Re: [PATCH v3 ima-evm-utils 4/4] Add simple tests to check EVM HMAC calculation

On Fri, 2023-06-23 at 13:45 +0200, Roberto Sassu wrote:
> On Fri, 2023-06-23 at 07:42 -0400, Mimi Zohar wrote:
> > Hi Roberto,
> > 
> > On Fri, 2023-06-16 at 21:23 +0200, Roberto Sassu wrote:
> > > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> > > 
> > > Add a simple test to ensure that the kernel and evmctl provide the same
> > > result for the HMAC calculation. Do it with SELinux or Smack, whichever is
> > > available (if the UML kernel is used, the test is done with both LSMs).
> > > 
> > > Also add another test to evaluate the HMAC on a directory for which Smack
> > > added the SMACK64TRANSMUTE xattr.
> > > 
> > > The second test fails without the kernel patch 'smack: Set the
> > > SMACK64TRANSMUTE xattr in smack_inode_init_security()', as Smack uses
> > > __vfs_setxattr() to set SMACK64TRANSMUTE, which does not go through EVM,
> > > and makes the HMAC invalid.
> > > 
> > > Require (unless the UML kernel is used) that the TST_EVM_CHANGE_MODE
> > > environment variable is set to 1, so that users acknowledge that they are
> > > initializing EVM with a well-known HMAC key, which can introduce obvious
> > > security concerns.
> > > 
> > > Finally, enable SELinux, the EVM additional xattrs, and encrypted keys with
> > > user-decrypted data in the kernel configuration for CI, and set
> > > TST_EVM_CHANGE_MODE to 1 in the Github Action workflow.
> > > 
> > > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> > 
> > The simple SELinux and Smack tests are working properly without kernel
> > changes.  Even the Smack transmute test is working properly,
> > returning an error message, but is followed by a kernel panic.
> > 
> > Possibly missing patches:
> >  - smack: Set the SMACK64TRANSMUTE xattr in smack_inode_init_security
> 
> Hi Mimi,
> 
> That means that the test is failing.
> 
> A UML kernel panic is used to signal to the caller that a test in that
> environment failed.

Thank you for the clarification.  That explains why I couldn't
reproduce it locally.  Including a traceback like this though is kind
of ugly.

-- 
thanks,

Mimi



