Message ID | 20201019200803.35255-1-petr.vorel@gmail.com (mailing list archive)
---|---
State | New, archived
Series | [ima-evm-utils] boot_aggregate.test: Skip if CONFIG_IMA not enabled
[Cc'ing Dmitry Eremin-Solenikov]

Hi Petr,

On Mon, 2020-10-19 at 22:08 +0200, Petr Vorel wrote:
> This is required, because when TPM HW is available (i.e. -c /dev/tpm0),
> evmctl ima_boot_aggregate returns sha1:xxxx.
>
> skip requires to move cleanup().
>
> Signed-off-by: Petr Vorel <petr.vorel@gmail.com>

Nice.

> ---
> Hi Mimi,
>
> this fixes problems on current Debian, which has still disabled CONFIG_IMA
> (FYI [1]). I was not able to figure out how to get it working with
> sample-* files, but maybe there is a way.
>
> Although it sounds strange, people may want to build and check evmctl
> even on a system with disabled CONFIG_IMA (both Debian and Ubuntu have
> outdated ima-evm-utils (1.1)).

Oops, I need to keep Dmitry in the loop better. I'm hoping to release
v1.3 shortly.

>
> Kind regards,
> Petr
>
> [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA

I wasn't aware that because of lockdown, IMA was disabled. Thank you
for reporting and updating the IMA w/lockdown status.

Mimi
Hi Mimi, Dmitry,

> [Cc'ing Dmitry Eremin-Solenikov]

> Hi Petr,

> On Mon, 2020-10-19 at 22:08 +0200, Petr Vorel wrote:
> > This is required, because when TPM HW is available (i.e. -c /dev/tpm0),
> > evmctl ima_boot_aggregate returns sha1:xxxx.

> > skip requires to move cleanup().

> > Signed-off-by: Petr Vorel <petr.vorel@gmail.com>

> Nice.

> > ---
> > Hi Mimi,

> > this fixes problems on current Debian, which has still disabled CONFIG_IMA
> > (FYI [1]). I was not able to figure out how to get it working with
> > sample-* files, but maybe there is a way.

> > Although it sounds strange, people may want to build and check evmctl
> > even on a system with disabled CONFIG_IMA (both Debian and Ubuntu have
> > outdated ima-evm-utils (1.1)).

> Oops, I need to keep Dmitry in the loop better. I'm hoping to release
> v1.3 shortly.
Thanks!
@Dmitry do you wish to be Cc: before release or any other time?

> > Kind regards,
> > Petr

> > [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA

> I wasn't aware that because of lockdown, IMA was disabled. Thank you
> for reporting and updating the IMA w/lockdown status.
Feel free to comment it, please. It'd be nice to have IMA in Debian (not sure
about Ubuntu status).

@Dmitry: do you plan to update the Debian package? (you're the listed maintainer,
although the package was signed by Wartan Hachaturow).

> Mimi

Kind regards,
Petr
Hi Petr,

On Mon, 2020-10-19 at 19:10 -0400, Mimi Zohar wrote:
> On Mon, 2020-10-19 at 22:08 +0200, Petr Vorel wrote:
> > This is required, because when TPM HW is available (i.e. -c /dev/tpm0),
> > evmctl ima_boot_aggregate returns sha1:xxxx.
> >
> > skip requires to move cleanup().
> >
> > Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
>
> Nice.
>
> > ---
> > Hi Mimi,
> >
> > this fixes problems on current Debian, which has still disabled CONFIG_IMA
> > (FYI [1]). I was not able to figure out how to get it working with
> > sample-* files, but maybe there is a way.

Moving the test down to within "if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then"
will allow the sample tests to work. I've modified your patch and pushed
it out to next-testing.

thanks,

Mimi
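The placement question in Mimi's reply above, as an added example that is not code from the ima-evm-utils test or from the patch in this thread: only the hardware-TPM branch reads the kernel's ascii_runtime_measurements, so the CONFIG_IMA skip belongs inside that branch and the sample-*/swtpm fallback stays usable on a kernel without IMA. The function names, the parameterised paths and the /proc/mounts-style input are assumptions made so the logic runs without root, a TPM or securityfs; the swtpm socket values are the ones the patch exports.

```shell
#!/bin/sh
# Added example (not the ima-evm-utils test script). The environment
# selection is isolated into functions whose paths are parameters, so the
# decision logic can be exercised on any machine.

# securityfs_mounted MOUNTS_FILE
#   True if a /proc/mounts-style file lists a securityfs mount (third
#   field is the filesystem type). Pass /proc/mounts on a live system.
securityfs_mounted() {
    awk '$3 == "securityfs" { found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# select_measurement_source UID TPM_DEV IMA_DIR MOUNTS_FILE
#   Prints one word:
#     kernel              root with a hardware TPM and an IMA directory:
#                         read ascii_runtime_measurements from the kernel
#     sample              not root or no TPM: use the sample-* files with swtpm
#     skip-no-ima         root with a TPM, securityfs mounted, no IMA directory:
#                         CONFIG_IMA really is off
#     skip-no-securityfs  root with a TPM, but securityfs is not mounted, so a
#                         missing directory says nothing about CONFIG_IMA
select_measurement_source() {
    uid="$1"; tpm_dev="$2"; ima_dir="$3"; mounts="$4"

    if [ "$uid" = 0 ] && [ -c "$tpm_dev" ]; then
        if [ -d "$ima_dir" ]; then
            echo kernel
        elif securityfs_mounted "$mounts"; then
            echo skip-no-ima
        else
            echo skip-no-securityfs
        fi
        return 0
    fi
    # The fallback path never touches the kernel's IMA log, so it must not
    # be skipped because of CONFIG_IMA.
    echo sample
}

# swtpm_env
#   Exports the swtpm socket settings used by the fallback path (values as
#   in the patch under review).
swtpm_env() {
    export TPM_INTERFACE_TYPE="socsim"
    export TPM_COMMAND_PORT=2321
    export TPM_PLATFORM_PORT=2322
    export TPM_SERVER_NAME="localhost"
    # swtpm uses the raw, unencapsulated packet format
    export TPM_SERVER_TYPE="raw"
}

# Usage on a live system (the hardware path needs root):
#   select_measurement_source "$(id -u)" /dev/tpm0 /sys/kernel/security/ima /proc/mounts
```

The two distinct skip reasons are the point: `[ ! -d /sys/kernel/security/ima ]` alone cannot tell a kernel built without CONFIG_IMA from one where securityfs simply is not mounted, and a test that reports "CONFIG_IMA not enabled" in the second case sends the person debugging it in the wrong direction.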
[Cc'ing Wartan Hachaturow]

Hi Wartan,

On Tue, 2020-10-20 at 20:02 +0200, Petr Vorel wrote:
> > > [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA
>
> > I wasn't aware that because of lockdown, IMA was disabled. Thank you
> > for reporting and updating the IMA w/lockdown status.
> Feel free to comment it, please. It'd be nice to have IMA in Debian (not sure
> about Ubuntu status).
>
> @Dmitry: do you plan to update the Debian package? (you're the listed maintainer,
> although the package was signed by Wartan Hachaturow).

Earlier this year Dmitry Eremin-Solenikov posted a patch to add
libressl support to ima-evm-utils. Part of the reason for our adding
travis support was in order to create a testing matrix for testing
openssl, libressl, ibmtss and tpm2-tss, which further led to the
travis-docker distro support. (Due to some issues, the libressl
support was not upstreamed.)

Do you know if there are any plans on updating the ima-evm-utils
package on Debian?

thanks,

Mimi
On 2020-10-20 20:02:31, Petr Vorel wrote:
> Hi Mimi, Dmitry,
>
> > [Cc'ing Dmitry Eremin-Solenikov]
>
> > Hi Petr,
>
> > On Mon, 2020-10-19 at 22:08 +0200, Petr Vorel wrote:
> > > This is required, because when TPM HW is available (i.e. -c /dev/tpm0),
> > > evmctl ima_boot_aggregate returns sha1:xxxx.
>
> > > skip requires to move cleanup().
>
> > > Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
>
> > Nice.
>
> > > ---
> > > Hi Mimi,
>
> > > this fixes problems on current Debian, which has still disabled CONFIG_IMA
> > > (FYI [1]). I was not able to figure out how to get it working with
> > > sample-* files, but maybe there is a way.
>
> > > Although it sounds strange, people may want to build and check evmctl
> > > even on a system with disabled CONFIG_IMA (both Debian and Ubuntu have
> > > outdated ima-evm-utils (1.1)).
>
> > Oops, I need to keep Dmitry in the loop better. I'm hoping to release
> > v1.3 shortly.
> Thanks!
> @Dmitry do you wish to be Cc: before release or any other time?
>
> > > Kind regards,
> > > Petr
>
> > > [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA
>
> > I wasn't aware that because of lockdown, IMA was disabled. Thank you
> > for reporting and updating the IMA w/lockdown status.
> Feel free to comment it, please. It'd be nice to have IMA in Debian (not sure
> about Ubuntu status).

I can help with the Ubuntu status. IMA is still enabled there. You can
see CONFIG_IMA set to 'y' in the 20.04 LTS (Focal) and most recent 20.10
release (Groovy):

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/tree/debian.master/config/annotations#n12861
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/groovy/tree/debian.master/config/annotations#n13173

Tyler

>
> @Dmitry: do you plan to update the Debian package? (you're the listed maintainer,
> although the package was signed by Wartan Hachaturow).
>
> > Mimi
>
> Kind regards,
> Petr
Hello,

27.10.2020 19:06, Mimi Zohar writes:
> [Cc'ing Wartan Hachaturow]
>
> Hi Wartan,
>
> On Tue, 2020-10-20 at 20:02 +0200, Petr Vorel wrote:
>>>> [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA
>>> I wasn't aware that because of lockdown, IMA was disabled. Thank you
>>> for reporting and updating the IMA w/lockdown status.
>> Feel free to comment it, please. It'd be nice to have IMA in Debian (not sure
>> about Ubuntu status).
>>
>> @Dmitry: do you plan to update the Debian package? (you're the listed maintainer,
>> although the package was signed by Wartan Hachaturow).
> Earlier this year Dmitry Eremin-Solenikov posted a patch to add
> libressl support to ima-evm-utils. Part of the reason for our adding
> travis support was in order to create a testing matrix for testing
> openssl, libressl, ibmtss and tpm2-tss, which further led to the
> travis-docker distro support. (Due to some issues, the libressl
> support was not upstreamed.)

Mimi, it was me who posted the patch for LibreSSL ("[PATCH] ima-evm-utils: Fix
compatibility with LibreSSL"), but unfortunately I did not have enough time to
finish it properly (I am very sorry...).

I was just going to try a newer version of ima-evm-utils and, if possible,
continue upstreamizing support of LibreSSL. Also, a colleague of mine made an
additional patch which requires separate upstreamization. Was there another
patch from Dmitry about which I do not know?
27.10.2020 21:49, Tyler Hicks writes:
> I can help with the Ubuntu status. IMA is still enabled there. You can
> see CONFIG_IMA set to 'y' in the 20.04 LTS (Focal) and most recent 20.10
> release (Groovy):
>
> https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/tree/debian.master/config/annotations#n12861
> https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/groovy/tree/debian.master/config/annotations#n13173
>
> Tyler

Sorry for being a bit off-topic, but by the way, does any Linux distro ship
packages with IMA-signed files? I know that work was done to support it in DEB
and RPM, and at least in RPM it was upstreamized. We are going to try shipping
IMA-signed packages in ROSA; it would be nice to study the experience of other
distros if there is any.
On Tue, 2020-10-27 at 21:51 +0300, Mikhail Novosyolov wrote:
> Hello,
>
> 27.10.2020 19:06, Mimi Zohar writes:
> > [Cc'ing Wartan Hachaturow]
> >
> > Hi Wartan,
> >
> > On Tue, 2020-10-20 at 20:02 +0200, Petr Vorel wrote:
> >>>> [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA
> >>> I wasn't aware that because of lockdown, IMA was disabled. Thank you
> >>> for reporting and updating the IMA w/lockdown status.
> >> Feel free to comment it, please. It'd be nice to have IMA in Debian (not sure
> >> about Ubuntu status).
> >>
> >> @Dmitry: do you plan to update the Debian package? (you're the listed maintainer,
> >> although the package was signed by Wartan Hachaturow).
> > Earlier this year Dmitry Eremin-Solenikov posted a patch to add
> > libressl support to ima-evm-utils. Part of the reason for our adding
> > travis support was in order to create a testing matrix for testing
> > openssl, libressl, ibmtss and tpm2-tss, which further led to the
> > travis-docker distro support. (Due to some issues, the libressl
> > support was not upstreamed.)
>
> Mimi, it was me who posted the patch for LibreSSL ("[PATCH] ima-evm-
> utils: Fix compatibility with LibreSSL"), but unfortunately I did not
> have enough time to finish it properly (I am very sorry...).
>
> I was just going to try a newer version of ima-evm-utils and, if
> possible, continue upstreamizing support of LibreSSL. Also, a
> colleague of mine made an additional patch which requires separate
> upstreamization. Was there another patch from Dmitry about which I do
> not know?

Mikhail, my mistake. Thank you for the correction! Testing the
libressl changes should be a lot easier now. Please remember to
include a distro travis.yml example.

thanks,

Mimi
27.10.2020 22:06, Mimi Zohar writes:
> On Tue, 2020-10-27 at 21:51 +0300, Mikhail Novosyolov wrote:
>> Hello,
>>
>> 27.10.2020 19:06, Mimi Zohar writes:
>>> [Cc'ing Wartan Hachaturow]
>>>
>>> Hi Wartan,
>>>
>>> On Tue, 2020-10-20 at 20:02 +0200, Petr Vorel wrote:
>>>>>> [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA
>>>>> I wasn't aware that because of lockdown, IMA was disabled. Thank you
>>>>> for reporting and updating the IMA w/lockdown status.
>>>> Feel free to comment it, please. It'd be nice to have IMA in Debian (not sure
>>>> about Ubuntu status).
>>>>
>>>> @Dmitry: do you plan to update the Debian package? (you're the listed maintainer,
>>>> although the package was signed by Wartan Hachaturow).
>>> Earlier this year Dmitry Eremin-Solenikov posted a patch to add
>>> libressl support to ima-evm-utils. Part of the reason for our adding
>>> travis support was in order to create a testing matrix for testing
>>> openssl, libressl, ibmtss and tpm2-tss, which further led to the
>>> travis-docker distro support. (Due to some issues, the libressl
>>> support was not upstreamed.)
>> Mimi, it was me who posted the patch for LibreSSL ("[PATCH] ima-evm-
>> utils: Fix compatibility with LibreSSL"), but unfortunately I did not
>> have enough time to finish it properly (I am very sorry...).
>>
>> I was just going to try a newer version of ima-evm-utils and, if
>> possible, continue upstreamizing support of LibreSSL. Also, a
>> colleague of mine made an additional patch which requires separate
>> upstreamization. Was there another patch from Dmitry about which I do
>> not know?
> Mikhail, my mistake. Thank you for the correction! Testing the
> libressl changes should be a lot easier now. Please remember to
> include a distro travis.yml example.

What do you mean? Do you mean adding testing of building ima-evm-utils against
LibreSSL? Which environment is used there and which ones are available?

There are not many distros where LibreSSL is pre-packaged [1]; in many of them
it is not updated often enough. I would choose either ROSA, where I myself
maintain LibreSSL and ima-evm-utils, or Arch Linux. Is at least Arch Linux
available in the CI/CD environment? Won't we have to deal with frequent
breakages of other parts of the rolling Arch Linux?

Also, I can just build LibreSSL from source in any available distro, e.g.
Ubuntu, but the pipeline will take a lot more time. How do we better deal with
it?

[1] https://repology.org/project/libressl/versions
Hi all,

...

> > Mikhail, my mistake. Thank you for the correction! Testing the
> > libressl changes should be a lot easier now. Please remember to
> > include a distro travis.yml example.
> What do you mean? Do you mean adding testing of building ima-evm-utils against LibreSSL?
Yes, I understand Mimi wants this.

> Which environment is used there and which ones are available? There are not many distros where LibreSSL is pre-packaged [1], in many of them it is not updated often enough.
Look at the supported distros in travis/ in the next or next-testing branch.
Could you use some bleeding edge distro (Tumbleweed or Fedora?)
You could handle LibreSSL vs. OpenSSL with a variable, similarly to how IBM TSS
and Intel TSS are handled (with the $TSS variable).

> I would choose either ROSA where I myself maintain LibreSSL and ima-evm-utils or Arch Linux, is at least Arch Linux available in CI/CD environment?
> Won't we have to deal with often breakages of other parts of the rolling Arch Linux?
> Also, I can just build LibreSSL from source in any available distro, e.g. Ubuntu, but the pipeline will take a lot more time.
Please use the distro package. Not only is it faster (as you noted), but it also
covers more users (IMHO most people use the distro package, not a git version).

> How do we better deal with it?

Kind regards,
Petr

> [1] https://repology.org/project/libressl/versions
diff --git a/tests/boot_aggregate.test b/tests/boot_aggregate.test index 42ed7b4..5fd4204 100755 --- a/tests/boot_aggregate.test +++ b/tests/boot_aggregate.test @@ -26,21 +26,6 @@ TSSDIR="$(dirname -- "$(which tssstartup)")" PCRFILE="/sys/class/tpm/tpm0/device/pcrs" MISC_PCRFILE="/sys/class/misc/tpm0/device/pcrs" -if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then - ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements" -else - BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9" - ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9" - export TPM_INTERFACE_TYPE="socsim" - export TPM_COMMAND_PORT=2321 - export TPM_PLATFORM_PORT=2322 - export TPM_SERVER_NAME="localhost" - - # swtpm uses the raw, unencapsulated packet format - export TPM_SERVER_TYPE="raw" - -fi - # Only stop this test's software TPM cleanup() { if [ -n "${SWTPM_PID}" ]; then @@ -165,6 +150,26 @@ check() { return "$FAIL" } +if [ ! -d "/sys/kernel/security/ima" ]; then + echo "${CYAN}SKIP: CONFIG_IMA not enabled${NORM}" + exit "$SKIP" +fi + +if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then + ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements" +else + BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9" + ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9" + export TPM_INTERFACE_TYPE="socsim" + export TPM_COMMAND_PORT=2321 + export TPM_PLATFORM_PORT=2322 + export TPM_SERVER_NAME="localhost" + + # swtpm uses the raw, unencapsulated packet format + export TPM_SERVER_TYPE="raw" + +fi + # Start and initialize a software TPM as needed if [ "$(id -u)" != 0 ] || [ ! -c "/dev/tpm0" ]; then if [ -f "$PCRFILE" ] || [ -f "$MISC_PCRFILE" ]; then
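Review bot: the commit message says "skip requires to move cleanup()", but the first hunk (`@@ -26,21 +26,6 @@`) leaves cleanup() where it is and instead removes the TPM environment setup block (the `if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]` branch with the swtpm socsim exports) from above it; that block reappears unchanged below check() in the second hunk. The message should say what actually moves, that the setup block is relocated after cleanup() and check() so the new SKIP exit can precede it, and that nothing inside the block changes, so a reviewer does not have to diff the two copies to confirm it.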
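Review bot: in the second hunk (`@@ -165,6 +150,26 @@`) the new `[ ! -d "/sys/kernel/security/ima" ]` check sits before the `if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]` branch, so the else branch (sample-* files plus the socsim swtpm exports) is skipped as well, although it never reads the kernel's ascii_runtime_measurements; as noted in the thread, the check belongs inside the root-with-TPM branch, just before `ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements"` is set, so the sample tests keep running on a kernel without IMA. The message `SKIP: CONFIG_IMA not enabled` is also misleading when securityfs is simply not mounted at /sys/kernel/security, since the directory is absent in both cases; either word the message to cover that possibility or test for the securityfs mount separately before attributing the absence to CONFIG_IMA.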
This is required, because when TPM HW is available (i.e. -c /dev/tpm0),
evmctl ima_boot_aggregate returns sha1:xxxx.

skip requires to move cleanup().

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
---
Hi Mimi,

this fixes problems on current Debian, which has still disabled CONFIG_IMA
(FYI [1]). I was not able to figure out how to get it working with
sample-* files, but maybe there is a way.

Although it sounds strange, people may want to build and check evmctl
even on a system with disabled CONFIG_IMA (both Debian and Ubuntu have
outdated ima-evm-utils (1.1)).

Kind regards,
Petr

[1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA

 tests/boot_aggregate.test | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)