[v2,ima-evm-utils,0/4] Simple EVM HMAC calculation tests

Message ID 20230605165554.1965238-1-roberto.sassu@huaweicloud.com (mailing list archive)

Message

Roberto Sassu June 5, 2023, 4:55 p.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com>

Add two simple tests to check whether or not the HMAC calculated by the
kernel and evmctl matches. Do the tests for a regular file, and for a
directory successfully transmuted with Smack.

Also add two bug fixes to include the filesystem UUID and the inode
generation in the HMAC calculation, and the new option --hmackey to specify
an alternate location of the HMAC key.

Changelog

v1:
- Add documentation for --hmackey option of evmctl (suggested by Mimi)
- Update kernel configuration for CI
- Include inode generation in HMAC calculation for directories
- Specify kernel patches required for the tests (suggested by Mimi)
- Move xattr compare code to compare_xattr()
- Add new Smack-specific test to check HMAC of transmuting directory
  (suggested by Mimi)
- Check in the test that the --hmackey option is available (suggested by
  Mimi)
- Remove i_version mount option (should be default in ext4)
- Mount smackfs if the UML kernel is used

Roberto Sassu (4):
  Include the filesystem UUID in HMAC calculation
  Restore correct HMAC calculation for directories
  Add --hmackey option for evmctl
  Add simple test to check EVM HMAC calculation

 README                   |   3 +-
 kernel-configs/base      |   4 +-
 kernel-configs/integrity |   1 +
 src/evmctl.c             |  31 ++++-
 src/imaevm.h             |   1 +
 tests/Makefile.am        |   2 +-
 tests/evm_hmac.test      | 251 +++++++++++++++++++++++++++++++++++++++
 tests/functions.sh       |   6 +
 8 files changed, 293 insertions(+), 6 deletions(-)
 create mode 100755 tests/evm_hmac.test

Comments

Mimi Zohar June 14, 2023, 7:29 p.m. UTC | #1
Hi Roberto,

On Mon, 2023-06-05 at 18:55 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Add two simple tests to check whether or not the HMAC calculated by the
> kernel and evmctl matches. Do the tests for a regular file, and for a
> directory successfully transmuted with Smack.
> 
> Also add two bug fixes to include the filesystem UUID and the inode
> generation in the HMAC calculation, and the new option --hmackey to specify
> an alternate location of the HMAC key.

The main purpose for having a "Simple EVM HMAC" test is to ensure that
nothing breaks.

"evmctl --hmac" was only enabled in debug mode, since the hmac key was
not exposed to userspace.  It was never really used.  With the ability
of creating an encrypted key based  on user-provided decrypted data,
verifying the EVM hmac is now feasible.  This is the justification for
"Add --hmackey option for evmctl".

The initial test should work with either SELinux or smack extended
attributes.  None of the CI tests have SELinux or Smack enabled, except
for the UFI kernel.  Verifying the EVM hmac with an SELinux extended
attribute is not being tested.  On my local machine, the EVM HMAC with
SELinux xattr is failing.  Is this related to SELinux returning
different lengths in the kernel vs. userspace?  Whatever the reason, it
needs to be fixed.

The prereqs needed for running the Smack transmute test should not
prevent running the first test.

Mimi Zohar June 14, 2023, 11:34 p.m. UTC | #2
On Wed, 2023-06-14 at 15:29 -0400, Mimi Zohar wrote:
> Hi Roberto,
> 
> On Mon, 2023-06-05 at 18:55 +0200, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> > 
> > Add two simple tests to check whether or not the HMAC calculated by the
> > kernel and evmctl matches. Do the tests for a regular file, and for a
> > directory successfully transmuted with Smack.
> > 
> > Also add two bug fixes to include the filesystem UUID and the inode
> > generation in the HMAC calculation, and the new option --hmackey to specify
> > an alternate location of the HMAC key.
> 
> The main purpose for having a "Simple EVM HMAC" test is to ensure that
> nothing breaks.
> 
> "evmctl --hmac" was only enabled in debug mode, since the hmac key was
> not exposed to userspace.  It was never really used.  With the ability
> of creating an encrypted key based  on user-provided decrypted data,
> verifying the EVM hmac is now feasible.  This is the justification for
> "Add --hmackey option for evmctl".
> 
> The initial test should work with either SELinux or smack extended
> attributes.  None of the CI tests have SELinux or Smack enabled, except
> for the UFI kernel.  Verifying the EVM hmac with an SELinux extended
> attribute is not being tested.  On my local machine, the EVM HMAC with
> SELinux xattr is failing.  Is this related to SELinux returning
> different lengths in the kernel vs. userspace?  Whatever the reason, it
> needs to be fixed.

Testing the EVM hmac w/SELinux xattr is now working properly on a test
system, both with and without the "evm: Do HMAC of multiple per LSM
xattrs for new inodes" patch set.

> 
> The prereqs needed for running the Smack transmute test should not
> prevent running the first test.
>

Roberto Sassu June 16, 2023, 9:05 a.m. UTC | #3
On Wed, 2023-06-14 at 15:29 -0400, Mimi Zohar wrote:
> Hi Roberto,
> 
> On Mon, 2023-06-05 at 18:55 +0200, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> > 
> > Add two simple tests to check whether or not the HMAC calculated by the
> > kernel and evmctl matches. Do the tests for a regular file, and for a
> > directory successfully transmuted with Smack.
> > 
> > Also add two bug fixes to include the filesystem UUID and the inode
> > generation in the HMAC calculation, and the new option --hmackey to specify
> > an alternate location of the HMAC key.
> 
> The main purpose for having a "Simple EVM HMAC" test is to ensure that
> nothing breaks.
> 
> "evmctl --hmac" was only enabled in debug mode, since the hmac key was
> not exposed to userspace.  It was never really used.  With the ability
> of creating an encrypted key based  on user-provided decrypted data,
> verifying the EVM hmac is now feasible.  This is the justification for
> "Add --hmackey option for evmctl".

Ok, will add it.

> The initial test should work with either SELinux or smack extended
> attributes.  None of the CI tests have SELinux or Smack enabled, except
> for the UFI kernel.  Verifying the EVM hmac with an SELinux extended
> attribute is not being tested.  On my local machine, the EVM HMAC with
> SELinux xattr is failing.  Is this related to SELinux returning
> different lengths in the kernel vs. userspace?  Whatever the reason, it
> needs to be fixed.

If you used setfattr without \0 for the value at the end, that is
likely the reason. The correct way should be to use chcon.

> The prereqs needed for running the Smack transmute test should not
> prevent running the first test.

Ok.

Thanks

Roberto
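
An added illustration of the mismatch causes raised in this thread (not part of the patch set, evmctl or the kernel): a simplified Python model of an HMAC-SHA1 over xattr values, inode metadata and the filesystem UUID, with a helper that finds which corrections make a user-space digest match a reference digest. The packed field layout, key, SELinux label, inode values and UUID are constructed assumptions.

```python
import hashlib
import hmac
import struct
import uuid
from itertools import product

FIXES = ("append NUL to security.selinux value",
         "include inode generation",
         "include filesystem UUID")

def evm_hmac(key, xattrs, ino, generation, uid, gid, mode, fs_uuid=None):
    """HMAC-SHA1 over xattr values, packed inode metadata, optional fs UUID.
    The layout is an illustrative assumption, not evmctl's or the kernel's code."""
    h = hmac.new(key, digestmod=hashlib.sha1)
    for _name, value in xattrs:      # only value bytes are hashed, in list order
        h.update(value)
    # ino(u64) generation(u32) uid(u32) gid(u32) mode(u16) + 2 zero pad bytes
    h.update(struct.pack("<QIIIH2x", ino, generation, uid, gid, mode))
    if fs_uuid is not None:
        h.update(fs_uuid.bytes)
    return h.digest()

def find_fix(reference, key, xattrs, inode, generation, fs_uuid):
    """Return the smallest set of corrections that reproduces `reference`,
    or None if no combination of the three does."""
    for flags in sorted(product((False, True), repeat=3), key=sum):
        add_nul, use_gen, use_uuid = flags
        fixed = [(n, v + b"\0") if add_nul and n == "security.selinux"
                 and not v.endswith(b"\0") else (n, v) for n, v in xattrs]
        digest = evm_hmac(key, fixed, generation=generation if use_gen else 0,
                          fs_uuid=fs_uuid if use_uuid else None, **inode)
        if hmac.compare_digest(digest, reference):
            return [name for name, on in zip(FIXES, flags) if on]
    return None

# Constructed sample inputs (not taken from the thread).
KEY = bytes(range(32))
INODE = {"ino": 1234, "uid": 0, "gid": 0, "mode": 0o100644}
GENERATION = 7
FS_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
LABEL = b"system_u:object_r:etc_t:s0"
STORED = [("security.selinux", LABEL + b"\0")]   # value with terminating NUL
TYPED = [("security.selinux", LABEL)]            # same label, NUL missing

if __name__ == "__main__":
    ref = evm_hmac(KEY, STORED, generation=GENERATION, fs_uuid=FS_UUID, **INODE)
    print(find_fix(ref, KEY, TYPED, INODE, GENERATION, FS_UUID))
```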