werunplugged/unplugged-vendor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ebc759d833
unplugged-vendor/external/ltp/testcases/kernel/security/integrity/ima
History
ziv-gabel ebc759d833 Initial commit: AOSP 12 vendor with modifications for Unplugged OS
2025-10-06 13:59:42 +00:00
..
datafiles Initial commit: AOSP 12 vendor with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00
src Initial commit: AOSP 12 vendor with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00
tests Initial commit: AOSP 12 vendor with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00
Makefile Initial commit: AOSP 12 vendor with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00
README Initial commit: AOSP 12 vendor with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00

README 

These testcases test the Integrity Measurement Architecture(IMA).

Requirements
------------

A kernel with IMA configured, mount with i_version support, openssl
and openssl-devel packages, and auditd, if enabled, with the integrity
patch, are required to build and run the IMA testsuite.

- Enabling IMA in .config will also enable CRYPTO, SECURITYFS, TCG_TPM,
  and TPM_TIS.

CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_AUDIT=y
CONFIG_IMA_LSM_RULES=y

- Both sysfs and securityfs if not mounted, will be mounted.

- The testsuite must be executed with root priveleges so that it
  can access securityfs files, such as: security/ima/policy and
  security/ima/ascii_runtime_measurement.

- Both openssl and openssl-devel must be installed, to build the
  testsuite.  At runtime, if openssl is not installed, many of the
  tests will skipped.

- auditd, if enabled, requires the integrity patch, which is available
  from https://www.redhat.com/archives/linux-audit/2009-March/msg00016.html.

- In order to re-measure a file after it changes, the file system must
  be mounted with i_version support(Bugzilla 471593).
  [util-linux-ng-2.14.2-2.fc11.src.rpm]

  Add 'iversion' in /etc/fstab as:
	dev/hdb1  	/home  	ext2  	defaults,iversion 	1 2

  To mount the root partition with i_version support, 'iversion' must
  be added on the remount line in /etc/rc.sysinit:
	# Remount the root filesystem read-write.
	update_boot_stage RCmountfs
	if remount_needed ; then
	  action $"Remounting root filesystem in read-write mode: " mount -n -o remount,rw,iversion /
	fi


Dependency
----------
The testsuite is dependent on the default TCB policy being enabled, which
measures all executables, all files mmapped for execute and all files
open for read by root.  For kernels 2.6.31 and greater, enable the
trusted computing base(TCB) policy using the ima_tcb=1 boot parameter.
If the TCB policy has been replaced, loading another measurement
policy will fail, as the policy may only be replaced once per boot.
Some of the policy dependency tests might also fail as well.

ima_tpm.sh: test02, verifying the PCR-10 value, requires a hard reboot.
[On Ubuntu, before running the ltp tests, disable /etc/init.d/kexec-load
and reboot.]

Run tests
---------
After doing 'make' and 'make install' from the top-level,
- execute './ltp-full-<version>/runltp -f ima' to run the entire testsuite.
- To run individual tests, cd into the IMA directory, and add testcases/bin
  to PATH:
  ./ltp-full-<version>/testcases/kernel/security/integrity/ima/tests/
  and execute the individual scripts.

System State after running the Testsuite
----------------------------------------
After running the testsuite, the default measurement policy has been
replaced with an identical policy. If you want to install a different
policy, such as an LSM specific one, a reboot is required.

More Info to look at
--------------------
http://linux-ima.sourceforge.net/ is a good place to start.
There's also IMA mailing lists
http://sourceforge.net/projects/linux-ima
--