
[ima-evm-utils] boot_aggregate.test: Skip if CONFIG_IMA not enabled

Message ID 20201019200803.35255-1-petr.vorel@gmail.com (mailing list archive)
State New, archived

Commit Message

Petr Vorel Oct. 19, 2020, 8:08 p.m. UTC
This is required, because when TPM HW is available (i.e. -c /dev/tpm0),
evmctl ima_boot_aggregate returns sha1:xxxx.

skip requires moving cleanup().

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
---
Hi Mimi,

this fixes problems on current Debian, which still has CONFIG_IMA disabled
(FYI [1]). I was not able to figure out how to get it working with the
sample-* files, but maybe there is a way.

Although it sounds strange, people may want to build and check evmctl
even on a system with CONFIG_IMA disabled (both Debian and Ubuntu have an
outdated ima-evm-utils (1.1)).

Kind regards,
Petr

[1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA

 tests/boot_aggregate.test | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)

Comments

Mimi Zohar Oct. 19, 2020, 11:10 p.m. UTC | #1
[Cc'ing Dmitry Eremin-Solenikov]

Hi Petr,

On Mon, 2020-10-19 at 22:08 +0200, Petr Vorel wrote:
> This is required, because when TPM HW is available (i.e. -c /dev/tpm0),
> evmctl ima_boot_aggregate returns sha1:xxxx.
> 
> skip requires moving cleanup().
> 
> Signed-off-by: Petr Vorel <petr.vorel@gmail.com>

Nice.
> ---
> Hi Mimi,
> 
> this fixes problems on current Debian, which still has CONFIG_IMA disabled
> (FYI [1]). I was not able to figure out how to get it working with the
> sample-* files, but maybe there is a way.
> 
> Although it sounds strange, people may want to build and check evmctl
> even on a system with CONFIG_IMA disabled (both Debian and Ubuntu have an
> outdated ima-evm-utils (1.1)).

Oops, I need to keep Dmitry in the loop better.  I'm hoping to release
v1.3 shortly.

> 
> Kind regards,
> Petr
> 
> [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA

I wasn't aware that because of lockdown, IMA was disabled.  Thank you
for reporting and updating the IMA w/lockdown status.

Mimi
Petr Vorel Oct. 20, 2020, 6:02 p.m. UTC | #2
Hi Mimi, Dmitry,

> [Cc'ing Dmitry Eremin-Solenikov]

> Hi Petr,

> On Mon, 2020-10-19 at 22:08 +0200, Petr Vorel wrote:
> > This is required, because when TPM HW is available (i.e. -c /dev/tpm0),
> > evmctl ima_boot_aggregate returns sha1:xxxx.

> > skip requires moving cleanup().

> > Signed-off-by: Petr Vorel <petr.vorel@gmail.com>

> Nice.
> > ---
> > Hi Mimi,

> > this fixes problems on current Debian, which still has CONFIG_IMA disabled
> > (FYI [1]). I was not able to figure out how to get it working with the
> > sample-* files, but maybe there is a way.

> > Although it sounds strange, people may want to build and check evmctl
> > even on a system with CONFIG_IMA disabled (both Debian and Ubuntu have an
> > outdated ima-evm-utils (1.1)).

> Oops, I need to keep Dmitry in the loop better.  I'm hoping to release
> v1.3 shortly.
Thanks!
@Dmitry: do you wish to be Cc'd before the release or at any other time?

> > Kind regards,
> > Petr

> > [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA

> I wasn't aware that because of lockdown, IMA was disabled.  Thank you
> for reporting and updating the IMA w/lockdown status.
Feel free to comment on it, please. It'd be nice to have IMA in Debian (not sure
about the Ubuntu status).

@Dmitry: do you plan to update the Debian package? (You're the listed maintainer,
although the package was signed by Wartan Hachaturow.)

> Mimi

Kind regards,
Petr
Mimi Zohar Oct. 23, 2020, 12:46 p.m. UTC | #3
Hi Petr,

On Mon, 2020-10-19 at 19:10 -0400, Mimi Zohar wrote:
> On Mon, 2020-10-19 at 22:08 +0200, Petr Vorel wrote:
> > This is required, because when TPM HW is available (i.e. -c /dev/tpm0),
> > evmctl ima_boot_aggregate returns sha1:xxxx.
> > 
> > skip requires moving cleanup().
> > 
> > Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
> 
> Nice.
> > ---
> > Hi Mimi,
> > 
> > this fixes problems on current Debian, which still has CONFIG_IMA disabled
> > (FYI [1]). I was not able to figure out how to get it working with the
> > sample-* files, but maybe there is a way.

Moving the test down to within "if [ "$(id -u)" = 0 ] && [ -c
"/dev/tpm0" ]; then" will allow the sample tests to work.  I've
modified your patch and pushed it out to next-testing.

thanks,

Mimi
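Mimi's suggestion, as an added example that is not the project's own test script: the source-selection logic of boot_aggregate.test with the CONFIG_IMA check confined to the root-and-/dev/tpm0 branch, so the sample-file path still runs on a kernel without IMA. The uid, TPM device path and IMA securityfs path are parameters (an assumption made so the logic can be exercised offline; the real script uses id -u, /dev/tpm0 and /sys/kernel/security/ima).

```shell
#!/bin/sh
# Added example, not the ima-evm-utils test itself: decide where
# boot_aggregate.test should take its measurements from, with the
# CONFIG_IMA skip confined to the hardware-TPM branch.
#
# select_measurements <uid> <tpm_device> <ima_securityfs_dir>
# Prints one word:
#   hw      root with a TPM character device and IMA's securityfs entry
#   skip    root with a TPM device but no IMA entry: the kernel's IMA
#           measurement list cannot be read, so the test cannot run
#   sample  non-root or no TPM device: use the sample-* measurement files
#           and a software TPM; this needs no kernel IMA support at all
select_measurements() {
	uid="$1"
	tpm_dev="$2"
	ima_dir="$3"

	if [ "$uid" = 0 ] && [ -c "$tpm_dev" ]; then
		# Only this branch reads ascii_runtime_measurements from the
		# kernel, so only here is a missing CONFIG_IMA a reason to skip.
		if [ ! -d "$ima_dir" ]; then
			echo skip
			return 0
		fi
		echo hw
		return 0
	fi

	# Fallback path: the sample files stand in for the kernel list, so a
	# kernel without CONFIG_IMA must still reach this point.
	echo sample
}

# Same decision against the real system paths used by boot_aggregate.test.
detect_mode() {
	select_measurements "$(id -u)" /dev/tpm0 /sys/kernel/security/ima
}
```

detect_mode prints skip, hw or sample for the machine it runs on; in the real script the skip branch is where the SKIP message is echoed and exit "$SKIP" happens, before any software TPM is started.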
Mimi Zohar Oct. 27, 2020, 4:06 p.m. UTC | #4
[Cc'ing Wartan Hachaturow]

Hi Wartan,

On Tue, 2020-10-20 at 20:02 +0200, Petr Vorel wrote:
> > > [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA
> 
> > I wasn't aware that because of lockdown, IMA was disabled.  Thank you
> > for reporting and updating the IMA w/lockdown status.
> Feel free to comment on it, please. It'd be nice to have IMA in Debian (not sure
> about the Ubuntu status).
> 
> @Dmitry: do you plan to update the Debian package? (You're the listed maintainer,
> although the package was signed by Wartan Hachaturow.)

Earlier this year Dmitry Eremin-Solenikov posted a patch to add
libressl support to ima-evm-utils.  Part of the reason for our adding
travis support was in order to create a testing matrix for testing
openssl, libressl, ibmtss and tpm2-tss, which further led to the
travis-docker distro support.  (Due to some issues, the libressl
support was not upstreamed.)

Do you know if there are any plans on updating the ima-evm-utils
package on Debian?
 
thanks,

Mimi
Tyler Hicks Oct. 27, 2020, 6:49 p.m. UTC | #5
On 2020-10-20 20:02:31, Petr Vorel wrote:
> Hi Mimi, Dmitry,
> 
> > [Cc'ing Dmitry Eremin-Solenikov]
> 
> > Hi Petr,
> 
> > On Mon, 2020-10-19 at 22:08 +0200, Petr Vorel wrote:
> > > This is required, because when TPM HW is available (i.e. -c /dev/tpm0),
> > > evmctl ima_boot_aggregate returns sha1:xxxx.
> 
> > > skip requires moving cleanup().
> 
> > > Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
> 
> > Nice.
> > > ---
> > > Hi Mimi,
> 
> > > this fixes problems on current Debian, which still has CONFIG_IMA disabled
> > > (FYI [1]). I was not able to figure out how to get it working with the
> > > sample-* files, but maybe there is a way.
> 
> > > Although it sounds strange, people may want to build and check evmctl
> > > even on a system with CONFIG_IMA disabled (both Debian and Ubuntu have an
> > > outdated ima-evm-utils (1.1)).
> 
> > Oops, I need to keep Dmitry in the loop better.  I'm hoping to release
> > v1.3 shortly.
> Thanks!
> @Dmitry: do you wish to be Cc'd before the release or at any other time?
> 
> > > Kind regards,
> > > Petr
> 
> > > [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA
> 
> > I wasn't aware that because of lockdown, IMA was disabled.  Thank you
> > for reporting and updating the IMA w/lockdown status.
> Feel free to comment on it, please. It'd be nice to have IMA in Debian (not sure
> about the Ubuntu status).

I can help with the Ubuntu status. IMA is still enabled there. You can
see CONFIG_IMA set to 'y' in the 20.04 LTS (Focal) and most recent 20.10
release (Groovy):

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/tree/debian.master/config/annotations#n12861
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/groovy/tree/debian.master/config/annotations#n13173

Tyler

> 
> @Dmitry: do you plan to update the Debian package? (You're the listed maintainer,
> although the package was signed by Wartan Hachaturow.)
> 
> > Mimi
> 
> Kind regards,
> Petr
Mikhail Novosyolov Oct. 27, 2020, 6:51 p.m. UTC | #6
Hello,

27.10.2020 19:06, Mimi Zohar wrote:
> [Cc'ing Wartan Hachaturow]
>
> Hi Wartan,
>
> On Tue, 2020-10-20 at 20:02 +0200, Petr Vorel wrote:
>>>> [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA
>>> I wasn't aware that because of lockdown, IMA was disabled.  Thank you
>>> for reporting and updating the IMA w/lockdown status.
>> Feel free to comment on it, please. It'd be nice to have IMA in Debian (not sure
>> about the Ubuntu status).
>>
>> @Dmitry: do you plan to update the Debian package? (You're the listed maintainer,
>> although the package was signed by Wartan Hachaturow.)
> Earlier this year Dmitry Eremin-Solenikov posted a patch to add
> libressl support to ima-evm-utils.  Part of the reason for our adding
> travis support was in order to create a testing matrix for testing
> openssl, libressl, ibmtss and tpm2-tss, which further led to the
> travis-docker distro support.  (Due to some issues, the libressl
> support was not upstreamed.)

Mimi, it was me who posted the patch for LibreSSL ("[PATCH] ima-evm-utils: Fix compatibility with LibreSSL"), but unfortunately I did not have enough time to finish it properly (I am very sorry...).

I was just going to try a newer version of ima-evm-utils and, if possible, continue upstreamizing support of LibreSSL. Also, a colleague of mine made an additional patch which requires separate upstreamization. Was there another patch from Dmitry about which I do not know?
Mikhail Novosyolov Oct. 27, 2020, 6:57 p.m. UTC | #7
27.10.2020 21:49, Tyler Hicks wrote:
> I can help with the Ubuntu status. IMA is still enabled there. You can
> see CONFIG_IMA set to 'y' in the 20.04 LTS (Focal) and most recent 20.10
> release (Groovy):
>
> https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/tree/debian.master/config/annotations#n12861
> https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/groovy/tree/debian.master/config/annotations#n13173
>
> Tyler

Sorry for going a bit off-topic, but by the way, does any Linux distro ship packages with IMA-signed files?

I know that work was done to support it in DEB and RPM and at least in RPM it was upstreamized.

We are going to try shipping IMA-signed packages in ROSA; it would be nice to study the experience of other distros, if there is any.
Mimi Zohar Oct. 27, 2020, 7:06 p.m. UTC | #8
On Tue, 2020-10-27 at 21:51 +0300, Mikhail Novosyolov wrote:
> Hello,
> 
> 27.10.2020 19:06, Mimi Zohar wrote:
> > [Cc'ing Wartan Hachaturow]
> >
> > Hi Wartan,
> >
> > On Tue, 2020-10-20 at 20:02 +0200, Petr Vorel wrote:
> >>>> [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA
> >>> I wasn't aware that because of lockdown, IMA was disabled.  Thank you
> >>> for reporting and updating the IMA w/lockdown status.
> >> Feel free to comment on it, please. It'd be nice to have IMA in Debian (not sure
> >> about the Ubuntu status).
> >>
> >> @Dmitry: do you plan to update the Debian package? (You're the listed maintainer,
> >> although the package was signed by Wartan Hachaturow.)
> > Earlier this year Dmitry Eremin-Solenikov posted a patch to add
> > libressl support to ima-evm-utils.  Part of the reason for our adding
> > travis support was in order to create a testing matrix for testing
> > openssl, libressl, ibmtss and tpm2-tss, which further led to the
> > travis-docker distro support.  (Due to some issues, the libressl
> > support was not upstreamed.)
> 
> Mimi, it was me who posted the patch for LibreSSL ("[PATCH] ima-evm-utils:
> Fix compatibility with LibreSSL"), but unfortunately I did not have
> enough time to finish it properly (I am very sorry...).
> 
> I was just going to try a newer version of ima-evm-utils and, if
> possible, continue upstreamizing support of LibreSSL. Also, a
> colleague of mine made an additional patch which requires separate
> upstreamization. Was there another patch from Dmitry about which I do
> not know?

Mikhail, my mistake.  Thank you for the correction!  Testing the
libressl changes should be a lot easier now.  Please remember to
include a distro travis.yml example.

thanks,

Mimi
Mikhail Novosyolov Oct. 27, 2020, 7:29 p.m. UTC | #9
27.10.2020 22:06, Mimi Zohar wrote:
> On Tue, 2020-10-27 at 21:51 +0300, Mikhail Novosyolov wrote:
>> Hello,
>>
>> 27.10.2020 19:06, Mimi Zohar wrote:
>>> [Cc'ing Wartan Hachaturow]
>>>
>>> Hi Wartan,
>>>
>>> On Tue, 2020-10-20 at 20:02 +0200, Petr Vorel wrote:
>>>>>> [1] https://bugs.debian.org/972459 linux: Reenable CONFIG_IMA
>>>>> I wasn't aware that because of lockdown, IMA was disabled.  Thank you
>>>>> for reporting and updating the IMA w/lockdown status.
>>>> Feel free to comment on it, please. It'd be nice to have IMA in Debian (not sure
>>>> about the Ubuntu status).
>>>>
>>>> @Dmitry: do you plan to update the Debian package? (You're the listed maintainer,
>>>> although the package was signed by Wartan Hachaturow.)
>>> Earlier this year Dmitry Eremin-Solenikov posted a patch to add
>>> libressl support to ima-evm-utils.  Part of the reason for our adding
>>> travis support was in order to create a testing matrix for testing
>>> openssl, libressl, ibmtss and tpm2-tss, which further led to the
>>> travis-docker distro support.  (Due to some issues, the libressl
>>> support was not upstreamed.)
>> Mimi, it was me who posted the patch for LibreSSL ("[PATCH] ima-evm-utils:
>> Fix compatibility with LibreSSL"), but unfortunately I did not have
>> enough time to finish it properly (I am very sorry...).
>>
>> I was just going to try a newer version of ima-evm-utils and, if
>> possible, continue upstreamizing support of LibreSSL. Also, a
>> colleague of mine made an additional patch which requires separate
>> upstreamization. Was there another patch from Dmitry about which I do
>> not know?
> Mikhail, my mistake.  Thank you for the correction!  Testing the
> libressl changes should be a lot easier now.  Please remember to
> include a distro travis.yml example.

What do you mean? Do you mean adding testing of building ima-evm-utils against LibreSSL?

Which environment is used there and which ones are available? There are not many distros where LibreSSL is pre-packaged [1], and in many of them it is not updated often enough.
I would choose either ROSA, where I myself maintain LibreSSL and ima-evm-utils, or Arch Linux; is at least Arch Linux available in the CI/CD environment?
Won't we have to deal with frequent breakages of other parts of the rolling Arch Linux?

Also, I can just build LibreSSL from source in any available distro, e.g. Ubuntu, but the pipeline will take a lot more time.

How do we better deal with it?

[1] https://repology.org/project/libressl/versions
Petr Vorel Oct. 27, 2020, 8:01 p.m. UTC | #10
Hi all,

...
> > Mikhail, my mistake.  Thank you for the correction!   Testing the
> > libressl changes should be a lot easier now.  Please remember to
> > include a distro travis.yml example.

> What do you mean? Do you mean adding testing of building ima-evm-utils against LibreSSL?
Yes, I understand Mimi wants this.

> Which environment is used there and which ones are available? There are not many distros where LibreSSL is pre-packaged [1], and in many of them it is not updated often enough.
Look at the supported distros in travis/ in the next or next-testing branch.
Could you use some bleeding-edge distro (Tumbleweed or Fedora)?
You could handle LibreSSL vs. OpenSSL with a variable, similarly to how IBM TSS and
Intel TSS are handled (with the $TSS variable).

> I would choose either ROSA, where I myself maintain LibreSSL and ima-evm-utils, or Arch Linux; is at least Arch Linux available in the CI/CD environment?
> Won't we have to deal with frequent breakages of other parts of the rolling Arch Linux?

> Also, I can just build LibreSSL from source in any available distro, e.g. Ubuntu, but the pipeline will take a lot more time.
Please use the distro package. Not only is it faster (as you noted), but it also
covers more users (IMHO most people use the distro package, not a git version).

> How do we better deal with it?

Kind regards,
Petr

> [1] https://repology.org/project/libressl/versions

Patch

diff --git a/tests/boot_aggregate.test b/tests/boot_aggregate.test
index 42ed7b4..5fd4204 100755
--- a/tests/boot_aggregate.test
+++ b/tests/boot_aggregate.test
@@ -26,21 +26,6 @@  TSSDIR="$(dirname -- "$(which tssstartup)")"
 PCRFILE="/sys/class/tpm/tpm0/device/pcrs"
 MISC_PCRFILE="/sys/class/misc/tpm0/device/pcrs"
 
-if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then
-	ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements"
-else
-	BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9"
-	ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9"
-	export TPM_INTERFACE_TYPE="socsim"
-	export TPM_COMMAND_PORT=2321
-	export TPM_PLATFORM_PORT=2322
-	export TPM_SERVER_NAME="localhost"
-
-	# swtpm uses the raw, unencapsulated packet format
-	export TPM_SERVER_TYPE="raw"
-
-fi
-
 # Only stop this test's software TPM
 cleanup() {
 	if [ -n "${SWTPM_PID}" ]; then
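Review bot: The commit message says "skip requires to move cleanup()", but what this hunk actually moves is the measurement-source setup (ASCII_RUNTIME_MEASUREMENTS, BINARY_BIOS_MEASUREMENTS and the TPM_* exports) from above cleanup() to below check(); cleanup() itself stays where it was. Please state the real reason in the commit message and confirm that nothing defined between the old location (line 29) and the new one (line 153), including a cleanup() trap that could fire on an early error, reads those variables before they are assigned, since they are now empty during that window.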
@@ -165,6 +150,26 @@  check() {
 	return "$FAIL"
 }
 
+if [ ! -d "/sys/kernel/security/ima" ]; then
+	echo "${CYAN}SKIP: CONFIG_IMA not enabled${NORM}"
+	exit "$SKIP"
+fi
+
+if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then
+	ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements"
+else
+	BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9"
+	ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9"
+	export TPM_INTERFACE_TYPE="socsim"
+	export TPM_COMMAND_PORT=2321
+	export TPM_PLATFORM_PORT=2322
+	export TPM_SERVER_NAME="localhost"
+
+	# swtpm uses the raw, unencapsulated packet format
+	export TPM_SERVER_TYPE="raw"
+
+fi
+
 # Start and initialize a software TPM as needed
 if [ "$(id -u)" != 0 ] || [ ! -c "/dev/tpm0" ]; then
 	if [ -f "$PCRFILE" ] || [ -f "$MISC_PCRFILE" ]; then
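Review bot: The new `[ ! -d "/sys/kernel/security/ima" ]` skip is placed before the `if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]` branch, so it also aborts the non-root / software-TPM path, which reads its measurements from the sample-* files and does not touch the kernel's IMA list at all. Move the three skip lines inside the root-and-/dev/tpm0 branch, right before ASCII_RUNTIME_MEASUREMENTS is set to the securityfs path, so the sample tests keep running on a kernel without CONFIG_IMA. Also note that the directory test only succeeds when securityfs is mounted at /sys/kernel/security, so the message "CONFIG_IMA not enabled" is misleading on a kernel that has IMA built in but securityfs unmounted; "IMA securityfs entry not available" would describe what was actually checked.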