000][    T1]  [<60064d79>] ? exit_signals+0x139/0x500
[   14.620000][    T1]  [<60771210>] ? _raw_spin_lock_irq+0x0/0xd0
[   14.620000][    T1]  [<607715d0>] ? _raw_spin_unlock_irq+0x0/0x60
[   14.620000][    T1]  [<607249c0>] make_task_dead.cold+0x0/0x9d
[   14.620000][    T1]  [<600557e7>] do_group_exit+0x47/0xe0
[   14.620000][    T1]  [<6004a0f0>] ? get_fp_registers+0x0/0x80
[   14.620000][    T1]  [<6005589a>] sys_exit_group+0x1a/0x20
[   14.620000][    T1]  [<600302a0>] handle_syscall+0xa0/0xd0
[   14.620000][    T1]  [<60046969>] handle_trap+0xe9/0x1a0
[   14.620000][    T1]  [<6004a0f0>] ? get_fp_registers+0x0/0x80
[   14.620000][    T1]  [<6004709f>] userspace+0x29f/0x530
[   14.620000][    T1]  [<6002c374>] new_thread_handler+0xb4/0xc0
./functions.sh: line 72:  8546 Aborted                 (core dumped) "$@"
=================================
Run with FAILEARLY=1 ./evm_hmac.test _cleanup_env cleanup
To stop after first failure

--
thanks,

Mimi