From patchwork Fri May 7 19:14:12 2021
X-Patchwork-Submitter: Petr Vorel
X-Patchwork-Id: 12245131
From: Petr Vorel To: ltp@lists.linux.it Cc: Petr Vorel , Mimi Zohar , Lakshmi Ramasubramanian , Tushar Sugandhi , linux-integrity@vger.kernel.org Subject: [PATCH v4 1/3] ima_keys.sh: Check policy only once Date: Fri, 7 May 2021 21:14:12 +0200 Message-Id: <20210507191414.14795-2-pvorel@suse.cz> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210507191414.14795-1-pvorel@suse.cz> References: <20210507191414.14795-1-pvorel@suse.cz> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Not needed to check the same policy twice. Rename to contain 'require' as we use tst_brk. Signed-off-by: Petr Vorel Reviewed-by: Lakshmi Ramasubramanian --- new in v4 .../security/integrity/ima/tests/ima_keys.sh | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index 9951ab999..3476b8007 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2020 Microsoft Corporation -# Copyright (c) 2020 Petr Vorel +# Copyright (c) 2020-2021 Petr Vorel # Author: Lachlan Sneff # # Verify that keys are measured correctly based on policy. @@ -20,6 +20,7 @@ REQUIRED_POLICY="^measure.*$FUNC_KEYCHECK" setup() { require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt + require_valid_policy_template } cleanup() 
@@ -27,15 +28,14 @@ cleanup() tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID } -check_policy_template() + +require_valid_policy_template() { while read line; do if echo $line | grep -q 'template=' && ! echo $line | grep -q 'template=ima-buf'; then - tst_res TCONF "only template=ima-buf can be specified for KEY_CHECK" - return 1 + tst_brk TCONF "only template=ima-buf can be specified for KEY_CHECK" fi done < $TST_TMPDIR/policy.txt - return 0 } check_keys_policy() @@ -59,8 +59,6 @@ test1() tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy" - check_policy_template || return - check_keys_policy "$pattern" > $tmp_file || return keycheck_lines=$(cat $tmp_file) keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \ 
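Review bot: the `-check_policy_template() + +require_valid_policy_template()` hunk inserts a `+` blank line directly after the blank line that already separates cleanup() from the next function, so the result has two consecutive empty lines; drop the added one. The change from `tst_res TCONF ...; return 1` to `tst_brk TCONF` is sound here because `while read line; do ... done < $TST_TMPDIR/policy.txt` runs in the current shell rather than a pipeline subshell, so tst_brk really terminates the test, and since setup() now performs the check once before any test body runs, removing the `check_policy_template || return` lines from test1() and test2() loses no coverage. Minor: `echo $line | grep -q 'template='` word-splits and glob-expands the policy line; quoting it as `echo "$line"` is cheap and avoids surprises if a rule ever contains a `*`.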
@@ -115,8 +113,6 @@ test2() tst_res TINFO "verify measurement of certificate imported into a keyring" - check_policy_template || return - check_keys_policy "$pattern" >/dev/null || return KEYRING_ID=$(keyctl newring $keyring_name @s) || \
From patchwork Fri May 7 19:14:13 2021
X-Patchwork-Submitter: Petr Vorel
X-Patchwork-Id: 12245137
From: Petr Vorel To: ltp@lists.linux.it Cc: Petr Vorel , Mimi Zohar , Lakshmi Ramasubramanian , Tushar Sugandhi , linux-integrity@vger.kernel.org Subject: [PATCH v4 2/3] IMA: Generalize key measurement tests Date: Fri, 7 May 2021 21:14:13 +0200 Message-Id: <20210507191414.14795-3-pvorel@suse.cz> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210507191414.14795-1-pvorel@suse.cz> References: <20210507191414.14795-1-pvorel@suse.cz> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Based on previous Tushar's work. Co-developed-by: Tushar Sugandhi Signed-off-by: Petr Vorel --- Rewritten .../security/integrity/ima/tests/ima_keys.sh | 78 +++---------------- .../security/integrity/ima/tests/ima_setup.sh | 76 +++++++++++++++++- 2 files changed, 87 insertions(+), 67 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh index 3476b8007..571f72d2d 100755 --- a/testcases/kernel/security/integrity/ima/tests/ima_keys.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_keys.sh @@ -6,7 +6,7 @@ # # Verify that keys are measured correctly based on policy. -TST_NEEDS_CMDS="cmp cut grep sed xxd" +TST_NEEDS_CMDS="cmp cut grep xxd" TST_CNT=2 TST_NEEDS_DEVICE=1 TST_SETUP=setup @@ -14,13 +14,14 @@ TST_CLEANUP=cleanup . ima_setup.sh -FUNC_KEYCHECK='func=KEY_CHECK' -REQUIRED_POLICY="^measure.*$FUNC_KEYCHECK" +POLICY_FUNC='func=KEY_CHECK' +REQUIRED_POLICY="^measure.*$POLICY_FUNC" +POLICY_FILE="$TST_TMPDIR/policy.txt" setup() { - require_ima_policy_content "$REQUIRED_POLICY" '-E' > $TST_TMPDIR/policy.txt - require_valid_policy_template + require_ima_policy_content "$REQUIRED_POLICY" '-E' > $POLICY_FILE + require_valid_policy_template $FUNC $POLICY_FILE } cleanup() 
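Review bot: `require_valid_policy_template $FUNC $POLICY_FILE` in setup() references $FUNC, but this very hunk renames the variable to POLICY_FUNC and nothing else in ima_keys.sh defines FUNC, so the call expands to `require_valid_policy_template $POLICY_FILE`: the helper receives the policy path as its `func` argument and an empty `policy_file`, and its `done < $policy_file` redirection fails. It should be `require_valid_policy_template $POLICY_FUNC $POLICY_FILE`. Dropping sed from TST_NEEDS_CMDS is only safe because the new helper calls `tst_require_cmds cut sed xxd` itself; a sentence on that in the commit message would help the next reader.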
@@ -28,74 +29,19 @@ cleanup() tst_is_num $KEYRING_ID && keyctl clear $KEYRING_ID } - -require_valid_policy_template() -{ - while read line; do - if echo $line | grep -q 'template=' && ! echo $line | grep -q 'template=ima-buf'; then - tst_brk TCONF "only template=ima-buf can be specified for KEY_CHECK" - fi - done < $TST_TMPDIR/policy.txt -} - -check_keys_policy() -{ - local pattern="$1" - - if ! grep -E "$pattern" $TST_TMPDIR/policy.txt; then - tst_res TCONF "IMA policy must specify $pattern, $FUNC_KEYCHECK" - return 1 - fi - return 0 -} - # Based on https://lkml.org/lkml/2019/12/13/564. # (450d0fd51564 - "IMA: Call workqueue functions to measure queued keys") test1() { local keycheck_lines i keyrings templates local pattern='keyrings=[^[:space:]]+' - local test_file="file.txt" tmp_file="file2.txt" + local policy="keyrings" + local tmp_file="$TST_TMPDIR/keycheck_tmp_file.txt" tst_res TINFO "verify key measurement for keyrings and templates specified in IMA policy" - check_keys_policy "$pattern" > $tmp_file || return - keycheck_lines=$(cat $tmp_file) - keyrings=$(for i in $keycheck_lines; do echo "$i" | grep "keyrings" | \ - sed "s/\./\\\./g" | cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g') - if [ -z "$keyrings" ]; then - tst_res TCONF "IMA policy has a keyring key-value specifier, but no specified keyrings" - return - fi - - templates=$(for i in $keycheck_lines; do echo "$i" | grep "template" | \ - cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g') - - tst_res TINFO "keyrings: '$keyrings'" - tst_res TINFO "templates: '$templates'" - - grep -E "($templates).*($keyrings)" $ASCII_MEASUREMENTS | while read line - do - local digest expected_digest algorithm - - digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) - algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) - keyring=$(echo "$line" | cut -d' ' -f5) - - echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file - - if ! 
expected_digest="$(compute_digest $algorithm $test_file)"; then - tst_res TCONF "cannot compute digest for $algorithm" - return - fi - - if [ "$digest" != "$expected_digest" ]; then - tst_res TFAIL "incorrect digest was found for $keyring keyring" - return - fi - done - - tst_res TPASS "specified keyrings were measured correctly" + check_policy_pattern "$pattern" $POLICY_FUNC $POLICY_FILE > $tmp_file || return + test_policy_measurement $policy $temp_file } # Create a new keyring, import a certificate into it, and verify @@ -109,11 +55,11 @@ test2() local cert_file="$TST_DATAROOT/x509_ima.der" local keyring_name="key_import_test" local pattern="keyrings=[^[:space:]]*$keyring_name" - local temp_file="file.txt" + local temp_file="$TST_TMPDIR/key_import_test_file.txt" tst_res TINFO "verify measurement of certificate imported into a keyring" - check_keys_policy "$pattern" >/dev/null || return + check_policy_pattern "$pattern" $POLICY_FUNC $POLICY_FILE >/dev/null || return KEYRING_ID=$(keyctl newring $keyring_name @s) || \ tst_brk TBROK "unable to create a new keyring" diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh index 565f0bc3e..b442d49be 100644 --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh +++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh @@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later # Copyright (c) 2009 IBM Corporation -# Copyright (c) 2018-2020 Petr Vorel +# Copyright (c) 2018-2021 Petr Vorel # Author: Mimi Zohar TST_TESTFUNC="test" 
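Review bot: in the test1() hunk, `test_policy_measurement $policy $temp_file` uses $temp_file, but the local declared two lines above is `tmp_file` (the name `temp_file` exists only in test2()), so the helper receives an empty second argument and its `cat` fails; change it to `$tmp_file`. With the measurement loop moved into ima_setup.sh, the retained `local keycheck_lines i keyrings templates` line is dead and should go as well.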
@@ -54,6 +54,80 @@ compute_digest() return 1 } +require_valid_policy_template() +{ + local func="$1" + local policy_file="$2" + + while read line; do + if echo $line | grep -q 'template=' && ! echo $line | grep -q 'template=ima-buf'; then + tst_brk TCONF "only template=ima-buf can be specified for $func" + fi + done < $policy_file +} + +check_policy_pattern() +{ + local pattern="$1" + local func="$2" + local policy_file="$3" + + if ! grep -E "$pattern" $policy_file; then + tst_res TCONF "IMA policy must specify $pattern, $func" + return 1 + fi + return 0 +} + +test_policy_measurement() +{ + local policy_option="$1" + local lines="$(cat $2)" + local input_digest="$3" + local test_file="$TST_TMPDIR/test.txt" + local grep_file="$TST_TMPDIR/grep.txt" + local i sources templates + + tst_require_cmds cut sed xxd + + sources=$(for i in $lines; do echo "$i" | grep "$policy_option" | \ + sed "s/\./\\\./g" | cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g') + if [ -z "$sources" ]; then + tst_res TCONF "IMA policy $policy_option is a key-value specifier, but no values specified" + return + fi + + templates=$(for i in $lines; do echo "$i" | grep "template" | \ + cut -d'=' -f2; done | sed ':a;N;$!ba;s/\n/|/g') + + tst_res TINFO "policy sources: '$sources'" + tst_res TINFO "templates: '$templates'" + + grep -E "($templates).*($sources)" $ASCII_MEASUREMENTS > $grep_file + + while read line; do + local algorithm digest expected_digest src_line + + digest=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f2) + algorithm=$(echo "$line" | cut -d' ' -f4 | cut -d':' -f1) + src_line=$(echo "$line" | cut -d' ' -f5) + + echo "$line" | cut -d' ' -f6 | xxd -r -p > $test_file + + if ! 
expected_digest="$(compute_digest $algorithm $test_file)"; then + tst_res TCONF "cannot compute digest for $algorithm" + return + fi + + if [ "$digest" != "$expected_digest" ]; then + tst_res TFAIL "incorrect digest was found for $src_line $policy_option" + return + fi + done < $grep_file + + tst_res TPASS "$policy_option measured correctly" +} + check_policy_readable() { if [ ! -f $IMA_POLICY ]; then
From patchwork Fri May 7 19:14:14 2021
X-Patchwork-Submitter: Petr Vorel
X-Patchwork-Id: 12245135
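Review bot: in test_policy_measurement(), `local input_digest="$3"` is assigned but never read, so a caller passing an expected digest (patch 3/3 does) gets no check from it; either compare it against the measured digest or drop the parameter. Second, when `grep -E "($templates).*($sources)" $ASCII_MEASUREMENTS > $grep_file` matches nothing, $grep_file is empty, the loop body never runs and the function still ends with `tst_res TPASS "$policy_option measured correctly"`; add an explicit check that $grep_file is non-empty and report TFAIL (or TCONF) otherwise, because a missing measurement is exactly the failure this test exists to catch. Third, switching from piping grep into `while read` to `done < $grep_file` is a behavioural fix worth stating in the commit message: the `return` after TFAIL now leaves the function instead of only the pipeline subshell, so TPASS is no longer reported after a digest mismatch. Finally, this function is named `test_policy_measurement` while patch 3/3 calls `check_policy_measurement`; settle on one name.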
From: Petr Vorel To: ltp@lists.linux.it Cc: Tushar Sugandhi , Mimi Zohar , Lakshmi Ramasubramanian , linux-integrity@vger.kernel.org, Petr Vorel Subject: [PATCH v4 3/3] IMA: Add test for dm-crypt measurement Date: Fri, 7 May 2021 21:14:14 +0200 Message-Id: <20210507191414.14795-4-pvorel@suse.cz> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210507191414.14795-1-pvorel@suse.cz> References: <20210507191414.14795-1-pvorel@suse.cz> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org From: Tushar Sugandhi New functionality is being added to IMA to measure data provided by kernel components. With this feature, IMA policy can be set to enable measuring data provided by device-mapper targets. Currently one such device-mapper target - dm-crypt, is being updated to use this functionality. This new functionality needs test automation in LTP. Add a testcase which verifies that the IMA subsystem correctly measures the data coming from a device-mapper target - dm-crypt. Reviewed-by: Petr Vorel Signed-off-by: Tushar Sugandhi [ pvorel: rebased: removed template=ima-buf, added policy example, cleanup ] Signed-off-by: Petr Vorel --- The same as in v3. .../kernel/security/integrity/ima/README.md | 20 ++++++++ .../security/integrity/ima/datafiles/Makefile | 2 +- .../ima/datafiles/ima_dm_crypt/Makefile | 11 +++++ .../ima_dm_crypt/ima_dm_crypt.policy | 1 + .../integrity/ima/tests/ima_dm_crypt.sh | 47 +++++++++++++++++++ 5 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/Makefile create mode 100644 testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/ima_dm_crypt.policy create mode 100755 testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh diff --git a/testcases/kernel/security/integrity/ima/README.md b/testcases/kernel/security/integrity/ima/README.md index 5b261a191..767d98a22 100644 --- a/testcases/kernel/security/integrity/ima/README.md 
+++ b/testcases/kernel/security/integrity/ima/README.md @@ -65,6 +65,26 @@ CONFIG_SECURITY_SELINUX=y CONFIG_IMA_READ_POLICY=y ``` +### IMA DM target (dm-crypt) measurement test + +To enable IMA to measure device-mapper target - dm-crypt, +`ima_dm_crypt.sh` requires a readable IMA policy, as well as +a loaded measure policy with `func=CRITICAL_DATA data_sources=dm-crypt`, +see example in `ima_dm_crypt.policy`. + +As well as what's required for the IMA tests, dm-crypt measurement test require +reading the IMA policy allowed in the kernel configuration: +``` +CONFIG_IMA_READ_POLICY=y +``` + +The following kernel configuration is also required. It enables compiling +the device-mapper target module dm-crypt, which allows to create a device +that transparently encrypts the data on it. +``` +CONFIG_DM_CRYPT +``` + ## EVM tests `evm_overlay.sh` requires a builtin IMA appraise tcb policy (e.g. `ima_policy=appraise_tcb` diff --git a/testcases/kernel/security/integrity/ima/datafiles/Makefile b/testcases/kernel/security/integrity/ima/datafiles/Makefile index 280175b17..eef857c41 100644 --- a/testcases/kernel/security/integrity/ima/datafiles/Makefile +++ b/testcases/kernel/security/integrity/ima/datafiles/Makefile @@ -26,6 +26,6 @@ top_srcdir ?= ../../../../../.. include $(top_srcdir)/include/mk/env_pre.mk -SUBDIRS := ima_kexec ima_keys ima_policy ima_selinux +SUBDIRS := ima_dm_crypt ima_kexec ima_keys ima_policy include $(top_srcdir)/include/mk/generic_trunk_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/Makefile b/testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/Makefile new file mode 100644 index 000000000..d9efdce3f --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/Makefile 
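Review bot: `CONFIG_DM_CRYPT` in the README hunk has no value; the other snippets in this file use the `=y` form, so write `CONFIG_DM_CRYPT=y` (and mention that `=m` also works, since the test only needs the module loadable). The separate `CONFIG_IMA_READ_POLICY=y` block repeats the readable-policy requirement already stated one paragraph earlier and already listed for the IMA tests as a whole. Wording: "dm-crypt measurement test require reading" should be "requires".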
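Review bot: the SUBDIRS hunk silently removes `ima_selinux` while adding `ima_dm_crypt` (`-SUBDIRS := ima_kexec ima_keys ima_policy ima_selinux` becomes `+SUBDIRS := ima_dm_crypt ima_kexec ima_keys ima_policy`), and neither the commit message nor the diffstat ("2 +-", one line changed) indicates the ima_selinux datafiles were meant to stop being installed. Unless that directory was dropped elsewhere, keep it: `SUBDIRS := ima_dm_crypt ima_kexec ima_keys ima_policy ima_selinux`.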
@@ -0,0 +1,11 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) Linux Test Project, 2021 + +top_srcdir ?= ../../../../../../.. + +include $(top_srcdir)/include/mk/env_pre.mk + +INSTALL_DIR := testcases/data/ima_dm_crypt +INSTALL_TARGETS := *.policy + +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/ima_dm_crypt.policy b/testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/ima_dm_crypt.policy new file mode 100644 index 000000000..226b6a4b7 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/datafiles/ima_dm_crypt/ima_dm_crypt.policy @@ -0,0 +1 @@ +measure func=CRITICAL_DATA data_sources=dm-crypt template=ima-buf diff --git a/testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh b/testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh new file mode 100755 index 000000000..5c4842245 --- /dev/null +++ b/testcases/kernel/security/integrity/ima/tests/ima_dm_crypt.sh 
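Review bot: the added ima_dm_crypt.policy line is `measure func=CRITICAL_DATA data_sources=dm-crypt template=ima-buf`, yet the rebase note in the commit message says "removed template=ima-buf"; the two disagree. Keeping the template is harmless because require_valid_policy_template() accepts ima-buf, but either drop it from the example policy or reword the note so the message matches the file.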
@@ -0,0 +1,47 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (c) 2021 Microsoft Corporation +# Copyright (c) 2021 Petr Vorel +# Author: Tushar Sugandhi +# +# Verify that DM target dm-crypt are measured correctly based on policy. +# +# fdd1ffe8a812 ("selinux: include a consumer of the new IMA critical data hook") +# from v5.12 + +TST_NEEDS_CMDS="dmsetup" +TST_NEEDS_DEVICE=1 +TST_SETUP=setup +TST_CLEANUP=cleanup + +. ima_setup.sh + +POLICY_FUNC='func=CRITICAL_DATA' +PATTERN='data_sources=[^[:space:]]+' +REQUIRED_POLICY="^measure.*($FUNC.*$PATTERN|$PATTERN.*$FUNC)" +POLICY_FILE="$TST_TMPDIR/policy.txt" + +setup() +{ + require_ima_policy_content "$REQUIRED_POLICY" '-E' > $POLICY_FILE + require_valid_policy_template $FUNC $POLICY_FILE +} + +cleanup() +{ + [ "$dmsetup_run" ] || return + dmsetup remove test-crypt +} + +test1() +{ + local input_digest="039d8ff71918608d585adca3e5aab2e3f41f84d6" + local key="faf453b4ee938cff2f0d2c869a0b743f59125c0a37f5bcd8f1dbbd911a78abaa" + + tst_res TINFO "verifying dm-crypt target measurement" + + ROD dmsetup create test-crypt --table "0 1953125 crypt aes-xts-plain64 $key 0 /dev/loop0 0 1 allow_discards" + check_policy_measurement $policy $POLICY_FILE $input_digest +} + +tst_run
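Review bot: ima_dm_crypt.sh as added does not run as written; several names in this hunk never resolve. (1) `REQUIRED_POLICY="^measure.*($FUNC.*$PATTERN|$PATTERN.*$FUNC)"` and `require_valid_policy_template $FUNC $POLICY_FILE` use $FUNC, but the file defines POLICY_FUNC; with $FUNC empty the regex degenerates to `^measure.*(.*data_sources=...|data_sources=....*)`, which no longer requires func=CRITICAL_DATA at all, and the template check receives the wrong arguments. Use $POLICY_FUNC in both places. (2) test1() calls `check_policy_measurement $policy $POLICY_FILE $input_digest`, but the helper patch 2/3 adds is named `test_policy_measurement`, and $policy is never set in this file; by analogy with `local policy="keyrings"` in ima_keys.sh it should be `local policy="data_sources"`. The hard-coded $input_digest is also passed to a helper that ignores its third argument, so it currently checks nothing. (3) `dmsetup_run` is never set, so cleanup() always returns early and the `test-crypt` mapping is left behind after the test; set `dmsetup_run=1` before the ROD dmsetup call. (4) The table hard-codes `/dev/loop0` and a length of 1953125 sectors even though TST_NEEDS_DEVICE=1 is set; use $TST_DEVICE and derive the length from the device (for example `blockdev --getsz $TST_DEVICE`), since /dev/loop0 may belong to something else or be smaller than the table claims. (5) ima_keys.sh sets TST_CNT=2 for its test1()/test2(); here test1() is defined but TST_CNT is not set, so confirm that tst_run dispatches to test1 (ima_setup.sh sets TST_TESTFUNC="test") or set TST_CNT=1.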