g", which first attempts to
kexec an unsigned kernel image with an IMA policy that requires
signatures on any kernel image. Then, the test attempts to kexec the
signed kernel image, which should succeed.
Signed-off-by: David Jacobson
---
evmtest/files/policies/kexec_policy | 3 +
evmtest/func
The first record in the IMA runtime measurement list is the boot
aggregate - a hash of PCRs 0-7. This test calculates the boot aggregate
based off the PCRs and compares it to IMA's boot aggregate.
Dependencies: a TPM, IBMTSS2.
Signed-off-by: David Jacobson
---
evmtest/func
command line.
Signed-off-by: David Jacobson
---
evmtest/README | 19 +++--
evmtest/evmtest | 51 +++-
evmtest/example.conf | 14
3 files changed, 81 insertions(+), 3 deletions(-)
create mode 100644 evmtest/example.conf
IMA supports file signatures by storing information in a security.ima
extended file attribute. This test ensures that the attribute is
preserved when a file is copied. This test requires root because only
root can write "security." xattrs to files.
Signed-off-by: David Jacobson
--
root privileges in order to write to securityfs
files.
Signed-off-by: David Jacobson
---
evmtest/Makefile.am | 4 +-
evmtest/files/Notes | 25 ++
evmtest/files/bad_privkey_ima.pem| 16
evmtest/files/policies/signed_policy
ogging for debugging
Signed-off-by: David Jacobson
---
Makefile.am | 5 +-
configure.ac| 1 +
evmtest/INSTALL | 11 ++
evmtest/Makefile.am | 23
evmtest/README
requires the kernel to be configured with the
"CONFIG_MODULE_SIG" option, but not with "CONFIG_MODULE_SIG_FORCE". For
this reason, the test requires that "module.sig_enforce=1" is supplied
as a boot option to the kernel.
Signed-off-by: David Jacobson
Chang